From nmav at gnutls.org Fri Nov 1 19:12:02 2002 From: nmav at gnutls.org (Nikos Mavroyanopoulos) Date: Fri Nov 1 19:12:02 2002 Subject: [gnutls-dev]Re: exim + gnutls In-Reply-To: References: Message-ID: <20021101180514.GA748@gnutls.org> On Thu, Oct 31, 2002 at 02:40:18PM +0000, Philip Hazel wrote: > Nikos, > You will be pleased to hear that I have now made Exim work with GnuTLS > to my satisfaction. It passes my tests, so I have released the code to > the Exim community for anybody who wants to test it. There were a few Great news! > 1. I could not get gnutls_X509_extract_certificate_dn_string() to work. > I don't know what I was doing wrong, but I just got no data. In the end, > I used gnutls_X509_extract_certificate_dn() and formatted it myself. Did it returned an error code? Was the certificate a valid X.509 DER formated certificate? > 2. It seems that the library writes to file descriptor 2 (stderr) when > it hasn't got enough random bits. This seems to me to be a bad idea. > I don't think _any_ general library function should assume that file > descriptor 2 is attached to a useful debugging destination. (In fact, > Exim takes care to ensure that fd2 is opened to /dev/null because of > just this problem.) This is due to libgcrypt. I though it was solved in the latest version. > 3. OpenSSL has a feature whereby you can pass it a list of acceptable > cipher suites before starting the handshake; it will then use only > those cipher suites when negotiating. I passed this feature on in > Exim by an option called require_ciphers. As far as I can tell, the > only approximation with GnuTLS is to check the cipher after the > negotiation is complete - but if it's no good, the only thing you can > do is shut the session down, and that is not quite the same thing. > Is there something in GnuTLS that I am missing here? The only thing I can suggest here, is to use the gnutls' priority functions. That is break the cipher suites, to Key Exchange method, Cipher algorithm, and MAC, and the feed that to the priority functions. You could use a table like { "RC4-MD5", GNUTLS_KX_RSA, GNUTLS_CIPHER_ARCFOUR, GNUTLS_MAC_MD5 }. > 4. When investigating the cipher suites, I noticed that GnuTLS uses an > underscore between the components, whereas OpenSSL uses a hyphen. Is > there a standard for this? OpenSSL actually complains if you use an > underscore. For the moment, I have put in code to convert between > underscores and hyphens as necessary. Why does this cause problem? GnuTLS does not use the name of the cipher suites, anywhere (except for informational use -- ie print the name of the ciphersuite) > Regards, > Philip > -- > Philip Hazel University of Cambridge Computing Service, > ph10 at cus.cam.ac.uk Cambridge, England. Phone: +44 1223 334714. -- Nikos Mavroyanopoulos Email: nmav at gnutls org From nmav at gnutls.org Sat Nov 2 09:49:01 2002 From: nmav at gnutls.org (Nikos Mavroyanopoulos) Date: Sat Nov 2 09:49:01 2002 Subject: [gnutls-dev]Re: exim + gnutls In-Reply-To: <20021101180514.GA748@gnutls.org> References: <20021101180514.GA748@gnutls.org> Message-ID: <20021102084300.GA8800@gnutls.org> On Fri, Nov 01, 2002 at 08:05:14PM +0200, Nikos Mavroyanopoulos wrote: > > 1. I could not get gnutls_X509_extract_certificate_dn_string() to work. > > I don't know what I was doing wrong, but I just got no data. In the end, > > I used gnutls_X509_extract_certificate_dn() and formatted it myself. > Did it returned an error code? Was the certificate a valid X.509 DER formated > certificate? I think I've identified the problem. The new code in 0.5.11 (when released) should be ok. The problem should be in certificates that do not have all the elements of a gnutls_dn structure set. -- Nikos Mavroyanopoulos Email: nmav at gnutls org From nmav at gnutls.org Sat Nov 2 20:57:02 