diff options
| author | Debarshi Ray <debarshir@gnome.org> | 2017-03-15 20:24:08 +0100 |
|---|---|---|
| committer | Debarshi Ray <debarshir@gnome.org> | 2017-03-20 20:36:31 +0100 |
| commit | fb6d60e5fcf7d4e6c77160fc2430072c71a1323a (patch) | |
| tree | 897a5ded2aed428548f9c823b54e1a831fc53e46 /tests/empathy-irc-server-test.c | |
| parent | 4568299d28360e9a8a71a6fc28934750c0dadb3c (diff) | |
| download | empathy-fb6d60e5fcf7d4e6c77160fc2430072c71a1323a.tar.gz | |
tls-verifier: Use GIO to verify the chain of TLS certificates
Gcr has its own hand rolled code to complete the certificate chain and
validate it, which predates the equivalent functionality in GIO. These
days, GIO's GnuTLS backend is a better option because it defers to
GnuTLS to do the right thing. It benefits automatically from any
improvements made to GnuTLS itself.
However, GIO doesn't support certificate pinning. Gcr continues to
provide that feature.
Note:
(a) We don't set "certificate-hostname" when we encounter
TP_TLS_CERTIFICATE_REJECT_REASON_HOSTNAME_MISMATCH. The resulting loss
of verbosity in EmpathyTLSDialog is balanced by no longer relying on a
specific encryption library.
(b) glib-networking doesn't differentiate between
GNUTLS_CERT_SIGNER_NOT_FOUND and GNUTLS_CERT_SIGNER_NOT_CA. Hence, we
club them together as TP_TLS_CERTIFICATE_REJECT_REASON_UNTRUSTED and we
no longer return TP_TLS_CERTIFICATE_REJECT_REASON_SELF_SIGNED.
(c) Unlike Gcr, GnuTLS doesn't seem to provide a way to load a PKCS#11
module that's built into the code, as opposed to being a shared object.
This makes it hard for us to load our mock PKCS#11 module. Therefore,
we have disabled the test case that relies on using PKCS#11 storage to
complete the certificate chain.
Bump required GLib version to 2.48. We really do need 2.48 because we
rely on the improvements to GIO's GnuTLS backend.
https://bugzilla.gnome.org/show_bug.cgi?id=780160
Diffstat (limited to 'tests/empathy-irc-server-test.c')
0 files changed, 0 insertions, 0 deletions