Package: libopenconnect2
Version: 5.03-1
Severity: important
Tags: patch upstream
X-Debbugs-CC: openconnect-devel at lists.infradead.org

The changes in gnutls.c from v5.01 to v5.02 concerning "support of CA certificates from PKCS#11 tokens (with GnuTLS 3.2.7+)" break functionality in openconnect, at least if compiled with GnuTLS 2.12.x. Therefore, it also affects libopenconnect2 (= 5.02-1) in Ubuntu 14.04LTS.

I have tried to investigate this issue with GDB and have come as far as gnutls.c:1517, where err is not the return value of any call to gnutls_pkcs11_get_raw_issuer() or gnutls_x509_crt_import() within the code guarded by

  #if defined(HAVE_P11KIT) && defined(HAVE_GNUTLS_PKCS11_GET_RAW_ISSUER)

if compiled with GnuTLS 2.12.x as in Debian and Ubuntu Linux. So I thought to shift the lines 1517-1518 "if (err) break;" upwards to their original position, but then it crashes in gnutls.c:1522 invoking function gnutls_x509_crt_check_issuer().

Finally, I have given up and, although I know this is far from being smart, I reverted all changes in gnutls.c to v5.01, which works perfectly for me. The patch for reverting changes in gnutls.c is attached.

Could you please find a smarter fix or at least apply the given patch temporarily?

Thank you in advance!

Thomas Uhle
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gnutls.diff
Type: text/x-patch
Size: 10279 bytes
Desc:
URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20140411/679fad00/attachment.bin>