[Help-gnutls] RE: GnuTLS supports RSA_WITH_RC4_128_MD5?

Thangiah, Leny IN BLR SISL leny.thangiah at siemens.com
Thu Aug 23 17:15:46 CEST 2007


Simon,

You are rocking! I 'm really amazed by your support. Let me analyze the code with your input and come back.

Thanks a lot!
Leny



-----Original Message-----
From: Simon Josefsson [mailto:simon at josefsson.org]
Sent: Thursday, August 23, 2007 8:38 PM
To: Thangiah, Leny IN BLR SISL
Cc: help-gnutls at gnu.org
Subject: Re: GnuTLS supports RSA_WITH_RC4_128_MD5?


"Thangiah, Leny IN BLR SISL" <leny.thangiah at siemens.com> writes:

> Thanks, Simon. 
> It's motivating me further towards using the GnuTLS. 

Great!

> I have one more question. Is there any possibility to hook my file operation functions (fopen, fread...) with the GnuTLS. 
> Basically, I want GnuTLS to call my functions for the file operations.

There aren't many file operations in the GnuTLS library:

jas at mocca:~/src/gnutls/lib$ rgrep fopen *
auth_psk_passwd.c:  fd = fopen (cred->password_file, "r");
auth_srp_passwd.c:  fd = fopen (pconf_file, "r");
auth_srp_passwd.c:  fd = fopen (cred->password_file, "r");
gnutls_helper.c:  fd = fopen (file, "r");
minitasn1/structure.c:  file = fopen (output_file_name, "w");
jas at mocca:~/src/gnutls/lib$ rgrep read_binary_file *
gnutls_x509.c:  char *data = read_binary_file (certfile, &size);
gnutls_x509.c:  char *data = read_binary_file (keyfile, &size);
gnutls_x509.c:  char *data = read_binary_file (cafile, &size);
gnutls_x509.c:  char *data = read_binary_file (crlfile, &size);
gnutls_x509.c:  p12blob.data = read_binary_file (pkcs12file, &size);
jas at mocca:~/src/gnutls/lib$ 

The usage in minitasn1/structure.c is never invoked from GnuTLS.

The usage in gnutls_helper.c is in the function _gnutls_file_exists and
that function is only used from PSK/SRP:

jas at mocca:~/src/gnutls/lib$ rgrep _gnutls_file_exists *
gnutls_helper.c:_gnutls_file_exists (const char *file)
gnutls_helper.h:int _gnutls_file_exists (const char *file);
gnutls_psk.c:  if (_gnutls_file_exists (password_file) != 0)
gnutls_srp.c:  if (_gnutls_file_exists (password_file) != 0)
gnutls_srp.c:  if (_gnutls_file_exists (password_conf_file) != 0)
jas at mocca:~/src/gnutls/lib$ 

Thus, only the SRP/PSK and the X.509 APIs ever opens any files.

For TLS-PSK, this is the password file, and the functionality is only
used in the server if you use the
gnutls_psk_set_server_credentials_file() API.  If you avoid it and use
gnutls_psk_set_server_credentials_function() instead, you will have a
callback into your application for the necessary data.

Similar for TLS-SRP, it is only used in the server when you use the
gnutls_srp_set_server_credentials_file() API.  Use
gnutls_srp_set_server_credentials_function() instead.

For X.509 the file operations are used when you use some of the APIs
that takes a filename:

gnutls_certificate_set_x509_key_file
gnutls_certificate_set_x509_trust_file
gnutls_certificate_set_x509_crl_file
gnutls_certificate_set_x509_simple_pkcs12_file

You don't need to use those APIs to set X.509 key/trust/crl files, just
make sure you use other APIs that doesn't involve reading files:

gnutls_certificate_set_x509_key_mem
gnutls_certificate_set_x509_trust_mem
gnutls_certificate_set_x509_crl_mem

For PKCS#12 there isn't a equivalent memory-based API, but if you need
one added, let me know and I can add it easily for you.

Is this sufficient for what you need?

> I saw such callbacks for the socket and memory operations.

Right.

/Simon

>
> Leny
>
> -----Original Message-----
> From: Simon Josefsson [mailto:simon at josefsson.org]
> Sent: Thursday, August 23, 2007 2:34 PM
> To: Thangiah, Leny IN BLR SISL
> Cc: help-gnutls at gnu.org
> Subject: Re: GnuTLS supports RSA_WITH_RC4_128_MD5?
>
>
> "Thangiah, Leny IN BLR SISL" <leny.thangiah at siemens.com> writes:
>
>> Hi,
>>  
>> I 'm new to the world of SSL. I am evaluating various SSL
>> implementations for using in one of our products. I found that GnuTLS
>> is more portable, scalable and flexible than any other
>> implementations.
>
> Hi, and welcome!
>
>> Please let me know if GnuTLS supports the following ciphering algorithms. These are the crucial requirements for my evaluation.
>> SSL_RSA_WITH_RC4_128_MD5
>>
>> TLS_RSA_WITH_RC4_128_MD5
>
> As far as I know, those are the same cipher, RFC 4346 says:
>
>     CipherSuite TLS_RSA_WITH_RC4_128_MD5               = { 0x00,0x04 };
>
> and on http://support.microsoft.com/kb/245030 I see that
>
> SSL_RSA_WITH_RC4_128_MD5	{ 0x00,0x04 }
>
> Anyway, yes, GnuTLS supports that cipher suite.
>
> You may want to look into this comparison between some implementations:
>
> http://www.gnu.org/software/gnutls/comparison.html
>
> It may not be complete (additions are most welcome), but should give you
> some indication on what is supported.
>
> Note that GnuTLS does not support SSL version 2.0 since it has been
> broken security-wise.
>
> /Simon





More information about the Gnutls-help mailing list