[Help-gnutls] Re: TLS/OpenPGP draft expiring soon

Simon Josefsson simon at josefsson.org
Fri Feb 2 17:17:53 CET 2007


ludovic.courtes at laas.fr (Ludovic Courtès) writes:

> Hi,
>
> Simon Josefsson <simon at josefsson.org> writes:
>
>> Hi!  Actually, the tools work fine without your patch, IF I use a
>> newly generated key.
>
> Hmm, but without the patch, the DH parameters aren't used since the
> invocation of `gnutls_certificate_set_dh_params ()' is commented out,
> are they?

Doesn't it work for you?

Setting the DH and export RSA parameters is done through the
'get_params' function, if I understand correctly.

>> I suspect OpenCDK uses the wrong RSA key to encrypt and/or decrypt the
>> data.  I have several old and expired keys in my private key.  IIRC,
>> even GnuPG had a similar problem with my key some time ago.
>
> Then the key is to blame.  ;-)
>
> Or at least GnuTLS should return a more appropriate error, like
> `GNUTLS_A_CERTIFICATE_EXPIRED'.

Yes.  Alas, I can't send my private key for debugging... ;) If I get
time, I'll debug it.  The important thing is that it seems to work.
I'll add a client example and perhaps a self test too.

I'm still not certain what these parameters do, though:

     --pgpkeyring FILE        PGP Key ring file to use.
     --pgptrustdb FILE        PGP trustdb file to use.

I can guess that the former is used to search for keys when only the
fingerprint is sent, and the latter is used for WoT verification, but
neither seems to work.

If I understand correctly, this should work:

jas at mocca:~$ gnutls-serv --dhparams ~/dh.pem --pgpcertfile ~/.gnupg-foo/pub.txt --pgpkeyfile ~/.gnupg-foo/sec.txt --pgpkeyring ~/.gnupg-foo/pub.txt
Read Diffie Hellman parameters.
Echo Server ready. Listening to port '5556'.

Error in handshake
Error: Could not get OpenPGP key.

jas at mocca:~$ gnutls-cli  --pgpcertfile ~/.gnupg-foo/pub.txt --pgpkeyfile ~/.gnupg-foo/sec.txt -p 5556 localhost  -f
Processed 1 client PGP certificate...
Resolving 'localhost'...
Connecting to '127.0.0.1:5556'...
*** Fatal error: Error in the push function.
*** Handshake has failed
GNUTLS ERROR: Error in the push function.
jas at mocca:~$

But as you can see, the server wasn't able to find the OpenPGP key.
The error message on the client seems sub-optimal too.

Maybe this is an ASCII vs binary issue.  Ah, yes, it is.  After:

jas at mocca:~$ gpg -a --export-secret-keys 40CD57C9 > ~/.gnupg/sec.bin
jas at mocca:~$ gpg  --export-secret-keys 40CD57C9 > ~/.gnupg/sec.bin

Then it works:

jas at mocca:~$ gnutls-serv --dhparams ~/dh.pem --pgpcertfile ~/.gnupg-foo/pub.txt --pgpkeyfile ~/.gnupg-foo/sec.txt --pgpkeyring ~/.gnupg-foo/pub.bin
Read Diffie Hellman parameters.
Echo Server ready. Listening to port '5556'.


* connection from ::ffff:127.0.0.1, port 41465
- Given server name[1]: localhost
- Certificate type: OpenPGP
 # Key was created at: Fri Feb  2 14:32:23 CET 2007
 # Key expires: Never
 # PGP Key version: 4
 # PGP Key public key algorithm: DSA (1024 bits)
 # PGP Key fingerprint: BF:D6:44:C3:26:74:9E:3A:99:1E:D0:B5:C0:85:0D:AD:40:CD:57:C9
 #   NAME: Foo Bar <test at test.org>

- Peer's key is valid
- Version: TLS 1.1
- Key Exchange: DHE DSS
- Cipher: AES 128 CBC
- MAC: SHA
- Compression: DEFLATE
...
jas at mocca:~$ gnutls-cli  --pgpcertfile ~/.gnupg-foo/pub.txt --pgpkeyfile ~/.gnupg-foo/sec.txt -p 5556 localhost  -f
Processed 1 client PGP certificate...
Resolving 'localhost'...
Connecting to '127.0.0.1:5556'...
- Certificate type: OpenPGP
 # The hostname in the key does NOT match 'localhost'.
 # Key was created at: Fri Feb  2 14:32:23 CET 2007
 # Key expires: Never
 # PGP Key version: 4
 # PGP Key public key algorithm: DSA (1024 bits)
 # PGP Key fingerprint: BF:D6:44:C3:26:74:9E:3A:99:1E:D0:B5:C0:85:0D:AD:40:CD:57:C9
 #   NAME: Foo Bar <test at test.org>

- Peer's key is valid
- Could not find a signer of the peer's key
- Version: TLS 1.1
- Key Exchange: DHE DSS
- Cipher: AES 128 CBC
- MAC: SHA
- Compression: DEFLATE
- Handshake was completed

- Simple Client Mode:


jas at mocca:~$

Although it looks pretty serious that the server doesn't complain
about a missing signer for the key now.  Is it using the keyring as
the trustdb?

The trustdb parameter doesn't seem to have the binary vs ASCII
problem, and the signer stuff seems to work:

jas at mocca:~$ gnutls-serv --dhparams ~/dh.pem --pgpcertfile ~/.gnupg-foo/pub.txt --pgpkeyfile ~/.gnupg-foo/sec.txt --pgptrustdb ~/.gnupg-foo/pub.txt
Read Diffie Hellman parameters.
Echo Server ready. Listening to port '5556'.


* connection from ::ffff:127.0.0.1, port 39134
- Given server name[1]: localhost
- Certificate type: OpenPGP
 # Key was created at: Fri Feb  2 14:32:23 CET 2007
 # Key expires: Never
 # PGP Key version: 4
 # PGP Key public key algorithm: DSA (1024 bits)
 # PGP Key fingerprint: BF:D6:44:C3:26:74:9E:3A:99:1E:D0:B5:C0:85:0D:AD:40:CD:57:C9
 #   NAME: Foo Bar <test at test.org>

- Peer's key is valid
- Version: TLS 1.1
- Key Exchange: DHE DSS
- Cipher: AES 128 CBC
- MAC: SHA
- Compression: DEFLATE

client:

jas at mocca:~$ gnutls-cli  --pgpcertfile ~/.gnupg-foo/pub.txt --pgpkeyfile ~/.gnupg-foo/sec.txt -p 5556 localhost
Processed 1 client PGP certificate...
Resolving 'localhost'...
Connecting to '127.0.0.1:5556'...
- Certificate type: OpenPGP
 # The hostname in the key does NOT match 'localhost'.
 # Key was created at: Fri Feb  2 14:32:23 CET 2007
 # Key expires: Never
 # PGP Key version: 4
 # PGP Key public key algorithm: DSA (1024 bits)
 # PGP Key fingerprint: BF:D6:44:C3:26:74:9E:3A:99:1E:D0:B5:C0:85:0D:AD:40:CD:57:C9
 #   NAME: Foo Bar <test at test.org>

- Peer's key is valid
- Could not find a signer of the peer's key
- Version: TLS 1.1
- Key Exchange: DHE DSS
- Cipher: AES 128 CBC
- MAC: SHA
- Compression: DEFLATE
- Handshake was completed

- Simple Client Mode:

So there are a few problems:

  * use static DH if none are supplied
  * fix reading of ASCII OpenPGP keyrings
  * fix error message in client when the server cannot find the openpgp key
  * investigate whether the server thinks the client's cert is ok
    when a keyring is specified
  * add self-tests for the above :)

and most importantly:

  * document how everything works, with examples like those in this message

Thanks,
Simon
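
Added example, not part of the original message and not GnuTLS or OpenCDK code: one way a keyring loader can accept both encodings discussed above, by detecting ASCII armor, verifying its CRC-24 (RFC 4880, section 6) and returning binary packets. All function names and the sample packet are assumptions made for illustration.

```python
import base64
import re

def crc24(data: bytes) -> int:
    """CRC-24 used by OpenPGP ASCII armor (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(data: bytes, label: str = "PGP PUBLIC KEY BLOCK") -> bytes:
    """Wrap binary packets in ASCII armor (the form `gpg -a` emits)."""
    b64 = base64.b64encode(data).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return f"-----BEGIN {label}-----\n\n{body}\n={crc}\n-----END {label}-----\n".encode()

def dearmor(blob: bytes) -> bytes:
    """Strip ASCII armor, verify the CRC-24 line, return the binary packets."""
    m = re.search(r"-----BEGIN PGP [A-Z ]+-----\r?\n(.*?)-----END PGP [A-Z ]+-----",
                  blob.decode("latin-1"), re.S)
    if not m:
        raise ValueError("no armor block found")
    lines = [ln.strip() for ln in m.group(1).splitlines()]
    if "" in lines:                      # armor headers end at the first blank line
        lines = lines[lines.index("") + 1:]
    lines = [ln for ln in lines if ln]
    crc_line = lines.pop() if lines and lines[-1].startswith("=") else None
    data = base64.b64decode("".join(lines))
    if crc_line and crc24(data) != int.from_bytes(base64.b64decode(crc_line[1:]), "big"):
        raise ValueError("armor CRC-24 mismatch")
    return data

def load_keyring(blob: bytes) -> bytes:
    """Accept either encoding and always hand back binary OpenPGP packets."""
    if blob.lstrip().startswith(b"-----BEGIN PGP "):
        return dearmor(blob)
    if blob and blob[0] & 0x80:          # binary packets start with a tag octet, top bit set
        return blob
    raise ValueError("not an OpenPGP key file")

# Constructed placeholder packet (old-format tag 6, 5-byte body), not a real key.
SAMPLE_BINARY = b"\x99\x00\x05dummy"
SAMPLE_ARMORED = armor(SAMPLE_BINARY)
```

Rejecting unrecognised input outright, rather than passing it on to the key search, gives the caller a specific error to report instead of a generic "Could not get OpenPGP key".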




