From simon at josefsson.org Fri May 1 12:14:17 2009 From: simon at josefsson.org (Simon Josefsson) Date: Fri, 01 May 2009 12:14:17 +0200 Subject: [Help-gnutls] Re: Encryption using DSA keys In-Reply-To: (Miroslav Kratochvil's message of "Tue, 21 Apr 2009 16:34:53 +0200") References: <87r5znza2w.fsf@mocca.josefsson.org> Message-ID: <871vr9f7uu.fsf@mocca.josefsson.org> Miroslav Kratochvil writes: > Thanks for adding the key generation documentation and showing me an > example, but I still have no luck. > > If anyone could generate a CA, then sign DSA key with it, and then > connect gnutls-cli and gnutls-serv using that key verified by CA... > would he please post a complete command sentence needed to achieve it? Hi! Try again using GnuTLS 2.6.6. The DSA keys generated with GnuTLS 2.6.x with x < 6 were corrupt, and cause the error you encountered. Thanks for reporting your problems. /Simon From carolin.latze at unifr.ch Fri May 1 16:56:48 2009 From: carolin.latze at unifr.ch (Carolin Latze) Date: Fri, 01 May 2009 16:56:48 +0200 Subject: [Help-gnutls] Install Problems Message-ID: <49FB0DB0.7010805@unifr.ch> Hi all, I tried to install GnuTLS, which results in errors when executing make check. libgpg-error 1.7 has been installed with ./configure; make; make install (make check completes successfully) libgcrypt 1.4.4 has been installed with ./configure --prefix=/usr --with-gpg-error-prefix=/usr/local; make; make install (make check completes successfully) gnutls 2.6.6 has been installed with ./configure --prefix=/usr --disable-srp-authentication --disable-openpgp-authentication make make install make check says "11 of 23 tests failed" most of the errors sound like server: ready. Listening to port '5556'. Launched, generating DH parameters... server: connection from 127.0.0.1, port 58289 ./resume: relocation error: /usr/local/src/gnutls-2.6.6/lib/.libs/libgnutls.so.26: symbol gcry_cipher_setkey, version GCRYPT_1.2 not defined in file libgcrypt.so.11 with link time reference ./resume: relocation error: /usr/local/src/gnutls-2.6.6/lib/.libs/libgnutls.so.26: symbol gcry_cipher_setkey, version GCRYPT_1.2 not defined in file libgcrypt.so.11 with link time reference FAIL: resume success: gnutls_psk_netconf_derive_key success: match. Self test `./netconf-psk' finished with 0 errors PASS: netconf-psk PASS: setcredcrash =================================== 11 of 23 tests failed Please report to bug-gnutls at gnu.org =================================== make[3]: *** [check-TESTS] Error 1 make[3]: Leaving directory `/usr/local/src/gnutls-2.6.6/tests' make[2]: *** [check-am] Error 2 make[2]: Leaving directory `/usr/local/src/gnutls-2.6.6/tests' make[1]: *** [check-recursive] Error 1 make[1]: Leaving directory `/usr/local/src/gnutls-2.6.6/tests' make: *** [check-recursive] Error 1 I guess, I forgot to set one parameter correctly during configure, but which one? Does anybody have an idea? Any hints are appreciated! Regards Carolin From simon at josefsson.org Fri May 1 17:56:10 2009 From: simon at josefsson.org (Simon Josefsson) Date: Fri, 01 May 2009 17:56:10 +0200 Subject: [Help-gnutls] Re: Install Problems In-Reply-To: <49FB0DB0.7010805@unifr.ch> (Carolin Latze's message of "Fri, 01 May 2009 16:56:48 +0200") References: <49FB0DB0.7010805@unifr.ch> Message-ID: <87r5z8es11.fsf@mocca.josefsson.org> Carolin Latze writes: > Hi all, > > I tried to install GnuTLS, which results in errors when executing make > check. > > libgpg-error 1.7 has been installed with > > ./configure; make; make install (make check completes successfully) > > libgcrypt 1.4.4 has been installed with > > ./configure --prefix=/usr --with-gpg-error-prefix=/usr/local; make; > make install (make check completes successfully) > > gnutls 2.6.6 has been installed with > > ./configure --prefix=/usr --disable-srp-authentication > --disable-openpgp-authentication Try adding --with-libgcrypt-prefix=/usr/local. Otherwise it likely tries to use libgcrypt from /usr. > /usr/local/src/gnutls-2.6.6/lib/.libs/libgnutls.so.26: symbol > gcry_cipher_setkey, version