I found gnutls_certificate_set_x509_trust_(file|dir)(), so it's a lot
easier than I feared. Plus a little diggiing shows that if you're
loading the system defaults, GnuTLS on Windows does load them from the
Windows certificate store.
The previous default cipher string wouldn't connect with getdnsapi.
Selection of cipher strings requires some deep study, I think.
So, taking working with getdnsapi.net as our target, discover that we
need SECURE128 as well as SECURE192. And rather than disable everything
except TLS1.2, disable TLS1.0 and TLS1.1. This should mean it connects
to TLS1.3.
Set the priority string to a concatenation of the connection cipher and curve strings, falling back to the context ones if the connection value isn't specified. Also get context.c to specify NULL for default context list and the opportunistic list for the connection, moving these library-specific quantities into the specific implementation.
Add a flag to the context (so, it's actually got something useful there!) and check the connection version on a successful handshake.
This means we need to access the context from a connection, so add a pointer to the context to the connection.
Link to the openssl val_secalgo implementation and use that, after adjusting the source of Nettle includes.
GnuTLS uses Nettle itself, so this is not adding a new dependency.
I could waste the rest of the available time trying to turn configure.ac into something that cleanly ignores OpenSSL, uses GnuTLS instead and retains all the options. Or even better scrap the whole autoconf mess and start again.
But in the interests of prototyping, do something quick and dirty. This means GnuTLS must for now be configured thus:
$ CFLAGS="-g" ../configure --enable-stub-only --with-gnutls --disable-gost --disable-ecdsa --disable-edns-cookies
to evade other items with hardcoded OpenSSL checks in them.
Convert the main util/val_secalgo.h to a plain interface. Move the preprocessor redefines into validator/val_secalgo.h, and move THAT under openssl, because it is OpenSSL implementation specific at present - you can compile with NSS and Nettle if config allows.
Jim Hague
Jim Hague
Willem Toorop