[Modules] mod_gnutls: Failed to load Client CA File ... The given memory buffer is too short to hold parameters.

Simon Josefsson simon at josefsson.org
Wed Jan 14 04:13:02 EST 2009


Sander Marechal <s.marechal at jejik.com> writes:

> Hi,
>
> I'm the submitter of the bug at Debian.
>
> Nikos Mavrogiannopoulos wrote:
>> Thanks for the report. I'll try to fix it as soon. However note that if
>> you want to set all the list of ca-certificates.crt as the trusted list
>> then probably you are doing something wrong.
>
> In my case I am building a website where people authenticate using a
> client certificate. I extract the e-mail address from the client
> certificate DN and match that against the database of known users. If
> it's an unknown user then they can create an account.
>
> I don't want to babysit SSL certificates and sign them all myself. As
> long as someone presents me with a certificate signed by someone I trust
> (that would be all the CA's in ca-certificates) I want them to be able
> to access the website. This is not some small, closed intranet or
> something, but a website that anyone should be able to access.
>
> The only way I see to reduce the list of CA's that I need to load is to
> figure out which of them don't give out client certificates. There's got
> to be quite a few in that list that only give out server certificates.

You can increase MAX_CA_CRTS in includes/mod_gnutls.h.in manually, it is
currently hard-coded to 128.  Of course, the proper fix will be to make
the allocation dynamic.

/Simon
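
As an added example (not mod_gnutls code and not the eventual fix), the sketch below sizes the CA table from the bundle itself instead of a fixed `MAX_CA_CRTS`. It only counts PEM markers and parses nothing with GnuTLS; `count_pem_certs`, `alloc_ca_slots` and `make_sample_bundle` are hypothetical names, and the sample bundle is constructed placeholder data.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_CA_CRTS 128   /* the hard-coded limit named in the message above */
static const char PEM_BEGIN[] = "-----BEGIN CERTIFICATE-----";
static const char PEM_END[]   = "-----END CERTIFICATE-----";

/* Count complete BEGIN/END CERTIFICATE pairs in a NUL-terminated PEM bundle. */
size_t count_pem_certs(const char *pem)
{
    size_t n = 0;
    const char *p = pem;
    while ((p = strstr(p, PEM_BEGIN)) != NULL) {
        const char *end = strstr(p + sizeof PEM_BEGIN - 1, PEM_END);
        if (end == NULL) break;      /* truncated last entry: not counted */
        n++;
        p = end + sizeof PEM_END - 1;
    }
    return n;
}

/* Hypothetical helper: one slot per certificate found; NULL if none or on OOM. */
void **alloc_ca_slots(const char *pem, size_t *count)
{
    *count = count_pem_certs(pem);
    return *count ? calloc(*count, sizeof(void *)) : NULL;
}

/* Constructed bundle of n placeholder entries (not real certificates). */
char *make_sample_bundle(size_t n)
{
    static const char entry[] = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n"
                                "-----END CERTIFICATE-----\n";
    size_t elen = sizeof entry - 1;
    char *buf = calloc(n * elen + 1, 1);     /* zero-filled, so NUL-terminated */
    for (size_t i = 0; buf != NULL && i < n; i++)
        memcpy(buf + i * elen, entry, elen);
    return buf;
}

int main(void)
{
    size_t n = 0;
    char *pem = make_sample_bundle(130);     /* constructed: 130 > MAX_CA_CRTS */
    void **slots = pem ? alloc_ca_slots(pem, &n) : NULL;
    printf("%zu certificates (old fixed limit: %d)\n", n, MAX_CA_CRTS);
    free(slots); free(pem);
    return 0;
}
```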