GCRYPT_1.2 not defined in file > libgcrypt.so.11 with link time reference Yes, it seems to use one libgcrypt during linking and another one when running. You could also try running "ldconfig" as root to make sure the ld.so.cache is uptodate. /Simon From carolin.latze at unifr.ch Fri May 1 18:02:19 2009 From: carolin.latze at unifr.ch (Carolin Latze) Date: Fri, 01 May 2009 18:02:19 +0200 Subject: [Help-gnutls] Re: Install Problems In-Reply-To: <87r5z8es11.fsf@mocca.josefsson.org> References: <49FB0DB0.7010805@unifr.ch> <87r5z8es11.fsf@mocca.josefsson.org> Message-ID: <49FB1D0B.2000408@unifr.ch> Hi Simon, > >> /usr/local/src/gnutls-2.6.6/lib/.libs/libgnutls.so.26: symbol >> gcry_cipher_setkey, version GCRYPT_1.2 not defined in file >> libgcrypt.so.11 with link time reference >> > > Yes, it seems to use one libgcrypt during linking and another one when > running. > > You could also try running "ldconfig" as root to make sure the > ld.so.cache is uptodate. > Stupid... yes, you were right. I installed libgcrypt to /usr/lib, but that was not in ld.so.conf (I thought only /usr/local/lib is missing from time to time, not /usr/lib *sigh*) Thx! Carolin From simon at josefsson.org Wed May 6 09:25:37 2009 From: simon at josefsson.org (Simon Josefsson) Date: Wed, 06 May 2009 09:25:37 +0200 Subject: [Help-gnutls] Re: Help for Gnutls4win In-Reply-To: <7832CC77AA153E4B8A2DD5F15CB6C528B89B15@CNBEEXC007.nsn-intra.net> (Patrick Yan's message of "Wed, 6 May 2009 12:33:27 +0800") References: <7832CC77AA153E4B8A2DD5F15CB6C528B89B15@CNBEEXC007.nsn-intra.net> Message-ID: <87hbzylmku.fsf@mocca.josefsson.org> "Yan, Patrick (NSN - CN/Beijing)" writes: > Hi helper-guntls: > > I want to added a protocol dissectors in wireshark, this dissectors need Gcrypt. But when I compliing the code, here is some make error related to Gcrypt. Would you help to check that. > > I used gnutls-2.6.3. > OS is windows XP, wireshark source code is last version of wireshark-1.0.7. > > Checking for required applications: > cl: /cygdrive/c/Program Files/Microsoft Visual Studio 9.0/VC/BIN/cl > link: /cygdrive/c/Program Files/Microsoft Visual Studio 9.0/VC/BIN/link > nmake: /cygdrive/c/Program Files/Microsoft Visual Studio 9.0/VC/BIN/nmake > bash: /usr/bin/bash > bison: /usr/bin/bison > flex: /usr/bin/flex > env: /usr/bin/env > grep: /usr/bin/grep > /usr/bin/find: /usr/bin/find > perl: /usr/bin/perl > C:\Python26\python.exe: /cygdrive/c/Python26/python.exe > sed: /usr/bin/sed > unzip: /usr/bin/unzip > wget: /usr/bin/wget > > Here is the make error: > > packet-chlipx1.c > C:\wireshark-libs-1.0\gnutls-2.6.3-1\include\gcrypt.h(206) : error C2061: syntax error : identifier 'ssize_t' ... The problem is that Windows doesn't have ssize_t. Add '#define ssize_t long' or -Dssize_t=long somewhere in your build system. /Simon From simon at josefsson.org Wed May 6 09:55:59 2009 From: simon at josefsson.org (Simon Josefsson) Date: Wed, 06 May 2009 09:55:59 +0200 Subject: [Help-gnutls] Re: Help for Gnutls4win In-Reply-To: <7832CC77AA153E4B8A2DD5F15CB6C528B89C9A@CNBEEXC007.nsn-intra.net> (Patrick Yan's message of "Wed, 6 May 2009 15:44:41 +0800") References: <7832CC77AA153E4B8A2DD5F15CB6C528B89C9A@CNBEEXC007.nsn-intra.net> Message-ID: <87d4amll68.fsf@mocca.josefsson.org> "Yan, Patrick (NSN - CN/Beijing)" writes: > Hi Simon, > > Thanks. That problem is resolved. > > But still need your help for the following errors. What's type for > pid_t, is long? It doesn't exist on Windows, I think. Try setting it to long and see if it works. Btw, rather than building it on Windows natively, you may try to use a GnuTLS DLL built using mingw instead: http://josefsson.org/gnutls4win/ It includes DLLs for libgcrypt and libgpg-error as well. /Simon > Gcrypt.h: > line 217:ssize_t (*waitpid) (pid_t pid, int *status, int options); > > > C:\wireshark-libs-1.0\gnutls-2.6.3-1\include\gcrypt.h(217) : error > C2146: syntax error : missing ')' before identifier 'pid' > C:\wireshark-libs-1.0\gnutls-2.6.3-1\include\gcrypt.h(217) : error > C2146: syntax error : missing ';' before