2002 From: nmav at gnutls.org (Nikos Mavroyanopoulos) Date: Sat Nov 2 20:57:02 2002 Subject: [gnutls-dev]Re: exim + gnutls In-Reply-To: References: <20021101180514.GA748@gnutls.org> Message-ID: <20021102193515.GA2040@gnutls.org> On Sat, Nov 02, 2002 at 04:00:19PM +0000, Philip Hazel wrote: > > > 4. When investigating the cipher suites, I noticed that GnuTLS uses an > > > underscore between the components, whereas OpenSSL uses a hyphen. Is > > > there a standard for this? OpenSSL actually complains if you use an > > > underscore. For the moment, I have put in code to convert between > > > underscores and hyphens as necessary. > > Why does this cause problem? > It doesn't cause a problem with GnuTLS. It only caused me a technical > problem because I have tests which I run with both GnuTLS and OpenSSL, > and OpenSSL doesn't like cipher names that contain underscores. > However, the culture difference might cause problems of understanding > for people that are swapping from one library to the other. That's why I > wondered if there was any standard. Well the only standard is rfc2246, which names ciphersuites as TLS_RSA_EXPORT_WITH_RC4_40_MD5. However gnutls, does not really use ciphersuites directly on the priority functions. That decision was because, at least for some programs, it's much easier, to set priorities on individual ciphers and key exchange methods, than having a large list of cipher suites to select from. > > Regards, > Philip > > -- > Philip Hazel University of Cambridge Computing Service, > ph10 at cus.cam.ac.uk Cambridge, England. Phone: +44 1223 334714. > -- Nikos Mavroyanopoulos Email: nmav at gnutls org From ph10 at cus.cam.ac.uk Sun Nov 3 10:29:01 2002 From: ph10 at cus.cam.ac.uk (Philip Hazel) Date: Sun Nov 3 10:29:01 2002 Subject: [gnutls-dev]Re: exim + gnutls In-Reply-To: <20021102084300.GA8800@gnutls.org> Message-ID: On Sat, 2 Nov 2002, Nikos Mavroyanopoulos wrote: > I think I've identified the problem. The new code in 0.5.11 (when released) > should be ok. The problem should be in certificates that do not > have all the elements of a gnutls_dn structure set. Good News. Thank you. -- Philip Hazel University of Cambridge Computing Service, ph10 at cus.cam.ac.uk Cambridge, England. Phone: +44 1223 334714. From ph10 at cus.cam.ac.uk Sun Nov 3 10:29:02 2002 From: ph10 at cus.cam.ac.uk (Philip Hazel) Date: Sun Nov 3 10:29:02 2002 Subject: [gnutls-dev]Re: exim + gnutls In-Reply-To: <20021101180514.GA748@gnutls.org> Message-ID: On Fri, 1 Nov 2002, Nikos Mavroyanopoulos wrote: > This is due to libgcrypt. I though it was solved in the latest version. I *thought* I installed the latest version. Anyway, it isn't actually a problem for Exim. > The only thing I can suggest here, is to use the gnutls' priority functions. > That is break the cipher suites, to Key Exchange method, Cipher algorithm, and > MAC, and the feed that to the priority functions. > You could use a table like { "RC4-MD5", GNUTLS_KX_RSA, GNUTLS_CIPHER_ARCFOUR, GNUTLS_MAC_MD5 }. Ah, I see how that might work now. Thanks. > > 4. When investigating the cipher suites, I noticed that GnuTLS uses an > > underscore between the components, whereas OpenSSL uses a hyphen. Is > > there a standard for this? OpenSSL actually complains if you use an > > underscore. For the moment, I have put in code to convert between > > underscores and hyphens as necessary. > > Why does this cause problem? It doesn't cause a problem with GnuTLS. It only caused me a technical problem because I have tests which I run with both GnuTLS and OpenSSL, and OpenSSL doesn't like cipher names that contain underscores. However, the culture difference might cause problems of understanding for people that are swapping from one library to the other. That's why I wondered if there was any standard. Regards, Philip -- Philip Hazel University of Cambridge Computing Service, ph10 at cus.cam.ac.uk Cambridge, England. Phone: +44 1223 334714. From nmav at gnutls.org Tue Nov 5 22:07:02 2002 From: nmav at gnutls.org (Nikos Mavroyanopoulos) Date: Tue Nov 5 22:07:02 2002 Subject: [gnutls-dev]gnutls 0.5.11 Message-ID: <20021105210101.GA15468@gnutls.org> gnutls 0.5.11 is out. Changes since 0.5.10: - Some fixes in 'gnutls-cli' client program to prevent some segmentation faults at exit. - Example programs found in the documentation can now be generated by running "make examples" in doc/tex directory. - Added more descriptive error strings, to gnutls_strerror(). - Documented error codes, and the function reference list is now sorted. - Optimized buffering code. - gnutls_x509_extract_certificate_dn_string() was rewritten. - Added GNUTLS_E_SHORT_MEMORY_BUFFER error code, which is returned in the case where the memory buffer provided is not long enough. - Depends on the new OpenCDK 0.3.2. -- Nikos Mavroyanopoulos Email: nmav at gnutls org From ivo at o2w.nl Wed Nov 6 00:00:01 2002 From: ivo at o2w.nl (Ivo Timmermans) Date: Wed Nov 6 00:00:01 2002 Subject: [gnutls-dev]gnutls 0.5.11 In-Reply-To: <20021105210101.GA15468@gnutls.org> References: <20021105210101.GA15468@gnutls.org> Message-ID: <20021105230108.GA20281@juarez> Nikos Mavroyanopoulos wrote: > - Depends on the new OpenCDK 0.3.2. This hasn't been released yet, AFAICS, or am I missing something? Also, the suggested URL for downloading it as given by the configure script is wrong: checking for libopencdk - version >= 0.3.2... no *** An old version of LIBOPENCDK (0.3.1) was found. *** You need a version of LIBOPENCDK newer than 0.3.2. The latest version of *** LIBOPENCDK is always available from ftp://ftp.gnupg.org/pub/libopencdk/gnupg. However, there is no such directory on that server. Ivo -- /* I can't stand it anymore! Please can't we just write the whole Unix system in lisp or something? */ - bash-2.02/unwind_prot.c From nmav at gnutls.org Wed Nov 6 13:56:02 2002 From: nmav at gnutls.org (Nikos Mavroyanopoulos) Date: Wed Nov 6 13:56:02 2002 Subject: [gnutls-dev]gnutls 0.5.11 In-Reply-To: <20021105230108.GA20281@juarez> References: <20021105210101.GA15468@gnutls.org> <20021105230108.GA20281@juarez> Message-ID: <20021106125047.GC21632@gnutls.org> On Wed, Nov 06, 2002 at 12:01:08AM +0100, Ivo Timmermans wrote: > > - Depends on the new OpenCDK 0.3.2. > This hasn't been released yet, AFAICS, or am I missing something? Oooops. I've released that before Timo released 0.3.2. I think that opencdk 0.3.2 will be available soon, but it's up to Timo! > Also, the suggested URL for downloading it as given by the configure > script is wrong: > checking for libopencdk - version >= 0.3.2... no [..] > However, there is no such directory on that server. Thanks, I've fixed that. > Ivo -- Nikos Mavroyanopoulos Email: nmav at gnutls org From twoaday at freakmail.de Wed Nov 6 22:46:02 2002 From: twoaday at freakmail.de (Timo Schulz) Date: Wed Nov 6 22:46:02 2002 Subject: [gnutls-dev]gnutls 0.5.11 In-Reply-To: <20021105230108.GA20281@juarez> References: <20021105210101.GA15468@gnutls.org> <20021105230108.GA20281@juarez> Message-ID: <20021106090401.GD915@daredevil.joesixpack.net> On Wed Nov 06 2002; 00:01, Ivo Timmermans wrote: > > - Depends on the new OpenCDK 0.3.2. > > This hasn't been released yet, AFAICS, or am I missing something? > Also, the suggested URL for downloading it as given by the configure > script is wrong: But the 0.3.2-cvs version is available and it should work if you get the code directly from the CVS. I didn't succeed to release the 0.3.2, but I will do this soon. And then, I will put a tarball in the right directory (ftp.gnutls.org/pub/gnutls/opencdk/) Timo From nmav at gnutls.org Tue Nov 26 12:32:01 