From simon at josefsson.org Thu May 3 14:03:29 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 03 May 2007 14:03:29 +0200
Subject: [Help-gnutls] GnuTLS vs OpenSSL vs NSS
Message-ID: <87k5vq5d2m.fsf@mocca.josefsson.org>

Hi!

I've created some tables with a comparison between common TLS
implementations. I'm running short of ideas on things to compare. Any
ideas or suggestions? The URL is:

http://www.gnu.org/software/gnutls/comparison.html

What do you think?

Also, if you notice any mistakes, or know for sure the status on some I
put down as 'No?', please let me know and I'll fix it.

/Simon

From daniel at haxx.se Thu May 3 13:16:01 2007
From: daniel at haxx.se (Daniel Stenberg)
Date: Thu, 3 May 2007 13:16:01 +0200 (CEST)
Subject: [Help-gnutls] GnuTLS vs OpenSSL vs NSS
In-Reply-To: <87k5vq5d2m.fsf@mocca.josefsson.org>
References: <87k5vq5d2m.fsf@mocca.josefsson.org>
Message-ID:

On Thu, 3 May 2007, Simon Josefsson wrote:

> I've created some tables with a comparison between common TLS
> implementations. I'm running short of ideas on things to compare. Any
> ideas or suggestions? The URL is:
>
> http://www.gnu.org/software/gnutls/comparison.html
>
> What do you think?

I love it! The fact that libcurl supports all three of these also
makes it a great comparison table for me to point out to libcurl
users.

A few ideas:

- Make the Yes/No boxes use different colors (perhaps green/red) to make it
  easier to detect the differences when browsing casually.

- The multi-threaded situation. With NSS they say no mutex callbacks are
  necessary, with GnuTLS you need to set them in an _underlying_ crypto
  library while in OpenSSL you use the OpenSSL API to set them.

- The random seed situation. I don't know about the NSS in this aspect, but
  again with GnuTLS you need to set them in an _underlying_ crypto library
  while in OpenSSL you use the OpenSSL API.

These two latter points are stuff I've planned to discuss with you to
fix in a future GnuTLS but I've not yet had the time.

From dev001 at pas-world.com Thu May 3 19:21:33 2007
From: dev001 at pas-world.com (devel)
Date: Thu, 03 May 2007 17:21:33 +0000
Subject: [Help-gnutls] GnuTLS vs OpenSSL vs NSS
In-Reply-To: <87k5vq5d2m.fsf@mocca.josefsson.org>
References: <87k5vq5d2m.fsf@mocca.josefsson.org>
Message-ID: <1178212893.4633.8.camel@www.pas-world.com>

On Thu, 03-05-2007 at 14:03 +0200, Simon Josefsson wrote:
> Hi!
>
> I've created some tables with a comparison between common TLS
> implementations. I'm running short of ideas on things to compare. Any
> ideas or suggestions? The URL is:

Suggestion:

Implementations of usable software. In this, I think that gnutls is less
than OpenSSL, for example mod_ssl of apache. Vitality of projects that
support GNUTLS, OPENSSL,...
Lifetime projects.
Critical bugs.
Support to hardware accelerator and other devices.
Lines of code.
...
Etc.

>
> http://www.gnu.org/software/gnutls/comparison.html
>
> What do you think?
>
> Also, if you notice any mistakes, or know for sure the status on some I
> put down as 'No?', please let me know and I'll fix it.
>
> /Simon

From simon at josefsson.org Thu May 3 17:36:53 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 03 May 2007 17:36:53 +0200
Subject: [Help-gnutls] Re: GnuTLS vs OpenSSL vs NSS
In-Reply-To: (Daniel Stenberg's message of "Thu\, 3 May 2007 13\:16\:01 +0200 \(CEST\)")
References: <87k5vq5d2m.fsf@mocca.josefsson.org>
Message-ID: <87tzut2a22.fsf@mocca.josefsson.org>

Daniel Stenberg writes:

> On Thu, 3 May 2007, Simon Josefsson wrote:
>
>> I've created some tables with a comparison between common TLS
>> implementations. I'm running short of ideas on things to compare.
>> Any ideas or suggestions? The URL is:
>>
>> http://www.gnu.org/software/gnutls/comparison.html
>>
>> What do you think?
>
> I love it! The fact that libcurl supports all three of these also
> makes it a great comparison table for me to point out to libcurl
> users.

Nice. Btw, I intend to send the link to the OpenSSL/NSS communities, so
they can correct any errors and suggest other things to compare too.

> A few ideas:
>
> - Make the Yes/No boxes use different colors (perhaps green/red) to make it
>   easier to detect the differences when browsing casually.

Done.

> - The multi-threaded situation. With NSS they say no mutex callbacks are
>   necessary, with GnuTLS you need to set them in an _underlying_ crypto
>   library while in OpenSSL you use the OpenSSL API to set them.
>
> - The random seed situation. I don't know about the NSS in this aspect, but
>   again with GnuTLS you need to set them in an _underlying_ crypto library
>   while in OpenSSL you use the OpenSSL API.

Added, under a new "Portability concerns" table. It got a bit verbose,
comments welcome.

> These two latter points are stuff I've planned to discuss with you to
> fix in a future GnuTLS but I've not yet had the time.

Fixing them would indeed be useful. I'm not happy with how libgcrypt
creates additional thread-safety concerns for GnuTLS applications, but
fixing it is non-trivial and nobody has offered to work on it or sponsor
such work. I expect the random seed API problem will be resolved soon, I
noticed some patches went into libgcrypt for this recently.

/Simon

From simon at josefsson.org Thu May 3 18:04:44 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 03 May 2007 18:04:44 +0200
Subject: [Help-gnutls] Re: GnuTLS vs OpenSSL vs NSS
In-Reply-To: <1178212893.4633.8.camel@www.pas-world.com> (devel's message of "Thu\, 03 May 2007 17\:21\:33 +0000")
References: <87k5vq5d2m.fsf@mocca.josefsson.org>
 <1178212893.4633.8.camel@www.pas-world.com>
Message-ID: <87hcqt28rn.fsf@mocca.josefsson.org>

devel writes:

> On Thu, 03-05-2007 at 14:03 +0200, Simon Josefsson wrote:
>> Hi!
>>
>> I've created some tables with a comparison between common TLS
>> implementations. I'm running short of ideas on things to compare. Any
>> ideas or suggestions? The URL is:
>
> Suggestion:
>
> Implementations of usable software. In this, I think that gnutls is less
> than OpenSSL, for example mod_ssl of apache. Vitality of projects that
> support GNUTLS, OPENSSL,...
> Lifetime projects.

I find it difficult to measure those things. Any suggestion exactly how
a table measuring those things would look like?

> Critical bugs.

A list of published vulnerabilities may be relevant here...

> Support to hardware accelerator and other devices.

Adding it would be good.

> Lines of code.

I added a 'code size' Table. The 60kLoc is for the core library. I'm
not sure what a good way to compute kloc is for a project with required
dependencies... Anyway, it is a start.

/Simon

> ...
> Etc.
>
>
>>
>> http://www.gnu.org/software/gnutls/comparison.html
>>
>> What do you think?
>>
>> Also, if you notice any mistakes, or know for sure the status on some I
>> put down as 'No?', please let me know and I'll fix it.
>>
>> /Simon

From dkg-debian.org at fifthhorseman.net Thu May 3 18:43:24 2007
From: dkg-debian.org at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Thu, 03 May 2007 12:43:24 -0400
Subject: [Help-gnutls] Re: GnuTLS vs OpenSSL vs NSS
In-Reply-To: <87hcqt28rn.fsf@mocca.josefsson.org> (Simon Josefsson's message of "Thu, 03 May 2007 18:04:44 +0200")
References: <87k5vq5d2m.fsf@mocca.josefsson.org>
 <1178212893.4633.8.camel@www.pas-world.com>
 <87hcqt28rn.fsf@mocca.josefsson.org>
Message-ID: <87tzut7t8z.fsf@squeak.fifthhorseman.net>

On Thu 2007-05-03 12:04:44 -0400, Simon Josefsson wrote:

> devel writes:

>> Support to hardware accelerator and other devices.
>
> Adding it would be good.

I also think this would be worth including. openSSL's "engine"
architecture and NSS's "security modules" provide some food for
thought. I don't know GnuTLS well enough to know if there's a
comparable API for either of these, so i'd very much like to see them
compared by someone knowledgeable.

As nice as those frameworks are for encouraging hardware crypto
(smartcard support, etc), i think they also provide yet another place
for security concerns to pop up. So they're a mixed bag.

You might also want to clarify that this table is comparing *free* TLS
implementations, or else add some non-free implementations to the
list.

Lastly, i'd be very excited if the headers of the various columns
could be links to the specifications of the features to which they
refer. That could make this page an all-around reference point for
TLS functionality and specifications, which would be great.

Thanks for writing this up, Simon. It's great.

--dkg

From simon at josefsson.org Thu May 3 21:38:35 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 03 May 2007 21:38:35 +0200
Subject: [Help-gnutls] Re: GnuTLS vs OpenSSL vs NSS
In-Reply-To: <87tzut7t8z.fsf@squeak.fifthhorseman.net> (Daniel Kahn Gillmor's message of "Thu\, 03 May 2007 12\:43\:24 -0400")
References: <87k5vq5d2m.fsf@mocca.josefsson.org>
 <1178212893.4633.8.camel@www.pas-world.com>
 <87hcqt28rn.fsf@mocca.josefsson.org>
 <87tzut7t8z.fsf@squeak.fifthhorseman.net>
Message-ID: <87hcqtd7es.fsf@mocca.josefsson.org>

Daniel Kahn Gillmor writes:

> On Thu 2007-05-03 12:04:44 -0400, Simon Josefsson wrote:
>
>> devel writes:
>
>>> Support to hardware accelerator and other devices.
>>
>> Adding it would be good.
>
> I also think this would be worth including. openSSL's "engine"
> architecture and NSS's "security modules" provide some food for
> thought. I don't know GnuTLS well enough to know if there's a
> comparable API for either of these, so i'd very much like to see them
> compared by someone knowledgeable.

Right, I think we should mention this. There is no equivalent feature
in GnuTLS yet, but I'm working on PKCS#11 support to address one aspect
of this (client smart card authentication) and made the first release a
few days ago.

> As nice as those frameworks are for encouraging hardware crypto
> (smartcard support, etc), i think they also provide yet another place
> for security concerns to pop up. So they're a mixed bag.

Yup.

> You might also want to clarify that this table is comparing *free* TLS
> implementations, or else add some non-free implementations to the
> list.

Oh, right. I made this clear at the top of the page now.

Btw, I'd like to add other free TLS libraries to the list.
That's why I made the implementations have one row each in the tables,
rather than having the implementations be one column each. This
allows the list of implementations to be added easily, without
clobbering the page too much.

> Lastly, i'd be very excited if the headers of the various columns
> could be links to the specifications of the features to which they
> refer. That could make this page an all-around reference point for
> TLS functionality and specifications, which would be great.

Good idea.

> Thanks for writing this up, Simon. It's great.

Thanks for the support. I hope people more familiar with OpenSSL and
NSS will provide the appropriate feedback.

/Simon

From dkg-debian.org at fifthhorseman.net Thu May 3 22:03:04 2007
From: dkg-debian.org at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Thu, 03 May 2007 16:03:04 -0400
Subject: [Help-gnutls] Re: GnuTLS vs OpenSSL vs NSS
In-Reply-To: <87hcqtd7es.fsf@mocca.josefsson.org> (Simon Josefsson's message of "Thu, 03 May 2007 21:38:35 +0200")
References: <87k5vq5d2m.fsf@mocca.josefsson.org>
 <1178212893.4633.8.camel@www.pas-world.com>
 <87hcqt28rn.fsf@mocca.josefsson.org>
 <87tzut7t8z.fsf@squeak.fifthhorseman.net>
 <87hcqtd7es.fsf@mocca.josefsson.org>
Message-ID: <87bqh1wu87.fsf@squeak.fifthhorseman.net>

On Thu 2007-05-03 15:38:35 -0400, Simon Josefsson wrote:

> Right, I think we should mention this. There is no equivalent feature
> in GnuTLS yet, but I'm working on PKCS#11 support to address one aspect
> of this (client smart card authentication) and made the first release a
> few days ago.

i'd be interested in reviewing this, if you've got test cases that
need it. Sorry that i missed the initial announcement. i use an
eGate smartcard for daily (hooked in via opensc and openct) via PAM
and openssh [0], and i've got a spare device i could test with.

Can you point me towards something to test?

> Btw, I'd like to add other free TLS libraries to the list. That's
> why I made the implementations have one row each in the tables,
> rather than having the implementations be one column each. This
> allows the list of implementations to be added easily, without
> clobbering the page too much.

these might be worth including:

http://yassl.com/
http://www.matrixssl.org/

(and soliciting feedback from their developers would be a good thing
for the page, too)

Regards,

--dkg

[0] http://lair.fifthhorseman.net/~dkg/egate/

From daniel at haxx.se Thu May 3 22:05:38 2007
From: daniel at haxx.se (Daniel Stenberg)
Date: Thu, 3 May 2007 22:05:38 +0200 (CEST)
Subject: [Help-gnutls] Re: GnuTLS vs OpenSSL vs NSS
In-Reply-To: <87hcqtd7es.fsf@mocca.josefsson.org>
References: <87k5vq5d2m.fsf@mocca.josefsson.org>
 <1178212893.4633.8.camel@www.pas-world.com>
 <87hcqt28rn.fsf@mocca.josefsson.org>
 <87tzut7t8z.fsf@squeak.fifthhorseman.net>
 <87hcqtd7es.fsf@mocca.josefsson.org>
Message-ID:

On Thu, 3 May 2007, Simon Josefsson wrote:

> Btw, I'd like to add other free TLS libraries to the list. That's why I
> made the implementations have one row each in the tables, rather than having
> the implementations be one column each. This allows the list of
> implementations to be added easily, without clobbering the page too much.

yassl is one of them other ones. GPL licensed with an OpenSSL compatible API
alternative, that makes at least libcurl possible to build with it and use it.

This said, I don't know much about it to be able to fill in info to the tables
about yassl.

From simon at josefsson.org Fri May 4 14:18:18 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Fri, 04 May 2007 14:18:18 +0200
Subject: [Help-gnutls] Re: GnuTLS vs OpenSSL vs NSS
In-Reply-To: <87bqh1wu87.fsf@squeak.fifthhorseman.net> (Daniel Kahn Gillmor's message of "Thu\, 03 May 2007 16\:03\:04 -0400")
References: <87k5vq5d2m.fsf@mocca.josefsson.org>
 <1178212893.4633.8.camel@www.pas-world.com>
 <87hcqt28rn.fsf@mocca.josefsson.org>
 <87tzut7t8z.fsf@squeak.fifthhorseman.net>
 <87hcqtd7es.fsf@mocca.josefsson.org>
 <87bqh1wu87.fsf@squeak.fifthhorseman.net>
Message-ID: <873b2c7pf9.fsf@mocca.josefsson.org>

Daniel Kahn Gillmor writes:

> On Thu 2007-05-03 15:38:35 -0400, Simon Josefsson wrote:
>
>> Right, I think we should mention this. There is no equivalent feature
>> in GnuTLS yet, but I'm working on PKCS#11 support to address one aspect
>> of this (client smart card authentication) and made the first release a
>> few days ago.
>
> i'd be interested in reviewing this, if you've got test cases that
> need it. Sorry that i missed the initial announcement. i use an
> eGate smartcard for daily (hooked in via opensc and openct) via PAM
> and openssh [0], and i've got a spare device i could test with.
>
> Can you point me towards something to test?

Neat! It would be very useful to have more testers with other smart
card devices. See the gnutls-dev list, and the recent p11-branch
announcement:

http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/1976
http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/1923

Right now, loading trusted CAs via the Scute PKCS#11 provider works.

If you can point to a PKCS#11 provider for your card, I can see if I
can make GnuTLS support linking to it -- I probably can't test it
myself though.

>> Btw, I'd like to add other free TLS libraries to the list. That's
>> why I made the implementations have one row each in the tables,
>> rather than having the implementations be one column each. This
>> allows the list of implementations to be added easily, without
>> clobbering the page too much.
>
> these might be worth including:
>
> http://yassl.com/
> http://www.matrixssl.org/
>
> (and soliciting feedback from their developers would be a good thing
> for the page, too)

Yup. I'll update the comparison page with all input next week or so.

/Simon

From dkg-debian.org at fifthhorseman.net Fri May 4 17:38:45 2007
From: dkg-debian.org at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Fri, 04 May 2007 11:38:45 -0400
Subject: [Help-gnutls] OpenSC and GnuTLS [was: Re: GnuTLS vs OpenSSL vs NSS]
In-Reply-To: <873b2c7pf9.fsf@mocca.josefsson.org> (Simon Josefsson's message of "Fri, 04 May 2007 14:18:18 +0200")
References: <87k5vq5d2m.fsf@mocca.josefsson.org>
 <1178212893.4633.8.camel@www.pas-world.com>
 <87hcqt28rn.fsf@mocca.josefsson.org>
 <87tzut7t8z.fsf@squeak.fifthhorseman.net>
 <87hcqtd7es.fsf@mocca.josefsson.org>
 <87bqh1wu87.fsf@squeak.fifthhorseman.net>
 <873b2c7pf9.fsf@mocca.josefsson.org>
Message-ID: <87ejlwk396.fsf_-_@squeak.fifthhorseman.net>

On Fri 2007-05-04 08:18:18 -0400, Simon Josefsson wrote:

> If you can point to a PKCS#11 provider for your card, I can see if I
> can make GnuTLS support linking to it -- I probably can't test it
> myself though.

on debian lenny (and probably etch too), the libopensc2 package
provides /usr/lib/opensc-pkcs11.so:

http://packages.qa.debian.org/o/opensc.html

is that what you're looking for? i confess i still don't know enough
about how the smartcard infrastructure works. But if you can get
opensc to work, i think you'll enable many more cards than just the
eGate that i'm using.

If that's not what you're looking for, give me more details, and i'll
try to find something more appropriate.

hth,

--dkg

From simon at josefsson.org Tue May 8 12:56:41 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Tue, 08 May 2007 12:56:41 +0200
Subject: [Help-gnutls] Re: OpenSC and GnuTLS
In-Reply-To: <87ejlwk396.fsf_-_@squeak.fifthhorseman.net> (Daniel Kahn Gillmor's message of "Fri\, 04 May 2007 11\:38\:45 -0400")
References: <87k5vq5d2m.fsf@mocca.josefsson.org>
 <1178212893.4633.8.camel@www.pas-world.com>
 <87hcqt28rn.fsf@mocca.josefsson.org>
 <87tzut7t8z.fsf@squeak.fifthhorseman.net>
 <87hcqtd7es.fsf@mocca.josefsson.org>
 <87bqh1wu87.fsf@squeak.fifthhorseman.net>
 <873b2c7pf9.fsf@mocca.josefsson.org>
 <87ejlwk396.fsf_-_@squeak.fifthhorseman.net>
Message-ID: <87ejlrk2hi.fsf@mocca.josefsson.org>

Daniel Kahn Gillmor writes:

> On Fri 2007-05-04 08:18:18 -0400, Simon Josefsson wrote:
>
>> If you can point to a PKCS#11 provider for your card, I can see if I
>> can make GnuTLS support linking to it -- I probably can't test it
>> myself though.
>
> on debian lenny (and probably etch too), the libopensc2 package
> provides /usr/lib/opensc-pkcs11.so:
>
> http://packages.qa.debian.org/o/opensc.html
>
> is that what you're looking for? i confess i still don't know enough
> about how the smartcard infrastructure works. But if you can get
> opensc to work, i think you'll enable many more cards than just the
> eGate that i'm using.

Yup. That library appears to be linked with non-GPL compatible
libraries (OpenSSL), though, so it may not be possible to distribute
anything that supports this approach. But using it to test my PKCS#11
implementation would still be possible.

Another thing that would be useful is if I can figure out how to link to
NSS's soft token PKCS#11 library.

> If that's not what you're looking for, give me more details, and i'll
> try to find something more appropriate.

What I don't know is how to link to it... Removing '-lscute' and adding
'/usr/lib/opensc-pkcs11.so' links fine:

jas at mocca:~/src/gnutls-pkcs11/pkcs11$ /bin/sh ../libtool --tag=CC --mode=link gcc -std=gnu99 -D_REENTRANT -D_THREAD_SAFE -g -Wall -Wcast-align -W -Wpointer-arith -Wchar-subscripts -Wformat-security -Wno-format-y2k -Wmissing-braces -Winline -Wstrict-prototypes -Wno-unused-parameter -Wno-pointer-sign -pipe -I/usr/local/include -I/usr/local/include -no-undefined -version-info 21:1:8 -L/usr/local/lib -lassuan -L/usr/local/lib -lgpg-error -R/usr/local/lib -o libgnutls-pkcs11.la -rpath /usr/local/lib gnutls_pkcs11.lo ../lib/libgnutls.la /usr/lib/opensc-pkcs11.so
rm -fr .libs/libgnutls-pkcs11.a .libs/libgnutls-pkcs11.la .libs/libgnutls-pkcs11.lai .libs/libgnutls-pkcs11.so .libs/libgnutls-pkcs11.so.13 .libs/libgnutls-pkcs11.so.13.8.1
gcc -std=gnu99 -shared .libs/gnutls_pkcs11.o -Wl,--rpath -Wl,/usr/local/lib -Wl,--rpath -Wl,/home/jas/src/gnutls-pkcs11/lib/.libs -Wl,--rpath -Wl,/usr/local/lib -L/usr/local/lib -lassuan /usr/local/lib/libgpg-error.so ../lib/.libs/libgnutls.so -Wl,-soname -Wl,libgnutls-pkcs11.so.13 -o .libs/libgnutls-pkcs11.so.13.8.1
(cd .libs && rm -f libgnutls-pkcs11.so.13 && ln -s libgnutls-pkcs11.so.13.8.1 libgnutls-pkcs11.so.13)
(cd .libs && rm -f libgnutls-pkcs11.so && ln -s libgnutls-pkcs11.so.13.8.1 libgnutls-pkcs11.so)
ar cru .libs/libgnutls-pkcs11.a gnutls_pkcs11.o
ranlib .libs/libgnutls-pkcs11.a
creating libgnutls-pkcs11.la
(cd .libs && rm -f libgnutls-pkcs11.la && ln -s ../libgnutls-pkcs11.la libgnutls-pkcs11.la)

However, for some reason, the opensc-pkcs11 library doesn't get pulled
in:

jas at mocca:~/src/gnutls-pkcs11/pkcs11$ ldd .libs/libgnutls-pkcs11.so
        linux-gate.so.1 => (0xffffe000)
        libgpg-error.so.0 => /usr/local/lib/libgpg-error.so.0 (0xb7fa0000)
        libgnutls.so.13 => /usr/local/lib/libgnutls.so.13 (0xb7f03000)
        libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7dc2000)
        libnsl.so.1 => /lib/tls/i686/cmov/libnsl.so.1 (0xb7dac000)
        libz.so.1 => /usr/lib/libz.so.1 (0xb7d98000)
        libgcrypt.so.11 => /usr/local/lib/libgcrypt.so.11 (0xb7d47000)
        /lib/ld-linux.so.2 (0x80000000)
jas at mocca:~/src/gnutls-pkcs11/pkcs11$

So when I start gnutls-cli, it complains that C_Initialize (the PKCS#11
init function) is not available, which is correct.

Perhaps opensc-pkcs11.so needs to be dlopen()'d, or something else is
needed.

/Simon

From ludo at chbouib.org Fri May 11 15:33:50 2007
From: ludo at chbouib.org (Ludovic Courtès)
Date: Fri, 11 May 2007 15:33:50 +0200
Subject: [Help-gnutls] X.509 authentication and `GNUTLS_CERT_REQUIRE'
Message-ID: <87mz0bh4ch.fsf@chbouib.org>

Hi,

When X.509 authentication is used along with `GNUTLS_CERT_REQUIRE' on
the server-side, the client apparently does not send its certificate as
it should. Enabling debugging shows the following:

  [7999|3] HSK[80aaee0]: CERTIFICATE was send [678 bytes]
  [8037|3] HSK[80aaee0]: CERTIFICATE was received [678 bytes]
  [7999|3] HSK[80aaee0]: CERTIFICATE REQUEST was send [9 bytes]
  [8037|3] HSK[80aaee0]: CERTIFICATE REQUEST was received [9 bytes]
  [8037|2] ASSERT: auth_cert.c:207
  [7999|3] HSK[80aaee0]: SERVER HELLO DONE was send [4 bytes]
  [8037|3] HSK[80aaee0]: SERVER HELLO DONE was received [4 bytes]
  [8037|3] HSK[80aaee0]: CERTIFICATE was send [7 bytes]
  [8037|3] HSK[80aaee0]: CLIENT KEY EXCHANGE was send [134 bytes]
  [8037|3] REC[80aaee0]: Sent ChangeCipherSpec
  [8037|3] HSK[80aaee0]: Cipher Suite: RSA_NULL_MD5
  [8037|3] HSK[80aaee0]: Initializing internal [write] cipher sessions
  [8037|3] HSK[80aaee0]: FINISHED was send [16 bytes]
  [7999|3] HSK[80aaee0]: CERTIFICATE was received [7 bytes]
  [7999|2] ASSERT: auth_cert.c:874
  [7999|2] ASSERT: gnutls_handshake.c:2475

Here, 7999 is the server and 8037 is the client.

Apparently, in `_gnutls_send_client_certificate ()', the client ends up
calling `_gnutls_send_handshake ()' with DATA == NULL and DATA_SIZE == 0,
hence the 7-byte "certificate" message.

Any idea what's going wrong?

Thanks,
Ludovic.

From simon at josefsson.org Fri May 11 17:08:30 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Fri, 11 May 2007 17:08:30 +0200
Subject: [Help-gnutls] Re: X.509 authentication and `GNUTLS_CERT_REQUIRE'
In-Reply-To: <87mz0bh4ch.fsf@chbouib.org> ("Ludovic Courtès"'s message of "Fri\, 11 May 2007 15\:33\:50 +0200")
References: <87mz0bh4ch.fsf@chbouib.org>
Message-ID: <87ps57pfdd.fsf@mocca.josefsson.org>

ludo at chbouib.org (Ludovic Courtès) writes:

> Hi,
>
> When X.509 authentication is used along with `GNUTLS_CERT_REQUIRE' on
> the server-side, the client apparently does not send its certificate as
> it should. Enabling debugging shows the following:
>
>   [7999|3] HSK[80aaee0]: CERTIFICATE was send [678 bytes]
>   [8037|3] HSK[80aaee0]: CERTIFICATE was received [678 bytes]
>   [7999|3] HSK[80aaee0]: CERTIFICATE REQUEST was send [9 bytes]
>   [8037|3] HSK[80aaee0]: CERTIFICATE REQUEST was received [9 bytes]
>   [8037|2] ASSERT: auth_cert.c:207
>   [7999|3] HSK[80aaee0]: SERVER HELLO DONE was send [4 bytes]
>   [8037|3] HSK[80aaee0]: SERVER HELLO DONE was received [4 bytes]
>   [8037|3] HSK[80aaee0]: CERTIFICATE was send [7 bytes]
>   [8037|3] HSK[80aaee0]: CLIENT KEY EXCHANGE was send [134 bytes]
>   [8037|3] REC[80aaee0]: Sent ChangeCipherSpec
>   [8037|3] HSK[80aaee0]: Cipher Suite: RSA_NULL_MD5
>   [8037|3] HSK[80aaee0]: Initializing internal [write] cipher sessions
>   [8037|3] HSK[80aaee0]: FINISHED was send [16 bytes]
>   [7999|3] HSK[80aaee0]: CERTIFICATE was received [7 bytes]
>   [7999|2] ASSERT: auth_cert.c:874
>   [7999|2] ASSERT: gnutls_handshake.c:2475
>
> Here, 7999 is the server and 8037 is the client.
>
> Apparently, in `_gnutls_send_client_certificate ()', the client ends up
> calling `_gnutls_send_handshake ()' with DATA == NULL and DATA_SIZE == 0,
> hence the 7-byte "certificate" message.
>
> Any idea what's going wrong?

Is OpenPGP preferred over X.509? If OpenPGP is preferred over X.509,
and that has been negotiated, then X.509 certificates will not be sent.
This is somewhat of a flaw in the TLS-OpenPGP draft IMHO, it should be
possible to support both X.509 and OpenPGP at the same time.

I know that the GnuTLS recent default is to prefer OpenPGP over X.509.
It is probably wrong, and I have reverted it in CVS HEAD.

There may be other causes too, but this one is what I've run into a few
times. Does this help?

Btw, is the 7-byte message wrong? Maybe it shouldn't be sent at all in
this situation.

/Simon

From ludo at chbouib.org Fri May 11 22:43:49 2007
From: ludo at chbouib.org (Ludovic Courtès)
Date: Fri, 11 May 2007 22:43:49 +0200
Subject: [Help-gnutls] Re: X.509 authentication and `GNUTLS_CERT_REQUIRE'
References: <87mz0bh4ch.fsf@chbouib.org>
 <87ps57pfdd.fsf@mocca.josefsson.org>
Message-ID: <87zm4bay62.fsf@chbouib.org>

Hi,

Simon Josefsson writes:

> Is OpenPGP preferred over X.509?

Nope, the certificate priority on both sides contains only X.509.

> If OpenPGP is preferred over X.509,
> and that has been negotiated, then X.509 certificates will not be sent.
> This is somewhat of a flaw in the TLS-OpenPGP draft IMHO, it should be
> possible to support both X.509 and OpenPGP at the same time.

OTOH, if both parties prefer OpenPGP, then it seems logical to use
OpenPGP _and_ send OpenPGP certificates (if required).

> I know that the GnuTLS recent default is to prefer OpenPGP over X.509.
> It is probably wrong, and I have reverted it in CVS HEAD.

Yes, since X.509 has been the default certificate type historically, it
should probably remain so.

> There may be other causes too, but this one is what I've run into a few
> times. Does this help?

Not much. :-)

> Btw, is the 7-byte message wrong? Maybe it shouldn't be sent at all in
> this situation.

The 7-byte message means "empty certificate"; it is produced by
`_gnutls_gen_x509_crt ()' because APR_CERT_LIST_LENGTH == 0.

So, the root of the problem is that `_find_x509_cert ()' finds no usable
certificate (I'm using the "automatic" mode, i.e., with no call-backs).
And it finds nothing because it gets only _DATA_SIZE == 5 worth of data.

That's as far as I could go for now. :-)

Thanks,
Ludovic.

From simon at josefsson.org Sat May 12 11:01:14 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Sat, 12 May 2007 11:01:14 +0200
Subject: [Help-gnutls] Re: X.509 authentication and `GNUTLS_CERT_REQUIRE'
In-Reply-To: <87zm4bay62.fsf@chbouib.org> ("Ludovic Courtès"'s message of "Fri\, 11 May 2007 22\:43\:49 +0200")
References: <87mz0bh4ch.fsf@chbouib.org>
 <87ps57pfdd.fsf@mocca.josefsson.org>
 <87zm4bay62.fsf@chbouib.org>
Message-ID: <87r6pmo1ph.fsf@mocca.josefsson.org>

ludo at chbouib.org (Ludovic Courtès) writes:

> Hi,
>
> Simon Josefsson writes:
>
>> Is OpenPGP preferred over X.509?
>
> Nope, the certificate priority on both sides contains only X.509.

Oh. I see, bad theory then. Hm. Have you loaded the proper CA cert in
the server? The server sends over some information about the known CA
certs, and if that doesn't match the user's certificate, the client
won't send its user certificate.

>> If OpenPGP is preferred over X.509,
>> and that has been negotiated, then X.509 certificates will not be sent.
>> This is somewhat of a flaw in the TLS-OpenPGP draft IMHO, it should be
>> possible to support both X.509 and OpenPGP at the same time.
>
> OTOH, if both parties prefer OpenPGP, then it seems logical to use
> OpenPGP _and_ send OpenPGP certificates (if required).

Yup. Problem is in gnutls-cli: the preference is hard-coded to either
"x509 then openpgp" or "openpgp then x509".
It should probably depend on which credentials are available: if x509
credentials are available, prefer x509. If openpgp credentials are
available, prefer openpgp. If both are available, I'm not sure what the
default should be. Most likely x509.

>> Btw, is the 7-byte message wrong? Maybe it shouldn't be sent at all in
>> this situation.
>
> The 7-byte message means "empty certificate"; it is produced by
> `_gnutls_gen_x509_crt ()' because APR_CERT_LIST_LENGTH == 0.
>
> So, the root of the problem is that `_find_x509_cert ()' finds no usable
> certificate (I'm using the "automatic" mode, i.e., with no call-backs).
> And it finds nothing because it gets only _DATA_SIZE == 5 worth of data.

Ok. I think you'll need to debug why find_x509_cert doesn't return an
appropriate cert. My "check your power cable"-theory is that there is
no user cert that matches the CA cert that the server uses.

/Simon

From simon at josefsson.org Sat May 12 15:43:08 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Sat, 12 May 2007 15:43:08 +0200
Subject: [Help-gnutls] GnuTLS 1.7.9
Message-ID: <87fy62ma37.fsf@mocca.josefsson.org>

I'm posting this announcement of a development version here because I
can't post to gnutls-dev at gnupg.org right now (it rejects messages
sent from hosts with no reverse-DNS information).

Note that the GnuTLS 1.7.x branch is NOT what you want for your stable
system. It is intended for developers and experienced users.

* Version 1.7.9 (released 2007-05-12)

** X.509 certificates are preferred over OpenPGP keys.
This is a change in the semantics of gnutls_set_default_priority.

** The included copy of OpenCDK has been updated to 0.6.1.
There have been some API changes in OpenCDK, and the GnuTLS layer has
been modified as well. Note that while there are API/ABI incompatible
changes in OpenCDK, this does not influence GnuTLS's API/ABI because its
API/ABI have not changed. From this version on, GnuTLS requires OpenCDK
0.6.0 or later.

** Fix build failure caused by missing doc/gnutls-logo.pdf. ** Change certtool's default serial number from 0 to a time-based value. ** Fix X.509 signing with RSA-PKCS#1 to set a NULL parameters fields. Before, we remove the parameters field, which resulted in a slightly different DER encoding which in turn caused signature verification failures of GnuTLS-generated RSA certificates in some other implementations (e.g., GnuPG 2.x's gpgsm). Depending on which RFCs you read, this may or may not be correct, but our new behaviour appear to be consistent with other widely used implementations. ** Fix mem leaks in gnutls_x509_crt_print. ** API and ABI modifications: No changes since last version. Here are the compressed sources (4.3MB): ftp://ftp.gnutls.org/pub/gnutls/gnutls-1.7.9.tar.bz2 http://josefsson.org/gnutls/releases/gnutls-1.7.9.tar.bz2 Here are GPG detached signatures signed using key 0xB565716F: ftp://ftp.gnutls.org/pub/gnutls/gnutls-1.7.9.tar.bz2.sig http://josefsson.org/gnutls/releases/gnutls-1.7.9.tar.bz2.sig Here are the SHA-1 and SHA-224 checksums: fb54ad79207cf859b823d9fdf51e1d31d22a7d93 gnutls-1.7.9.tar.bz2 ca57b5f46869983f240f9866f6c2149ee51fb88c gnutls-1.7.9.tar.bz2.sig 070cf68633cb8c5445c3448e5b47b753ebc12ea4c11a13a09e46e6c2 gnutls-1.7.9.tar.bz2 dd6542ee03a29a96cff54d46c167c7c265c154e2be3ba2f1ff017853 gnutls-1.7.9.tar.bz2.sig Improving GnuTLS is costly, but you can help! We are looking for organizations that find GnuTLS useful and wish to contribute back. You can contribute by reporting bugs, improve the software, or donate money or equipment. Commercial support contracts for GnuTLS are available, and they help finance continued maintenance. Simon Josefsson Datakonsult, a Stockholm based privately held company, is currently funding GnuTLS maintenance. We are always looking for interesting development projects. See http://josefsson.org/ for more details. /Simon -------------- next part -------------- A non-text attachment was scrubbed... 
From ludo at chbouib.org Sat May 12 16:56:22 2007
From: ludo at chbouib.org (Ludovic Courtès)
Date: Sat, 12 May 2007 16:56:22 +0200
Subject: [Help-gnutls] Re: X.509 authentication and `GNUTLS_CERT_REQUIRE'
References: <87mz0bh4ch.fsf@chbouib.org> <87ps57pfdd.fsf@mocca.josefsson.org> <87zm4bay62.fsf@chbouib.org> <87r6pmo1ph.fsf@mocca.josefsson.org>
Message-ID: <87hcqi9jl5.fsf@chbouib.org>

Hi,

Simon Josefsson writes:

> Oh. I see, bad theory then. Hm. Have you loaded the proper CA cert in the server? The server sends over some information about the known CA certs, and if that doesn't match the user's certificate, the client won't send its user certificate.

Actually, you were right: my power cable was not quite plugged in. ;-) Adding a `set_x509_trust_file ()' call on the server side fixed the problem.

I was not expecting such behavior, though. Roughly, I had copied my OpenPGP example (where `GNUTLS_CERT_REQUIRE' worked fine) and replaced "openpgp" with "x509". The fact that we need to specify a trust file in X.509 and not in the OpenPGP case for `GNUTLS_CERT_REQUIRE' to work creates a slight asymmetry.

Thanks!

Ludovic.

From simon at josefsson.org Sun May 13 12:30:25 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Sun, 13 May 2007 12:30:25 +0200
Subject: [Help-gnutls] Re: X.509 authentication and `GNUTLS_CERT_REQUIRE'
In-Reply-To: <87hcqi9jl5.fsf@chbouib.org> ("Ludovic Courtès"'s message of "Sat\, 12 May 2007 16\:56\:22 +0200")
References: <87mz0bh4ch.fsf@chbouib.org> <87ps57pfdd.fsf@mocca.josefsson.org> <87zm4bay62.fsf@chbouib.org> <87r6pmo1ph.fsf@mocca.josefsson.org> <87hcqi9jl5.fsf@chbouib.org>
Message-ID: <871whlm2wu.fsf@mocca.josefsson.org>

ludo at chbouib.org (Ludovic Courtès) writes:

> Hi,
>
> Simon Josefsson writes:
>
>> Oh. I see, bad theory then. Hm.
>> Have you loaded the proper CA cert in the server? The server sends over some information about the known CA certs, and if that doesn't match the user's certificate, the client won't send its user certificate.
>
> Actually, you were right: my power cable was not quite plugged in. ;-) Adding a `set_x509_trust_file ()' call on the server side fixed the problem.

Ah, ok.

> I was not expecting such behavior, though. Roughly, I had copied my OpenPGP example (where `GNUTLS_CERT_REQUIRE' worked fine) and replaced "openpgp" with "x509". The fact that we need to specify a trust file in X.509 and not in the OpenPGP case for `GNUTLS_CERT_REQUIRE' to work creates a slight asymmetry.

I think the asymmetry can be traced back to the protocols. Certificate requests with X.509 requires that the user cert matches the CA cert, but with OpenPGP such a check isn't applicable.

I don't know whether it is OK for a client to send a X.509 client cert that doesn't match one of the authorities sent by the server. Maybe that should be possible?

/Simon

From ludo at chbouib.org Mon May 14 09:25:03 2007
From: ludo at chbouib.org (Ludovic Courtès)
Date: Mon, 14 May 2007 09:25:03 +0200
Subject: [Help-gnutls] Re: X.509 authentication and `GNUTLS_CERT_REQUIRE'
References: <87mz0bh4ch.fsf@chbouib.org> <87ps57pfdd.fsf@mocca.josefsson.org> <87zm4bay62.fsf@chbouib.org> <87r6pmo1ph.fsf@mocca.josefsson.org> <87hcqi9jl5.fsf@chbouib.org> <871whlm2wu.fsf@mocca.josefsson.org>
Message-ID: <87odknrho0.fsf@chbouib.org>

Hi,

Simon Josefsson writes:

> ludo at chbouib.org (Ludovic Courtès) writes:
>> I was not expecting such behavior, though. Roughly, I had copied my OpenPGP example (where `GNUTLS_CERT_REQUIRE' worked fine) and replaced "openpgp" with "x509". The fact that we need to specify a trust file in X.509 and not in the OpenPGP case for `GNUTLS_CERT_REQUIRE' to work creates a slight asymmetry.
>
> I think the asymmetry can be traced back to the protocols.
> Certificate requests with X.509 requires that the user cert matches the CA cert, but with OpenPGP such a check isn't applicable.

Right.

> I don't know whether it is OK for a client to send a X.509 client cert that doesn't match one of the authorities sent by the server. Maybe that should be possible?

Sections 7.4.4 and 7.4.6 of RFC 4346 do not mention it explicitly, but they seem to imply that a "suitable" certificate is one that matches the "known roots and [...] desired authorization space" specified in the `certificate_authorities' field of the certificate request.

Thanks,
Ludovic.

From simon at josefsson.org Mon May 14 11:01:13 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Mon, 14 May 2007 11:01:13 +0200
Subject: [Help-gnutls] Re: X.509 authentication and `GNUTLS_CERT_REQUIRE'
In-Reply-To: <87odknrho0.fsf@chbouib.org> ("Ludovic Courtès"'s message of "Mon\, 14 May 2007 09\:25\:03 +0200")
References: <87mz0bh4ch.fsf@chbouib.org> <87ps57pfdd.fsf@mocca.josefsson.org> <87zm4bay62.fsf@chbouib.org> <87r6pmo1ph.fsf@mocca.josefsson.org> <87hcqi9jl5.fsf@chbouib.org> <871whlm2wu.fsf@mocca.josefsson.org> <87odknrho0.fsf@chbouib.org>
Message-ID: <874pmfixt2.fsf@mocca.josefsson.org>

ludo at chbouib.org (Ludovic Courtès) writes:

>> I don't know whether it is OK for a client to send a X.509 client cert that doesn't match one of the authorities sent by the server. Maybe that should be possible?
>
> Sections 7.4.4 and 7.4.6 of RFC 4346 do not mention it explicitly, but they seem to imply that a "suitable" certificate is one that matches the "known roots and [...] desired authorization space" specified in the `certificate_authorities' field of the certificate request.

I just noticed that GnuTLS allows sending a user-selected certificate via the certificate callback interface -- I authenticated using my eID smart card against test.gnutls.org, and it certainly doesn't have the eID CA cert installed.
I think this sounds like a good situation. The application can provide many user credentials, and GnuTLS will pick one of them that matches the CA information sent from the server. It won't pick one of them if none of them matches the CA information. If the application wants to decide for itself which certificate to send, and possibly send one that doesn't match any CA sent by the server, it has to use the callback interface.

/Simon

From ludovic.courtes at laas.fr Mon May 14 14:26:38 2007
From: ludovic.courtes at laas.fr (Ludovic Courtès)
Date: Mon, 14 May 2007 14:26:38 +0200
Subject: [Help-gnutls] Re: X.509 authentication and `GNUTLS_CERT_REQUIRE'
References: <87mz0bh4ch.fsf@chbouib.org> <87ps57pfdd.fsf@mocca.josefsson.org> <87zm4bay62.fsf@chbouib.org> <87r6pmo1ph.fsf@mocca.josefsson.org> <87hcqi9jl5.fsf@chbouib.org> <871whlm2wu.fsf@mocca.josefsson.org> <87odknrho0.fsf@chbouib.org> <874pmfixt2.fsf@mocca.josefsson.org>
Message-ID: <87zm47vbep.fsf@laas.fr>

Hi,

Simon Josefsson writes:

> I think this sounds like a good situation. The application can provide many user credentials, and GnuTLS will pick one of them that matches the CA information sent from the server. It won't pick one of them if none of them matches the CA information. If the application wants to decide for itself which certificate to send, and possibly send one that doesn't match any CA sent by the server, it has to use the callback interface.

Ok, sounds good.

Thanks,
Ludovic.

From ludo at chbouib.org Mon May 14 19:51:01 2007
From: ludo at chbouib.org (Ludovic Courtès)
Date: Mon, 14 May 2007 19:51:01 +0200
Subject: [Help-gnutls] [ANN] Guile-GnuTLS 0.1
Message-ID: <87odkni9a2.fsf@chbouib.org>

Hi,

I am pleased to announce the release of Guile-GnuTLS 0.1. It may be the last stand-alone release since it will eventually be integrated in GnuTLS itself.
It is available from here:

  http://www.laas.fr/~lcourtes/software/guile/guile-gnutls-0.1.tar.gz

Documentation is accessible at:

  http://www.laas.fr/~lcourtes/software/guile/guile-gnutls.html

The SHA-1 sums of these files are:

397819818b0e206e69abf0b9a0536334499225e8  guile-gnutls-0.1.tar.gz
f8891fbed9741ac60785c0523613de5fb10b8f5f  guile-gnutls.html

Guile-GnuTLS is a set of GNU Guile bindings for GnuTLS. It allows programmers to use GnuTLS facilities from Guile Scheme programs. The only build-time and run-time requirements are Guile 1.8 and GnuTLS 1.4 or later.

This feature includes a better coverage of the X.509 API, as well as several bug fixes (see `NEWS' for details).

Note that bindings of the core GnuTLS API are released under the LGPL version 2.1 or later, while bindings of GnuTLS-Extra are released under the GPL version 2 or later.

A test suite can be run using "make check". If one of the OpenPGP-related tests fails, it may be the case that you hit a GnuTLS bug that is not fixed yet in the version you're using.

Please send comments, bug reports, feature requests, etc., to myself.

Thanks,
Ludovic.

From nielsen-list at memberwebs.com Tue May 22 19:45:23 2007
From: nielsen-list at memberwebs.com (Nate Nielsen)
Date: Tue, 22 May 2007 17:45:23 +0000 (UTC)
Subject: [Help-gnutls] How do i retrieve a full DER encoded subject from a gnutls_x509_crt_t
Message-ID: <20070522174523.2D401D4C14@mx.npubs.com>

There are several functions in x509.h to decompose or retrieve parts of the subject and issuer of a certificate.

I need to be able to retrieve the full DER encoded subject from a gnutls_x509_crt_t (for use in a PKCS#11 module). Any idea how I would go about it? I'm sure that there's a painfully obvious solution that I've missed...
Cheers,
Nate Nielsen

From simon at josefsson.org Wed May 23 11:27:04 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Wed, 23 May 2007 11:27:04 +0200
Subject: [Help-gnutls] Re: How do i retrieve a full DER encoded subject from a gnutls_x509_crt_t
In-Reply-To: <20070522174523.2D401D4C14@mx.npubs.com> (Nate Nielsen's message of "Tue\, 22 May 2007 17\:45\:23 +0000 \(UTC\)")
References: <20070522174523.2D401D4C14@mx.npubs.com>
Message-ID: <878xbfao0n.fsf@mocca.josefsson.org>

Nate Nielsen writes:

> There are several functions in x509.h to decompose or retrieve parts of the subject and issuer of a certificate.
>
> I need to be able to retrieve the full DER encoded subject from a gnutls_x509_crt_t (for use in a PKCS#11 module). Any idea how I would go about it? I'm sure that there's a painfully obvious solution that I've missed...

There is _gnutls_x509_crt_get_raw_dn, but it is not part of the official API. I suspect it isn't possible to easily do what you want right now. Unless someone can think of a better approach, I think we should make that function an official API function. Does that sound OK?

Btw, I think we should move the gnutls-x509 stuff into a separate library, and make things more modular... I'm not sure it makes sense for GnuTLS to implement all of X.509 internally. The first step to replacing the X.509 functions in GnuTLS with an external X.509 library would be to make it more modular. This is a lot of work, though...

/Simon

From nielsen-list at memberwebs.com Wed May 23 16:58:42 2007
From: nielsen-list at memberwebs.com (Nate Nielsen)
Date: Wed, 23 May 2007 14:58:42 +0000 (UTC)
Subject: [Help-gnutls] Re: How do i retrieve a full DER encoded subject from a gnutls_x509_crt_t
References: <20070522174523.2D401D4C14@mx.npubs.com> <878xbfao0n.fsf@mocca.josefsson.org>
Message-ID: <20070523145842.3C402D4C05@mx.npubs.com>

Simon Josefsson wrote:
> There is _gnutls_x509_crt_get_raw_dn, but it is not part of the official API.
> I suspect it isn't possible to easily do what you want right now. Unless someone can think of a better approach, I think we should make that function an official API function.

It differs from the rest of the API in allowing direct access to an internal DER structure. That's certainly not a problem for me, but something you may be interested in.

I'd also need this to be made public:

_gnutls_x509_crt_get_raw_issuer_dn

Cheers,
Nate Nielsen

From nielsen-list at memberwebs.com Wed May 23 21:43:42 2007
From: nielsen-list at memberwebs.com (Nate Nielsen)
Date: Wed, 23 May 2007 19:43:42 +0000 (UTC)
Subject: [Help-gnutls] Where do I file bug reports?
Message-ID: <20070523194342.530C9D4C01@mx.npubs.com>

Is there an appropriate mailing list or website to file bugs in gnutls? Should I just post them to this mailing list?

Cheers,
Nate Nielsen

From simon at josefsson.org Thu May 24 13:35:58 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 24 May 2007 13:35:58 +0200
Subject: [Help-gnutls] Re: Where do I file bug reports?
In-Reply-To: <20070523194342.530C9D4C01@mx.npubs.com> (Nate Nielsen's message of "Wed\, 23 May 2007 19\:43\:42 +0000 \(UTC\)")
References: <20070523194342.530C9D4C01@mx.npubs.com>
Message-ID: <877iqy1mjl.fsf@mocca.josefsson.org>

Nate Nielsen writes:

> Is there an appropriate mailing list or website to file bugs in gnutls? Should I just post them to this mailing list?

There is bug-gnutls at gnu.org, although that goes to me at the moment. We might as well forward the alias to gnutls-dev at gnupg.org. For security-sensitive bugs, people tend to contact me privately anyway. Sending bugs to bug-gnutls at gnu.org just causes delays when I'm not around, and if someone else could answer or fix it.

I think posting bugs to gnutls-dev at gnupg.org is better than help-gnutls at gnu.org though.
Thanks,
Simon

From simon at josefsson.org Thu May 24 13:48:01 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 24 May 2007 13:48:01 +0200
Subject: [Help-gnutls] Re: How do i retrieve a full DER encoded subject from a gnutls_x509_crt_t
In-Reply-To: <20070523145842.3C402D4C05@mx.npubs.com> (Nate Nielsen's message of "Wed\, 23 May 2007 14\:58\:42 +0000 \(UTC\)")
References: <20070522174523.2D401D4C14@mx.npubs.com> <878xbfao0n.fsf@mocca.josefsson.org> <20070523145842.3C402D4C05@mx.npubs.com>
Message-ID: <873b1m1lzh.fsf@mocca.josefsson.org>

Nate Nielsen writes:

> Simon Josefsson wrote:
>> There is _gnutls_x509_crt_get_raw_dn, but it is not part of the official API. I suspect it isn't possible to easily do what you want right now. Unless someone can think of a better approach, I think we should make that function an official API function.
>
> It differs from the rest of the API in allowing direct access to an internal DER structure. That's certainly not a problem for me, but something you may be interested in.

Yeah, that's not very pretty, and eventually I think such operations should use some library (or possibly libgnutls_x509 which would be a separate library from libgnutls). But I can't recommend anything else right now, so exporting these functions seems the simplest solution.

> I'd also need this to be made public:
>
> _gnutls_x509_crt_get_raw_issuer_dn

I've exported them now in 1.7.x. Do you want this back-ported to the stable branch?
/Simon

From nielsen-list at memberwebs.com Thu May 24 15:40:43 2007
From: nielsen-list at memberwebs.com (Nate Nielsen)
Date: Thu, 24 May 2007 13:40:43 +0000 (UTC)
Subject: [Help-gnutls] Re: How do i retrieve a full DER encoded subject from a gnutls_x509_crt_t
References: <20070522174523.2D401D4C14@mx.npubs.com> <878xbfao0n.fsf@mocca.josefsson.org> <20070523145842.3C402D4C05@mx.npubs.com> <873b1m1lzh.fsf@mocca.josefsson.org>
Message-ID: <20070524134042.8A089D4C83@mx.npubs.com>

Simon Josefsson wrote:
>> I'd also need this to be made public:
>>
>> _gnutls_x509_crt_get_raw_issuer_dn
>
> I've exported them now in 1.7.x. Do you want this back-ported to the stable branch?

Yes please.

Thanks,
Nate Nielsen

From simon at josefsson.org Fri May 25 15:21:52 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Fri, 25 May 2007 15:21:52 +0200
Subject: [Help-gnutls] Libtasn1 0.3.10
Message-ID: <87tzu1ujgv.fsf@mocca.josefsson.org>

Second release from GIT instead of CVS, mostly as practicing before releasing GnuTLS 1.7.x for the first time from GIT.

Libtasn1 is a standalone library written in C for manipulating ASN.1 objects including DER/BER encoding and DER/BER decoding. Libtasn1 is used by GnuTLS to manipulate X.509 objects and by Shishi to handle Kerberos V5 packets.

Version 0.3.10 (released 2007-05-25)
- Update gnulib files.

Commercial support contracts for Libtasn1 are available, and they help finance continued maintenance. Simon Josefsson Datakonsult, a Stockholm based privately held company, is currently funding Libtasn1 maintenance. We are always looking for interesting development projects. See http://josefsson.org/ for more details.

If you need help to use Libtasn1, or want to help others, you are invited to join our help-gnutls mailing list, see: .
Homepage: http://josefsson.org/libtasn1/

Manual in many formats: http://josefsson.org/gnutls/manual/libtasn1/

Here are the compressed sources (1.3MB):

  ftp://ftp.gnutls.org/pub/gnutls/libtasn1/libtasn1-0.3.10.tar.gz
  http://josefsson.org/gnutls/releases/libtasn1/libtasn1-0.3.10.tar.gz

Here are GPG detached signatures using key 0xB565716F:

  ftp://ftp.gnutls.org/pub/gnutls/libtasn1/libtasn1-0.3.10.tar.gz.sig
  http://josefsson.org/gnutls/releases/libtasn1/libtasn1-0.3.10.tar.gz.sig

The software is cryptographically signed by the author using an OpenPGP key identified by the following information:

  pub   1280R/B565716F 2002-05-05 [expires: 2008-06-30]
        Key fingerprint = 0424 D4EE 81A0 E3D1 19C6 F835 EDA2 1E94 B565 716F
  uid   Simon Josefsson
  uid   Simon Josefsson
  sub   1280R/4D5D40AE 2002-05-05 [expires: 2008-06-30]

The key is available from:

  http://josefsson.org/key.txt
  dns:b565716f.josefsson.org?TYPE=CERT

Here are the SHA-1 and SHA-224 checksums:

d2789ac7482132ef2c9b2b9d1a43d0e921796241  libtasn1-0.3.10.tar.gz
26de27736e904bdc6b37f9eb440a599aa23ce6c3  libtasn1-0.3.10.tar.gz.sig
bba03703142f801bd2737f86bcefb6b0c9c9189dc000e5a780304914  libtasn1-0.3.10.tar.gz
d92a0ffe2a1f42b754f608743403d7eb3870e8a5e0b11726340f9c13  libtasn1-0.3.10.tar.gz.sig

Enjoy,
Fabio, Nikos and Simon

From dtabor at mageeop.com Fri May 25 17:38:39 2007
From: dtabor at mageeop.com (Dave Tabor)
Date: Fri, 25 May 2007 11:38:39 -0400
Subject: [Help-gnutls] FW: Newbie Troubleshooting Question...
Message-ID: <6CAEC12D43122A49A36580C082BA528F12C828@comanche.mop.mageeop.com>

Hi,

I've loaded a software package (curl 7.15.1) and gnutls is one of the required requisite programs on an AIX 5.1 server.
I can use curl to retrieve page information from regular http://---- addresses, but when I go to a secure https://----- page, I'm getting the following error:

curl: (35) gnutls_handshake() failed: -9

My knowledge of gnutls, unix and SSL is limited, so I'm at a loss as to where to start with this one. Any ideas?

Thanks!

PS: gnutls version is 1.2.9

From simon at josefsson.org Sat May 26 22:41:35 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Sat, 26 May 2007 22:41:35 +0200
Subject: [Help-gnutls] Re: FW: Newbie Troubleshooting Question...
In-Reply-To: <6CAEC12D43122A49A36580C082BA528F12C828@comanche.mop.mageeop.com> (Dave Tabor's message of "Fri, 25 May 2007 11:38:39 -0400")
References: <6CAEC12D43122A49A36580C082BA528F12C828@comanche.mop.mageeop.com>
Message-ID: <87k5uvpbb4.fsf@mocca.josefsson.org>

"Dave Tabor" writes:

> Hi,
>
> I've loaded a software package (curl 7.15.1) and gnutls is one of the required requisite programs on an AIX 5.1 server. I can use curl to retrieve page information from regular http://---- addresses, but when I go to a secure https://----- page, I'm getting the following error:
>
> curl: (35) gnutls_handshake() failed: -9
>
> My knowledge of gnutls, unix and SSL is limited, so I'm at a loss as to where to start with this one. Any ideas?

For starters, -9 translates into:

#define GNUTLS_E_UNEXPECTED_PACKET_LENGTH -9 /* GNUTLS_A_RECORD_OVERFLOW */

(btw, curl could use the gnutls_strerror function to translate into humanly readable error messages.)

Alas, that return code is pretty generic, and often indicates some deeper problem.

Does it happen for every https URL you use?

Does GnuTLS 'make check' succeed? You may want to try with something more recent than 1.2.9 though, the latest stable release 1.6.2 contains more self-tests. I haven't tested GnuTLS much on AIX, so there may be some compatibility concern.
You may want to start by getting gnutls-cli against the server to work, before using curl too. In other words, try:

$ gnutls-cli -d 4711 www.foo.com

and let us know what it prints.

Good luck,
Simon

From simon at josefsson.org Sat May 26 23:05:00 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Sat, 26 May 2007 23:05:00 +0200
Subject: [Help-gnutls] GnuTLS 1.6.3
Message-ID: <87fy5jpa83.fsf@mocca.josefsson.org>

I am happy to announce GnuTLS 1.6.3! This is a bugfix-only release on the stable branch. This version is what we recommend for those who need a stable version of GnuTLS.

GnuTLS is a modern C library that implements the standard network security protocol Transport Layer Security (TLS), for use by network applications. GnuTLS is developed for GNU/Linux, but works on many Unix-like systems and comes with a binary installer for Windows.

Warning! GnuTLS uses OpenCDK for OpenPGP parsing. Recently, a new branch of OpenCDK has been released by Timo as 0.6.x. Unfortunately, the new branch is not backwards API/ABI compatible with the old 0.5.x branch. The stable branch of GnuTLS does not support the newer OpenCDK 0.6.x releases. To be able to build GnuTLS 1.6.x, you must use OpenCDK 0.5.x instead of 0.6.x. Alternatively, use the ./configure parameter --with-included-opencdk to use the included copy of OpenCDK 0.5.13 for building GnuTLS, or the --disable-openpgp-authentication parameter to disable OpenPGP altogether.

* Version 1.6.3 (released 2007-05-26)

** New API functions to extract DER encoded X.509 Subject/Issuer DN. Suggested by Nate Nielsen . Backported from the 1.7.x branch, see .

** Have PKCS8 parser return better error codes. Reported by Nate Nielsen , see and .

** Fix mem leak for sessions with client authentication via certificates. Reported by Andrew W. Nosenko , see .

** Fix building of 'tlsia' self test.
Earlier some gcc are known to build tlsia linking to $prefix/lib/libgnutls-extra.so rather than the libgnutls-extra.so in the build directory, even though command line parameters look OK. Changing order of some parameters fixes it.

** API and ABI modifications:
gnutls_x509_crt_get_raw_issuer_dn: ADD.
gnutls_x509_crt_get_raw_dn: ADD.

Improving GnuTLS is costly, but you can help! We are looking for organizations that find GnuTLS useful and wish to contribute back. You can contribute by reporting bugs, improving the software, or donating money or equipment.

Commercial support contracts for GnuTLS are available, and they help finance continued maintenance. Simon Josefsson Datakonsult, a Stockholm based privately held company, is currently funding GnuTLS maintenance. We are always looking for interesting development projects. See http://josefsson.org/ for more details.

All manual formats are available from: http://www.gnutls.org/manual/

Direct link to the most popular formats:

  http://www.gnutls.org/manual/gnutls.html - HTML format
  http://www.gnutls.org/manual/gnutls.pdf - PDF format
  http://www.gnutls.org/reference/ch01.html - API Reference, GTK-DOC HTML

If you need help to use GnuTLS, or want to help others, you are invited to join our help-gnutls mailing list, see: .
The project page of the library is available at:

  http://www.gnutls.org/
  http://www.gnu.org/software/gnutls/
  http://josefsson.org/gnutls/

Here are the compressed sources (4.2MB):

  ftp://ftp.gnutls.org/pub/gnutls/gnutls-1.6.3.tar.bz2
  http://josefsson.org/gnutls/releases/gnutls-1.6.3.tar.bz2

Here are GPG detached signatures signed using key 0xB565716F:

  ftp://ftp.gnutls.org/pub/gnutls/gnutls-1.6.3.tar.bz2.sig
  http://josefsson.org/gnutls/releases/gnutls-1.6.3.tar.bz2.sig

For more information about GnuTLS for Windows:

  http://josefsson.org/gnutls4win/

The Windows binary installer and PGP signature:

  http://josefsson.org/gnutls4win/gnutls-1.6.3.exe (23MB)
  http://josefsson.org/gnutls4win/gnutls-1.6.3.exe.sig

The software is cryptographically signed by the author using an OpenPGP key identified by the following information:

  pub   1280R/B565716F 2002-05-05 [expires: 2008-06-30]
        Key fingerprint = 0424 D4EE 81A0 E3D1 19C6 F835 EDA2 1E94 B565 716F
  uid   Simon Josefsson
  uid   Simon Josefsson
  sub   1280R/4D5D40AE 2002-05-05 [expires: 2008-06-30]

The key is available from:

  http://josefsson.org/key.txt
  dns:b565716f.josefsson.org?TYPE=CERT

Here are the SHA-1 and SHA-224 checksums:

/Simon
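Added example, not part of any message above and not GnuTLS code: the 1.6.3 release exports the raw DER subject and issuer DN, and the earlier thread says a client certificate is picked automatically only when it matches the CA information sent by the server. This C program walks a DER certificate to those raw Name bytes and models the selection as a byte comparison of the issuer DN with the server's CA list. The names der_read, cert_raw_dns and select_cert, the byte-comparison rule, and the sample bytes (a truncated certificate skeleton, not a valid signed certificate) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { const uint8_t *data; size_t size; } blob_t;   /* borrowed bytes */
typedef struct { uint8_t tag; const uint8_t *body; size_t len, total; } tlv_t;

/* Read one tag-length-value element from buf[0..n). Returns 0, or -1 if malformed. */
static int der_read(const uint8_t *buf, size_t n, tlv_t *out)
{
    size_t hdr = 2, len;
    if (n < 2 || (buf[0] & 0x1f) == 0x1f) return -1;    /* multi-byte tags unsupported */
    if (buf[1] < 0x80) {
        len = buf[1];                                   /* short form */
    } else {
        size_t k = buf[1] & 0x7f;                       /* long form: k length bytes */
        if (k == 0 || k > 4 || n < 2 + k) return -1;    /* 0x80 is indefinite: not DER */
        len = 0;
        for (size_t i = 0; i < k; i++) len = (len << 8) | buf[2 + i];
        hdr += k;
    }
    if (len > n - hdr) return -1;                       /* value must fit in the buffer */
    out->tag = buf[0]; out->body = buf + hdr; out->len = len; out->total = hdr + len;
    return 0;
}

/* Find the complete DER encoding (header included) of issuer and subject. */
int cert_raw_dns(const uint8_t *cert, size_t n, blob_t *issuer, blob_t *subject)
{
    /* After the optional [0] version: serial, signature, issuer, validity, subject */
    static const uint8_t want[5] = { 0x02, 0x30, 0x30, 0x30, 0x30 };
    tlv_t e;
    if (der_read(cert, n, &e) || e.tag != 0x30) return -1;        /* Certificate */
    if (der_read(e.body, e.len, &e) || e.tag != 0x30) return -1;  /* TBSCertificate */
    const uint8_t *p = e.body;
    size_t left = e.len;
    if (der_read(p, left, &e)) return -1;
    if (e.tag == 0xa0) { p += e.total; left -= e.total; }         /* skip version */
    for (int i = 0; i < 5; i++) {
        if (der_read(p, left, &e) || e.tag != want[i]) return -1;
        if (i == 2) { issuer->data = p; issuer->size = e.total; }
        if (i == 4) { subject->data = p; subject->size = e.total; }
        p += e.total; left -= e.total;
    }
    return 0;
}

/* Assumed model of automatic selection: index of the first certificate whose
   issuer DN is byte-identical to a CA DN from the server, or -1 (send none). */
int select_cert(const blob_t *certs, size_t ncerts, const blob_t *cas, size_t ncas)
{
    for (size_t i = 0; i < ncerts; i++) {
        blob_t iss, sub;
        if (cert_raw_dns(certs[i].data, certs[i].size, &iss, &sub)) continue;
        for (size_t j = 0; j < ncas; j++)
            if (iss.size == cas[j].size && memcmp(iss.data, cas[j].data, iss.size) == 0)
                return (int)i;
    }
    return -1;
}

/* Constructed sample: certificate skeleton that stops after the subject field. */
static const uint8_t SAMPLE_CERT[] = {
    0x30,0x5f, 0x30,0x5d,                                   /* Certificate, TBSCertificate */
    0xa0,0x03,0x02,0x01,0x02, 0x02,0x01,0x01,               /* version v3, serial 1 */
    0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,
    0x05,0x00,                                              /* sha1WithRSA + NULL params */
    0x30,0x12,0x31,0x10,0x30,0x0e,0x06,0x03,0x55,0x04,0x03, /* issuer CN=Test CA */
    0x13,0x07,'T','e','s','t',' ','C','A',
    0x30,0x1e,                                              /* validity, two UTCTimes */
    0x17,0x0d,'0','7','0','5','1','2','0','0','0','0','0','0','Z',
    0x17,0x0d,'0','8','0','5','1','2','0','0','0','0','0','0','Z',
    0x30,0x10,0x31,0x0e,0x30,0x0c,0x06,0x03,0x55,0x04,0x03, /* subject CN=alice */
    0x13,0x05,'a','l','i','c','e',
};
/* Constructed CA DNs, as a server would list them in its certificate request. */
static const uint8_t TEST_CA_DN[] = { 0x30,0x12,0x31,0x10,0x30,0x0e,0x06,0x03,
    0x55,0x04,0x03,0x13,0x07,'T','e','s','t',' ','C','A' };
static const uint8_t OTHER_CA_DN[] = { 0x30,0x13,0x31,0x11,0x30,0x0f,0x06,0x03,
    0x55,0x04,0x03,0x13,0x08,'O','t','h','e','r',' ','C','A' };

int main(void)
{
    blob_t certs[] = { { SAMPLE_CERT, sizeof SAMPLE_CERT } };
    blob_t cas[] = { { OTHER_CA_DN, sizeof OTHER_CA_DN }, { TEST_CA_DN, sizeof TEST_CA_DN } };
    printf("server lists Test CA: send cert %d\n", select_cert(certs, 1, cas, 2));
    printf("server lists only Other CA: send cert %d\n", select_cert(certs, 1, cas, 1));
    return 0;
}
```

The second call returns -1, the situation in the thread where the server had no matching trust file loaded and the client sent an empty certificate.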