identifier 'pid' > C:\wireshark-libs-1.0\gnutls-2.6.3-1\include\gcrypt.h(217) : error > C2061: syntax error : identifier 'pid' > C:\wireshark-libs-1.0\gnutls-2.6.3-1\include\gcrypt.h(217) : error > C2059: syntax error : ')' > C:\wireshark-libs-1.0\gnutls-2.6.3-1\include\gcrypt.h(218) : error > C2365: 'accept' : redefinition; previous definition was 'function' > C:\Program Files\Microsoft > SDKs\Windows\v6.0A\include\winsock2.h(1523) : see declaration of > 'accept' > C:\wireshark-libs-1.0\gnutls-2.6.3-1\include\gcrypt.h(219) : error > C2365: 'connect' : redefinition; previous definition was 'function' > C:\Program Files\Microsoft > SDKs\Windows\v6.0A\include\winsock2.h(1582) : see declaration of > 'connect' > C:\wireshark-libs-1.0\gnutls-2.6.3-1\include\gcrypt.h(231) : error > C2059: syntax error : '}' > packet-chlipx2.c > C:\wireshark-libs-1.0\gnutls-2.6.3-1\include\gcrypt.h(217) : error > C2146: syntax error : missing ')' before identifier 'pid' > C:\wireshark-libs-1.0\gnutls-2.6.3-1\include\gcrypt.h(217) : error > C2146: syntax error : missing ';' before identifier 'pid' > C:\wireshark-libs-1.0\gnutls-2.6.3-1\include\gcrypt.h(217) : error > C2061: syntax error : identifier 'pid' > C:\wireshark-libs-1.0\gnutls-2.6.3-1\include\gcrypt.h(217) : error > C2059: syntax error : ')' > C:\wireshark-libs-1.0\gnutls-2.6.3-1\include\gcrypt.h(218) : error > C2365: 'accept' : redefinition; previous definition was 'function' > C:\Program Files\Microsoft > SDKs\Windows\v6.0A\include\winsock2.h(1523) : see declaration of > 'accept' > C:\wireshark-libs-1.0\gnutls-2.6.3-1\include\gcrypt.h(219) : error > C2365: 'connect' : redefinition; previous definition was 'function' > C:\Program Files\Microsoft > SDKs\Windows\v6.0A\include\winsock2.h(1582) : see declaration of > 'connect' > C:\wireshark-libs-1.0\gnutls-2.6.3-1\include\gcrypt.h(231) : error > C2059: syntax error : '}' > Generating Code... > > >>-----Original Message----- >>From: ext Simon Josefsson [mailto:simon at josefsson.org] >>Sent: Wednesday, May 06, 2009 3:26 PM >>To: Yan, Patrick (NSN - CN/Beijing) >>Cc: help-gnutls at gnu.org >>Subject: Re: Help for Gnutls4win >> >>"Yan, Patrick (NSN - CN/Beijing)" writes: >> >>> Hi helper-guntls: >>> >>> I want to added a protocol dissectors in wireshark, this >>dissectors need Gcrypt. But when I compliing the code, here is >>some make error related to Gcrypt. Would you help to check that. >>> >>> I used gnutls-2.6.3. >>> OS is windows XP, wireshark source code is last version of >>wireshark-1.0.7. >>> >>> Checking for required applications: >>> cl: /cygdrive/c/Program Files/Microsoft Visual >>Studio 9.0/VC/BIN/cl >>> link: /cygdrive/c/Program Files/Microsoft Visual >>Studio 9.0/VC/BIN/link >>> nmake: /cygdrive/c/Program Files/Microsoft Visual >>Studio 9.0/VC/BIN/nmake >>> bash: /usr/bin/bash >>> bison: /usr/bin/bison >>> flex: /usr/bin/flex >>> env: /usr/bin/env >>> grep: /usr/bin/grep >>> /usr/bin/find: /usr/bin/find >>> perl: /usr/bin/perl >>> C:\Python26\python.exe: /cygdrive/c/Python26/python.exe >>> sed: /usr/bin/sed >>> unzip: /usr/bin/unzip >>> wget: /usr/bin/wget >>> >>> Here is the make error: >>> >>> packet-chlipx1.c >>> C:\wireshark-libs-1.0\gnutls-2.6.3-1\include\gcrypt.h(206) : >>error C2061: syntax error : identifier 'ssize_t' >>... >> >>The problem is that Windows doesn't have ssize_t. Add >>'#define ssize_t long' or -Dssize_t=long somewhere in your >>build system. >> >>/Simon >> From simon at josefsson.org Wed May 6 09:56:59 2009 From: simon at josefsson.org (Simon Josefsson) Date: Wed, 06 May 2009 09:56:59 +0200 Subject: [Help-gnutls] Re: Libtasn1 2.1 In-Reply-To: <1241596019.2110.15.camel@par> (Jeff Cai's message of "Wed, 06 May 2009 15:46:59 +0800") References: <87skk8xjyo.fsf@mocca.josefsson.org> <1241596019.2110.15.camel@par> Message-ID: <878wlall4k.fsf@mocca.josefsson.org> Jeff Cai writes: > Simon, > > I also found that libtasn1.pc also licensed under GPLv3. It this true? > > A library of LGPL v2 lives with a .pc file with GPL v3? Hi. I've re-licensed it to LGPLv2.1+, see: http://git.savannah.gnu.org/cgit/libtasn1.git/commit/?id=009b6c20ffc0164189691b47ad5f172518b97169 /Simon From simon at josefsson.org Wed May 6 10:31:23 2009 From: simon at josefsson.org (Simon Josefsson) Date: Wed, 06 May 2009 10:31:23 +0200 Subject: [Help-gnutls] Re: Libtasn1 2.1 In-Reply-To: <1241598069.2110.18.camel@par> (Jeff Cai's message of "Wed, 06 May 2009 16:21:09 +0800") References: <87skk8xjyo.fsf@mocca.josefsson.org> <1241596019.2110.15.camel@par> <878wlall4k.fsf@mocca.josefsson.org> <1241598069.2110.18.camel@par> Message-ID: <87zldqk4ys.fsf@mocca.josefsson.org> Jeff Cai writes: > Thanks for your quick response. > > Do you think that Makefile.am under lib also needs to be licensed to > LGPL? I don't think so, since it is not something that is include in the installed software. The GPLv3 Makefile.am is needed to build libtasn1, but so is other GPLv3 tools (e.g., bison) so I don't see the difference. /Simon From simon at josefsson.org Wed May 6 13:11:32 2009 From: simon at josefsson.org (Simon Josefsson) Date: Wed, 06 May 2009 13:11:32 +0200 Subject: [Help-gnutls] Re: Help for Gnutls4win In-Reply-To: <7832CC77AA153E4B8A2DD5F15CB6C528B89E0A@CNBEEXC007.nsn-intra.net> (Patrick Yan's message of "Wed, 6 May 2009 19:01:28 +0800") References: <7832CC77AA153E4B8A2DD5F15CB6C528B89E0A@CNBEEXC007.nsn-intra.net> Message-ID: <8763gejxjv.fsf@mocca.josefsson.org> "Yan, Patrick (NSN - CN/Beijing)" writes: > Hi Simon, > > Thanks. The problem seems resolved, but I'm not sure is right or not. I > add > #define ssize_t long > #define pid_t long > in gcrypt.h file. > > Then I namke wireshark again, there comes two error indicated that I > redefine them. Then I comments out these two new #define in gcrypt.h, > and nmake it again. At this time, no error report by gnutls again. It's > really make me confused. GnuTLS defines ssize_t for you, so you don't want to define ssize_t when building gnutls. Only when building libgcrypt. > For your advice in last mail, which package I should use? > mingw32-gnutls_2.7.3-1_all.deb cannot used on windows, is that right? Right. Try the EXE file or the ZIP file for 2.6.6, it contains the same files. Install it and make wireshark find it. /Simon > Br-Patrick > > >>-----Original Message----- >>From: ext Simon Josefsson [mailto:simon at josefsson.org] >>Sent: Wednesday, May 06, 2009 3:56 PM >>To: Yan, Patrick (NSN - CN/Beijing) >>Cc: help-gnutls at gnu.org >>Subject: Re: Help for Gnutls4win >> >>"Yan, Patrick (NSN - CN/Beijing)" writes: >> >>> Hi Simon, >>> >>> Thanks. That problem is resolved. >>> >>> But still need your help for the following errors. What's type for >>> pid_t, is long? >> >>It doesn't exist on Windows, I think. Try setting it to long >>and see if it works. >> >>Btw, rather than building it on Windows natively, you may try >>to use a GnuTLS DLL built using mingw instead: >>http://josefsson.org/gnutls4win/ It includes DLLs for >>libgcrypt and libgpg-error as well. >> >>/Simon >> >>> Gcrypt.h: >>> line 217:ssize_t (*waitpid) (pid_t pid, int *status, int options); >>> >>> >>> C:\wireshark-libs-1.0\gnutls-2.6.3-1\include\gcrypt.h(217) : error >>> C2146: syntax error : missing ')' before identifier 'pid' >>> C:\wireshark-libs-1.0\gnutls-2.6.3-1\include\gcrypt.h(217) : error >>> C2146: syntax error : missing ';' before identifier 'pid' >>> C:\wireshark-libs-1.0\gnutls-2.6.3-1\include\gcrypt.h(217) : error >>> C2061: syntax error : identifier 'pid' >>> C:\wireshark-libs-1.0\gnutls-2.6.3-1\include\gcrypt.h(217) : error >>> C2059: syntax error : ')' >>> C:\wireshark-libs-1.0\gnutls-2.6.3-1\include\gcrypt.h(218) : error >>> C2365: 'accept' : redefinition; previous definition was 'function' >>> C:\Program Files\Microsoft >>> SDKs\Windows\v6.0A\include\winsock2.h(1523) : see declaration of >>> 'accept' >>> C:\wireshark-libs-1.0\gnutls-2.6.3-1\include\gcrypt.h(219) : error >>> C2365: 'connect' : redefinition; previous definition was 'function' >>> C:\Program Files\Microsoft >>> SDKs\Windows\v6.0A\include\winsock2.h(1582) : see declaration of >>> 