From jas at extundo.com Fri Dec 10 12:25:58 2004 From: jas at extundo.com (Simon Josefsson) Date: Fri, 10 Dec 2004 12:25:58 +0100 Subject: [gnutls-dev] libtasn1 0.2.11 Message-ID: Build logs at: http://josefsson.org/autobuild-logs/gnutls.html#libtasn1-0.2.11 Here are the compressed sources: ftp://ftp.gnutls.org/pub/gnutls/libtasn1/libtasn1-0.2.11.tar.gz (536KB) http://josefsson.org/gnutls/releases/libtasn1/libtasn1-0.2.11.tar.gz (536KB) Here are GPG detached signatures using key 0xB565716F: ftp://ftp.gnutls.org/pub/gnutls/libtasn1/libtasn1-0.2.11.tar.gz.sig http://josefsson.org/gnutls/releases/libtasn1/libtasn1-0.2.11.tar.gz.sig Here are the SHA-1 checksums: 0924a7d3fa35c3d68d172d355994ba23c62060ce libtasn1-0.2.11.tar.gz ef4d33c5cff35d99670ddf1c26d89cfdea776db7 libtasn1-0.2.11.tar.gz.sig Noteworthy changes since the last release: - Added the self test with "make check" target - Added management of ANY type with null length - Corrected some writes to invalid data. From jas at extundo.com Fri Dec 10 17:48:33 2004 From: jas at extundo.com (Simon Josefsson) Date: Fri, 10 Dec 2004 17:48:33 +0100 Subject: [gnutls-dev] libtasn1 0.2.12 Message-ID: - Manual converted to Texinfo format. - Manual in GTK-DOC and DevHelp formats added. - Man pages for all functions added. - Various internal cleanups. Manual in many formats: http://josefsson.org/gnutls/manual/libtasn1/ Build logs at: http://josefsson.org/autobuild-logs/gnutls.html#libtasn1-0.2.12 Here are the compressed sources: ftp://ftp.gnutls.org/pub/gnutls/libtasn1/libtasn1-0.2.12.tar.gz (860KB) http://josefsson.org/gnutls/releases/libtasn1/libtasn1-0.2.12.tar.gz (860KB) Here are GPG detached signatures using key 0xB565716F: ftp://ftp.gnutls.org/pub/gnutls/libtasn1/libtasn1-0.2.12.tar.gz.sig http://josefsson.org/gnutls/releases/libtasn1/libtasn1-0.2.12.tar.gz.sig Here are the SHA-1 checksums: f8491cf236a5d5e0fd6acac9887c6b80889af453 libtasn1-0.2.12.tar.gz 2a4ab2145ef4a804f0c20292b3471b4e3a592a45 libtasn1-0.2.12.tar.gz.sig From ametzler at downhill.at.eu.org Tue Dec 14 12:03:21 2004 From: ametzler at downhill.at.eu.org (Andreas Metzler) Date: Tue, 14 Dec 2004 12:03:21 +0100 Subject: [gnutls-dev] gnutls_rsa_params_init hangs. Is regenerating rsa-params once a day to frequent? Message-ID: <20041214110321.GC2382@downhill.at.eu.org> Hello, exim4 uses gnutls for TLS/SSL and we (on Debian) have chosen to configure it to regenerate rsa and dh params once a day. However promptly after this change we received a bug-report[1] telling us that exim just hang. Further analysis showed that gnutls_rsa_params_generate2(rsa_params, 512); got stuck on his system, waiting indefinitely for new data to appear in /dev/random. I am a little bit at loss on how to deal with this. Is "once a day" too frequent as a default value? Can (Should) gnutls_rsa_params_generate2 deal more gracefully with systems with little data in /dev/random (by using urandom after a timeout or supporting alternative entropy gathering devices?) Is exim faulty for running gnutls_rsa_params_generate2 while handling an incoming connection? (Not faulty as in in "not optimal" but as in "the stupiest idea I've ever heard of, everybody using gnutls seriously knows that you put running gnutls_rsa_params_generate2 in a separate little thread/program") The bug submitter is running Linux kernel 2.6.8-something if that is of any help. thanks, cu andreas [1] . -- "See, I told you they'd listen to Reason," [SPOILER] Svfurlr