From simon at josefsson.org Sun Apr 12 12:56:33 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Sun, 12 Apr 2009 12:56:33 +0200
Subject: [Help-gnutls] GnuTLS 2.6.5
Message-ID: <87prfim97i.fsf@mocca.josefsson.org>

We are proud to announce a new stable GnuTLS release: Version 2.6.5.

GnuTLS is a modern C library that implements the standard network
security protocol Transport Layer Security (TLS), for use by network
applications. GnuTLS is developed for GNU/Linux, but works on many
Unix-like systems and comes with a binary installer for Windows.

The GnuTLS library is distributed under the terms of the GNU Lesser
General Public License version 2.1 (or later). The "extra" GnuTLS
library (which contains TLS/IA support, LZO compression and Libgcrypt
FIPS-mode handler), the OpenSSL compatibility library, the self tests
and the command line tools are all distributed under the GNU General
Public License version 3.0 (or later). The manual is distributed
under the GNU Free Documentation License version 1.2 (or later).

The project page of the library is available at:
  http://www.gnu.org/software/gnutls/

What's New
==========

Version 2.6.5 is a maintenance release on our stable branch.

** libgnutls: Added %SSL3_RECORD_VERSION priority string that allows to
specify the client hello message record version. Used to overcome
buggy TLS servers. Report by Martin von Gagern.

** GnuTLS no longer uses the libtasn1-config script to find libtasn1.
Libtasn1 0.3.4 or later is required. This is to align with the
upcoming libtasn1 v2.0 release that doesn't have a libtasn1-script.

** API and ABI modifications:
No changes since last version.

Getting the Software
====================

GnuTLS may be downloaded from one of the mirror sites or direct from .
The list of mirrors can be found at .
Here are the BZIP2 compressed sources (4.9MB):

  ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.6.5.tar.bz2
  http://ftp.gnu.org/gnu/gnutls/gnutls-2.6.5.tar.bz2

Here are OpenPGP detached signatures signed using key 0xB565716F:

  ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.6.5.tar.bz2.sig
  http://ftp.gnu.org/gnu/gnutls/gnutls-2.6.5.tar.bz2.sig

Note, that we don't distribute gzip compressed tarballs.

In order to check that the version of GnuTLS which you are going to
install is an original and unmodified one, you should verify the
OpenPGP signature. You can use the command

     gpg --verify gnutls-2.6.5.tar.bz2.sig

This checks whether the signature file matches the source file. You
should see a message indicating that the signature is good and made by
that signing key. Make sure that you have the right key, either by
checking the fingerprint of that key with other sources or by checking
that the key has been signed by a trustworthy other key. The signing
key can be identified with the following information:

pub   1280R/B565716F 2002-05-05 [expires: 2010-02-22]
      Key fingerprint = 0424 D4EE 81A0 E3D1 19C6 F835 EDA2 1E94 B565 716F
uid   Simon Josefsson
uid   Simon Josefsson
sub   1280R/4D5D40AE 2002-05-05 [expires: 2009-04-21]

The key is available from:
  http://josefsson.org/key.txt
  dns:b565716f.josefsson.org?TYPE=CERT

Alternatively, after successfully verifying the OpenPGP signature of
this announcement, you could verify that the files match the following
checksum values.
The values are for SHA-1 and SHA-224 respectively:

87d0fd82debee0d644f72fcf404ccd7540c6c71a gnutls-2.6.5.tar.bz2
1787a6eee766a8622b1fc5c94ead3394dea70769dca2143a759e6625 gnutls-2.6.5.tar.bz2

Documentation
=============

The manual is available online at:

  http://www.gnu.org/software/gnutls/documentation.html

In particular the following formats are available:

  HTML: http://www.gnu.org/software/gnutls/manual/html_node/index.html
  PDF: http://www.gnu.org/software/gnutls/manual/gnutls.pdf

For developers there is a GnuTLS API reference manual formatted using
the GTK-DOC tools:

  http://www.gnu.org/software/gnutls/reference/gnutls-gnutls.html

Community
=========

If you need help to use GnuTLS, or want to help others, you are invited
to join our help-gnutls mailing list, see:

  http://lists.gnu.org/mailman/listinfo/help-gnutls

If you wish to participate in the development of GnuTLS, you are
invited to join our gnutls-dev mailing list, see:

  http://lists.gnu.org/mailman/listinfo/gnutls-devel

Windows installer
=================

GnuTLS has been ported to the Windows operating system, and a binary
installer is available. The installer contains DLLs for application
development, manuals, examples, and source code. The installer uses
libgpg-error v1.7, libgcrypt v1.4.4, libtasn1 v1.8, and GnuTLS v2.6.5.
For more information about GnuTLS for Windows:

  http://josefsson.org/gnutls4win/

The Windows binary installer and PGP signature:

  http://josefsson.org/gnutls4win/gnutls-2.6.5.exe (14MB)
  http://josefsson.org/gnutls4win/gnutls-2.6.5.exe.sig

The checksum values for SHA-1 and SHA-224 are:

d50b2b1ede9699f89ffbd1dc43b2656bdfc64d88 gnutls-2.6.5.exe
8603a549ca8d8b8f3b7eaeafedc953d638a45b9772916120b63d73df gnutls-2.6.5.exe

Thanks to Enrico Tassi, we also have mingw32 *.deb's available:

  http://josefsson.org/gnutls4win/mingw32-gnutls_2.6.5-1_all.deb

The checksum values for SHA-1 and SHA-224 are:

bac1c1d5873efb8e1c81f2c98a777220bd2e44a2 mingw32-gnutls_2.6.5-1_all.deb
a8470fce811406fe41890f80bc8d1230ba3a56316583a86e287d0bf8 mingw32-gnutls_2.6.5-1_all.deb

Internationalization
====================

GnuTLS messages have been translated into Dutch, French, German, Malay,
Polish, Swedish, and Vietnamese. We welcome the addition of more
translations.

Support
=======

Improving GnuTLS is costly, but you can help! We are looking for
organizations that find GnuTLS useful and wish to contribute back.
You can contribute by reporting bugs, improve the software, or donate
money or equipment.

Commercial support contracts for GnuTLS are available, and they help
finance continued maintenance. Simon Josefsson Datakonsult AB, a
Stockholm based privately held company, is currently funding GnuTLS
maintenance. We are always looking for interesting development
projects. See http://josefsson.org/ for more details.

The GnuTLS service directory is available at:

  http://www.gnu.org/software/gnutls/commercial.html

Happy Hacking,
Simon
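The checksum step described in the announcement above, as an added
example that is not part of the original message and not GnuTLS project
code: the listing gives two unlabeled digests per file, so the algorithm
is inferred from the digest length, and a file passes only when both the
SHA-1 and the SHA-224 value match. The name sample.tar.bz2 and its
three-byte content are constructed; the gnutls-2.6.5.tar.bz2 lines are
copied from the announcement.

```python
import hashlib
import hmac
import io
import re

# Hex-digest length -> hashlib name. The announcement lists one SHA-1 and one
# SHA-224 line per file without labels, so the length identifies the algorithm.
ALGO_BY_HEXLEN = {40: "sha1", 56: "sha224"}
CHECKSUM_LINE = re.compile(r"^\s*([0-9A-Fa-f]+)\s+(\S+)\s*$")

# Copied from the GnuTLS 2.6.5 announcement above.
ANNOUNCEMENT_EXCERPT = """\
The values are for SHA-1 and SHA-224 respectively:

87d0fd82debee0d644f72fcf404ccd7540c6c71a gnutls-2.6.5.tar.bz2
1787a6eee766a8622b1fc5c94ead3394dea70769dca2143a759e6625 gnutls-2.6.5.tar.bz2
"""

# Constructed sample: digests of the three bytes b"abc" under a made-up name.
CONSTRUCTED_LISTING = """\
a9993e364706816aba3e25717850c26c9cd0d89d sample.tar.bz2
23097d223405d8228642a477bda255b32aadbce4bda0b3f7e36c9da7 sample.tar.bz2
"""


def parse_checksums(text):
    """Return {filename: {algorithm: hexdigest}} from '<hex> <filename>' lines."""
    table = {}
    for line in text.splitlines():
        match = CHECKSUM_LINE.match(line)
        if not match:
            continue  # prose, headings, blank lines
        digest, name = match.group(1).lower(), match.group(2)
        algo = ALGO_BY_HEXLEN.get(len(digest))
        if algo is None:
            continue  # hex-looking token of an unexpected length
        per_file = table.setdefault(name, {})
        if per_file.get(algo, digest) != digest:
            # Two different values for the same file and algorithm: the
            # listing itself is inconsistent, so refuse to pick one.
            raise ValueError(f"conflicting {algo} values for {name}")
        per_file[algo] = digest
    return table


def verify_stream(name, stream, table, required=("sha1", "sha224"), chunk=1 << 16):
    """True only if every required digest is listed for name and matches.

    The stream is read once and fed to all hashers, so a multi-megabyte
    tarball is never held in memory as a whole.
    """
    expected = table.get(name, {})
    if any(algo not in expected for algo in required):
        return False  # fail closed: a missing digest is not a pass
    hashers = {algo: hashlib.new(algo) for algo in required}
    for block in iter(lambda: stream.read(chunk), b""):
        for hasher in hashers.values():
            hasher.update(block)
    ok = True
    for algo, hasher in hashers.items():
        ok &= hmac.compare_digest(hasher.hexdigest(), expected[algo])
    return ok


if __name__ == "__main__":
    listed = parse_checksums(ANNOUNCEMENT_EXCERPT)
    print("parsed from announcement:", listed)
    sample = parse_checksums(CONSTRUCTED_LISTING)
    print("intact  :", verify_stream("sample.tar.bz2", io.BytesIO(b"abc"), sample))
    print("modified:", verify_stream("sample.tar.bz2", io.BytesIO(b"abd"), sample))
```

As the announcement says, the listed values are only worth comparing
against once the OpenPGP signature on the announcement itself has been
verified.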
From exa.exa at gmail.com Sun Apr 12 14:59:53 2009
From: exa.exa at gmail.com (Miroslav Kratochvil)
Date: Sun, 12 Apr 2009 14:59:53 +0200
Subject: [Help-gnutls] Simple question about performance
Message-ID:

Hi there,

I'm thinking about rewriting one my project from OpenSSL to GnuTLS.
The project is a VPN, and as it basically needs only pretty good raw
transfer speed, I began to concern about some rumors that my little
search returned - those were mostly about the GnuTLS is 30-50% slower
than OpenSSL. Most of those posts was around 3-5 years old, though, so
I'm writing here to ask:

a] Is there really such performance gap? (I don't count
recently-discussed TLS handshake problems, I need only raw
crypting/transfer speeds.)
b] Do we have some kind of real benchmark? like "encrypt 50 megs with
RSA: x,y,z seconds for gnutls/openssl/nss/..."

I'm sorry if bringing this topic up isn't needed and I only got
confused by bad google results; but I would really like someone
comment on this.

Thanks
Mirek Kratochvil

PS. the application I'm planning to rewrite is here:
http://exa.czweb.org/?view=cloudvpn

From simon at josefsson.org Mon Apr 13 19:23:28 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Mon, 13 Apr 2009 19:23:28 +0200
Subject: [Help-gnutls] Libtasn1 2.0
Message-ID: <87d4bgwjqn.fsf@mocca.josefsson.org>

Libtasn1 is a standalone library written in C for manipulating ASN.1
objects including DER/BER encoding and DER/BER decoding. Libtasn1 is
used by GnuTLS to manipulate X.509 objects and by Shishi to handle
Kerberos V5 packets.

Version 2.0 (released 2009-04-13)
- Optimized tree generation.
- ASN1 parser code re-generated using Bison 2.4.1.
- Build with more warning flags. Many compiler warnings fixed.
- Compiled with -fvisibility=hidden by default if supported.
  See http://gcc.gnu.org/wiki/Visibility
- The libtasn1-config tool has been removed.
  For application developers, please stop using libtasn1-config for
  finding libtasn1, use proper autoconf checks or pkg-config instead.
  For users that need a libtasn1 that provides a libtasn1-config script
  (for use with older applications), use libtasn1 v1.x instead. Version
  1.x is still supported.

Commercial support contracts for Libtasn1 are available, and they help
finance continued maintenance. Simon Josefsson Datakonsult AB, a
Stockholm based privately held company, is currently funding Libtasn1
maintenance. We are always looking for interesting development
projects. See http://josefsson.org/ for more details.

If you need help to use Libtasn1, or want to help others, you are
invited to join the help-gnutls mailing list, see: .

Homepage:
  http://josefsson.org/libtasn1/

Here are the compressed sources (1.6MB):
  ftp://ftp.gnu.org/gnu/gnutls/libtasn1-2.0.tar.gz
  http://ftp.gnu.org/gnu/gnutls/libtasn1-2.0.tar.gz

Here are GPG detached signatures using key 0xB565716F:
  ftp://ftp.gnu.org/gnu/gnutls/libtasn1-2.0.tar.gz.sig
  http://ftp.gnu.org/gnu/gnutls/libtasn1-2.0.tar.gz.sig

The software is cryptographically signed by the author using an
OpenPGP key identified by the following information:

pub   1280R/B565716F 2002-05-05 [expires: 2010-02-22]
      Key fingerprint = 0424 D4EE 81A0 E3D1 19C6 F835 EDA2 1E94 B565 716F
uid   Simon Josefsson
uid   Simon Josefsson
sub   1280R/4D5D40AE 2002-05-05 [expires: 2009-04-21]

The key is available from:
  http://josefsson.org/key.txt
  dns:b565716f.josefsson.org?TYPE=CERT

Here are the SHA-1 and SHA-224 checksums:

56abc5d794a61a65ea921a04129b51f4262f255f libtasn1-2.0.tar.gz
58093cd40850f8792c7c898a031098af5c3036a20bfc5fe2dbc1eec3 libtasn1-2.0.tar.gz

Happy hacking,
Simon
From simon at josefsson.org Tue Apr 14 02:35:43 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Tue, 14 Apr 2009 02:35:43 +0200
Subject: [Help-gnutls] Re: Simple question about performance
In-Reply-To: (Miroslav Kratochvil's message of "Sun, 12 Apr 2009 14:59:53 +0200")
References:
Message-ID: <878wm4t6lc.fsf@mocca.josefsson.org>

Miroslav Kratochvil writes:

> Hi there,
>
> I'm thinking about rewriting one my project from OpenSSL to GnuTLS.
> The project is a VPN, and as it basically needs only pretty good raw
> transfer speed, I began to concern about some rumors that my little
> search returned - those were mostly about the GnuTLS is 30-50% slower
> than OpenSSL. Most of those posts was around 3-5 years old, though, so
> I'm writing here to ask:
>
> a] Is there really such performance gap? (I don't count
> recently-discussed TLS handshake problems, I need only raw
> crypting/transfer speeds.)
> b] Do we have some kind of real benchmark? like "encrypt 50 megs with
> RSA: x,y,z seconds for gnutls/openssl/nss/..."
>
> I'm sorry if bringing this topic up isn't needed and I only got
> confused by bad google results; but I would really like someone
> comment on this.

For bulk encryption, you probably want to compare libgcrypt vs openssl
rather than gnutls vs openssl.

I benchmarked mod_gnutls vs mod_ssl under apache, using sieve, some
time ago, even for large files, and the differences weren't significant
(mod_ssl was typically faster but mod_gnutls were faster in some
configurations).

One potential problem with mod_gnutls/gnutls was that it sent each TLS
handshake message as a separate TCP packet which may slow down
benchmarks, but it is not clear whether this is significant. It does
not apply to bulk encryption.

I don't recall much feedback about speed issues. There is certainly
room for optimization.
If you can provide a good test setup to compare
gnutls vs openssl in an application, I would be interested in optimizing
things. However, the first step before optimization is to do good
benchmarks to illustrate that there is a significant problem. My last
attempt at benchmarking didn't result in any obvious problem so I didn't
proceed in optimizing anything.

/Simon

From simon at josefsson.org Tue Apr 14 02:38:03 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Tue, 14 Apr 2009 02:38:03 +0200
Subject: [Help-gnutls] Re: Odd issue with gnu-tls 2.6.4 running as a subprocess of emacs-23 on Windows XP
In-Reply-To: (Iver Odin Kvello's message of "Thu, 26 Mar 2009 23:38:31 +0100")
References:
Message-ID: <874owst6hg.fsf@mocca.josefsson.org>

Iver Odin Kvello writes:

> Hi, I've continued debugging this problem somewhat more, getting
> somewhat confusing results.
>
> The first thing I tried was to remove stdin from the call to select in
> cli.c line 735, instead just reading from stdin unconditionally after
> each select timeouts. This actually helped, a bit - earlier, jabber
> would hang waiting for the server to indicate that authentication
> succeeded, but this change fixed that. It now started hanging a bit
> later on, waiting for session initiation to succeed.
>
> After diverse experiments, I thought of adding a linefeed to each
> message sent. In jabber-conn.el I found that this was already done --
> so I just added *another* linefeed, sending two after each message.
> With my modified copy of cli.c, this actually fixed things, and
> everything worked as it should. I then tried doing this with an
> unmodified cli.c, and to my surprise found that that *didn't* work,
> instead hanging at the session-initiation stage - that is, it actually
> got a bit further than before, but not all the way through.
>
> Obviously the next step would then be to have jabber.el add *five*
> line-feeds after each message.
> And of course, that works with the
> standard unmodified gnutls-cli.exe.
>
> So I think that there is *some* kind of bug going on with reading from
> stdin when run as a subprocess under windows; not entirely connected
> to but not unaffected by the select()-emulation.

Yes, gnutls 2.6.x and earlier uses a broken emulation of select() which
likely does have problems, and there is also some buffering problems
that can result in CRLF confusion.

Gnutls 2.7.x will fix this, but unfortunately there is a small piece
missing to prevent it from working under Windows right now... this is
probably the biggest remaining issue to fix before 2.8.x so it is a
priority.

/Simon

From exa.exa at gmail.com Tue Apr 14 08:06:53 2009
From: exa.exa at gmail.com (Miroslav Kratochvil)
Date: Tue, 14 Apr 2009 08:06:53 +0200
Subject: [Help-gnutls] Re: Simple question about performance
In-Reply-To: <878wm4t6lc.fsf@mocca.josefsson.org>
References: <878wm4t6lc.fsf@mocca.josefsson.org>
Message-ID:

Hi,
big thanks for quick response, and, before all, for correcting the
misinformation I had found. Moreover, the connecting speed issue
doesn't really bother me.

>
> I don't recall much feedback about speed issues. There is certainly
> room for optimization. If you can provide a good test setup to compare
> gnutls vs openssl in an application, I would be interested in optimizing
> things. However, the first step before optimization is to do good
> benchmarks to illustrate that there is a significant problem. My last
> attempt at benchmarking didn't result in any obvious problem so I didn't
> proceed in optimizing anything.

My thought was to write a libgcrypt alternative of 'openssl speed',
which would be simple and give fair and comparable results. I will
probably post it here when it's ready.
Thanks for response
Mirek Kratochvil

From iverodin at gmail.com Tue Apr 14 09:21:52 2009
From: iverodin at gmail.com (Iver Odin Kvello)
Date: Tue, 14 Apr 2009 09:21:52 +0200
Subject: [Help-gnutls] Re: Odd issue with gnu-tls 2.6.4 running as a subprocess of emacs-23 on Windows XP
In-Reply-To: <874owst6hg.fsf@mocca.josefsson.org>
References: <874owst6hg.fsf@mocca.josefsson.org>
Message-ID:

> Yes, gnutls 2.6.x and earlier uses a broken emulation of select() which
> likely does have problems, and there is also some buffering problems
> that can result in CRLF confusion.
>
> Gnutls 2.7.x will fix this, but unfortunately there is a small piece
> missing to prevent it from working under Windows right now... this is
> probably the biggest remaining issue to fix before 2.8.x so it is a
> priority.

I debugged the issue a bit more over easter, and found that the hang
is actually in the read from stdin in cli.c when there is no input
ready on stdin. Apparently the select() emulation for normal
filehandles using MsgWaitForMultipleObjects returns stdin as ready no
matter if there is input ready there or not - at least when run like
this. Adding extra newlines seems to fix this by ensuring that there
is some input to be read most of the time, helped along a bit by some
buffering; but of course it will be defeated by bad timing.

I don't know why waitformultipleobjects behaves like this; I don't
really know win32. I was thinking perhaps the easiest way of fixing
this might be to just avoid select() for stdin and just handle stdin
in a dedicated thread on windows, but I haven't tested that yet.
Or I could just wait for 2.8.x :)

Regards, Iver

From simon at josefsson.org Tue Apr 14 17:45:27 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Tue, 14 Apr 2009 17:45:27 +0200
Subject: [Help-gnutls] Re: Simple question about performance
In-Reply-To: (Miroslav Kratochvil's message of "Tue, 14 Apr 2009 08:06:53 +0200")
References: <878wm4t6lc.fsf@mocca.josefsson.org>
Message-ID: <874owrp7c8.fsf@mocca.josefsson.org>

Miroslav Kratochvil writes:

> Hi,
> big thanks for quick response, and, before all, for correcting the
> misinformation I had found. Moreover, the connecting speed issue
> doesn't really bother me.
>
>>
>> I don't recall much feedback about speed issues. There is certainly
>> room for optimization. If you can provide a good test setup to compare
>> gnutls vs openssl in an application, I would be interested in optimizing
>> things. However, the first step before optimization is to do good
>> benchmarks to illustrate that there is a significant problem. My last
>> attempt at benchmarking didn't result in any obvious problem so I didn't
>> proceed in optimizing anything.
>
> My thought was to write a libgcrypt alternative of 'openssl speed',
> which would be simple and give fair and comparable results. I will
> probably post it here when it's ready.

Did you see libgcrypt's tests/benchmark? It outputs results like this:

               ECB             CBC             CFB             OFB             CTR           STREAM
         --------------- --------------- --------------- --------------- --------------- ---------------
3DES        90ms   100ms   100ms    90ms   100ms    90ms   100ms    90ms   110ms   100ms
CAST5       30ms    40ms    40ms    40ms    40ms    40ms    40ms    40ms    50ms    40ms
...

However I agree a tool that computes more statistics, similar to
openssl speed, would be useful. Maybe it could perform the same
computations, then you can compare the results directly.
gcrypt-speed.c?
/Simon

From simon at josefsson.org Tue Apr 14 17:47:10 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Tue, 14 Apr 2009 17:47:10 +0200
Subject: [Help-gnutls] Re: Odd issue with gnu-tls 2.6.4 running as a subprocess of emacs-23 on Windows XP
In-Reply-To: (Iver Odin Kvello's message of "Tue, 14 Apr 2009 09:21:52 +0200")
References: <874owst6hg.fsf@mocca.josefsson.org>
Message-ID: <87ws9nnsox.fsf@mocca.josefsson.org>

Iver Odin Kvello writes:

>> Yes, gnutls 2.6.x and earlier uses a broken emulation of select() which
>> likely does have problems, and there is also some buffering problems
>> that can result in CRLF confusion.
>>
>> Gnutls 2.7.x will fix this, but unfortunately there is a small piece
>> missing to prevent it from working under Windows right now... this is
>> probably the biggest remaining issue to fix before 2.8.x so it is a
>> priority.
>
> I debugged the issue a bit more over easter, and found that the hang
> is actually in the read from stdin in cli.c when there is no input
> ready on stdin. Apparently the select() emulation for normal
> filehandles using MsgWaitForMultipleObjects returns stdin as ready no
> matter if there is input ready there or not - at least when run like
> this. Adding extra newlines seems to fix this by ensuring that there
> is some input to be read most of the time, helped along a bit by some
> buffering; but of course it will be defeated by bad timing.
>
> I don't know why waitformultipleobjects behaves like this; I don't
> really know win32. I was thinking perhaps the easiest way of fixing
> this might be to just avoid select() for stdin and just handle stdin
> in a dedicated thread on windows, but I haven't tested that yet. Or I
> could just wait for 2.8.x :)

The solution in 2.8.x.
will be to avoid select() and use poll() instead,
for which there is (allegedly) a more reliable wrapper implementation in
gnulib:

http://git.savannah.gnu.org/cgit/gnulib.git/tree/lib/poll.c

/Simon

From iverodin at gmail.com Wed Apr 15 00:44:24 2009
From: iverodin at gmail.com (Iver Odin Kvello)
Date: Wed, 15 Apr 2009 00:44:24 +0200
Subject: [Help-gnutls] Re: Odd issue with gnu-tls 2.6.4 running as a subprocess of emacs-23 on Windows XP
In-Reply-To: <87ws9nnsox.fsf@mocca.josefsson.org>
References: <874owst6hg.fsf@mocca.josefsson.org> <87ws9nnsox.fsf@mocca.josefsson.org>
Message-ID:

> The solution in 2.8.x. will be to avoid select() and use poll() instead,
> for which there is (allegedly) a more reliable wrapper implementation in
> gnulib:
> http://git.savannah.gnu.org/cgit/gnulib.git/tree/lib/poll.c

I see, that sounds great. I actually managed to find and fix the bug
in select.c (without any extensive testing of course) - I've attached
the patch in case this could be useful temporarily or something.

I noticed that in select.c, normal handles would get 'translated'
using _get_osfhandle(), but pipes were not. Furthermore, stdin in this
case got an invalid handle error when GetFileType was called on it,
but this error wasn't detected, causing stdin to be treated as an
'uknown handle type' while it should have been a pipe. The result of
_get_osfhandle() called on stdin however *was* a pipe, so I applied
the same code to pipes as were already in place for 'normal'
filehandles, and that did the trick.

Regards, Iver
-------------- next part --------------
A non-text attachment was scrubbed...
Name: select.patch
Type: application/octet-stream
Size: 2409 bytes
Desc: not available
URL:

From dbreiser at gmail.com Thu Apr 16 05:08:43 2009
From: dbreiser at gmail.com (David Reiser)
Date: Wed, 15 Apr 2009 23:08:43 -0400
Subject: [Help-gnutls] build problem for libtasn1 on OS X
Message-ID:

Fink's package of libtasn1 is getting a bit long in the tooth (version
0.3.9), so I figured I'd look into modernizing it. Attempting to build
version 1.2, I get:

make all-recursive
/bin/sh ../../libtool --tag=CC --mode=link gcc -std=gnu99 -
fvisibility=hidden -g -O2 -L/sw/lib -o libgnu.la
libtool: link: ar cru .libs/libgnu.a
ar: no archive members specified
usage: ar -d [-TLsv] archive file ...
ar -m [-TLsv] archive file ...
ar -m [-abiTLsv] position archive file ...
ar -p [-TLsv] archive [file ...]
ar -q [-cTLsv] archive file ...
ar -r [-cuTLsv] archive file ...
ar -r [-abciuTLsv] position archive file ...
ar -t [-TLsv] archive [file ...]
ar -x [-ouTLsv] archive [file ...]
make[5]: *** [libgnu.la] Error 1
make[4]: *** [all-recursive] Error 1
make[3]: *** [all] Error 2
make[2]: *** [all-recursive] Error 1
make[1]: *** [all-recursive] Error 1
make: *** [all] Error 2

one of the libtool experts from fink told me that OS X will not allow
creation of an empty archive. He suspected a gnulib bug, or a problem
with the way gnulib is being used.

Mac OS X 10.5.6, gcc 4.0.1 (Apple's), libtool 2.2.6 or 1.5.26

Suggestions?

Dave
--
David Reiser
dbreiser at gmail.com

From simon at josefsson.org Thu Apr 16 15:35:55 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 16 Apr 2009 15:35:55 +0200
Subject: [Help-gnutls] Re: build problem for libtasn1 on OS X
In-Reply-To: (David Reiser's message of "Wed, 15 Apr 2009 23:08:43 -0400")
References:
Message-ID: <878wm0g1qc.fsf@mocca.josefsson.org>

David Reiser writes:

> Fink's package of libtasn1 is getting a bit long in the tooth (version
> 0.3.9), so I figured I'd look into modernizing it.
> Attempting to build
> version 1.2, I get:

Please try libtasn1 1.8 or 2.0 instead.

/Simon

> make all-recursive
> /bin/sh ../../libtool --tag=CC --mode=link gcc -std=gnu99 -
> fvisibility=hidden -g -O2 -L/sw/lib -o libgnu.la
> libtool: link: ar cru .libs/libgnu.a
> ar: no archive members specified
> usage: ar -d [-TLsv] archive file ...
> ar -m [-TLsv] archive file ...
> ar -m [-abiTLsv] position archive file ...
> ar -p [-TLsv] archive [file ...]
> ar -q [-cTLsv] archive file ...
> ar -r [-cuTLsv] archive file ...
> ar -r [-abciuTLsv] position archive file ...
> ar -t [-TLsv] archive [file ...]
> ar -x [-ouTLsv] archive [file ...]
> make[5]: *** [libgnu.la] Error 1
> make[4]: *** [all-recursive] Error 1
> make[3]: *** [all] Error 2
> make[2]: *** [all-recursive] Error 1
> make[1]: *** [all-recursive] Error 1
> make: *** [all] Error 2
>
> one of the libtool experts from fink told me that OS X will not allow
> creation of an empty archive. He suspected a gnulib bug, or a problem
> with the way gnulib is being used.
>
> Mac OS X 10.5.6, gcc 4.0.1 (Apple's), libtool 2.2.6 or 1.5.26
>
> Suggestions?
>
> Dave
> --
> David Reiser
> dbreiser at gmail.com

From dbreiser at gmail.com Thu Apr 16 16:40:40 2009
From: dbreiser at gmail.com (David Reiser)
Date: Thu, 16 Apr 2009 10:40:40 -0400
Subject: [Help-gnutls] Re: build problem for libtasn1 on OS X
In-Reply-To: <878wm0g1qc.fsf@mocca.josefsson.org>
References: <878wm0g1qc.fsf@mocca.josefsson.org>
Message-ID: <64202E36-563A-4712-96B4-AA621EBE5237@gmail.com>

On Apr 16, 2009, at 9:35 AM, Simon Josefsson wrote:

> David Reiser writes:
>
>> Fink's package of libtasn1 is getting a bit long in the tooth
>> (version
>> 0.3.9), so I figured I'd look into modernizing it. Attempting to
>> build
>> version 1.2, I get:
>
> Please try libtasn1 1.8 or 2.0 instead.
>

oops. It was 2.0. Looking at the wrong list when writing the email.
> /Simon
>
>> make all-recursive
>> /bin/sh ../../libtool --tag=CC --mode=link gcc -std=gnu99 -
>> fvisibility=hidden -g -O2 -L/sw/lib -o libgnu.la
>> libtool: link: ar cru .libs/libgnu.a
>> ar: no archive members specified
>> usage: ar -d [-TLsv] archive file ...
>> ar -m [-TLsv] archive file ...
>> ar -m [-abiTLsv] position archive file ...
>> ar -p [-TLsv] archive [file ...]
>> ar -q [-cTLsv] archive file ...
>> ar -r [-cuTLsv] archive file ...
>> ar -r [-abciuTLsv] position archive file ...
>> ar -t [-TLsv] archive [file ...]
>> ar -x [-ouTLsv] archive [file ...]
>> make[5]: *** [libgnu.la] Error 1
>> make[4]: *** [all-recursive] Error 1
>> make[3]: *** [all] Error 2
>> make[2]: *** [all-recursive] Error 1
>> make[1]: *** [all-recursive] Error 1
>> make: *** [all] Error 2
>>
>> one of the libtool experts from fink told me that OS X will not allow
>> creation of an empty archive. He suspected a gnulib bug, or a problem
>> with the way gnulib is being used.
>>
>> Mac OS X 10.5.6, gcc 4.0.1 (Apple's), libtool 2.2.6 or 1.5.26
>>
>> Suggestions?
>>
>> Dave
>> --
>> David Reiser
>> dbreiser at gmail.com

--
David Reiser
dbreiser at gmail.com

From simon at josefsson.org Thu Apr 16 17:30:01 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 16 Apr 2009 17:30:01 +0200
Subject: [Help-gnutls] Re: build problem for libtasn1 on OS X
In-Reply-To: <64202E36-563A-4712-96B4-AA621EBE5237@gmail.com> (David Reiser's message of "Thu, 16 Apr 2009 10:40:40 -0400")
References: <878wm0g1qc.fsf@mocca.josefsson.org> <64202E36-563A-4712-96B4-AA621EBE5237@gmail.com>
Message-ID: <87fxg81urq.fsf@mocca.josefsson.org>

David Reiser writes:

> On Apr 16, 2009, at 9:35 AM, Simon Josefsson wrote:
>
>> David Reiser writes:
>>
>>> Fink's package of libtasn1 is getting a bit long in the tooth
>>> (version
>>> 0.3.9), so I figured I'd look into modernizing it. Attempting to
>>> build
>>> version 1.2, I get:
>>
>> Please try libtasn1 1.8 or 2.0 instead.
>>
>
> oops. It was 2.0.
> Looking at the wrong list when writing the email.

I was able to reproduce this. Please test this daily snapshot:

http://daily.josefsson.org/libtasn1/libtasn1-20090416.tar.gz

If you can confirm that it solves the problem, I'll release it.

/Simon

From dbreiser at gmail.com Thu Apr 16 19:35:35 2009
From: dbreiser at gmail.com (David Reiser)
Date: Thu, 16 Apr 2009 13:35:35 -0400
Subject: [Help-gnutls] Re: build problem for libtasn1 on OS X
In-Reply-To: <87fxg81urq.fsf@mocca.josefsson.org>
References: <878wm0g1qc.fsf@mocca.josefsson.org> <64202E36-563A-4712-96B4-AA621EBE5237@gmail.com> <87fxg81urq.fsf@mocca.josefsson.org>
Message-ID: <16672F77-ADC3-47D8-BDE3-65FBF0DAB847@gmail.com>

On Apr 16, 2009, at 11:30 AM, Simon Josefsson wrote:

> David Reiser writes:
>
>> On Apr 16, 2009, at 9:35 AM, Simon Josefsson wrote:
>>
>>> David Reiser writes:
>>>
>>>> Fink's package of libtasn1 is getting a bit long in the tooth
>>>> (version
>>>> 0.3.9), so I figured I'd look into modernizing it. Attempting to
>>>> build
>>>> version 1.2, I get:
>>>
>>> Please try libtasn1 1.8 or 2.0 instead.
>>>
>>
>> oops. It was 2.0. Looking at the wrong list when writing the email.
>
> I was able to reproduce this. Please test this daily snapshot:
>
> http://daily.josefsson.org/libtasn1/libtasn1-20090416.tar.gz
>
> If you can confirm that it solves the problem, I'll release it.
>
> /Simon

The snapshot builds successfully. I haven't tested function yet, but
the build problem is gone.
Dave
--
David Reiser
dbreiser at gmail.com

From simon at josefsson.org Thu Apr 16 19:39:59 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 16 Apr 2009 19:39:59 +0200
Subject: [Help-gnutls] Re: build problem for libtasn1 on OS X
In-Reply-To: <16672F77-ADC3-47D8-BDE3-65FBF0DAB847@gmail.com> (David Reiser's message of "Thu, 16 Apr 2009 13:35:35 -0400")
References: <878wm0g1qc.fsf@mocca.josefsson.org> <64202E36-563A-4712-96B4-AA621EBE5237@gmail.com> <87fxg81urq.fsf@mocca.josefsson.org> <16672F77-ADC3-47D8-BDE3-65FBF0DAB847@gmail.com>
Message-ID: <87vdp4zeds.fsf@mocca.josefsson.org>

David Reiser writes:

> The snapshot builds successfully. I haven't tested function yet, but
> the build problem is gone.

Thanks, I'll make a release of it now, the problem probably affects
some other systems as well.

/Simon

From simon at josefsson.org Fri Apr 17 01:22:23 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Fri, 17 Apr 2009 01:22:23 +0200
Subject: [Help-gnutls] Libtasn1 2.1
Message-ID: <87skk8xjyo.fsf@mocca.josefsson.org>

Libtasn1 is a standalone library written in C for manipulating ASN.1
objects including DER/BER encoding and DER/BER decoding. Libtasn1 is
used by GnuTLS to manipulate X.509 objects and by Shishi to handle
Kerberos V5 packets.

Version 2.1 (released 2009-04-17)
- Fix compilation failure on platforms that can't generate empty archives,
  e.g., Mac OS X. Reported by David Reiser .

Commercial support contracts for Libtasn1 are available, and they help
finance continued maintenance. Simon Josefsson Datakonsult AB, a
Stockholm based privately held company, is currently funding Libtasn1
maintenance. We are always looking for interesting development
projects. See http://josefsson.org/ for more details.

If you need help to use Libtasn1, or want to help others, you are
invited to join the help-gnutls mailing list, see: .
Homepage:
  http://josefsson.org/libtasn1/

Here are the compressed sources (1.6MB):
  ftp://ftp.gnu.org/gnu/gnutls/libtasn1-2.1.tar.gz
  http://ftp.gnu.org/gnu/gnutls/libtasn1-2.1.tar.gz

Here are GPG detached signatures using key 0xB565716F:
  ftp://ftp.gnu.org/gnu/gnutls/libtasn1-2.1.tar.gz.sig
  http://ftp.gnu.org/gnu/gnutls/libtasn1-2.1.tar.gz.sig

The software is cryptographically signed by the author using an
OpenPGP key identified by the following information:

pub   1280R/B565716F 2002-05-05 [expires: 2010-02-22]
      Key fingerprint = 0424 D4EE 81A0 E3D1 19C6 F835 EDA2 1E94 B565 716F
uid   Simon Josefsson
uid   Simon Josefsson
sub   1280R/4D5D40AE 2002-05-05 [expires: 2009-04-21]

The key is available from:
  http://josefsson.org/key.txt
  dns:b565716f.josefsson.org?TYPE=CERT

Here are the SHA-1 and SHA-224 checksums:

884cc6609d7694a834a767b4b2975d6c5ab0d566 libtasn1-2.1.tar.gz
3e78a2af893cde0eda9820d46077bde6f1a6b083b3cc2ed90df2420d libtasn1-2.1.tar.gz

Happy hacking,
Simon

From madhu.boddu at tcs.com Mon Apr 20 13:07:32 2009
From: madhu.boddu at tcs.com (Madhu Boddu)
Date: Mon, 20 Apr 2009 16:37:32 +0530
Subject: [Help-gnutls] Re: Welcome to the "Help-gnutls" mailing list
In-Reply-To:
Message-ID:

Madhu Priyanka Boddu
Tata Consultancy Services
Mailto: madhu.boddu at tcs.com
Website: http://www.tcs.com
If you have received this communication in error,
please notify us by reply e-mail or telephone and
immediately and permanently delete the message
and any attachments. Thank you

From exa.exa at gmail.com Mon Apr 20 15:56:47 2009
From: exa.exa at gmail.com (Miroslav Kratochvil)
Date: Mon, 20 Apr 2009 15:56:47 +0200
Subject: [Help-gnutls] Encryption using DSA keys
Message-ID:

Hi everyone,

well, after I solved the problem at [1], I got to real problems:

I want gnutls to negotiate encrypted connection using DSA keys. I
realized that I will have to use DHE_DSS algorithm, but I have no idea
how to generate a certificate for one. Googling failed, and
documentation says only that "DHE_DSS uses DSA keys in certificates."

In OpenSSL world (from where I'm migrating) it was easy, one just
appended "-dsa" to key generating parameters, and it was done.
Nevertheless; with gnutls and --dsa option; I'm getting error -89
(Public key signature verification has failed.). RSA alternative
(--rsa with the same commands) works ok.

So, is there any tutorial or howto on generating suitable DSA keys for
use with encryption? Ideally with a complete certtool script for
generating one selfsigned CA keypair and other that-ca-signed keypair.

If I'm totally wrong and using DSA for encryption is lame, and
therefore it doesn't and won't ever work, please tell me ;)

Thanks in advance

Mirek Kratochvil

-----
[1] is gnutls-devel thread, can be seen at gmane:
http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3488

From simon at josefsson.org Mon Apr 20 16:14:15 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Mon, 20 Apr 2009 16:14:15 +0200
Subject: [Help-gnutls] Re: Encryption using DSA keys
In-Reply-To: (Miroslav Kratochvil's message of "Mon, 20 Apr 2009 15:56:47 +0200")
References:
Message-ID: <87r5znza2w.fsf@mocca.josefsson.org>

Miroslav Kratochvil writes:

> Hi everyone,
>
> well, after I solved the problem at [1], I got to real problems:
>
> I want gnutls to negotiate encrypted connection using DSA keys. I
> realized that I will have to use DHE_DSS algorithm, but I have no idea
> how to generate a certificate for one. Googling failed, and
> documentation says only that "DHE_DSS uses DSA keys in certificates."
>
> In OpenSSL world (from where I'm migrating) it was easy, one just
> appended "-dsa" to key generating parameters, and it was done.
> Nevertheless; with gnutls and --dsa option; I'm getting error -89
> (Public key signature verification has failed.). RSA alternative
> (--rsa with the same commands) works ok.
>
> So, is there any tutorial or howto on generating suitable DSA keys for
> use with encryption? Ideally with a complete certtool script for
> generating one selfsigned CA keypair and other that-ca-signed keypair.

Check the manual:

http://www.gnu.org/software/gnutls/manual/html_node/Invoking-certtool.html

Generating a certificate using those instructions seems to work fine
here, see log below.

You are right that the manual doesn't give an example for DSA keys, so I
added one:

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=7ffeba022859b2b9d909bc3fb8a89057a309ae06

Can you explain exactly what you did to get the -89 error?

/Simon

jas at mocca:~$ certtool --generate-privkey --outfile key.pem --dsa
Generating a 2048 bit DSA private key...
jas at mocca:~$ cat key.pem
jas at mocca:~$ certtool --generate-certificate --load-privkey key.pem --outfile cert.pem --load-ca-certificate ~/src/www-gnutls/test-credentials/x509-ca.pem --load-ca-privkey ~/src/www-gnutls/test-credentials/x509-ca-key.pem
Generating a signed certificate...
Please enter the details of the certificate's distinguished name. Just press enter to ignore a field.
Country name (2 chars): SE
Organization name:
Organizational unit name:
Locality name:
State or province name:
Common name: foo.bar.com
UID:
This field should not be used in new certificates.
E-mail:
Enter the certificate's serial number in decimal (default: 1240236605):


Activation/Expiration time.
The certificate will expire in (days):
The certificate will expire in (days): 180


Extensions.
Does the certificate belong to an authority? (y/N):
Is this a TLS web client certificate? (y/N): y
Is this also a TLS web server certificate? (y/N): y
Enter the dnsName of the subject of the certificate: foo.bar.com
Enter the dnsName of the subject of the certificate:
X.509 Certificate Information:
        Version: 3
        Serial Number (hex): 49ec823d
        Validity:
                Not Before: Mon Apr 20 14:10:06 UTC 2009
                Not After: Sat Oct 17 14:10:08 UTC 2009
        Subject: C=SE,CN=foo.bar.com
        Subject Public Key Algorithm: DSA
                Public key (bits 1024):
                P:
                Q:
                        01:00:01
                G:
        Extensions:
                Basic Constraints (critical):
                        Certificate Authority (CA): FALSE
                Key Purpose (not critical):
                        TLS WWW Client.
                        TLS WWW Server.
                Subject Alternative Name (not critical):
                        DNSname: foo.bar.com
                Key Usage (critical):
                        Digital signature.
                Subject Key Identifier (not critical):
                        e9e00d4ee9ccf3c9ecd6ca2aa988077628a0d75f
                Authority Key Identifier (not critical):
                        e93c1cfbad926ee606a4562ca2e1c05327c8f295
Other Information:
        Public Key Id:
                e9e00d4ee9ccf3c9ecd6ca2aa988077628a0d75f

Is the above information ok? (Y/N): y


Signing certificate...
jas at mocca:~$ certtool -v
certtool (GnuTLS) 2.6.5
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by Nikos Mavrogiannopoulos and Simon Josefsson.
jas at mocca:~$

From exa.exa at gmail.com Mon Apr 20 17:25:19 2009
From: exa.exa at gmail.com (Miroslav Kratochvil)
Date: Mon, 20 Apr 2009 17:25:19 +0200
Subject: [Help-gnutls] Re: some crashes on using DSA keys
In-Reply-To:
References: <87vdozzayo.fsf@mocca.josefsson.org> <87myabz9vx.fsf@mocca.josefsson.org>
Message-ID:

First, sorry again for sending this to Simon twice, I haven't been using
mailing lists for a while. :(

> It would be great if you could try to reproduce the problem using only
> gnutls-cli and gnutls-serv.
...
> Please see if you can make an unmodified 2.6.5 server crash.

ok, good news

gnutls-serv and gnutls-cli from 2.6.5 are affected too, but it shoots
down only the misconfigured gnutls-cli. gnutls-serv only throws
message:

Error: A TLS packet with unexpected length was received.

I'm gonna fixed-client&unfixed-server combination in few minutes, hope
it doesn't die.

I'm posting the keys used to do this below. If you want full output of
crashed gnutls-cli, please tell me.

I run it this way:

gnutls-serv --x509cafile ca.crt --dhparams dh1024.pem --x509dsakeyfile ssl.key --x509dsacertfile ssl.crt --require-cert

and

gnutls-cli --x509cafile ca.crt --x509keyfile c.key --x509certfile c.crt localhost -p 5556

Keys are:

c.crt
c.key
ca.crt
ca.key
dh1024.pem
ssl.crt
ssl.key

From exa.exa at gmail.com Tue Apr 21 16:34:53 2009
From: exa.exa at gmail.com (Miroslav Kratochvil)
Date: Tue, 21 Apr 2009 16:34:53 +0200
Subject: [Help-gnutls] Re: Encryption using DSA keys
In-Reply-To: <87r5znza2w.fsf@mocca.josefsson.org>
References: <87r5znza2w.fsf@mocca.josefsson.org>
Message-ID:

Thanks for adding the key generation documentation and showing me an
example, but I still have no luck.

If anyone could generate a CA, then sign DSA key with it, and then
connect gnutls-cli and gnutls-serv using that key verified by CA...
would he please post a complete command sentence needed to achieve it?

Because all my attempts still fail on the same error:

For each failed client attempt, server says:

......
|<7>| READ: -1 returned from 5, errno=11 gerrno=0
|<2>| ASSERT: gnutls_buffers.c:360
|<2>| ASSERT: gnutls_buffers.c:1151
|<2>| ASSERT: gnutls_handshake.c:1045
|<7>| READ: -1 returned from 5, errno=104 gerrno=0
|<2>| ASSERT: gnutls_buffers.c:368
|<2>| ASSERT: gnutls_buffers.c:623
|<2>| ASSERT: gnutls_record.c:909
|<2>| ASSERT: gnutls_buffers.c:1151
|<2>| ASSERT: gnutls_handshake.c:1045
|<2>| ASSERT: gnutls_handshake.c:2647
|<6>| BUF[HSK]: Cleared Data from buffer
Error in handshake
Error: A TLS packet with unexpected length was received.
|<4>| REC: Sending Alert[2|22] - Record overflow
|<4>| REC[64c780]: Sending Packet[5] Alert(21) with length: 2
|<2>| ASSERT: gnutls_cipher.c:204
|<7>| WRITE: Will write 7 bytes to 5.
|<2>| ASSERT: gnutls_buffers.c:834
|<2>| ASSERT: gnutls_record.c:461
|<2>| ASSERT: gnutls_record.c:262
....

And client dies on:

....
|<7>| RB: Have 5 bytes into buffer. Adding 279 bytes.
|<7>| RB: Requested 284 bytes
|<2>| ASSERT: gnutls_cipher.c:204
|<4>| REC[64aaa0]: Decrypted Packet[2] Handshake(22) with length: 279
|<6>| BUF[HSK]: Inserted 279 bytes of Data(22)
|<6>| BUF[REC][HD]: Read 1 bytes of Data(22)
|<6>| BUF[REC][HD]: Read 3 bytes of Data(22)
|<3>| HSK[64aaa0]: SERVER KEY EXCHANGE was received [279 bytes]
|<6>| BUF[REC][HD]: Read 275 bytes of Data(22)
|<6>| BUF[HSK]: Peeked 1941 bytes of Data
|<6>| BUF[HSK]: Emptied buffer
|<6>| BUF[HSK]: Inserted 4 bytes of Data
|<6>| BUF[HSK]: Inserted 275 bytes of Data
|<2>| ASSERT: pk-libgcrypt.c:519
|<2>| ASSERT: gnutls_pk.c:515
|<2>| ASSERT: gnutls_sig.c:347
|<2>| ASSERT: gnutls_sig.c:506
|<2>| ASSERT: auth_dhe.c:232
|<2>| ASSERT: gnutls_kx.c:415
|<2>| ASSERT: gnutls_handshake.c:2386
|<6>| BUF[HSK]: Cleared Data from buffer
*** Fatal error: Public key signature verification has failed.
*** Handshake has failed
GNUTLS ERROR: Public key signature verification has failed.

On Mon, Apr 20, 2009 at 4:14 PM, Simon Josefsson wrote:
> Miroslav Kratochvil writes:
>
>> Hi everyone,
>>
>> well, after I solved the problem at [1], I got to real problems:
>>
>> I want gnutls to negotiate encrypted connection using DSA keys. I
>> realized that I will have to use DHE_DSS algorithm, but I have no idea
>> how to generate a certificate for one. Googling failed, and
>> documentation says only that "DHE_DSS uses DSA keys in certificates."
>>
>> In OpenSSL world (from where I'm migrating) it was easy, one just
>> appended "-dsa" to key generating parameters, and it was done.
>> Nevertheless; with gnutls and --dsa option; I'm getting error -89
>> (Public key signature verification has failed.). RSA alternative
>> (--rsa with the same commands) works ok.
>>
>> So, is there any tutorial or howto on generating suitable DSA keys for
>> use with encryption? Ideally with a complete certtool script for
>> generating one selfsigned CA keypair and other that-ca-signed keypair.
>
> Check the manual:
>
> http://www.gnu.org/software/gnutls/manual/html_node/Invoking-certtool.html
>
> Generating a certificate using those instructions seems to work fine
> here, see log below.
>
> You are right that the manual doesn't give an example for DSA keys, so I
> added one:
>
> http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=7ffeba022859b2b9d909bc3fb8a89057a309ae06
>
> Can you explain exactly what you did to get the -89 error?
>
> /Simon
>
> jas at mocca:~$ certtool --generate-privkey --outfile key.pem --dsa
> Generating a 2048 bit DSA private key...
> jas at mocca:~$ cat key.pem
> jas at mocca:~$ certtool --generate-certificate --load-privkey key.pem --outfile cert.pem --load-ca-certificate ~/src/www-gnutls/test-credentials/x509-ca.pem --load-ca-privkey ~/src/www-gnutls/test-credentials/x509-ca-key.pem
> Generating a signed certificate...
> Please enter the details of the certificate's distinguished name. Just press enter to ignore a field.
> Country name (2 chars): SE
> Organization name:
> Organizational unit name:
> Locality name:
> State or province name:
> Common name: foo.bar.com
> UID:
> This field should not be used in new certificates.
> E-mail:
> Enter the certificate's serial number in decimal (default: 1240236605):
>
>
> Activation/Expiration time.
> The certificate will expire in (days):
> The certificate will expire in (days): 180
>
>
> Extensions.
> Does the certificate belong to an authority? (y/N):
> Is this a TLS web client certificate? (y/N): y
> Is this also a TLS web server certificate? (y/N): y
> Enter the dnsName of the subject of the certificate: foo.bar.com
> Enter the dnsName of the subject of the certificate:
> X.509 Certificate Information:
>         Version: 3
>         Serial Number (hex): 49ec823d
>         Validity:
>                 Not Before: Mon Apr 20 14:10:06 UTC 2009
>                 Not After: Sat Oct 17 14:10:08 UTC 2009
>         Subject: C=SE,CN=foo.bar.com
>         Subject Public Key Algorithm: DSA
>                 Public key (bits 1024):
>                 P:
>                 Q:
>                         01:00:01
>                 G:
>         Extensions:
>                 Basic Constraints (critical):
>                         Certificate Authority (CA): FALSE
>                 Key Purpose (not critical):
>                         TLS WWW Client.
>                         TLS WWW Server.
>                 Subject Alternative Name (not critical):
>                         DNSname: foo.bar.com
>                 Key Usage (critical):
>                         Digital signature.
>                 Subject Key Identifier (not critical):
>                         e9e00d4ee9ccf3c9ecd6ca2aa988077628a0d75f
>                 Authority Key Identifier (not critical):
>                         e93c1cfbad926ee606a4562ca2e1c05327c8f295
> Other Information:
>         Public Key Id:
>                 e9e00d4ee9ccf3c9ecd6ca2aa988077628a0d75f
>
> Is the above information ok? (Y/N): y
>
>
> Signing certificate...
> jas at mocca:~$ certtool -v
> certtool (GnuTLS) 2.6.5
> Copyright (C) 2008 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
>
> Written by Nikos Mavrogiannopoulos and Simon Josefsson.
> jas at mocca:~$
>

From madhu.boddu at tcs.com Wed Apr 22 07:39:26 2009
From: madhu.boddu at tcs.com (madhubodd)
Date: Tue, 21 Apr 2009 22:39:26 -0700 (PDT)
Subject: [Help-gnutls] (very urgent) Need Help for server communication with GNUTLS in c# windows
Message-ID: <23134237.post@talk.nabble.com>

I downloaded GNUTLS2.7.3
I copied the dlls
libgnutls-26.dll,libgnutls-extra-26.dll,libgnutls-openssl26.dll,libgpg-error-0.dll,libtasn1-3.dll
I generated libgnutls.lib internal obj file also.

Now I need to write code for socket communication with Gnu Tls for windows
environment..
Needed help regarding the syntax.
Also what name spaces I need to write..
Please kindly help
--
View this message in context: http://www.nabble.com/%28very-urgent%29-Need-Help-for-server-communication-with-GNUTLS-in-c--windows-tp23134237p23134237.html
Sent from the Gnu - TLS mailing list archive at Nabble.com.

From simon at josefsson.org Wed Apr 22 13:23:30 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Wed, 22 Apr 2009 13:23:30 +0200
Subject: [Help-gnutls] Re: (very urgent) Need Help for server communication with GNUTLS in c# windows
In-Reply-To: <23134237.post@talk.nabble.com> (madhubodd's message of "Tue, 21 Apr 2009 22:39:26 -0700 (PDT)")
References: <23134237.post@talk.nabble.com>
Message-ID: <87mya9aq4t.fsf@mocca.josefsson.org>

madhubodd writes:

> I downloaded GNUTLS2.7.3
> I copied the dlls
> libgnutls-26.dll,libgnutls-extra-26.dll,libgnutls-openssl26.dll,libgpg-error-0.dll,libtasn1-3.dll
> I generated libgnutls.lib internal obj file also.
>
> Now I need to write code for socket communication with Gnu Tls for windows
> environment..
> Needed help regarding the syntax.

See the examples in the manual, for example:

http://www.gnu.org/software/gnutls/manual/html_node/Simple-client-example-with-X_002e509-certificate-support.html

> Also what name spaces I need to write..

Name spaces? GnuTLS is a C library. There is a C++ library and header
file gnutlsxx.h but alas it isn't documented, so if you want to use it,
you need to look in the header file and source code.

/Simon

From simon at josefsson.org Mon Apr 27 13:06:53 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Mon, 27 Apr 2009 13:06:53 +0200
Subject: [Help-gnutls] Re: (very urgent) Need Help for server communication with GNUTLS in c# windows
In-Reply-To: (Madhu Boddu's message of "Mon, 27 Apr 2009 11:59:49 +0530")
References:
Message-ID: <87d4ayfj8y.fsf@mocca.josefsson.org>

Madhu Boddu writes:

> Hi Simon,
>
> Thank you very much for the link you had given. But actually I was trying
> the code in c#. Even I tried with converters also but I couldn't.
> Could you help me in getting the code in c#.

Hi Madhu. Oh, sorry about that. I'm not aware of any documentation on
using GnuTLS in C#, anyone else?
You should be able to follow generic instructions on using C libraries
in C#, though, if you can find documentation on that.

/Simon

From simon at josefsson.org Wed Apr 29 10:54:53 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Wed, 29 Apr 2009 10:54:53 +0200
Subject: [Help-gnutls] Re: Libtasn1 2.1
In-Reply-To: <1240993763.8756.25.camel@par> (Jeff Cai's message of "Wed, 29 Apr 2009 16:29:23 +0800")
References: <87skk8xjyo.fsf@mocca.josefsson.org> <1240993763.8756.25.camel@par>
Message-ID: <87iqkn4z6q.fsf@mocca.josefsson.org>

Jeff Cai writes:

> I found that lib/ASN1.c is licensed under GPL v3, is that correct? I
> don't think a LGPLv2 library comes from a GPL v3 source file.

That file is generated by GNU Bison from the LGPLv2+ lib/ASN1.y, and
there is a license exception:

/* As a special exception, you may create a larger work that contains
   part or all of the Bison parser skeleton and distribute that work
   under terms of your choice, so long as that work isn't itself a
   parser generator using the skeleton or a modified version thereof
   as a parser skeleton. Alternatively, if you modify or redistribute
   the parser skeleton itself, you may (at your option) remove this
   special exception, which will cause the skeleton and the resulting
   Bison output files to be licensed under the GNU General Public
   License without this special exception.

   This special exception was added by the Free Software Foundation in
   version 2.2 of Bison. */

As far as I understand, it is fine to use Bison generated output in a
LGPLv2 project. But you may want to ask the FSF or a lawyer for further
clarification or an authoritative answer.

/Simon

From simon at josefsson.org Thu Apr 30 12:36:07 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 30 Apr 2009 12:36:07 +0200
Subject: [Help-gnutls] GnuTLS 2.6.6 - Security Release
Message-ID: <87hc0677jc.fsf@mocca.josefsson.org>

We are proud to announce a new stable GnuTLS release: Version 2.6.6.

GnuTLS is a modern C library that implements the standard network
security protocol Transport Layer Security (TLS), for use by network
applications. GnuTLS is developed for GNU/Linux, but works on many
Unix-like systems and comes with a binary installer for Windows.

The GnuTLS library is distributed under the terms of the GNU Lesser
General Public License version 2.1 (or later). The "extra" GnuTLS
library (which contains TLS/IA support, LZO compression and Libgcrypt
FIPS-mode handler), the OpenSSL compatibility library, the self tests
and the command line tools are all distributed under the GNU General
Public License version 3.0 (or later). The manual is distributed under
the GNU Free Documentation License version 1.2 (or later).

The project page of the library is available at:
  http://www.gnu.org/software/gnutls/

What's New
==========

Version 2.6.6 is a maintenance and security release on our stable
branch.

** libgnutls: Corrected double free on signature verification failure.
Reported by Miroslav Kratochvil . See the advisory for more details.
[GNUTLS-SA-2009-1] [CVE-2009-1415]

** libgnutls: Fix DSA key generation.
Noticed when investigating the previous GNUTLS-SA-2009-1 problem. All
DSA keys generated using GnuTLS 2.6.x are corrupt. See the advisory for
more details. [GNUTLS-SA-2009-2] [CVE-2009-1416]

** libgnutls: Check expiration/activation time on untrusted certificates.
Reported by Romain Francoise . Before the library did not check
activation/expiration times on certificates, and was documented as not
doing so. We have realized that many applications that use libgnutls,
including gnutls-cli, fail to perform proper checks. Implementing
similar logic in all applications leads to code duplication. Hence, we
decided to check whether the current time (as reported by the time
function) is within the activation/expiration period of certificates
when verifying untrusted certificates.
This changes the semantics of gnutls_x509_crt_list_verify, which in turn
is used by gnutls_certificate_verify_peers and
gnutls_certificate_verify_peers2. We add two new
gnutls_certificate_status_t codes for reporting the new error condition,
GNUTLS_CERT_NOT_ACTIVATED and GNUTLS_CERT_EXPIRED. We also add a new
gnutls_certificate_verify_flags flag, GNUTLS_VERIFY_DISABLE_TIME_CHECKS,
that can be used to disable the new behaviour.

More details about the vulnerabilities will be posted at .

** gnutls-cli, gnutls-cli-debug: Fix AIX build problem.
Reported by LAUPRETRE François (P) in .

** tests: Fix linking of tests/openpgp/keyring self-test.
Reported by Daniel Black in .

** API and ABI modifications:
gnutls_x509_crt_list_verify: CHANGED, checks activation/expiration times.
gnutls_certificate_verify_peers: Likewise.
gnutls_certificate_verify_peers2: Likewise.
GNUTLS_CERT_NOT_ACTIVATED: ADDED.
GNUTLS_CERT_EXPIRED: ADDED.
GNUTLS_VERIFY_DISABLE_TIME_CHECKS: ADDED.

Getting the Software
====================

GnuTLS may be downloaded from one of the mirror sites or direct from .
The list of mirrors can be found at .

Here are the BZIP2 compressed sources (4.9MB):

  ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.6.6.tar.bz2
  http://ftp.gnu.org/gnu/gnutls/gnutls-2.6.6.tar.bz2

Here are OpenPGP detached signatures signed using key 0xB565716F:

  ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.6.6.tar.bz2.sig
  http://ftp.gnu.org/gnu/gnutls/gnutls-2.6.6.tar.bz2.sig

Note, that we don't distribute gzip compressed tarballs.

In order to check that the version of GnuTLS which you are going to
install is an original and unmodified one, you should verify the OpenPGP
signature. You can use the command

  gpg --verify gnutls-2.6.6.tar.bz2.sig

This checks whether the signature file matches the source file. You
should see a message indicating that the signature is good and made by
that signing key.
Make sure that you have the right key, either by checking the
fingerprint of that key with other sources or by checking that the key
has been signed by a trustworthy other key. The signing key can be
identified with the following information:

pub   1280R/B565716F 2002-05-05 [expires: 2010-04-21]
      Key fingerprint = 0424 D4EE 81A0 E3D1 19C6 F835 EDA2 1E94 B565 716F
uid   Simon Josefsson
uid   Simon Josefsson
sub   1280R/4D5D40AE 2002-05-05 [expires: 2010-04-21]

The key is available from:
  http://josefsson.org/key.txt
  dns:b565716f.josefsson.org?TYPE=CERT

Alternatively, after successfully verifying the OpenPGP signature of
this announcement, you could verify that the files match the following
checksum values. The values are for SHA-1 and SHA-224 respectively:

d1693e611aa7270f14bc500bd56ef529ffcb1703 gnutls-2.6.6.tar.bz2
5e5bc180293b0854b7e8c27a5eb55f172579b346fba61b2d4b0b0c61 gnutls-2.6.6.tar.bz2

Documentation
=============

The manual is available online at:

  http://www.gnu.org/software/gnutls/documentation.html

In particular the following formats are available:

  HTML: http://www.gnu.org/software/gnutls/manual/html_node/index.html
  PDF: http://www.gnu.org/software/gnutls/manual/gnutls.pdf

For developers there is a GnuTLS API reference manual formatted using
the GTK-DOC tools:

  http://www.gnu.org/software/gnutls/reference/gnutls-gnutls.html

Community
=========

If you need help to use GnuTLS, or want to help others, you are invited
to join our help-gnutls mailing list, see:

  http://lists.gnu.org/mailman/listinfo/help-gnutls

If you wish to participate in the development of GnuTLS, you are invited
to join our gnutls-dev mailing list, see:

  http://lists.gnu.org/mailman/listinfo/gnutls-devel

Windows installer
=================

GnuTLS has been ported to the Windows operating system, and a binary
installer is available. The installer contains DLLs for application
development, manuals, examples, and source code.
The installer uses libgpg-error v1.7, libgcrypt v1.4.4, libtasn1 v2.1,
and GnuTLS v2.6.6.

For more information about GnuTLS for Windows:
  http://josefsson.org/gnutls4win/

The Windows binary installer and PGP signature:
  http://josefsson.org/gnutls4win/gnutls-2.6.6.exe (14MB)
  http://josefsson.org/gnutls4win/gnutls-2.6.6.exe.sig

The checksum values for SHA-1 and SHA-224 are:

8a86a846cbdc16b6c21442c706854a5c02416336 gnutls-2.6.6.exe
555afa0c1524d8ad05a12384e1bd1b09da720b03058f0089dc812cfc gnutls-2.6.6.exe

Thanks to Enrico Tassi, we also have mingw32 *.deb's available:
  http://josefsson.org/gnutls4win/mingw32-gnutls_2.6.6-1_all.deb

The checksum values for SHA-1 and SHA-224 are:

b141f97c196d408bf12b8a58ede6bda8fb291be6 mingw32-gnutls_2.6.6-1_all.deb
541e2fca8248460b419e2224a138b292020de1724c86c77b9478da93 mingw32-gnutls_2.6.6-1_all.deb

Internationalization
====================

GnuTLS messages have been translated into Dutch, French, German, Malay,
Polish, Swedish, and Vietnamese. We welcome the addition of more
translations.

Support
=======

Improving GnuTLS is costly, but you can help! We are looking for
organizations that find GnuTLS useful and wish to contribute back. You
can contribute by reporting bugs, improving the software, or donating
money or equipment.

Commercial support contracts for GnuTLS are available, and they help
finance continued maintenance. Simon Josefsson Datakonsult AB, a
Stockholm based privately held company, is currently funding GnuTLS
maintenance. We are always looking for interesting development
projects. See http://josefsson.org/ for more details.

The GnuTLS service directory is available at:
  http://www.gnu.org/software/gnutls/commercial.html

Happy Hacking,
Simon
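
A self-contained C model of the activation/expiration check described in the 2.6.6 announcement above, added here as an example and not GnuTLS source code. The model_* names, the flag values, the inclusive window bounds and the sample chain are constructed stand-ins for gnutls_x509_crt_list_verify, GNUTLS_CERT_NOT_ACTIVATED, GNUTLS_CERT_EXPIRED and GNUTLS_VERIFY_DISABLE_TIME_CHECKS; signature and chain-building checks are left out.

```c
#include <stddef.h>
#include <stdio.h>
#include <time.h>

/* Stand-ins for this example only; real code takes the GNUTLS_CERT_* and
   GNUTLS_VERIFY_* names from <gnutls/gnutls.h>. Values here are arbitrary. */
enum { MODEL_CERT_NOT_ACTIVATED = 1u << 0, MODEL_CERT_EXPIRED = 1u << 1 };
enum { MODEL_VERIFY_DISABLE_TIME_CHECKS = 1u << 0 };

struct model_cert {
    const char *subject;
    time_t activation;  /* notBefore */
    time_t expiration;  /* notAfter */
    int trusted;        /* 1 = locally configured trust anchor */
};

/* Constructed chain: leaf valid for [1000, 2000], trusted CA for [0, 9000]. */
static const struct model_cert sample_chain[] = {
    { "CN=foo.bar.com", 1000, 2000, 0 },
    { "CN=Example CA",     0, 9000, 1 },
};

/* Time-validity part of chain verification as the announcement describes it:
   every untrusted certificate must satisfy activation <= now <= expiration
   (inclusive bounds are an assumption), unless the caller disables the check. */
unsigned model_time_status(const struct model_cert *chain, size_t n,
                           time_t now, unsigned flags)
{
    unsigned status = 0;
    if (flags & MODEL_VERIFY_DISABLE_TIME_CHECKS)
        return 0;  /* behaviour before 2.6.6: times are not looked at */
    for (size_t i = 0; i < n; i++) {
        if (chain[i].trusted)
            continue;
        if (now < chain[i].activation)
            status |= MODEL_CERT_NOT_ACTIVATED;
        if (now > chain[i].expiration)
            status |= MODEL_CERT_EXPIRED;
    }
    return status;
}

/* Application policy: fail closed on any status bit, including new ones. */
int model_accept_peer(unsigned status) { return status == 0; }

int main(void)
{
    const time_t probes[] = { 500, 1500, 2500 };
    for (size_t i = 0; i < 3; i++) {
        unsigned s = model_time_status(sample_chain, 2, probes[i], 0);
        printf("now=%ld status=0x%x accept=%d\n", (long)probes[i], s,
               model_accept_peer(s));
    }
    return 0;
}
```

An application that only tests for specific pre-2.6.6 status bits would still accept the expired leaf; comparing the whole status against zero, as model_accept_peer does, picks up the two new codes without further changes.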