'connect' >>> C:\wireshark-libs-1.0\gnutls-2.6.3-1\include\gcrypt.h(231) : error >>> C2059: syntax error : '}' >>> packet-chlipx2.c >>> C:\wireshark-libs-1.0\gnutls-2.6.3-1\include\gcrypt.h(217) : error >>> C2146: syntax error : missing ')' before identifier 'pid' >>> C:\wireshark-libs-1.0\gnutls-2.6.3-1\include\gcrypt.h(217) : error >>> C2146: syntax error : missing ';' before identifier 'pid' >>> C:\wireshark-libs-1.0\gnutls-2.6.3-1\include\gcrypt.h(217) : error >>> C2061: syntax error : identifier 'pid' >>> C:\wireshark-libs-1.0\gnutls-2.6.3-1\include\gcrypt.h(217) : error >>> C2059: syntax error : ')' >>> C:\wireshark-libs-1.0\gnutls-2.6.3-1\include\gcrypt.h(218) : error >>> C2365: 'accept' : redefinition; previous definition was 'function' >>> C:\Program Files\Microsoft >>> SDKs\Windows\v6.0A\include\winsock2.h(1523) : see declaration of >>> 'accept' >>> C:\wireshark-libs-1.0\gnutls-2.6.3-1\include\gcrypt.h(219) : error >>> C2365: 'connect' : redefinition; previous definition was 'function' >>> C:\Program Files\Microsoft >>> SDKs\Windows\v6.0A\include\winsock2.h(1582) : see declaration of >>> 'connect' >>> C:\wireshark-libs-1.0\gnutls-2.6.3-1\include\gcrypt.h(231) : error >>> C2059: syntax error : '}' >>> Generating Code... >>> >>> >>>>-----Original Message----- >>>>From: ext Simon Josefsson [mailto:simon at josefsson.org] >>>>Sent: Wednesday, May 06, 2009 3:26 PM >>>>To: Yan, Patrick (NSN - CN/Beijing) >>>>Cc: help-gnutls at gnu.org >>>>Subject: Re: Help for Gnutls4win >>>> >>>>"Yan, Patrick (NSN - CN/Beijing)" writes: >>>> >>>>> Hi helper-guntls: >>>>> >>>>> I want to added a protocol dissectors in wireshark, this >>>>dissectors need Gcrypt. But when I compliing the code, here is some >>>>make error related to Gcrypt. Would you help to check that. >>>>> >>>>> I used gnutls-2.6.3. >>>>> OS is windows XP, wireshark source code is last version of >>>>wireshark-1.0.7. >>>>> >>>>> Checking for required applications: >>>>> cl: /cygdrive/c/Program Files/Microsoft Visual >>>>Studio 9.0/VC/BIN/cl >>>>> link: /cygdrive/c/Program Files/Microsoft Visual >>>>Studio 9.0/VC/BIN/link >>>>> nmake: /cygdrive/c/Program Files/Microsoft Visual >>>>Studio 9.0/VC/BIN/nmake >>>>> bash: /usr/bin/bash >>>>> bison: /usr/bin/bison >>>>> flex: /usr/bin/flex >>>>> env: /usr/bin/env >>>>> grep: /usr/bin/grep >>>>> /usr/bin/find: /usr/bin/find >>>>> perl: /usr/bin/perl >>>>> C:\Python26\python.exe: /cygdrive/c/Python26/python.exe >>>>> sed: /usr/bin/sed >>>>> unzip: /usr/bin/unzip >>>>> wget: /usr/bin/wget >>>>> >>>>> Here is the make error: >>>>> >>>>> packet-chlipx1.c >>>>> C:\wireshark-libs-1.0\gnutls-2.6.3-1\include\gcrypt.h(206) : >>>>error C2061: syntax error : identifier 'ssize_t' >>>>... >>>> >>>>The problem is that Windows doesn't have ssize_t. Add '#define >>>>ssize_t long' or -Dssize_t=long somewhere in your build system. >>>> >>>>/Simon >>>> >> From darlingm at gmail.com Thu May 7 04:43:52 2009 From: darlingm at gmail.com (Michael Darling) Date: Wed, 6 May 2009 22:43:52 -0400 Subject: [Help-gnutls] /usr/local/lib/libgnuttls.so: undefined reference to `gcry_cipher_setkey@GCRYPT_1.2' Message-ID: I'm building an application that uses vmime. vmime uses libgnuttls, and I'm getting a linker error as shown below. Searching on google for "undefined reference to gcry_cipher_setkey at GCRYPT_1.2" returns no results. Any ideas? I assume there's probably another library I need to link in? I originally didn't have "-lgcrypt" included, but tried that, and had no effect. using from source libvmime-0.9.0, gnutls-2.6.6, libgcrypt-1.4.4, and libgsasl-1.1 -- and rpm installed GNU Make 3.81, g++ 4.1.2, CentOS 5.3, kernel 2.6.18-128.1.6.el5 (Application and library names changed to be more clear) $ make /bin/sh ../libtool --tag=CXX --mode=link g++ -g -O2 -o application application.o ../libraryA/libraryA.a ../libraryB/libraryB.a ../libraryC/libraryC.a -lgnutls -lgcrypt -lvmime -lssl -lgsoapssl++ g++ -g -O2 -o application application.o ../libraryA/libraryA.a ../libraryB/libraryB.a ../libraryC/libraryC.a -lgnutls -lgcrypt -lvmime -lssl -lgsoapssl++ /usr/local/lib/libgnutls.so: undefined reference to `gcry_cipher_setkey at GCRYPT_1.2' /usr/local/lib/libgnutls.so: undefined reference to `gcry_cipher_setiv at GCRYPT_1.2' collect2: ld returned 1 exit status make: *** [application] Error 1 -------------- next part -------------- An HTML attachment was scrubbed... URL: From darlingm at gmail.com Thu May 7 04:49:35 2009 From: darlingm at gmail.com (Michael Darling) Date: Wed, 6 May 2009 22:49:35 -0400 Subject: [Help-gnutls] Re: /usr/local/lib/libgnuttls.so: undefined reference to `gcry_cipher_setkey@GCRYPT_1.2' In-Reply-To: References: Message-ID: Also, in case needed : $ locate libgnutls /usr/lib/libgnutls-extra.so.13 /usr/lib/libgnutls-extra.so.13.0.6 /usr/lib/libgnutls-openssl.so.13 /usr/lib/libgnutls-openssl.so.13.0.6 /usr/lib/libgnutls.so.13 /usr/lib/libgnutls.so.13.0.6 /usr/lib64/libgnutls-extra.so.13 /usr/lib64/libgnutls-extra.so.13.0.6 /usr/lib64/libgnutls-openssl.so.13 /usr/lib64/libgnutls-openssl.so.13.0.6 /usr/lib64/libgnutls.so.13 /usr/lib64/libgnutls.so.13.0.6 /usr/local/bin/libgnutls-config /usr/local/bin/libgnutls-extra-config /usr/local/lib/libgnutls-extra.a /usr/local/lib/libgnutls-extra.la /usr/local/lib/libgnutls-extra.so /usr/local/lib/libgnutls-extra.so.26 /usr/local/lib/libgnutls-extra.so.26.11.7 /usr/local/lib/libgnutls-openssl.a /usr/local/lib/libgnutls-openssl.la /usr/local/lib/libgnutls-openssl.so /usr/local/lib/libgnutls-openssl.so.26 /usr/local/lib/libgnutls-openssl.so.26.11.7 /usr/local/lib/libgnutls.a /usr/local/lib/libgnutls.la /usr/local/lib/libgnutls.so /usr/local/lib/libgnutls.so.26 /usr/local/lib/libgnutls.so.26.11.7 /usr/local/lib/libgnutlsxx.a /usr/local/lib/libgnutlsxx.la /usr/local/lib/libgnutlsxx.so /usr/local/lib/libgnutlsxx.so.26 /usr/local/lib/libgnutlsxx.so.26.11.7 /usr/local/share/aclocal/libgnutls-extra.m4 /usr/local/share/aclocal/libgnutls.m4 # ldconfig -v | grep libgnutls libgnutls-openssl.so.13 -> libgnutls-openssl.so.13.0.6 libgnutls-extra.so.13 -> libgnutls-extra.so.13.0.6 libgnutls.so.13 -> libgnutls.so.13.0.6 libgnutls-openssl.so.13 -> libgnutls-openssl.so.13.0.6 libgnutls-extra.so.13 -> libgnutls-extra.so.13.0.6 libgnutls.so.13 -> libgnutls.so.13.0.6 (adding /usr/local/lib to ldconfig) # ldconfig -v | grep libgnutls libgnutls.so.26 -> libgnutls.so.26.11.7 libgnutlsxx.so.26 -> libgnutlsxx.so.26.11.7 libgnutls-extra.so.26 -> libgnutls-extra.so.26.11.7 libgnutls-openssl.so.26 -> libgnutls-openssl.so.26.11.7 libgnutls-openssl.so.13 -> libgnutls-openssl.so.13.0.6 libgnutls-extra.so.13 -> libgnutls-extra.so.13.0.6 libgnutls.so.13 -> libgnutls.so.13.0.6 libgnutls-openssl.so.13 -> libgnutls-openssl.so.13.0.6 libgnutls-extra.so.13 -> libgnutls-extra.so.13.0.6 libgnutls.so.13 -> libgnutls.so.13.0.6 Even with /usr/local/lib added to ldconfig, still get the same linker error. On Wed, May 6, 2009 at 10:43 PM, Michael Darling wrote: > I'm building an application that uses vmime. vmime uses libgnuttls, and > I'm getting a linker error as shown below. Searching on google for > "undefined reference to gcry_cipher_setkey at GCRYPT_1.2" returns no results. > Any ideas? I assume there's probably another library I need to link in? I > originally didn't have "-lgcrypt" included, but tried that, and had no > effect. > > using from source libvmime-0.9.0, gnutls-2.6.6, libgcrypt-1.4.4, and > libgsasl-1.1 -- and rpm installed GNU Make 3.81, g++ 4.1.2, CentOS 5.3, > kernel 2.6.18-128.1.6.el5 > > (Application and library names changed to be more clear) > > $ make > /bin/sh ../libtool --tag=CXX --mode=link g++ -g -O2 -o application > application.o ../libraryA/libraryA.a ../libraryB/libraryB.a > ../libraryC/libraryC.a -lgnutls -lgcrypt -lvmime -lssl -lgsoapssl++ > g++ -g -O2 -o application application.o ../libraryA/libraryA.a > ../libraryB/libraryB.a ../libraryC/libraryC.a -lgnutls -lgcrypt -lvmime > -lssl -lgsoapssl++ > /usr/local/lib/libgnutls.so: undefined reference to > `gcry_cipher_setkey at GCRYPT_1.2' > /usr/local/lib/libgnutls.so: undefined reference to > `gcry_cipher_setiv at GCRYPT_1.2' > collect2: ld returned 1 exit