2002 From: nmav at gnutls.org (Nikos Mavroyanopoulos) Date: Tue Nov 26 12:32:01 2002 Subject: [gnutls-dev]thoughts on the gnutls API Message-ID: <20021126112547.GA2998@gnutls.org> Hello, Currently the gnutls API is quite stabilized, although there are still some points that may need to be reconsidered. The gnutls api now includes, the required to handle TLS sessions, plus some limited functionality to parse X.509 and OpenPGP certificates. This was helpful at the begining where there was no GPL compatible library to handle certificates, but now I think that it is questionable if this is still needed. That is because libksba of project aegypten can now handle x.509 certificates and CRLs. So my current plan is to make all the x509 certificate handling stuff, wrap over the libksba, to avoid maintaining/generating duplicate code[0]. This will probably be in the next major release. Are there any suggestions or comments about that? [0]. And for advanced certificate handling, gnutls documentation will reference directly libksba, and opencdk for certificate handling. -- Nikos Mavroyanopoulos From andrew at mcdonald.org.uk Fri Nov 29 23:48:01 2002 From: andrew at mcdonald.org.uk (Andrew McDonald) Date: Fri Nov 29 23:48:01 2002 Subject: [gnutls-dev]thoughts on the gnutls API In-Reply-To: <20021126112547.GA2998@gnutls.org> References: <20021126112547.GA2998@gnutls.org> Message-ID: <20021129224852.GA744@mcdonald.org.uk> On Tue, Nov 26, 2002 at 01:25:47PM +0200, Nikos Mavroyanopoulos wrote: > > That is because libksba of project aegypten can now handle x.509 > certificates and CRLs. So my current plan is to make all the > x509 certificate handling stuff, wrap over the libksba, to avoid > maintaining/generating duplicate code[0]. This will probably be in > the next major release. Are there any suggestions or comments > about that? Basically sounds good, however, isn't libksba GPL? Wouldn't this stop non-GPL-compatible applications using gnutls under its current LGPL license? -- Andrew McDonald E-mail: andrew at mcdonald.org.uk http://www.mcdonald.org.uk/andrew/ From wk at gnupg.org Sat Nov 30 19:37:06 2002 From: wk at gnupg.org (Werner Koch) Date: Sat Nov 30 19:37:06 2002 Subject: [gnutls-dev]thoughts on the gnutls API In-Reply-To: <20021129224852.GA744@mcdonald.org.uk> (Andrew McDonald's message of "Fri, 29 Nov 2002 22:48:52 +0000") References: <20021126112547.GA2998@gnutls.org> <20021129224852.GA744@mcdonald.org.uk> Message-ID: <87n0nqsy5s.fsf@alberti.g10code.de> On Fri, 29 Nov 2002 22:48:52 +0000, Andrew McDonald said: > Basically sounds good, however, isn't libksba GPL? Wouldn't this stop > non-GPL-compatible applications using gnutls under its current LGPL Yep. And there are no plans to change it. Salam-Shalom, Werner From nmav at gnutls.org Sat Nov 30 21:13:01 2002 From: nmav at gnutls.org (Nikos Mavroyanopoulos) Date: Sat Nov 30 21:13:01 2002 Subject: [gnutls-dev]thoughts on the gnutls API In-Reply-To: <20021129224852.GA744@mcdonald.org.uk> References: <20021126112547.GA2998@gnutls.org> <20021129224852.GA744@mcdonald.org.uk> Message-ID: <20021130201242.GB10573@gnutls.org> On Fri, Nov 29, 2002 at 10:48:52PM +0000, Andrew McDonald wrote: > > x509 certificate handling stuff, wrap over the libksba, to avoid > > maintaining/generating duplicate code[0]. This will probably be in > > the next major release. Are there any suggestions or comments > > about that? > Basically sounds good, however, isn't libksba GPL? Wouldn't this stop > non-GPL-compatible applications using gnutls under its current LGPL > license? This is a problem. I didn't notice that at the begining. So, at least for the time being, there will be no effort to use libksba. > -- > Andrew McDonald > E-mail: andrew at mcdonald.org.uk > http://www.mcdonald.org.uk/andrew/ -- Nikos Mavroyanopoulos