[glib-networking] Try adjusting the connection tests' check for TLS 1.3

From: Michael Catanzaro <mcatanzaro src gnome org>
To: commits-list gnome org
Cc:
Subject: [glib-networking] Try adjusting the connection tests' check for TLS 1.3
Date: Mon, 12 Nov 2018 01:06:21 +0000 (UTC)

commit 9e306caa89cde4befdd0191836ea86ce1d21e392
Author: Michael Catanzaro <mcatanzaro igalia com>
Date:   Sun Nov 11 19:03:13 2018 -0600

    Try adjusting the connection tests' check for TLS 1.3
    
    This seems *slightly* better than just checking the GnuTLS version, but
    it's still not actually going to work on Fedora 28, which has GnuTLS 3.6
    but not TLS 1.3. That's achieved by distro patching, though, so I think
    we can declare it effectively unsupported for further glib-networking
    development.

 tls/tests/connection.c | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)
---
diff --git a/tls/tests/connection.c b/tls/tests/connection.c
index a90d2e4..db8de0e 100644
--- a/tls/tests/connection.c
+++ b/tls/tests/connection.c
@@ -1013,21 +1013,24 @@ test_client_auth_rehandshake (TestConnection *test,
   test_client_auth_connection (test, data);
 }
 
-/* FIXME: This isn't good to have different API behavior depending on
+/* In TLS 1.3 the client handshake succeeds before the client has sent
+ * its certificate to the server, so the client doesn't realize the
+ * server has rejected its certificate until it tries performing I/O.
+ * This results in different errors bubbling up to the API level. The
+ * differences are unfortunate but difficult to avoid.
+ *
+ * FIXME: This isn't good to have different API behavior depending on
  * the version of GnuTLS in use. And how is OpenSSL supposed to deal
  * with this?
  */
 static gboolean
 client_can_receive_certificate_required_errors (TestConnection *test)
 {
-  /* This is an imperfect heuristic, but we'll assume GnuTLS 3.6.0 or
-   * higher means TLS 1.3. Broken pipe is expected here because in TLS
-   * 1.3 the client handshake succeeds before the client has sent its
-   * certificate to the server, so the client doesn't realize the server
-   * has rejected its certificate until it tries performing I/O.
-   * Unfortunate but probably unavoidable.
+  /* This is a very imperfect check, since it returns true on Fedora 28,
+   * where GNUTLS_TLS1_3 is defined but TLS 1.3 is disabled anyway.
+   * The tests will just remain broken there, I guess.
    */
-  return !gnutls_check_version_numeric (3, 6, 0);
+  return GNUTLS_TLS_VERSION_MAX <= GNUTLS_TLS1_2;
 }
 
 static void

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]