status > make: *** [application] Error 1 > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From simon at josefsson.org Thu May 7 11:15:01 2009 From: simon at josefsson.org (Simon Josefsson) Date: Thu, 07 May 2009 11:15:01 +0200 Subject: [Help-gnutls] Re: /usr/local/lib/libgnuttls.so: undefined reference to `gcry_cipher_setkey@GCRYPT_1.2' In-Reply-To: (Michael Darling's message of "Wed, 6 May 2009 22:43:52 -0400") References: Message-ID: <87eiv1e0kq.fsf@mocca.josefsson.org> Michael Darling writes: > I'm building an application that uses vmime. vmime uses libgnuttls, and I'm > getting a linker error as shown below. Searching on google for "undefined > reference to gcry_cipher_setkey at GCRYPT_1.2" returns no results. Any ideas? > I assume there's probably another library I need to link in? I originally > didn't have "-lgcrypt" included, but tried that, and had no effect. > > using from source libvmime-0.9.0, gnutls-2.6.6, libgcrypt-1.4.4, and > libgsasl-1.1 -- and rpm installed GNU Make 3.81, g++ 4.1.2, CentOS 5.3, > kernel 2.6.18-128.1.6.el5 I recall seeing a report of something similar recently... it seems like a problem with two libgcrypt's installed on the same machine: one used for linking gnutls and another when running gnutls applications or linking to libgnutls. Do you have multiple installed libgcrypt's? Even if you uninstall one of the libgcrypt's, you may need to re-build gnutls against the proper libgcrypt to make things work. /Simon > (Application and library names changed to be more clear) > > $ make > /bin/sh ../libtool --tag=CXX --mode=link g++ -g -O2 -o application > application.o ../libraryA/libraryA.a ../libraryB/libraryB.a > ../libraryC/libraryC.a -lgnutls -lgcrypt -lvmime -lssl -lgsoapssl++ > g++ -g -O2 -o application application.o ../libraryA/libraryA.a > ../libraryB/libraryB.a ../libraryC/libraryC.a -lgnutls -lgcrypt -lvmime > -lssl -lgsoapssl++ > /usr/local/lib/libgnutls.so: undefined reference to > `gcry_cipher_setkey at GCRYPT_1.2' > /usr/local/lib/libgnutls.so: undefined reference to > `gcry_cipher_setiv at GCRYPT_1.2' > collect2: ld returned 1 exit status > make: *** [application] Error 1 > _______________________________________________ > Help-gnutls mailing list > Help-gnutls at gnu.org > http://lists.gnu.org/mailman/listinfo/help-gnutls From simon at josefsson.org Thu May 7 11:15:38 2009 From: simon at josefsson.org (Simon Josefsson) Date: Thu, 07 May 2009 11:15:38 +0200 Subject: [Help-gnutls] Re: /usr/local/lib/libgnuttls.so: undefined reference to `gcry_cipher_setkey@GCRYPT_1.2' In-Reply-To: (Michael Darling's message of "Wed, 6 May 2009 22:49:35 -0400") References: Message-ID: <87ab5pe0jp.fsf@mocca.josefsson.org> Michael Darling writes: > Also, in case needed : > $ locate libgnutls Thanks. Can you do the same for libgcrypt? I think your problem is really a libgcrypt issue. /Simon From carolin.latze at unifr.ch Thu May 7 15:29:47 2009 From: carolin.latze at unifr.ch (Carolin Latze) Date: Thu, 07 May 2009 15:29:47 +0200 Subject: [Help-gnutls] Token Support in GnuTLS? Message-ID: <4A02E24B.6030207@unifr.ch> Hi everybody, shy question: Is there any cryptographic token support in GnuTLS? Cheers Carolin From darlingm at gmail.com Thu May 7 16:26:03 2009 From: darlingm at gmail.com (Michael Darling) Date: Thu, 7 May 2009 10:26:03 -0400 Subject: [Help-gnutls] Re: /usr/local/lib/libgnuttls.so: undefined reference to `gcry_cipher_setkey@GCRYPT_1.2' In-Reply-To: <87ab5pe0jp.fsf@mocca.josefsson.org> References: <87ab5pe0jp.fsf@mocca.josefsson.org> Message-ID: Hi, You are correct, there are multiple versions of libgcrypt installed. How do I proceed? I was thinking it was important to leave the CentOS installed version for compatibility with all of its other installed packages expecting that version. Perhaps I'm completely wrong here, I have a decent amount of unix/CentOS experience but I haven't studied up on multiple library versions. Through yum, installed packages: libgcrypt-1.2.4-1.el5.i386 libgcrypt-1.2.4-1.el5.x86_64 libgcrypt-devel-1.2.4-1.el5.i386 