From trapni at gentoo.org Fri Feb 4 19:22:57 2005 From: trapni at gentoo.org (Christian Parpart) Date: Fri, 4 Feb 2005 19:22:57 +0100 Subject: [Help-gnutls] ML-test Message-ID: <200502041923.02506.trapni@gentoo.org> ML-test. please ignore me :o) -- Netiquette: http://www.ietf.org/rfc/rfc1855.txt 19:22:23 up 98 days, 11:52, 1 user, load average: 0.33, 0.46, 0.39 From marlam at web.de Sat Feb 5 16:26:21 2005 From: marlam at web.de (Martin Lambers) Date: Sat, 5 Feb 2005 16:26:21 +0100 Subject: [Help-gnutls] Sending a client certificate Message-ID: <20050205152621.GA17559@cthulhu.lambers.home> I'm trying to send a client certificate when starting a TLS handshake with a server. Currently, I use the following steps (plus error checking, of course): gnutls_init(&session, GNUTLS_CLIENT); gnutls_set_default_priority(session); gnutls_certificate_allocate_credentials(&cred); gnutls_certificate_set_x509_key_file(cred, "cert_file.pem", "key_file.pem", GNUTLS_X509_FMT_PEM); gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cred); gnutls_transport_set_ptr(session, fd); gnutls_handshake(session); But this does not work; no client certificate is send. Are there more steps necessary? Am I missing something? I used both GnuTLS 1.0.17 and 1.2.0. Martin From nmav at gnutls.org Sat Feb 5 19:02:34 2005 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Sat, 5 Feb 2005 19:02:34 +0100 Subject: [Help-gnutls] Sending a client certificate In-Reply-To: <20050205152621.GA17559@cthulhu.lambers.home> References: <20050205152621.GA17559@cthulhu.lambers.home> Message-ID: <200502051902.34320.nmav@gnutls.org> On Saturday 05 February 2005 16:26, Martin Lambers wrote: > I'm trying to send a client certificate when starting a TLS handshake > with a server. Does the server request a certificate? If it doesn't then no matter if you specify one, it will not be used. Otherwise please attach the output of ssldump, or the debug output of level 3. > Martin -- Nikos Mavrogiannopoulos From marlam at web.de Sat Feb 5 19:47:15 2005 From: marlam at web.de (Martin Lambers) Date: Sat, 5 Feb 2005 19:47:15 +0100 Subject: [Help-gnutls] Sending a client certificate In-Reply-To: <200502051902.34320.nmav@gnutls.org> References: <20050205152621.GA17559@cthulhu.lambers.home> <200502051902.34320.nmav@gnutls.org> Message-ID: <20050205184715.GA17879@cthulhu.lambers.home> On Sat, 05. Feb 2005, 19:02:34 +0100, Nikos Mavrogiannopoulos wrote: > Does the server request a certificate? If it doesn't then no matter if > you specify one, it will not be used. Otherwise please attach the > output of ssldump, or the debug output of level 3. This is the level 3 debug output: GNUTLS DEBUG 3: HSK[8076ad0]: Keeping ciphersuite: RSA_AES_256_CBC_SHA GNUTLS DEBUG 3: HSK[8076ad0]: Keeping ciphersuite: RSA_AES_256_CBC_RMD GNUTLS DEBUG 3: HSK[8076ad0]: Keeping ciphersuite: RSA_AES_128_CBC_SHA GNUTLS DEBUG 3: HSK[8076ad0]: Keeping ciphersuite: RSA_AES_128_CBC_RMD GNUTLS DEBUG 3: HSK[8076ad0]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA GNUTLS DEBUG 3: HSK[8076ad0]: Keeping ciphersuite: RSA_3DES_EDE_CBC_RMD GNUTLS DEBUG 3: HSK[8076ad0]: Keeping ciphersuite: RSA_ARCFOUR_SHA GNUTLS DEBUG 3: HSK[8076ad0]: Keeping ciphersuite: RSA_ARCFOUR_MD5 GNUTLS DEBUG 3: HSK[8076ad0]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA GNUTLS DEBUG 3: HSK[8076ad0]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_RMD GNUTLS DEBUG 3: HSK[8076ad0]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA GNUTLS DEBUG 3: HSK[8076ad0]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_RMD GNUTLS DEBUG 3: HSK[8076ad0]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA GNUTLS DEBUG 3: HSK[8076ad0]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_RMD GNUTLS DEBUG 3: HSK[8076ad0]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA GNUTLS DEBUG 3: HSK[8076ad0]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA GNUTLS DEBUG 3: HSK[8076ad0]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_RMD GNUTLS DEBUG 3: HSK[8076ad0]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA GNUTLS DEBUG 3: HSK[8076ad0]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_RMD GNUTLS DEBUG 3: HSK[8076ad0]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA GNUTLS DEBUG 3: HSK[8076ad0]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_RMD GNUTLS DEBUG 3: HSK[8076ad0]: CLIENT HELLO was send [85 bytes] GNUTLS DEBUG 3: HSK[8076ad0]: SERVER HELLO was received [74 bytes] GNUTLS DEBUG 3: HSK[8076ad0]: Server's version: 3.1 GNUTLS DEBUG 3: HSK[8076ad0]: SessionID length: 32 GNUTLS DEBUG 3: HSK[8076ad0]: SessionID: a16c0704a2322071bf83669cbffb9f3bfdbfea6f5f34478669edae4468b3d09c GNUTLS DEBUG 3: HSK[8076ad0]: Selected cipher suite: RSA_AES_256_CBC_SHA GNUTLS DEBUG 2: ASSERT: gnutls_extensions.c:143 GNUTLS DEBUG 3: HSK[8076ad0]: CERTIFICATE was received [1454 bytes] GNUTLS DEBUG 3: HSK[8076ad0]: CERTIFICATE REQUEST was received [137 bytes] GNUTLS DEBUG 2: ASSERT: auth_cert.c:198 GNUTLS DEBUG 3: HSK[8076ad0]: SERVER HELLO DONE was received [4 bytes] GNUTLS DEBUG 3: HSK[8076ad0]: CERTIFICATE was send [7 bytes] GNUTLS DEBUG 3: HSK[8076ad0]: CLIENT KEY EXCHANGE was send [134 bytes] GNUTLS DEBUG 3: REC[8076ad0]: Sent ChangeCipherSpec GNUTLS DEBUG 3: HSK[8076ad0]: Cipher Suite: RSA_AES_256_CBC_SHA GNUTLS DEBUG 3: HSK[8076ad0]: Initializing internal [write] cipher sessions GNUTLS DEBUG 3: HSK[8076ad0]: FINISHED was send [16 bytes] GNUTLS DEBUG 3: HSK[8076ad0]: Cipher Suite: RSA_AES_256_CBC_SHA GNUTLS DEBUG 3: HSK[8076ad0]: Initializing internal [read] cipher sessions GNUTLS DEBUG 3: HSK[8076ad0]: FINISHED was received [16 bytes] GNUTLS DEBUG 2: ASSERT: dn.c:426 GNUTLS DEBUG 2: ASSERT: dn.c:426 GNUTLS DEBUG 2: ASSERT: dn.c:426 GNUTLS DEBUG 2: ASSERT: dn.c:358 GNUTLS DEBUG 2: ASSERT: dn.c:468 GNUTLS DEBUG 2: ASSERT: dn.c:426 GNUTLS DEBUG 2: ASSERT: dn.c:426 GNUTLS DEBUG 2: ASSERT: dn.c:426 GNUTLS DEBUG 2: ASSERT: dn.c:426 GNUTLS DEBUG 2: ASSERT: dn.c:358 GNUTLS DEBUG 2: ASSERT: dn.c:468 GNUTLS DEBUG 2: ASSERT: dn.c:426 GNUTLS DEBUG 2: ASSERT: dn.c:426 GNUTLS DEBUG 2: ASSERT: dn.c:426 GNUTLS DEBUG 2: ASSERT: verify.c:223 GNUTLS DEBUG 2: ASSERT: verify.c:333 GNUTLS DEBUG 2: ASSERT: gnutls_buffers.c:503 GNUTLS DEBUG 2: ASSERT: gnutls_record.c:795 From nmav at gnutls.org Sat Feb 5 21:27:06 2005 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Sat, 5 Feb 2005 21:27:06 +0100 Subject: [Help-gnutls] Sending a client certificate In-Reply-To: <20050205184715.GA17879@cthulhu.lambers.home> References: <20050205152621.GA17559@cthulhu.lambers.home> <200502051902.34320.nmav@gnutls.org> <20050205184715.GA17879@cthulhu.lambers.home> Message-ID: <200502052127.06342.nmav@gnutls.org> On Saturday 05 February 2005 19:47, Martin Lambers wrote: > On Sat, 05. Feb 2005, 19:02:34 +0100, Nikos Mavrogiannopoulos wrote: > > Does the server request a certificate? If it doesn't then no matter if > > you specify one, it will not be used. Otherwise please attach the > > output of ssldump, or the debug