Description of problem: [by David Woodhouse] In F21 I seem to see gnutls_certificate_get_issuer() returning zero without actually filling in the certificate pointer that it was given. So this triggers:
diff --git a/gnutls.c b/gnutls.c index 346da3c..99a5f11 100644 --- a/gnutls.c +++ b/gnutls.c @@ -1467,6 +1467,7 @@ static int load_certificate(struct openconnect_info *vpninfo) free_issuer = 1; } else { /* Look for it in the system trust cafile too. */ + issuer = (void *)0xdeadbeef; err = gnutls_certificate_get_issuer(vpninfo->https_cred, last_cert, &issuer, 0); /* The check_issuer_sanity() function works fine as a workaround where @@ -1474,7 +1475,13 @@ static int load_certificate(struct openconnect_info *vpninfo) a bogus cert, there's nothing we can do to fix it up. We don't get to iterate over all the available certs like we can over our own list. */ - if (!err && check_issuer_sanity(last_cert, issuer)) { + if (!err && issuer == (void *)0xdeadbeef) { + /* WTF */ + vpn_progress(vpninfo, PRG_ERR, + _("WARNING: GnuTLS broke. wtf?\n")); + break; + } + if (!err && issuer && check_issuer_sanity(last_cert, issuer)) { vpn_progress(vpninfo, PRG_ERR, _("WARNING: GnuTLS returned incorrect issuer certs; authentication may fail!\n")); break;
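Review bot: In the first hunk (@@ -1467,6 +1467,7 @@), the added line "issuer = (void *)0xdeadbeef;" poisons the output pointer with an unexplained magic constant that is repeated verbatim in the second hunk. If this is meant to stay beyond debugging, initialise with "issuer = NULL;" instead and add a comment saying that gnutls_certificate_get_issuer() has been seen to return zero without writing to the pointer. NULL is already handled by the "issuer &&" guard added later, and it cannot be mistaken for a valid certificate handle if a future code path forgets the sentinel comparison.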
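Review bot: In the second hunk (@@ -1474,7 +1475,13 @@), the new branch "if (!err && issuer == (void *)0xdeadbeef)" reports the failure as "WARNING: GnuTLS broke. wtf?" inside a translatable _() string under a "/* WTF */" comment, which tells neither the user nor a translator what went wrong. Say what was observed, for example that gnutls_certificate_get_issuer() returned success without setting an issuer, and replace the comment with the same explanation. Also note that in the rewritten condition "if (!err && issuer && check_issuer_sanity(last_cert, issuer))", a zero return with a NULL issuer skips both "break" statements and falls through to code not shown in this hunk; it would be safer to treat "!err && !issuer" the same as the sentinel case so that the following code never sees a success return paired with an unset issuer.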
gnutls-3.3.9-2.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/gnutls-3.3.9-2.fc21
Package gnutls-3.3.9-2.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing gnutls-3.3.9-2.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-13540/gnutls-3.3.9-2.fc21
then log in and leave karma (feedback).
gnutls-3.3.9-2.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.