[gnutls-dev]Re: exim + gnutls
Nikos Mavroyanopoulos
nmav@gnutls.org
Fri Nov 1 19:12:02 2002
On Thu, Oct 31, 2002 at 02:40:18PM +0000, Philip Hazel wrote:
> Nikos,
> You will be pleased to hear that I have now made Exim work with GnuTLS
> to my satisfaction. It passes my tests, so I have released the code to
> the Exim community for anybody who wants to test it. There were a few
Great news!
> 1. I could not get gnutls_X509_extract_certificate_dn_string() to work.
> I don't know what I was doing wrong, but I just got no data. In the end,
> I used gnutls_X509_extract_certificate_dn() and formatted it myself.
Did it returned an error code? Was the certificate a valid X.509 DER formated
certificate?
> 2. It seems that the library writes to file descriptor 2 (stderr) when
> it hasn't got enough random bits. This seems to me to be a bad idea.
> I don't think _any_ general library function should assume that file
> descriptor 2 is attached to a useful debugging destination. (In fact,
> Exim takes care to ensure that fd2 is opened to /dev/null because of
> just this problem.)
This is due to libgcrypt. I though it was solved in the latest version.
> 3. OpenSSL has a feature whereby you can pass it a list of acceptable
> cipher suites before starting the handshake; it will then use only
> those cipher suites when negotiating. I passed this feature on in
> Exim by an option called require_ciphers. As far as I can tell, the
> only approximation with GnuTLS is to check the cipher after the
> negotiation is complete - but if it's no good, the only thing you can
> do is shut the session down, and that is not quite the same thing.
> Is there something in GnuTLS that I am missing here?
The only thing I can suggest here, is to use the gnutls' priority functions.
That is break the cipher suites, to Key Exchange method, Cipher algorithm, and
MAC, and the feed that to the priority functions.
You could use a table like { "RC4-MD5", GNUTLS_KX_RSA, GNUTLS_CIPHER_ARCFOUR, GNUTLS_MAC_MD5 }.
> 4. When investigating the cipher suites, I noticed that GnuTLS uses an
> underscore between the components, whereas OpenSSL uses a hyphen. Is
> there a standard for this? OpenSSL actually complains if you use an
> underscore. For the moment, I have put in code to convert between
> underscores and hyphens as necessary.
Why does this cause problem?
GnuTLS does not use the name of the cipher suites, anywhere (except for
informational use -- ie print the name of the ciphersuite)
> Regards,
> Philip
> --
> Philip Hazel University of Cambridge Computing Service,
> ph10@cus.cam.ac.uk Cambridge, England. Phone: +44 1223 334714.
--
Nikos Mavroyanopoulos
Email: nmav at gnutls org