From jas at extundo.com Sun Jul 3 02:47:22 2005
From: jas at extundo.com (Simon Josefsson)
Date: Sun, 03 Jul 2005 02:47:22 +0200
Subject: [Help-gnutls] GnuTLS 1.2.5
Message-ID:

We are pleased to announce the availability of GnuTLS version 1.2.5!

GnuTLS is a modern C library that implements the standard network
security protocol Transport Layer Security (TLS), for use by network
applications.

Strategically, I'll be away hiking in Romania for the next week, so if
there is anything wrong with this release, it may be some time before
it can be corrected.

Noteworthy changes since version 1.2.4:
- More builddir != srcdir fixes, reported by Mike Castle .
- Fixed off-by-one bug in the size parameter of gnutls_x509_crt_get*_dn,
  reported by Adam Langley .
- Corrected some stuff in minilzo detection. Pointed out by Sergey Lipnevich.
- MiniLZO updated to version 2.00.
- gnutls_x509_crt_list_import now accepts a DER formatted CRL.
- API and ABI modifications: No changes since last version.

Improving GnuTLS is costly, but you can help! We are looking for
organizations that find GnuTLS useful and wish to contribute back.
You can contribute by reporting bugs, improving the software, or
donating money or equipment.

Commercial support contracts for GnuTLS are available, and they help
finance continued maintenance. Simon Josefsson Datakonsult, a
Stockholm based privately held company, is currently funding GnuTLS
maintenance. We are always looking for interesting development
projects.

If you need help to use GnuTLS, or want to help others, you are
invited to join our help-gnutls mailing list, see: .
The project page of the library is available at:
  http://www.gnutls.org/
  http://www.gnu.org/software/gnutls/
  http://josefsson.org/gnutls/ (updated fastest)

Here are the compressed sources:
  http://josefsson.org/gnutls/releases/gnutls-1.2.5.tar.bz2 (2.4MB)
  ftp://ftp.gnutls.org/pub/gnutls/devel/gnutls-1.2.5.tar.bz2 (2.4MB)

Here are GPG detached signatures signed using key 0xB565716F:
  http://josefsson.org/gnutls/releases/gnutls-1.2.5.tar.bz2.sig
  ftp://ftp.gnutls.org/pub/gnutls/devel/gnutls-1.2.5.tar.bz2.sig

Here are the build reports for various platforms:
  http://josefsson.org/autobuild-logs/gnutls.html

Here are the MD5/SHA1 checksums:

73aa29593327d7e4d561cee5cd39cf6d gnutls-1.2.5.tar.bz2
976dfd61390989e96a67f9caddd9f1b9 gnutls-1.2.5.tar.bz2.sig
d7db76d3e4580758f97eb1ecfdf7d5786ce52cd1 gnutls-1.2.5.tar.bz2
9a1404283f2d6188664e9fc66d86e04b0dafea5d gnutls-1.2.5.tar.bz2.sig

Enjoy,
Nikos and Simon

From paul44441 at comcast.net Sun Jul 10 13:43:01 2005
From: paul44441 at comcast.net (paul)
Date: Sun, 10 Jul 2005 19:43:01 +0800
Subject: [Help-gnutls] Question About GPL Software Development
Message-ID:

We are developing a piece of software which we would like to release
under the GPL. The only problem is we do not have exclusive rights to
some of the icons and artwork we have for the program. Is it possible
to release the software/source code itself as gpl but not the icons
and artwork in the program?

From jas at extundo.com Tue Jul 12 11:28:21 2005
From: jas at extundo.com (Simon Josefsson)
Date: Tue, 12 Jul 2005 11:28:21 +0200
Subject: [Help-gnutls] Re: Question About GPL Software Development
In-Reply-To: (paul's message of "Sun, 10 Jul 2005 19:43:01 +0800")
References:
Message-ID:

paul writes:

> We are developing a piece of software which we would like to release under
> the GPL. The only problem is we do not have exclusive rights to some of the
> icons and artwork we have for the program.
> Is it possible to release the
> software/source code itself as gpl but not the icons and artwork in the
> program?

I believe so.

Note that this mailing list is about GNU TLS, a network security
package. The mailing list is not about GNU or GPL in general. You
might get better answers elsewhere, perhaps including legal at gnu.org.

Cheers,
Simon

From regit at inl.fr Tue Jul 12 17:15:05 2005
From: regit at inl.fr (Regit)
Date: Tue, 12 Jul 2005 17:15:05 +0200
Subject: [Help-gnutls] gnutls and non blocking socket
Message-ID: <1121181305.2224.11.camel@localhost.localdomain>

Hi,

I've got a question about how gnutls works with non-blocking socket and
with socket that reach timeout.

In the file lib/gnutls_buffers.c around line 243 there is no special
case for errno==EAGAIN and i=-1.

But man page of recv says :
   If no messages are available at the socket, the receive calls wait
   for a message to arrive, unless the socket is nonblocking (see
   fcntl(2)) in which case the value -1 is returned and the external
   variable errno set to EAGAIN.

Is it correct that we should rather leave cleanly in this case as this
is not an error case but a waited behaviour ?

BR,
--
Éric Leblond, eleblond at inl.fr
Telephone: 01 44 89 46 40, Fax: 01 44 89 45 01
INL, http://www.inl.fr

From nmav at gnutls.org Tue Jul 12 18:18:26 2005
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Tue, 12 Jul 2005 18:18:26 +0200
Subject: [Help-gnutls] gnutls and non blocking socket
In-Reply-To: <1121181305.2224.11.camel@localhost.localdomain>
References: <1121181305.2224.11.camel@localhost.localdomain>
Message-ID: <42D3ED52.8010603@gnutls.org>

Regit wrote:
> Hi,
>
> I've got a question about how gnutls works with non-blocking socket and
> with socket that reach timeout.
>
> In the file lib/gnutls_buffers.c around line 243 there is no special
> case for errno==EAGAIN and i=-1.

As far as I can see (if you mean in the function _gnutls_read()) there is.
It checks whether i is less than zero and then checks whether errno is
EAGAIN or EINTR.

From regit at inl.fr Wed Jul 13 10:47:27 2005
From: regit at inl.fr (Regit)
Date: Wed, 13 Jul 2005 10:47:27 +0200
Subject: [Help-gnutls] gnutls and non blocking socket
In-Reply-To: <42D3ED52.8010603@gnutls.org>
References: <1121181305.2224.11.camel@localhost.localdomain> <42D3ED52.8010603@gnutls.org>
Message-ID: <1121244447.3739.5.camel@localhost.localdomain>

On Tuesday 12 July 2005 at 18:18 +0200, Nikos Mavrogiannopoulos wrote:
> Regit wrote:
> > Hi,
> As far as I can see (if you mean in the function _gnutls_read()) there is.
> It checks whether i is less than zero and then checks whether errno is
> EAGAIN or EINTR.

Ok, I give some explanation of my problem :
Under windows (as it is not implemented under Linux) I've created a
socket with a RECV timeout.
I do a gnutls_record_recv on a TLS session built over the socket.
When the timeout expires, I try to send a packet with gnutls_record_send
on that TLS session. The point is that at this moment gnutls_record_send
always fails sending a -10 error (TLS session not correct).
I may have looked in the bad place in the code but it seems that there's a
problem anyway.

BR,
--
Éric Leblond, eleblond at inl.fr
Telephone: 01 44 89 46 40, Fax: 01 44 89 45 01
INL, http://www.inl.fr

From nmav at gnutls.org Wed Jul 13 18:17:58 2005
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Wed, 13 Jul 2005 18:17:58 +0200
Subject: [Help-gnutls] gnutls and non blocking socket
In-Reply-To: <1121244447.3739.5.camel@localhost.localdomain>
References: <1121181305.2224.11.camel@localhost.localdomain> <42D3ED52.8010603@gnutls.org> <1121244447.3739.5.camel@localhost.localdomain>
Message-ID: <42D53EB6.3000309@gnutls.org>

Regit wrote:
> Ok, I give some explanation of my problem :
> Under windows (as it is not implemented under Linux) I've created a
> socket with a RECV timeout.
> I do a gnutls_record_recv on a TLS session built over the socket.
> When the timeout expires, I try to send a packet with gnutls_record_send
> on that TLS session. The point is that at this moment gnutls_record_send
> always fails sending a -10 error (TLS session not correct).
> I may have looked in the bad place in the code but it seems that there's a
> problem anyway.

I don't think there is. Most probably you are using SO_RCVTIMEO to
setsockopt, so you get something different as errno than EAGAIN or
EINTR. This is like a BSD extension and I don't know if this can be
handled by gnutls in a portable way. As a quick hack you could make
a wrapper over recv() and return EINTR or EAGAIN when you get the
timeout errno code.

Nikos

From jas at extundo.com Sat Jul 16 14:31:50 2005
From: jas at extundo.com (Simon Josefsson)
Date: Sat, 16 Jul 2005 14:31:50 +0200
Subject: [Help-gnutls] Libtasn1 0.2.14 - Tiny ASN.1 Library
Message-ID:

All, today is a rainy day, so I decided to roll a new Libtasn1
release, and created a web page for it, to maybe attract more users.

Libtasn1 is a standalone library written in C for manipulating ASN.1
objects including DER encoding and DER decoding. It is used by GnuTLS
to manipulate X.509 objects and by GNU Shishi to handle Kerberos
packets, and possibly by other projects too.

Commercial support contracts for Libtasn1 are available, and they help
finance continued maintenance. Simon Josefsson Datakonsult, a
Stockholm based privately held company, is currently funding Libtasn1
maintenance. We are always looking for interesting development
projects.

If you need help to use Libtasn1, or want to help others, you are
invited to join our help-gnutls mailing list, see: .

Version 0.2.14
- Some build fixes.
- Pkg-config script 'libtasn1.pc' added.
- Postal address to FSF in license updated.
Homepage:
  http://josefsson.org/libtasn1/

Manual in many formats:
  http://josefsson.org/gnutls/manual/libtasn1/

Here are the compressed sources:
  ftp://ftp.gnutls.org/pub/gnutls/libtasn1/libtasn1-0.2.14.tar.gz (864KB)
  http://josefsson.org/gnutls/releases/libtasn1/libtasn1-0.2.14.tar.gz (864KB)

Here are GPG detached signatures using key 0xB565716F:
  ftp://ftp.gnutls.org/pub/gnutls/libtasn1/libtasn1-0.2.14.tar.gz.sig
  http://josefsson.org/gnutls/releases/libtasn1/libtasn1-0.2.14.tar.gz.sig

CVS web interface to the source code:
  http://josefsson.org/cgi-bin/viewcvs.cgi/libtasn1/?root=gnupg-mirror

Here are the MD5/SHA-1 checksums:

e5291d6f26a04d1ebef381861de30c53 libtasn1-0.2.14.tar.gz
c7e8721afd080115e2fa1b315caa10e6 libtasn1-0.2.14.tar.gz.sig
7e1aa2ca437318b3ff2f140b634c5e1d83fc2532 libtasn1-0.2.14.tar.gz
3ffbff6856ec2d5df49f23be47b1cf3099e10ecf libtasn1-0.2.14.tar.gz.sig

From marlam at web.de Sat Jul 16 14:53:55 2005
From: marlam at web.de (Martin Lambers)
Date: Sat, 16 Jul 2005 14:53:55 +0200
Subject: [Help-gnutls] gnutls and non blocking socket
In-Reply-To: <42D53EB6.3000309@gnutls.org>
References: <1121181305.2224.11.camel@localhost.localdomain> <42D3ED52.8010603@gnutls.org> <1121244447.3739.5.camel@localhost.localdomain> <42D53EB6.3000309@gnutls.org>
Message-ID: <20050716125355.GA13046@cthulhu.lambers.home>

On Wed, 13. Jul 2005, 18:17:58 +0200, Nikos Mavrogiannopoulos wrote:
> >Ok, I give some explanation of my problem :
> >Under windows (as it is not implemented under Linux) I've created a
> >socket with a RECV timeout.
> >I do a gnutls_record_recv on a TLS session built over the socket.
> >When the timeout expires, I try to send a packet with gnutls_record_send
> >on that TLS session. The point is that at this moment gnutls_record_send
> >always fails sending a -10 error (TLS session not correct).
>
> >I may have looked in the bad place in the code but it seems that there's a
> >problem anyway.
>
> I don't think there is.
> Most probably you are using SO_RCVTIMEO to
> setsockopt, so you get something different as errno than EAGAIN or
> EINTR. This is like a BSD extension and I don't know if this can be
> handled by gnutls in a portable way. As a quick hack you could make
> a wrapper over recv() and return EINTR or EAGAIN when you get the
> timeout errno code.

As far as I know, EAGAIN is the errno return code of recv() when a
SO_RCVTIMEO timeout expires (and similar for SO_SNDTIMEO and send()),
and gnutls_record_recv() and gnutls_record_send() pass this through by
returning GNUTLS_E_AGAIN.

According to the Windows setsockopt() documentation at
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winsock/winsock/setsockopt_2.asp
there are two problems with using SO_*TIMEO on Windows:
1. They don't work correctly on systems older than Windows 2000.
2. The socket is unusable once a timeout occurs. (Which means they don't
   work correctly even on Windows 2000 and newer). This is probably the
   cause of the "TLS session not correct" error.

Martin

From jas at extundo.com Sat Jul 16 15:37:27 2005
From: jas at extundo.com (Simon Josefsson)
Date: Sat, 16 Jul 2005 15:37:27 +0200
Subject: [Help-gnutls] GnuTLS 1.2.6
Message-ID:

We are pleased to announce the availability of GnuTLS version 1.2.6!

GnuTLS is a modern C library that implements the standard network
security protocol Transport Layer Security (TLS), for use by network
applications.

The LZO related changes in version 1.2.5 did not work for several
people, hence this brown paper-bag release to address that. This
release has been tested on systems with lzo2 and lzo1, with only lzo2,
with only lzo1, and finally on systems that lack both lzo2 and lzo1
(thus using the embedded minilzo). However, there may still be
problems in this area.
I'd also like to mention (for those who may have missed it) that
Libtasn1, the standalone ASN.1 library used by GnuTLS and other
projects, is a separate product with its own release cycle and full
support. Today I released 0.2.14 of it, see:

  http://josefsson.org/libtasn1/
  http://news.gmane.org/find-root.php?message_id=%3cilumzonlyo9.fsf%40latte.josefsson.org%3e

Noteworthy changes since version 1.2.5:
- MiniLZO updated to version 2.01 and moved to separate directory.
- Collision between system LZO header files and MiniLZO header file fixed,
  reported by Matthias Urlichs .
- Will now test for liblzo functionality in liblzo2 too,
  reported by Thomas Klausner .
- Minilibtasn1 is now 0.2.14 (no code changes).
- Some code changes to avoid GTK-DOC warnings.
- API and ABI modifications: No changes since last version.

Improving GnuTLS is costly, but you can help! We are looking for
organizations that find GnuTLS useful and wish to contribute back.
You can contribute by reporting bugs, improving the software, or
donating money or equipment.

Commercial support contracts for GnuTLS are available, and they help
finance continued maintenance. Simon Josefsson Datakonsult, a
Stockholm based privately held company, is currently funding GnuTLS
maintenance. We are always looking for interesting development
projects.

If you need help to use GnuTLS, or want to help others, you are
invited to join our help-gnutls mailing list, see: .
The project page of the library is available at:
  http://www.gnutls.org/
  http://www.gnu.org/software/gnutls/
  http://josefsson.org/gnutls/ (updated fastest)

Here are the compressed sources:
  http://josefsson.org/gnutls/releases/gnutls-1.2.6.tar.bz2 (2.4MB)
  ftp://ftp.gnutls.org/pub/gnutls/devel/gnutls-1.2.6.tar.bz2 (2.4MB)

Here are GPG detached signatures signed using key 0xB565716F:
  http://josefsson.org/gnutls/releases/gnutls-1.2.6.tar.bz2.sig
  ftp://ftp.gnutls.org/pub/gnutls/devel/gnutls-1.2.6.tar.bz2.sig

Here are the build reports for various platforms:
  http://josefsson.org/autobuild-logs/gnutls.html

Here are the MD5/SHA1 checksums:

a9aeaf687e40b6b27df51fac9d3315ff gnutls-1.2.6.tar.bz2
dbae7eddde9ea02d6fe1da55fa558e3a gnutls-1.2.6.tar.bz2.sig
b9bba9447e3863236d153720ae875da2b29b1309 gnutls-1.2.6.tar.bz2
ea3ee35fa3b7f65e27355dab8e6acf036ac04a89 gnutls-1.2.6.tar.bz2.sig

Enjoy,
Nikos and Simon

From javi at productshome.com Tue Jul 19 15:23:51 2005
From: javi at productshome.com (Fco .J. Arias)
Date: Tue, 19 Jul 2005 15:23:51 +0200
Subject: [Help-gnutls] Thinking in public
Message-ID: <1121779431.3512.25.camel@localhost>

Hello,
I've been testing gnutls for some time, and only see these problems (no bugs).
- With option --template <> in certtool, fields without value are
  generated blank.
- Certtool does not accept all fields needed to generate a certificate on
  the command line.
- Strange syntax of certtool, --load-request --infile
- Little information is printed by the program to the user, and while the
  user is learning gnutls syntax incorrect certificates can be generated.

For these reasons, making a CA is difficult for a normal user.
Scripts like this can't solve this problem:
> #generate a user CA signed certificate.
> PASS="lula"
> certtool -p > new-user.key
> # Use --load-request or --infile ?
> certtool -q --outfile new-user.csr --load-privkey new-user.key --password $PASS --template certtool.cfg
> #certtool -q --outfile new-user.csr --to-p12 --load-privkey new-user.key --password $PASS
> certtool -c --load-request new-user.csr --outfile new-user.crt --load-ca-certificate ca.crt --load-ca-privkey ca.key --load-privkey new-user.key --password $PASS
> certtool --load-certificate new-user.crt --load-privkey new-user.key --to-p12 --outder --outfile new-user.p12
> certtool --p12-info --infile new-user.p12 --inder --password $PASS

Is it a good idea to modify certtool?
Can it be a good idea to make an executable to manage a non-professional
simple Certificate Authority?

Should I modify certtool?

Thanks for your time...
--
Fco .J. Arias

From jas at extundo.com Tue Jul 19 17:08:17 2005
From: jas at extundo.com (Simon Josefsson)
Date: Tue, 19 Jul 2005 17:08:17 +0200
Subject: [Help-gnutls] Re: Thinking in public
In-Reply-To: <1121779431.3512.25.camel@localhost> (Fco's message of "Tue, 19 Jul 2005 15:23:51 +0200")
References: <1121779431.3512.25.camel@localhost>
Message-ID:

"Fco .J. Arias" writes:

> Hello,
> I've been testing gnutls for some time, and only see these problems (no bugs).
> - With option --template <> in certtool, fields without value are
>   generated blank.
> - Certtool does not accept all fields needed to generate a certificate on
>   the command line.
> - Strange syntax of certtool, --load-request --infile
> - Little information is printed by the program to the user, and while the
>   user is learning gnutls syntax incorrect certificates can be generated.

Right. Certtool appears to be somewhat hastily written.

> For these reasons, making a CA is difficult for a normal user.
> Scripts like this can't solve this problem:
>> #generate a user CA signed certificate.
>> PASS="lula"
>> certtool -p > new-user.key
>> # Use --load-request or --infile ?
>> certtool -q --outfile new-user.csr --load-privkey new-user.key --password $PASS --template certtool.cfg
>> #certtool -q --outfile new-user.csr --to-p12 --load-privkey new-user.key --password $PASS
>> certtool -c --load-request new-user.csr --outfile new-user.crt --load-ca-certificate ca.crt --load-ca-privkey ca.key --load-privkey new-user.key --password $PASS
>> certtool --load-certificate new-user.crt --load-privkey new-user.key --to-p12 --outder --outfile new-user.p12
>> certtool --p12-info --infile new-user.p12 --inder --password $PASS
>
> Is it a good idea to modify certtool?
> Can it be a good idea to make an executable to manage a non-professional
> simple Certificate Authority?
>
> Should I modify certtool?

Absolutely! Having more command line tools to expose the GnuTLS
library's functionality to non-programmers is a good idea. If you
have ideas on what a good command line interface would be for use as a
CA, please explain and discuss. Large parts of the code are probably
already present in certtool, but it could use a rewrite in order to be
more user friendly.

In general, I think it is better to have several small tools for
specific purposes, rather than to try and put them all into one tool.
But managing a X.509 PKI's is such a mess that you need to support
many formats for the same thing, which leads to that one tool probably
must be able to read all formats.

You will need to sign a copyright disclaimer if you want to propose
substantial patches though.

Thanks,
Simon

From michaelberhanu at gmail.com Sun Jul 31 12:47:10 2005
From: michaelberhanu at gmail.com (Michael Berhanu)
Date: Sun, 31 Jul 2005 20:47:10 +1000
Subject: [Help-gnutls] DHE_DSS
Message-ID:

Could someone give me an overview of how Diffie-Hellman ephemeral key
exchange based on DSS works? I'm asking here not for a code overview,
but rather a conceptual overview. I've tried to understand it by going
through a number of rfcs but it hasn't worked for me.
Also are the asymmetric encryption keys transferred between the two
parties encrypted using DH in this situation?

Very much appreciated,
Michael.

From alangley at gmail.com Sun Jul 31 14:08:21 2005
From: alangley at gmail.com (Adam Langley)
Date: Sun, 31 Jul 2005 13:08:21 +0100
Subject: [Help-gnutls] DHE_DSS
In-Reply-To:
References:
Message-ID: <396556a205073105084d6b60da@mail.gmail.com>

On 7/31/05, Michael Berhanu wrote:
> Could someone give me an overview of how Diffie-Hellman ephemeral key
> exchange based on DSS works? I'm asking here not for a code overview,
> but rather a conceptual overview. I've tried to understand it by going
> through a number of rfcs but it hasn't worked for me.

You can find a description of the maths of DH all over the place[1] so
I won't go into that here.

DH allows two parties to agree on a shared key such that no
eavesdropper can learn the key (for some bound on computational
ability). This key is used for the current session only and is
discarded afterwards. This gives it 'perfect forward secrecy' - you
cannot be made to give up the session key at a later date. That's the
E in EDH (and DHE, which is the same thing).

However, an attacker who can manipulate the exchange between two hosts
can launch a man-in-the-middle attack against DH. So DSS is used to
sign the DH exchange so that you know that the host which you're
agreeing a key with is the one that you expect.

Once the key material has been exchanged, it's used to seed the
generation of the symmetric key (the generation may just be the
identity function).

[1] http://en.wikipedia.org/wiki/Diffie-Hellman
[2] http://en.wikipedia.org/wiki/Perfect_forward_secrecy

AGL

--
Adam Langley agl at imperialviolet.org
http://www.imperialviolet.org (+44) (0)7906 332512
PGP: 9113 256A CC0F 71A6 4C84 5087 CDA5 52DF 2CB6 3D60
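
The signed ephemeral exchange described in the reply above, as an added Python sketch that is not part of the original thread and is not GnuTLS code. It assumes a small constructed group shared by DSA and DH, SHA-256 as the hash, and a made-up `p:g:Ys` text encoding; all function names are hypothetical. As in the TLS ServerKeyExchange message, the signature covers both hello randoms plus the server's DH parameters, so the DH public values travel in the clear but cannot be swapped unnoticed.

```python
import hashlib
import secrets

def is_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin with fixed bases; enough to build the demo group below."""
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x not in (1, n - 1) and not any(
                pow(x, 2**i, n) == n - 1 for i in range(1, s)):
            return False
    return True

# Constructed toy group used for both DSA and DH: prime Q divides P - 1.
Q = 2**127 - 1
P = next(k * Q + 1 for k in range(2, 10**6, 2) if is_prime(k * Q + 1))
G = next(g for g in (pow(h, (P - 1) // Q, P) for h in range(2, 50)) if g != 1)

def digest(msg):  # leftmost bits of the hash, as DSA does (SHA-256 assumed)
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - Q.bit_length())

def dsa_sign(x, msg):
    while True:
        k = secrets.randbelow(Q - 1) + 1
        r = pow(G, k, P) % Q
        s = pow(k, Q - 2, Q) * (digest(msg) + x * r) % Q
        if r and s:
            return r, s

def dsa_verify(y, msg, sig):
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, Q - 2, Q)
    return pow(G, digest(msg) * w % Q, P) * pow(y, r * w % Q, P) % P % Q == r

def server_key_exchange(dsa_x, client_random, server_random):
    """Server: fresh DH secret per session; the public value goes out signed."""
    b = secrets.randbelow(Q - 1) + 1
    params = b"%x:%x:%x" % (P, G, pow(G, b, P))      # dh_p, dh_g, dh_Ys
    return b, params, dsa_sign(dsa_x, client_random + server_random + params)

def client_key_exchange(dsa_y, client_random, server_random, params, sig):
    """Client: verify the signature first, then do its half of DH."""
    if not dsa_verify(dsa_y, client_random + server_random + params, sig):
        raise ValueError("ServerDHParams signature does not verify")
    p, g, ys = (int(v, 16) for v in params.split(b":"))
    a = secrets.randbelow(Q - 1) + 1
    return pow(g, a, p), pow(ys, a, p)               # dh_Yc, shared secret

def run_handshake(tamper=False):
    x = secrets.randbelow(Q - 1) + 1                 # long-term DSS private key
    y = pow(G, x, P)                                 # public key, from the certificate
    cr, sr = secrets.token_bytes(32), secrets.token_bytes(32)
    b, params, sig = server_key_exchange(x, cr, sr)
    if tamper:                                       # DH value altered in transit
        params = b"%x:%x:%x" % (P, G, pow(G, 2, P))
    yc, client_secret = client_key_exchange(y, cr, sr, params, sig)
    return client_secret == pow(yc, b, P)            # server side: Yc^b mod p
```

The ephemeral secrets `a` and `b` exist only inside one `run_handshake()` call, which is what gives the forward secrecy discussed in the reply; the long-term DSS key only signs.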