fnlf, fuhggvat qbja gur juveyvat tha. Neal Stephenson in "Snow Crash" -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature URL: From jas at extundo.com Tue Dec 14 16:09:21 2004 From: jas at extundo.com (Simon Josefsson) Date: Tue, 14 Dec 2004 16:09:21 +0100 Subject: [gnutls-dev] Re: gnutls_rsa_params_init hangs. Is regenerating rsa-params once a day to frequent? References: <20041214110321.GC2382@downhill.at.eu.org> Message-ID: Andreas Metzler writes: > Hello, Hi. > exim4 uses gnutls for TLS/SSL and we (on Debian) have chosen to > configure it to regenerate rsa and dh params once a day. However > promptly after this change we received a bug-report[1] telling us that > exim just hang. Further analysis showed that > > gnutls_rsa_params_generate2(rsa_params, 512); > > got stuck on his system, waiting indefinitely for new data to appear > in /dev/random. > > I am a little bit at loss on how to deal with this. Is "once a day" > too frequent as a default value? I don't think so. > Can (Should) gnutls_rsa_params_generate2 deal more gracefully with > systems with little data in /dev/random (by using urandom after a > timeout or supporting alternative entropy gathering devices?) Yes, ideally. This was suggested recently, and as a consequence TODO now reads: - Add progress handler gnutls_{dh,rsa}_params_generate2, to allow application to give progress feedback to user. - Support non-blocking gnutls_{dh,rsa}_params_generate2 for when there is not enough entropy available. If someone wants to work on this, that would be useful... > Is exim faulty for running gnutls_rsa_params_generate2 while handling > an incoming connection? (Not faulty as in in "not optimal" but as in > "the stupiest idea I've ever heard of, everybody using gnutls seriously > knows that you put running gnutls_rsa_params_generate2 in a separate > little thread/program") I wouldn't say faulty, but as you suggest, it may be sub-optimal. You could have a stand-alone program that generate dh/rsa parameters, save the data to a file and ask the main process to re-load its data. Or use a separate thread. I suspect the manual should discuss this problem. Thanks, Simon From ametzler at downhill.at.eu.org Wed Dec 15 08:11:00 2004 From: ametzler at downhill.at.eu.org (Andreas Metzler) Date: Wed, 15 Dec 2004 08:11:00 +0100 Subject: [gnutls-dev] Re: gnutls_rsa_params_init hangs. Is regenerating rsa-params once a day to frequent? In-Reply-To: References: <20041214110321.GC2382@downhill.at.eu.org> Message-ID: <20041215071100.GA3411@downhill.at.eu.org> On 2004-12-14 Simon Josefsson wrote: > Andreas Metzler writes: [...] > > gnutls_rsa_params_generate2(rsa_params, 512); > > got stuck on his system, waiting indefinitely for new data to appear > > in /dev/random. > > I am a little bit at loss on how to deal with this. Is "once a day" > > too frequent as a default value? > I don't think so. Fine. [hopes for the future] > > Is exim faulty for running gnutls_rsa_params_generate2 while handling > > an incoming connection? (Not faulty as in in "not optimal" but as in > > "the stupiest idea I've ever heard of, everybody using gnutls seriously > > knows that you put running gnutls_rsa_params_generate2 in a separate > > little thread/program") > I wouldn't say faulty, but as you suggest, it may be sub-optimal. You > could have a stand-alone program that generate dh/rsa parameters, save > the data to a file and ask the main process to re-load its data. Or > use a separate thread. [...] Thanks for the information. This should be easy to do, as exim's processes are short lived there is no need for complicated communication, asking proccesses to reload data. thanks, cu andreas -- "See, I told you they'd listen to Reason," [SPOILER] Svfurlr fnlf, fuhggvat qbja gur juveyvat tha. Neal Stephenson in "Snow Crash" From nmav at gnutls.org Wed Dec 15 18:14:06 2004 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Wed, 15 Dec 2004 18:14:06 +0100 Subject: [gnutls-dev] Re: gnutls_rsa_params_init hangs. Is regenerating rsa-params once a day to frequent? In-Reply-To: References: <20041214110321.GC2382@downhill.at.eu.org> Message-ID: <200412151814.06971.nmav@gnutls.org> On Tuesday 14 December 2004 16:09, Simon Josefsson wrote: > > Is exim faulty for running gnutls_rsa_params_generate2 while handling > > an incoming connection? (Not faulty as in in "not optimal" but as in > > "the stupiest idea I've ever heard of, everybody using gnutls seriously > > knows that you put running gnutls_rsa_params_generate2 in a separate > > little thread/program") > I wouldn't say faulty, but as you suggest, it may be sub-optimal. You > could have a stand-alone program that generate dh/rsa parameters, save > the data to a file and ask the main process to re-load its data. Or > use a separate thread. In addition certtool can generate parameters by using: 1. for DH: ./certtool --generate-dh-params --bits 1024 --outfile dhfile 2. for RSA 512: ./certtool --generate-privkey --bits 512 --outfile rsafile You can easily import the output of certtool to any program by using the gnutls_dh_params_import_pkcs3() and gnutls_rsa_params_import_pkcs1() functions. -- Nikos Mavrogiannopoulos From nmav at gnutls.org Wed Dec 15 18:20:19 2004 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Wed, 15 Dec 2004 18:20:19 +0100 Subject: [gnutls-dev] Re: gnutls_rsa_params_init hangs. Is regenerating rsa-params once a day to frequent? In-Reply-To: <200412151814.06971.nmav@gnutls.org> References: <20041214110321.GC2382@downhill.at.eu.org> <200412151814.06971.nmav@gnutls.org> Message-ID: <200412151820.19627.nmav@gnutls.org> On Wednesday 15 December 2004 18:14, Nikos Mavrogiannopoulos wrote: > In addition certtool can generate parameters by using: > 1. for DH: ./certtool --generate-dh-params --bits 1024 --outfile dhfile Actually if the DH parameters are generated every one or two days there is no real reason to use 1024 bits. 768 might be better since it will speed up the handshake. -- Nikos Mavrogiannopoulos From jas at extundo.com Wed Dec 15 20:09:12 2004 From: jas at extundo.com (Simon Josefsson) Date: Wed, 15 Dec 2004 20:09:12 +0100 Subject: [gnutls-dev] libtasn1 0.2.13 Message-ID: - Version number in libtasn1.h updated properly. Manual in many formats: http://josefsson.org/gnutls/manual/libtasn1/ Build logs at: http://josefsson.org/autobuild-logs/gnutls.html#libtasn1-0.2.13 Here are the compressed sources: ftp://ftp.gnutls.org/pub/gnutls/libtasn1/libtasn1-0.2.13.tar.gz (860KB) http://josefsson.org/gnutls/releases/libtasn1/libtasn1-0.2.13.tar.gz (860KB) Here are GPG detached signatures using key 0xB565716F: ftp://ftp.gnutls.org/pub/gnutls/libtasn1/libtasn1-0.2.13.tar.gz.sig http://josefsson.org/gnutls/releases/libtasn1/libtasn1-0.2.13.tar.gz.sig Here are the SHA-1 checksums: 286d6592393edd6e0fef0badffac568000fe816d libtasn1-0.2.13.tar.gz 05a948721021e62ca18fa8c33a352af0e2065465 libtasn1-0.2.13.tar.gz.sig