[Help-gnutls] Beginner Questions

Nikos Mavrogiannopoulos nmav at gnutls.org
Fri Oct 12 21:50:15 CEST 2007


On Friday 12 October 2007, Kip Warner wrote:
> Greetings,
>
> I am new to GnuTLS and I am slowly learning more about cryptography in
> general. I would like to build both a client and server application,
> with the following security constraints:
> - The server needn't authenticate the client because it doesn't care who
> it is.
> - The client, however, needs to be sure that the server it connected to
> really is the genuine server and not an impostor. The IP address of the
> server machine may change from time to time (it is on DHCP), but the
> server machine itself will always be the same. It will be identified by
> hostname.
> - The communication between the two should be encrypted and sent over
> the wire via TLS 1.1.
> The protocol the two will use will be my own text based protocol handled
> through gnutls_record_recv() / gnutls_record_send(). I am using the
> sample "Echo Server with OpenPGP Authentication" as a starting point for
> implementing the server. I just hope this is the right kind of basic
> skeleton model I should be using for pedagogical purposes. Do you think
> this is sufficient?

Actually, for pedagogical purposes I'd suggest using an X.509 server. These
are for sure well tested. However, OpenPGP should work too, but it is not as well
tested.

> I have gone through some of the OpenSSL documentation and GnuTLS's
> documentation on certtool, but I am still confused on how to generate
> the three files mentioned at the beginning of the server's source. I
> cannot seem to find any mention of their creation anywhere. Could be
> that I am just looking in all the wrong places:
>
> #define KEYFILE "secret.asc"
> #define CERTFILE "public.asc"

Those two can be generated using gpg (gnupg) and exported without a password 
key for the key file.

> #define RINGFILE "ring.gpg"

This is a collection of pgp keys that will be used to verify the client's pgp 
key. If it is signed by at least one of these keys it will be considered 
trusted. Otherwise not. This file is also generated using gpg. You export 
using gpg --export key1 key2 etc... 

> three). Also, where should these three files reside? What should the
> client have and what should the server have available to them on disk?

Since you don't care about client authentication, the client should use the 
ring file and the server the two keys. You might want to help us improve the 
documentation by specifying the sections you didn't understand, or even by 
adding text that you consider helpful for you.

regards,
Nikos
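
The file layout described in the reply above, as an added example that is not part of the original message or of the GnuTLS sources. It assumes GnuPG 2.1 or later (for `%no-protection`), that the ring holds the server's own public key, and that the `.asc` files are ASCII-armored; the function name, user ID and directory names are constructed for illustration.

```shell
#!/bin/sh
# Added example: produce secret.asc / public.asc for the server and ring.gpg
# for the client, using a throwaway GnuPG home so no existing keyring is touched.

make_pgp_tls_files() {
    outdir=$1                      # where the server/ and client/ directories go
    uid=$2                         # user ID for the server key (hypothetical hostname)
    home=$(mktemp -d) || return 1  # temporary keyring, created with mode 0700
    mkdir -p "$outdir/server" "$outdir/client" || return 1

    # Unattended RSA key with no passphrase, since the key file is exported
    # without a password.
    cat > "$home/params" <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: $uid
Expire-Date: 0
%commit
EOF
    gpg --homedir "$home" --batch --quiet --gen-key "$home/params" || return 1

    # KEYFILE: the secret key is stored unencrypted, so file permissions are
    # its only protection. It stays on the server.
    ( umask 077
      gpg --homedir "$home" --batch --armor --export-secret-keys "$uid" \
          > "$outdir/server/secret.asc" ) || return 1

    # CERTFILE: the public key the server presents during the handshake.
    gpg --homedir "$home" --batch --armor --export "$uid" \
        > "$outdir/server/public.asc" || return 1

    # RINGFILE: the keys the client trusts. Only public material goes here.
    gpg --homedir "$home" --batch --export "$uid" \
        > "$outdir/client/ring.gpg" || return 1

    gpgconf --homedir "$home" --kill gpg-agent 2>/dev/null || true
    rm -rf "$home"
}

# Run stand-alone as: sh make_files.sh ./out server.example.test
if [ "$#" -ge 2 ]; then
    make_pgp_tls_files "$1" "$2"
fi
```

Only the contents of `client/` should ever be copied to client machines; `server/secret.asc` never leaves the server.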