From jas at extundo.com Wed May 3 12:24:02 2006
From: jas at extundo.com (Simon Josefsson)
Date: Wed, 03 May 2006 12:24:02 +0200
Subject: [Help-gnutls] GnuTLS Summer of Code
Message-ID: <871wvbxv7h.fsf@latte.josefsson.org>

Hi all!

Just to let you know that GnuTLS participates in Google's summer of
code:

http://code.google.com/soc/

You can earn USD 4500 for working on a project in GnuTLS!

The projects Nikos and I thought of are listed at:

http://www.gnu.org/software/soc-projects/ideas.html#gnutls

We are open to hear about other neat ideas, even if you are not
volunteering to be either mentor or student.

Cheers,
Simon

From jas at extundo.com Sun May 7 17:22:51 2006
From: jas at extundo.com (Simon Josefsson)
Date: Sun, 07 May 2006 17:22:51 +0200
Subject: [Help-gnutls] Libtasn1 0.3.3
Message-ID: <87irohg8qc.fsf@latte.josefsson.org>

Libtasn1 is a standalone library written in C for manipulating ASN.1
objects including DER/BER encoding and DER/BER decoding. Libtasn1 is
used by GnuTLS to manipulate X.509 objects and by GNU Shishi to handle
Kerberos V5 packets.

Version 0.3.3 (2006-05-07)
- Add some 'const' to prototypes.
- Remove some 'unsigned' keywords.
- Corrected asn1_der_coding() bug introduced when it became reentrant.
  Now it produces correct encodings.

Commercial support contracts for Libtasn1 are available, and they help
finance continued maintenance. Simon Josefsson Datakonsult, a
Stockholm based privately held company, is currently funding Libtasn1
maintenance. We are always looking for interesting development
projects. See http://josefsson.org/ for more details.

If you need help to use Libtasn1, or want to help others, you are
invited to join our help-gnutls mailing list, see: .
Homepage:
  http://josefsson.org/libtasn1/

Manual in many formats:
  http://josefsson.org/gnutls/manual/libtasn1/

Here are the compressed sources (1.2MB):
  ftp://ftp.gnutls.org/pub/gnutls/libtasn1/libtasn1-0.3.3.tar.gz
  http://josefsson.org/gnutls/releases/libtasn1/libtasn1-0.3.3.tar.gz

Here are GPG detached signatures using key 0xB565716F:
  ftp://ftp.gnutls.org/pub/gnutls/libtasn1/libtasn1-0.3.3.tar.gz.sig
  http://josefsson.org/gnutls/releases/libtasn1/libtasn1-0.3.3.tar.gz.sig

The software is cryptographically signed by the author using an
OpenPGP key identified by the following information:

pub 1280R/B565716F 2002-05-05 [expires: 2006-08-14]
    Key fingerprint = 0424 D4EE 81A0 E3D1 19C6 F835 EDA2 1E94 B565 716F
uid Simon Josefsson
uid Simon Josefsson
sub 1280R/4D5D40AE 2002-05-05 [expires: 2006-08-14]
sub 1024R/09CC4670 2006-03-18 [expires: 2007-04-22]
sub 1024R/AABB1F7B 2006-03-18 [expires: 2007-04-22]
sub 1024R/A14C401A 2006-03-18 [expires: 2007-04-22]

The key is available from:
  http://josefsson.org/key.txt
  dns:b565716f.josefsson.org?TYPE=CERT

Here are the SHA-1 and SHA-224 checksums:

93f1250e203af66072dd6de7aa2611414afc90cf libtasn1-0.3.3.tar.gz
f17ba9a563149ae7b6c35f797ceeb187a6ac24f7 libtasn1-0.3.3.tar.gz.sig
7650faac293c0b71701d89c3d7e4a2c79ab29bcf21f54e810784c96d libtasn1-0.3.3.tar.gz
9aebbf6b058c58832e1ec6377fadb76533bc3bdb911d48a2c4c78759 libtasn1-0.3.3.tar.gz.sig

Enjoy,
Fabio, Nikos and Simon

From jas at extundo.com Tue May 9 13:57:08 2006
From: jas at extundo.com (Simon Josefsson)
Date: Tue, 09 May 2006 13:57:08 +0200
Subject: [Help-gnutls] Re: Libtasn1 0.3.3
In-Reply-To: <20060508133318.GA704@underworld.novel.ru> (Roman Bogorodskiy's message of "Mon, 8 May 2006 13:33:18 +0000")
References: <87irohg8qc.fsf@latte.josefsson.org> <20060508133318.GA704@underworld.novel.ru>
Message-ID: <871wv3fm23.fsf@latte.josefsson.org>

Roman Bogorodskiy writes:

> - "-Wno-pointer-sign" flag has been added to CFLAGS for gcc. IMHO, it's
> gcc 4.x thing only. At least, it doesn't work here with gcc 3.4.4.

Ouch, that's really bad. We'll probably have to roll a 0.3.4 to fix
that. I guess that it should only be used if 'gcc --help --verbose'
contains "-Wpointer-sign".

> - Since libtasn1 0.3.0 _asn1* symbols are not visible anymore, while
> gnutls 1.2.x (current stable version) uses them and, that way, fails
> to build with libtasn1 >= 0.3.0. I wrote a personal message to you
> but have not got a reply. Is there any chance to build gnutls 1.2.x
> with libtasn1 0.3.x? Is the attached patch correct?

I'll release gnutls 1.2.11 shortly that should work fine with the
recent libtasn1 versions. You must disable the X.509 XML stuff in
gnutls 1.2 to be able to link to libtasn1 cleanly.

Thanks,
Simon

From jas at extundo.com Wed May 10 19:15:50 2006
From: jas at extundo.com (Simon Josefsson)
Date: Wed, 10 May 2006 19:15:50 +0200
Subject: [Help-gnutls] Libtasn1 0.3.4
Message-ID: <87ejz1aji1.fsf@latte.josefsson.org>

Libtasn1 is a standalone library written in C for manipulating ASN.1
objects including DER/BER encoding and DER/BER decoding. Libtasn1 is
used by GnuTLS to manipulate X.509 objects and by GNU Shishi to handle
Kerberos V5 packets.

Version 0.3.4 (released 2006-05-10)
- Really fix encodings.
- Add new self test, tests/Test_encoding.c.
- Self tests are run under valgrind, if it is available.
- We test for the -Wno-pointer-sign parameter before using it.

Commercial support contracts for Libtasn1 are available, and they help
finance continued maintenance. Simon Josefsson Datakonsult, a
Stockholm based privately held company, is currently funding Libtasn1
maintenance. We are always looking for interesting development
projects. See http://josefsson.org/ for more details.

If you need help to use Libtasn1, or want to help others, you are
invited to join our help-gnutls mailing list, see: .

Homepage:
  http://josefsson.org/libtasn1/

Manual in many formats:
  http://josefsson.org/gnutls/manual/libtasn1/

Here are the compressed sources (1.2MB):
  ftp://ftp.gnutls.org/pub/gnutls/libtasn1/libtasn1-0.3.4.tar.gz
  http://josefsson.org/gnutls/releases/libtasn1/libtasn1-0.3.4.tar.gz

Here are GPG detached signatures using key 0xB565716F:
  ftp://ftp.gnutls.org/pub/gnutls/libtasn1/libtasn1-0.3.4.tar.gz.sig
  http://josefsson.org/gnutls/releases/libtasn1/libtasn1-0.3.4.tar.gz.sig

The software is cryptographically signed by the author using an
OpenPGP key identified by the following information:

pub 1280R/B565716F 2002-05-05 [expires: 2006-08-14]
    Key fingerprint = 0424 D4EE 81A0 E3D1 19C6 F835 EDA2 1E94 B565 716F
uid Simon Josefsson
uid Simon Josefsson
sub 1280R/4D5D40AE 2002-05-05 [expires: 2006-08-14]
sub 1024R/09CC4670 2006-03-18 [expires: 2007-04-22]
sub 1024R/AABB1F7B 2006-03-18 [expires: 2007-04-22]
sub 1024R/A14C401A 2006-03-18 [expires: 2007-04-22]

The key is available from:
  http://josefsson.org/key.txt
  dns:b565716f.josefsson.org?TYPE=CERT

Here are the SHA-1 and SHA-224 checksums:

9429bbedd4bd7e94b9119c2ef36522bfd55a676d libtasn1-0.3.4.tar.gz
fe32c9eae8222eb23bc3f7e6c59b8969b954b6e6 libtasn1-0.3.4.tar.gz.sig
3d567071a984e75aa1aae152c1f7e59ec99b64b2d9c1d8c0c3e7e3f0 libtasn1-0.3.4.tar.gz
08cfa2d87ba3374095b82654253c0692dae780452dd546b291da97dc libtasn1-0.3.4.tar.gz.sig

Enjoy,
Fabio, Nikos and Simon

From jas at extundo.com Thu May 11 18:05:06 2006
From: jas at extundo.com (Simon Josefsson)
Date: Thu, 11 May 2006 18:05:06 +0200
Subject: [Help-gnutls] GnuTLS 1.2.11 - final maintainance release of 1.2 branch
Message-ID: <87k68sczt9.fsf@latte.josefsson.org>

We are pleased to announce the availability of GnuTLS version 1.2.11,
the (most likely) last release on the successful 1.2 branch. Expect
the 1.4.0 release later today or tomorrow, which will be the new
stable branch.

The goal of this release was to produce a GnuTLS 1.2 release that
builds with the most recent libtasn1 releases. There aren't many other
changes, but see below for the details.

GnuTLS is a modern C library that implements the standard network
security protocol Transport Layer Security (TLS), for use by network
applications.

Noteworthy changes since version 1.2.10:
- The function gnutls_x509_crt_to_xml is not supported any more, and
  returns an internal error. The reason is that the function called
  internal libtasn1 functions which are no longer exported from
  libtasn1.
- Updated libtasn1 requirement to 0.3.4 and refreshed internal
  minitasn1.
- Updated gnulib compatibility files.
- Fixed _gnutls_x509_get_raw_crt_expiration_time and
  _gnutls_x509_get_raw_crt_activation_time to return (time_t)-1 on
  errors.
- API and ABI modifications: No changes since last version.

Improving GnuTLS is costly, but you can help! We are looking for
organizations that find GnuTLS useful and wish to contribute back. You
can contribute by reporting bugs, improving the software, or donating
money or equipment.

Commercial support contracts for GnuTLS are available, and they help
finance continued maintenance. Simon Josefsson Datakonsult, a
Stockholm based privately held company, is currently funding GnuTLS
maintenance. We are always looking for interesting development
projects.

If you need help to use GnuTLS, or want to help others, you are
invited to join our help-gnutls mailing list, see: .

The project page of the library is available at:
  http://www.gnutls.org/
  http://www.gnu.org/software/gnutls/
  http://josefsson.org/gnutls/ (updated fastest)

Here are the compressed sources:
  http://josefsson.org/gnutls/releases/gnutls-1.2.11.tar.bz2 (2.7MB)
  ftp://ftp.gnutls.org/pub/gnutls/gnutls-1.2.11.tar.bz2

Here are GPG detached signatures signed using key 0xB565716F:
  http://josefsson.org/gnutls/releases/gnutls-1.2.11.tar.bz2.sig
  ftp://ftp.gnutls.org/pub/gnutls/gnutls-1.2.11.tar.bz2.sig

The software is cryptographically signed by the author using an
OpenPGP key identified by the following information:
  1280R/B565716F 2002-05-05 [expires: 2006-02-28]
  Key fingerprint = 0424 D4EE 81A0 E3D1 19C6 F835 EDA2 1E94 B565 716F

The key is available from:
  http://josefsson.org/key.txt
  dns:b565716f.josefsson.org?TYPE=CERT

Here are the build reports for various platforms:
  http://josefsson.org/autobuild-logs/gnutls.html

Here are the SHA-1 and SHA-224 checksums:

4d5167091c72f994ed97e1406ae886f3c2757d49 gnutls-1.2.11.tar.bz2
6658e951da94fe4303eb95375d22276656fe4661 gnutls-1.2.11.tar.bz2.sig
31799140787c70c64c078bd73ec7ce8896a42d6d5b8890204c01236f gnutls-1.2.11.tar.bz2
04fec8dff8f3299af9b7a9092e9452d5bb2fe0400e9b218a1a1f0973 gnutls-1.2.11.tar.bz2.sig

Enjoy,
Nikos and Simon

From jas at extundo.com Thu May 11 21:22:43 2006
From: jas at extundo.com (Simon Josefsson)
Date: Thu, 11 May 2006 21:22:43 +0200
Subject: [Help-gnutls] Re: CRLs and gnutls_certificate_set_x509_crl_file
In-Reply-To: <444E40A6.2030708@fsrz.net> (Rich Fought's message of "Tue, 25 Apr 2006 10:30:46 -0500")
References: <444E40A6.2030708@fsrz.net>
Message-ID: <87zmhobc3g.fsf@latte.josefsson.org>

Rich Fought writes:

> Does the function
>
> gnutls_certificate_set_x509_crl_file
>
> do any sort of checking whatsoever on the CRL file?

It reads the file and DER decodes the data.

> The documentation implies that the CRL should be verified
> beforehand, but I'm not sure what this means. I know for sure that
> it does not check dates; does it check the CRL's signature against
> the loaded root CA cert?

No, I don't think so. You'll have to verify that beforehand. This
should probably be fixed, patches welcome.

> If not, does the API provide a way to extract the loaded CRL from the
> credentials structure and do the checking?

Hm, I can't find any API for that. Nikos?

> Or is a separate deal?

gnutls_certificate_verify_peers2 does check certificates against the
CRL though.

/Simon

From nmav at gnutls.org Thu May 11 21:50:26 2006
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Thu, 11 May 2006 21:50:26 +0200
Subject: [Help-gnutls] Re: CRLs and gnutls_certificate_set_x509_crl_file
In-Reply-To: <87zmhobc3g.fsf@latte.josefsson.org>
References: <444E40A6.2030708@fsrz.net> <87zmhobc3g.fsf@latte.josefsson.org>
Message-ID: <200605112150.26195.nmav@gnutls.org>

On Thu 11 May 2006 21:22, Simon Josefsson wrote:
> > The documentation implies that the CRL should be verified
> > beforehand, but I'm not sure what this means. I know for sure that
> > it does not check dates; does it check the CRL's signature against
> > the loaded root CA cert?
>
> No, I don't think so.
> You'll have to verify that beforehand. This
> should probably be fixed, patches welcome.

Indeed. However the idea is to check the CRL on reception and not
every time it is used. That's why it is not done in that function.

> > If not, does the API provide a way to extract the loaded CRL from
> > the credentials structure and do the checking?
> Hm, I can't find any API for that. Nikos?

No, there isn't, but why extract the loaded CRL, and not verify it
before you load it? (with the gnutls_x509_crl_* functions)

regards,
Nikos

From help-gnutls at mlists.thewrittenword.com Mon May 15 09:01:37 2006
From: help-gnutls at mlists.thewrittenword.com (Albert Chin)
Date: Mon, 15 May 2006 02:01:37 -0500
Subject: [Help-gnutls] Certs directory for peer certificate validation
Message-ID: <20060515070137.GD36752@mail1.thewrittenword.com>

OpenSSL has a directory and path for certificates in PEM format used
to verify a peer certificate (i.e. CAfile and CApath). Does GnuTLS
have similar functionality?

--
albert chin (china at thewrittenword.com)

From jas at extundo.com Mon May 15 14:05:45 2006
From: jas at extundo.com (Simon Josefsson)
Date: Mon, 15 May 2006 14:05:45 +0200
Subject: [Help-gnutls] Re: Certs directory for peer certificate validation
In-Reply-To: <20060515070137.GD36752@mail1.thewrittenword.com> (Albert Chin's message of "Mon, 15 May 2006 02:01:37 -0500")
References: <20060515070137.GD36752@mail1.thewrittenword.com>
Message-ID: <87hd3r8pd2.fsf@latte.josefsson.org>

Albert Chin writes:

> OpenSSL has a directory and path for certificates in PEM format used
> to verify a peer certificate (i.e. CAfile and CApath). Does GnuTLS
> have similar functionality?

GnuTLS does not support reading all files in a directory, but it
supports reading CA certificates in PEM format from a file, see
gnutls_certificate_set_x509_trust_file(). You'll call
gnutls_certificate_verify_peers2() to use it.
IIRC, the file may contain more than one CA certificate, so you should
be able to 'cat /somewhere/openssl/somewhere/* > gnutls-cas.pem' and
use that file, or similar.

Regards,
Simon

From help-gnutls at mlists.thewrittenword.com Mon May 15 16:46:00 2006
From: help-gnutls at mlists.thewrittenword.com (Albert Chin)
Date: Mon, 15 May 2006 09:46:00 -0500
Subject: [Help-gnutls] Re: Certs directory for peer certificate validation
In-Reply-To: <87hd3r8pd2.fsf@latte.josefsson.org>
References: <20060515070137.GD36752@mail1.thewrittenword.com> <87hd3r8pd2.fsf@latte.josefsson.org>
Message-ID: <20060515144600.GE36752@mail1.thewrittenword.com>

On Mon, May 15, 2006 at 02:05:45PM +0200, Simon Josefsson wrote:
> Albert Chin writes:
>
> > OpenSSL has a directory and path for certificates in PEM format used
> > to verify a peer certificate (i.e. CAfile and CApath). Does GnuTLS
> > have similar functionality?
>
> GnuTLS does not support reading all files in a directory, but it
> supports reading CA certificates in PEM format from a file, see
> gnutls_certificate_set_x509_trust_file(). You'll call
> gnutls_certificate_verify_peers2() to use it.

Is there a default CA certificate file or do all clients need to call
gnutls_certificate_set_x509_trust_file()?

--
albert chin (china at thewrittenword.com)

From jas at extundo.com Mon May 15 18:10:15 2006
From: jas at extundo.com (Simon Josefsson)
Date: Mon, 15 May 2006 18:10:15 +0200
Subject: [Help-gnutls] Re: Certs directory for peer certificate validation
In-Reply-To: <20060515144600.GE36752@mail1.thewrittenword.com> (Albert Chin's message of "Mon, 15 May 2006 09:46:00 -0500")
References: <20060515070137.GD36752@mail1.thewrittenword.com> <87hd3r8pd2.fsf@latte.josefsson.org> <20060515144600.GE36752@mail1.thewrittenword.com>
Message-ID: <87fyjb6zh4.fsf@latte.josefsson.org>

Albert Chin writes:

> On Mon, May 15, 2006 at 02:05:45PM +0200, Simon Josefsson wrote:
>> Albert Chin writes:
>>
>> > OpenSSL has a directory and path for certificates in PEM format used
>> > to verify a peer certificate (i.e. CAfile and CApath). Does GnuTLS
>> > have similar functionality?
>>
>> GnuTLS does not support reading all files in a directory, but it
>> supports reading CA certificates in PEM format from a file, see
>> gnutls_certificate_set_x509_trust_file(). You'll call
>> gnutls_certificate_verify_peers2() to use it.
>
> Is there a default CA certificate file or do all clients need to call
> gnutls_certificate_set_x509_trust_file()?

There is no default CA certificate file for all GnuTLS applications,
all applications must call that function internally, and have a local
policy on which CAs are acceptable, and thus, generally, a different
path for each application.

I'm not sure it is possible to have a "default CA" file/path that
works fine for all kinds of GnuTLS applications. The kind of CAs that
are OK for one application may be unacceptable for another, and vice
versa.

It may be useful to centralize certificates per-usage on a single
machine though, to improve user experience. It may make sense to have
a "default" file with CA's used by all IMAP GnuTLS applications on a
host, one for all HTTPS GnuTLS applications and so on.
There could be some GNOME tool to manage the certificates, per usage.

Alternatively, creating a gnutls_certificate_set_x509_trust_dir() and
have it read files a'la OpenSSL may be a solution too.

/Simon

From jas at extundo.com Mon May 15 22:39:40 2006
From: jas at extundo.com (Simon Josefsson)
Date: Mon, 15 May 2006 22:39:40 +0200
Subject: [Help-gnutls] GnuTLS 1.4.0
Message-ID: <87odxz58fn.fsf@latte.josefsson.org>

I am happy to announce GnuTLS 1.4.0, the first stable release of what
used to be the 1.3.x development branch. We recommend everyone to
upgrade to this version.

GnuTLS is a modern C library that implements the standard network
security protocol Transport Layer Security (TLS), for use by network
applications.

Noteworthy improvements over the 1.2.x branch:

** Support for TLS Inner application (TLS/IA). This is per
   draft-funk-tls-inner-application-extension-01, and is compatible
   with the recent -02 version too. The TLS/IA API is still
   experimental.

** Support for TLS Pre-Shared Key (TLS-PSK) ciphersuites has been
   added.

** New APIs to access the TLS Pseudo-Random-Function (PRF) and the
   client and server random fields in a session. This is primarily
   intended for when GnuTLS is used as a component in other
   authentication protocols, such as the EAP mechanism PEAP and TTLS.

** The session resumption data are now system independent.

** GnuTLS is now easier to port to Windows through mingw32.

** Error messages are now translated using GNU Gettext.

** Documentation improvements, including more discussion of the
   GnuTLS internals.

** New function to set an X.509 private key and certificate pairs,
   and/or CRLs, from a PKCS#12 file.

** Build improvements on many platforms, including 64-bit fixes.

...and the general set of cleanups and improvements.

Improving GnuTLS is costly, but you can help! We are looking for
organizations that find GnuTLS useful and wish to contribute back. You
can contribute by reporting bugs, improving the software, or donating
money or equipment.

Commercial support contracts for GnuTLS are available, and they help
finance continued maintenance. Simon Josefsson Datakonsult, a
Stockholm based privately held company, is currently funding GnuTLS
maintenance. We are always looking for interesting development
projects. See http://josefsson.org/ for more details.

If you need help to use GnuTLS, or want to help others, you are
invited to join our help-gnutls mailing list, see: .

The project page of the library is available at:
  http://www.gnutls.org/
  http://www.gnu.org/software/gnutls/
  http://josefsson.org/gnutls/ (updated fastest)

Here are the compressed sources (3.2MB):
  http://josefsson.org/gnutls/releases/gnutls-1.4.0.tar.bz2
  ftp://ftp.gnutls.org/pub/gnutls/gnutls-1.4.0.tar.bz2

Here are GPG detached signatures signed using key 0xB565716F:
  http://josefsson.org/gnutls/releases/gnutls-1.4.0.tar.bz2.sig
  ftp://ftp.gnutls.org/pub/gnutls/gnutls-1.4.0.tar.bz2.sig

The software is cryptographically signed by the author using an
OpenPGP key identified by the following information:

pub 1280R/B565716F 2002-05-05 [expires: 2006-08-14]
    Key fingerprint = 0424 D4EE 81A0 E3D1 19C6 F835 EDA2 1E94 B565 716F
uid Simon Josefsson
uid Simon Josefsson
sub 1280R/4D5D40AE 2002-05-05 [expires: 2006-08-14]
sub 1024R/09CC4670 2006-03-18 [expires: 2007-04-22]
sub 1024R/AABB1F7B 2006-03-18 [expires: 2007-04-22]
sub 1024R/A14C401A 2006-03-18 [expires: 2007-04-22]

The key is available from:
  http://josefsson.org/key.txt
  dns:b565716f.josefsson.org?TYPE=CERT

Here are the SHA-1 and SHA-224 checksums:

71c2df8072796592bb20910f3554923b4178b352 gnutls-1.4.0.tar.bz2
bcad99905bd6d3865282518f6d8293ebfba4f288 gnutls-1.4.0.tar.bz2.sig
8d1e4e94730f864ecfc0b71b87ee30a9b7bf5bedae894a7afe4e7549 gnutls-1.4.0.tar.bz2
5a0d767465a45fe24ba662b85d5d4c9b163629ecef46aa6393b9ab2f gnutls-1.4.0.tar.bz2.sig

Enjoy,
Nikos and Simon
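
Added example, not part of any message in this archive: in the "Certs directory for peer certificate validation" thread, Simon suggests concatenating an OpenSSL CA directory into one PEM file for gnutls_certificate_set_x509_trust_file(). The Python code below does that merge while handling what a plain `cat` does not: files without a trailing newline, non-certificate PEM blocks, and duplicate copies of one CA. The function names are made up for illustration, and the sample "certificates" are constructed placeholder DER, not real X.509.

```python
import base64, binascii, pathlib, re, tempfile
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def is_der_sequence(der):
    """True if der is exactly one DER SEQUENCE (outer tag and length only)."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    n = der[1] & 0x7F if der[1] & 0x80 else 0   # count of long-form length bytes
    if der[1] == 0x80 or n > 4 or len(der) < 2 + n:
        return False                            # indefinite or oversized length
    length = int.from_bytes(der[2:2 + n], "big") if n else der[1]
    return 2 + n + length == len(der)

def build_bundle(ca_dir):
    """Return (pem_text, skipped) for the distinct certificates found in ca_dir."""
    seen, blocks, skipped = set(), [], []
    for path in sorted(p for p in pathlib.Path(ca_dir).iterdir() if p.is_file()):
        text = path.read_text(encoding="latin-1")
        for label, body in PEM_BLOCK.findall(text):
            if label != "CERTIFICATE":      # keys, CRLs etc. stay out of a trust file
                skipped.append((path.name, "not a certificate: " + label))
                continue
            try:
                der = base64.b64decode("".join(body.split()), validate=True)
            except binascii.Error:
                skipped.append((path.name, "bad base64"))
                continue
            if not is_der_sequence(der):
                skipped.append((path.name, "not a DER SEQUENCE"))
                continue
            if der in seen:                 # e.g. hash-named links to the same CA
                skipped.append((path.name, "duplicate"))
                continue
            seen.add(der)
            b64 = base64.b64encode(der).decode()
            lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
            # Re-emit each block with its own newlines so END/BEGIN never fuse.
            blocks.append("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
                          + "\n-----END CERTIFICATE-----\n")
    return "".join(blocks), skipped

def demo():
    """Run build_bundle over a constructed directory of placeholder DER blobs."""
    def pem(label, der):
        return "-----BEGIN %s-----\n%s\n-----END %s-----" % (
            label, base64.b64encode(der).decode(), label)
    ca_a, ca_b = bytes([0x30, 3, 2, 1, 1]), bytes([0x30, 3, 2, 1, 2])  # not real X.509
    files = {
        "ca-a.pem": pem("CERTIFICATE", ca_a),                 # no trailing newline
        "ca-b.pem": pem("CERTIFICATE", ca_b) + "\n"
                    + pem("RSA PRIVATE KEY", b"\x30\x00") + "\n",
        "1a2b3c4d.0": pem("CERTIFICATE", ca_a) + "\n",        # copy standing in for a hash link
        "broken.pem": pem("CERTIFICATE", ca_a[:-1]) + "\n",   # truncated DER
        "README": "not PEM at all\n",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, text in files.items():
            pathlib.Path(d, name).write_text(text)
        return build_bundle(d)

if __name__ == "__main__":
    bundle, skipped = demo()
    print(bundle + "".join("skipped %s: %s\n" % s for s in skipped), end="")
```

The outer-SEQUENCE check only filters obviously damaged blocks; it does not validate a certificate, and deciding which CAs belong in the file remains the per-application policy Simon describes.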