output of level 3. > > This is the level 3 debug output: > GNUTLS DEBUG 3: HSK[8076ad0]: CERTIFICATE was received [1454 bytes] > GNUTLS DEBUG 3: HSK[8076ad0]: CERTIFICATE REQUEST was received [137 bytes] > GNUTLS DEBUG 2: ASSERT: auth_cert.c:198 > GNUTLS DEBUG 3: HSK[8076ad0]: SERVER HELLO DONE was received [4 bytes] > GNUTLS DEBUG 3: HSK[8076ad0]: CERTIFICATE was send [7 bytes] So it seems you got a certificate request and the certificate gnutls select is empty. This might be because your certificate does not match the CAs advertized by the server. You can check the CAs advertized by the server by using gnutls-cli. If you want to override the server's request, and send anyway a certificate you have to use the retrieve[0] function as used in gnutls-cli (cli.c). [0]. gnutls_certificate_client_set_retrieve_function() -- Nikos Mavrogiannopoulos From regit at inl.fr Sun Feb 6 14:21:35 2005 From: regit at inl.fr (Eric Leblond) Date: Sun, 06 Feb 2005 14:21:35 +0100 Subject: [Help-gnutls] Sending a client certificate In-Reply-To: <20050205152621.GA17559@cthulhu.lambers.home> References: <20050205152621.GA17559@cthulhu.lambers.home> Message-ID: <1107696096.18092.1.camel@coati> Hi, I've got a related question about handling of passphrase protected certificate ? How can this be done ? BR On Sat, 2005-02-05 at 16:26 +0100, Martin Lambers wrote: > I'm trying to send a client certificate when starting a TLS handshake > with a server. > Currently, I use the following steps (plus error checking, of course): > > gnutls_init(&session, GNUTLS_CLIENT); > gnutls_set_default_priority(session); > gnutls_certificate_allocate_credentials(&cred); > gnutls_certificate_set_x509_key_file(cred, > "cert_file.pem", "key_file.pem", GNUTLS_X509_FMT_PEM); > gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cred); > gnutls_transport_set_ptr(session, fd); > gnutls_handshake(session); > > But this does not work; no client certificate is send. Are there more > steps necessary? Am I missing something? > > I used both GnuTLS 1.0.17 and 1.2.0. > > Martin > > > _______________________________________________ > Help-gnutls mailing list > Help-gnutls at gnu.org > http://lists.gnu.org/mailman/listinfo/help-gnutls From marlam at web.de Sun Feb 6 14:18:52 2005 From: marlam at web.de (Martin Lambers) Date: Sun, 6 Feb 2005 14:18:52 +0100 Subject: [Help-gnutls] Sending a client certificate In-Reply-To: <200502052127.06342.nmav@gnutls.org> References: <20050205152621.GA17559@cthulhu.lambers.home> <200502051902.34320.nmav@gnutls.org> <20050205184715.GA17879@cthulhu.lambers.home> <200502052127.06342.nmav@gnutls.org> Message-ID: <20050206131852.GA2798@cthulhu.lambers.home> On Sat, 05. Feb 2005, 21:27:06 +0100, Nikos Mavrogiannopoulos wrote: > So it seems you got a certificate request and the certificate gnutls > select is empty. This might be because your certificate does not match > the CAs advertized by the server. This was the problem. I did not know that GnuTLS sends the cert only if it matches the CAs advertized by the server. Thanks for your help! Martin From nmav at gnutls.org Sun Feb 6 14:59:30 2005 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Sun, 6 Feb 2005 14:59:30 +0100 Subject: [Help-gnutls] Sending a client certificate In-Reply-To: <1107696096.18092.1.camel@coati> References: <20050205152621.GA17559@cthulhu.lambers.home> <1107696096.18092.1.camel@coati> Message-ID: <200502061459.30886.nmav@gnutls.org> On Sunday 06 February 2005 14:21, Eric Leblond wrote: > Hi, > > I've got a related question about handling of passphrase protected > certificate ? > How can this be done ? You probably mean an encrypted private key. This can be done, if the key is stored in PKCS #8/12 format, so you only have to use the relevant pkcs8/12 functions to import it. Other formats like the pem encryption (i think this is rfc1421) are not supported. > BR -- Nikos Mavrogiannopoulos From jas at extundo.com Sun Feb 6 15:23:17 2005 From: jas at extundo.com (Simon Josefsson) Date: Sun, 06 Feb 2005 15:23:17 +0100 Subject: [Help-gnutls] Re: Sending a client certificate In-Reply-To: <1107696096.18092.1.camel@coati> (Eric Leblond's message of "Sun, 06 Feb 2005 14:21:35 +0100") References: <20050205152621.GA17559@cthulhu.lambers.home> <1107696096.18092.1.camel@coati> Message-ID: Eric Leblond writes: > Hi, > > I've got a related question about handling of passphrase protected > certificate ? > > How can this be done ? You can use `gnutls_pkcs12_bag_decrypt' to decrypt a PKCS#12 structure. There is more than one way to store protected keys and certificates, so if you aren't using PKCS#12, you need to tell us which format you want to use. Regards, Simon From trapni at gentoo.org Tue Feb 22 01:14:40 2005 From: trapni at gentoo.org (Christian Parpart) Date: Tue, 22 Feb 2005 01:14:40 +0100 (CET) Subject: [Help-gnutls] wildcarded certificates - *.foobar.org Message-ID: <3278.217.231.59.209.1109031280.squirrel@217.231.59.209> Hi, after I now know that wildcarded certificates SHALL be possible, by using *.foobar.org e.g. I got also told, that ALMOST no browser supports it. This actually isn't certtool/GnuTLS related anylonger but I'd like to finish up my mind in here anyway ;) So, do you know *any* browser supporting wildcarded CommonNames? best regards, Christian Parpart. From m at tthias.net Tue Feb 22 22:19:28 2005 From: m at tthias.net (Matthias Wimmer) Date: Tue, 22 Feb 2005 22:19:28 +0100 Subject: [Help-gnutls] wildcarded certificates - *.foobar.org In-Reply-To: <3278.217.231.59.209.1109031280.squirrel@217.231.59.209> References: <3278.217.231.59.209.1109031280.squirrel@217.231.59.209> Message-ID: <20050222211927.GA8083@false> Hi Christian! Christian Parpart schrieb am 2005-02-22 01:14:40: > after I now know that wildcarded certificates SHALL be possible, > by using *.foobar.org e.g. I got also told, that ALMOST no browser > supports it. This actually isn't certtool/GnuTLS related anylonger > but I'd like to finish up my mind in here anyway ;) > > So, do you know *any* browser supporting wildcarded CommonNames? Any browser I tested yet supports them ... Tot kijk Matthias -- Fon: +49-(0)70 0770 07770 http://web.amessage.info Fax: +49-(0)89 312 88 654 xmpp:mawis at amessage.info -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: Digital signature URL: From bronson at rinspin.com Sat Feb 26 12:05:53 2005 From: bronson at rinspin.com (Scott Bronson) Date: Sat, 26 Feb 2005 03:05:53 -0800 Subject: [Help-gnutls] How to turn off optimization Message-ID: <200502260305.54041.bronson@rinspin.com> I want to compile gnutls without any compiler optimizations. How do I do this? There's no parameter to control optimization in the configuration file Deleteing the 3 occurrences of O2 from the config file doesn't work. ./configure CFLAGS=-O0 doesn't work (it appends -O2 after -O0). CFLAGS=-O0 ./configure doesn't work. ./configure --disable-optimization doesn't work. ... etc. I'm out of ideas. Can anyone give me a hint? Thanks, - Scott