[Help-gnutls] Re: unable to get gnutls-serv and -cli to communicate

Evan Martin martine at danga.com
Sat Nov 10 19:08:31 CET 2007


On Nov 4, 2007 1:29 PM, Evan Martin <martine at danga.com> wrote:
> I'm trying to get a simple case of gnutls-serv and -cli communicating
> with an x509 cert, but it's failing.

For future readers of the list: I figured this out.  I think my
problem was a combination of the wrong cert settings and not using DH
params.  I've amended my notes below.

> Following the examples in the "invoking certtool" section of the
> manual, I created a private key and cert:
>   $ certtool --generate-privkey --outfile priv
>   $ head -1 priv
>   -----BEGIN RSA PRIVATE KEY-----
>   $ certtool --generate-self-signed --load-privkey priv --outfile cert

You can just hit enter (answering "no") to every question except the
cert lifetime (how many days) as well as "Will the certificate be used
for signing (required for TLS)? (Y/N)", to which you obviously answer
yes.

>   $ head -1 cert
>   -----BEGIN CERTIFICATE-----

This is now enough to make communication work if you use those files
with "openssl s_server".

However, for gnutls-serv, you also need Diffie-Hellman params.  You
can either generate those with "certtool --generate-dh-params" and
load them with "gnutls-serv --dhparams", or just run gnutls-serv with
"--generate" to generate them.

> In case it matters:
> $ dpkg -s gnutls-bin | grep Version
> Version: 1.6.3-1build1
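The full round trip the mail describes (private key, self-signed cert, DH params, then gnutls-serv with gnutls-cli connecting to it), as an added shell example that is not part of the original message or of GnuTLS itself. Instead of answering certtool's questions by hand it feeds a template file, where the "signing_key" line is the non-interactive form of the "Will the certificate be used for signing (required for TLS)?" prompt. The CN "localhost", the file names and the port are assumed values; the script needs the gnutls-bin tools on the PATH.

```shell
#!/bin/sh
# Added example, not from the original mail: gnutls-serv / gnutls-cli
# round trip with a self-signed x509 cert plus DH params. Needs gnutls-bin.
set -eu

# certtool template so --generate-self-signed asks no questions.
# "signing_key" answers the "used for signing (required for TLS)?" prompt;
# tls_www_server marks the cert for server use. CN/SAN are assumed values.
write_template() {
    cat > "$1" <<'EOF'
organization = "Example"
cn = "localhost"
dns_name = "localhost"
expiration_days = 365
signing_key
encryption_key
tls_www_server
EOF
}

# Generate key, self-signed cert and DH params into directory $1.
make_credentials() {
    dir=$1
    write_template "$dir/cert.tmpl"
    certtool --generate-privkey --outfile "$dir/priv" 2>/dev/null
    certtool --generate-self-signed --load-privkey "$dir/priv" \
        --template "$dir/cert.tmpl" --outfile "$dir/cert" 2>/dev/null
    # gnutls-serv needs DH params for the DHE ciphersuites; the
    # alternative is running it with --generate instead of --dhparams.
    certtool --generate-dh-params --outfile "$dir/dh.pem" 2>/dev/null
}

# Start gnutls-serv on port $2 with the files in $1, connect with
# gnutls-cli, return 0 when the handshake completed.
handshake_ok() {
    dir=$1; port=$2
    gnutls-serv --port "$port" --x509keyfile "$dir/priv" \
        --x509certfile "$dir/cert" --dhparams "$dir/dh.pem" \
        >"$dir/serv.log" 2>&1 &
    pid=$!
    sleep 1
    # Trust our own self-signed cert so the client verifies the chain
    # instead of aborting on an unknown issuer; EOF on stdin ends the session.
    if printf '' | gnutls-cli --port "$port" --x509cafile "$dir/cert" localhost \
        >"$dir/cli.log" 2>&1; then
        rc=0
    else
        rc=1
    fi
    kill "$pid" 2>/dev/null || true
    grep -q 'Handshake was completed' "$dir/cli.log" && return 0
    return "$rc"
}

# Usage: sh demo.sh --run [dir]   (port 15443 is an assumed free port)
if [ "${1-}" = "--run" ]; then
    d=${2:-$(mktemp -d)}
    make_credentials "$d"
    handshake_ok "$d" 15443 && echo "handshake OK, logs in $d"
fi
```

If the client still reports a failed handshake, check serv.log first: a missing or unreadable DH params file is the usual cause once the cert has been generated with the signing and server-use lines above.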
