[Help-gnutls] Re: GnuTLS supports RSA_WITH_RC4_128_MD5?

Simon Josefsson simon at josefsson.org
Thu Aug 23 17:07:44 CEST 2007

"Thangiah, Leny IN BLR SISL" <leny.thangiah at siemens.com> writes:

> Thanks, Simon. 
> It's motivating me further towards using the GnuTLS. 


> I have one more question. Is there any possibility to hook my file operation functions (fopen, fread...) with the GnuTLS. 
> Basically, I want GnuTLS to call my functions for the file operations.

There aren't many file operations in the GnuTLS library:

jas at mocca:~/src/gnutls/lib$ rgrep fopen *
auth_psk_passwd.c:  fd = fopen (cred->password_file, "r");
auth_srp_passwd.c:  fd = fopen (pconf_file, "r");
auth_srp_passwd.c:  fd = fopen (cred->password_file, "r");
gnutls_helper.c:  fd = fopen (file, "r");
minitasn1/structure.c:  file = fopen (output_file_name, "w");
jas at mocca:~/src/gnutls/lib$ rgrep read_binary_file *
gnutls_x509.c:  char *data = read_binary_file (certfile, &size);
gnutls_x509.c:  char *data = read_binary_file (keyfile, &size);
gnutls_x509.c:  char *data = read_binary_file (cafile, &size);
gnutls_x509.c:  char *data = read_binary_file (crlfile, &size);
gnutls_x509.c:  p12blob.data = read_binary_file (pkcs12file, &size);
jas at mocca:~/src/gnutls/lib$ 

The usage in minitasn1/structure.c is never invoked from GnuTLS.

The usage in gnutls_helper.c is in the function _gnutls_file_exists and
that function is only used from PSK/SRP:

jas at mocca:~/src/gnutls/lib$ rgrep _gnutls_file_exists *
gnutls_helper.c:_gnutls_file_exists (const char *file)
gnutls_helper.h:int _gnutls_file_exists (const char *file);
gnutls_psk.c:  if (_gnutls_file_exists (password_file) != 0)
gnutls_srp.c:  if (_gnutls_file_exists (password_file) != 0)
gnutls_srp.c:  if (_gnutls_file_exists (password_conf_file) != 0)
jas at mocca:~/src/gnutls/lib$ 

Thus, only the SRP/PSK and the X.509 APIs ever opens any files.

For TLS-PSK, this is the password file, and the functionality is only
used in the server if you use the
gnutls_psk_set_server_credentials_file() API.  If you avoid it and use
gnutls_psk_set_server_credentials_function() instead, you will have a
callback into your application for the necessary data.

Similar for TLS-SRP, it is only used in the server when you use the
gnutls_srp_set_server_credentials_file() API.  Use
gnutls_srp_set_server_credentials_function() instead.

For X.509 the file operations are used when you use some of the APIs
that takes a filename:


You don't need to use those APIs to set X.509 key/trust/crl files, just
make sure you use other APIs that doesn't involve reading files:


For PKCS#12 there isn't a equivalent memory-based API, but if you need
one added, let me know and I can add it easily for you.

Is this sufficient for what you need?

> I saw such callbacks for the socket and memory operations.



> Leny
> -----Original Message-----
> From: Simon Josefsson [mailto:simon at josefsson.org]
> Sent: Thursday, August 23, 2007 2:34 PM
> To: Thangiah, Leny IN BLR SISL
> Cc: help-gnutls at gnu.org
> Subject: Re: GnuTLS supports RSA_WITH_RC4_128_MD5?
> "Thangiah, Leny IN BLR SISL" <leny.thangiah at siemens.com> writes:
>> Hi,
>> I 'm new to the world of SSL. I am evaluating various SSL
>> implementations for using in one of our products. I found that GnuTLS
>> is more portable, scalable and flexible than any other
>> implementations.
> Hi, and welcome!
>> Please let me know if GnuTLS supports the following ciphering algorithms. These are the crucial requirements for my evaluation.
> As far as I know, those are the same cipher, RFC 4346 says:
>     CipherSuite TLS_RSA_WITH_RC4_128_MD5               = { 0x00,0x04 };
> and on http://support.microsoft.com/kb/245030 I see that
> SSL_RSA_WITH_RC4_128_MD5	{ 0x00,0x04 }
> Anyway, yes, GnuTLS supports that cipher suite.
> You may want to look into this comparison between some implementations:
> http://www.gnu.org/software/gnutls/comparison.html
> It may not be complete (additions are most welcome), but should give you
> some indication on what is supported.
> Note that GnuTLS does not support SSL version 2.0 since it has been
> broken security-wise.
> /Simon

More information about the Gnutls-help mailing list