libgcrypt-devel-1.2.4-1.el5.x86_64 I can't remember which, but one of the dependencies of vmime required a more recent gcrypt, so either libvmime libgnutls or libgsasl. Installed libgcrypt-1.4.4 from source. $ locate libgcrypt /usr/bin/libgcrypt-config /usr/lib/libgcrypt.a /usr/lib/libgcrypt.so /usr/lib/libgcrypt.so.11 /usr/lib/libgcrypt.so.11.2.3 /usr/lib64/libgcrypt.a /usr/lib64/libgcrypt.so /usr/lib64/libgcrypt.so.11 /usr/lib64/libgcrypt.so.11.2.3 /usr/local/bin/libgcrypt-config /usr/local/lib/libgcrypt.a /usr/local/lib/libgcrypt.la /usr/local/lib/libgcrypt.so /usr/local/lib/libgcrypt.so.11 /usr/local/lib/libgcrypt.so.11.5.2 /usr/local/share/aclocal/libgcrypt.m4 /usr/share/aclocal/libgcrypt.m4 /var/cache/yum/base/headers/libgcrypt-devel-1.2.3-1.x86_64.hdr /var/cache/yum/base/packages/libgcrypt-1.2.4-1.el5.i386.rpm /var/cache/yum/base/packages/libgcrypt-1.2.4-1.el5.x86_64.rpm /var/cache/yum/base/packages/libgcrypt-devel-1.2.3-1.x86_64.rpm /var/cache/yum/base/packages/libgcrypt-devel-1.2.4-1.el5.i386.rpm /var/cache/yum/base/packages/libgcrypt-devel-1.2.4-1.el5.x86_64.rpm # ldconfig -v | grep libgcrypt libgcrypt.so.11 -> libgcrypt.so.11.5.2 libgcrypt.so.11 -> libgcrypt.so.11.2.3 libgcrypt.so.11 -> libgcrypt.so.11.2.3 Thanks! Mike On Thu, May 7, 2009 at 5:15 AM, Simon Josefsson wrote: > Michael Darling writes: > > > Also, in case needed : > > $ locate libgnutls > > Thanks. Can you do the same for libgcrypt? I think your problem is > really a libgcrypt issue. > > /Simon > -------------- next part -------------- An HTML attachment was scrubbed... URL: From simon at josefsson.org Fri May 8 12:56:22 2009 From: simon at josefsson.org (Simon Josefsson) Date: Fri, 08 May 2009 12:56:22 +0200 Subject: [Help-gnutls] Re: Token Support in GnuTLS? In-Reply-To: <4A02E24B.6030207@unifr.ch> (Carolin Latze's message of "Thu, 07 May 2009 15:29:47 +0200") References: <4A02E24B.6030207@unifr.ch> Message-ID: <87zldnx3qh.fsf@mocca.josefsson.org> Carolin Latze writes: > Hi everybody, > > shy question: Is there any cryptographic token support in GnuTLS? Not directly, but you can use gnutls_sign_callback_set to set a callback to perform signing operations during the handshake. I've tested this with a Swedish X.509 eID ID card and it worked fine. There is an old PKCS#11 branch of GnuTLS that adds a library libgnutls-pkcs11 that is linked to a PKCS#11 library; it uses the callback interface. /Simon From simon at josefsson.org Fri May 8 13:00:52 2009 From: simon at josefsson.org (Simon Josefsson) Date: Fri, 08 May 2009 13:00:52 +0200 Subject: [Help-gnutls] Re: /usr/local/lib/libgnuttls.so: undefined reference to `gcry_cipher_setkey@GCRYPT_1.2' In-Reply-To: (Michael Darling's message of "Thu, 7 May 2009 10:26:03 -0400") References: <87ab5pe0jp.fsf@mocca.josefsson.org> Message-ID: <87vdobx3iz.fsf@mocca.josefsson.org> Michael Darling writes: > Hi, > > You are correct, there are multiple versions of libgcrypt installed. How do > I proceed? You need to make sure all software that links to some software that eventually links to your new libgcrypt also links to your new libgcrypt. If this is on a development machine, it is often easiest to just replace the system library with your own build. If you don't want to do that, you must make sure all the projects you build really use the libgcrypt from /usr/local and not from /usr. In the error you quoted, it seemed as if gnutls was linked against libgcrypt in /usr/local but the other code you built linked against libgcrypt in /usr. /Simon From simon at josefsson.org Mon May 11 20:16:43 2009 From: simon at josefsson.org (Simon Josefsson) Date: Mon, 11 May 2009 20:16:43 +0200 Subject: [Help-gnutls] GnuTLS 2.7.9 - release candidate 1 of GnuTLS 2.8.0 Message-ID: <8763g7bj3o.fsf@mocca.josefsson.org> To accelerate the GnuTLS 2.8.0 release, I've prepared a first release candidate. Please test this as if it were a new stable release. If I don't hear any complains about regressions compared to 2.6.x I will release this as 2.8.0 in two weeks. Here are the compressed sources: http://alpha.gnu.org/gnu/gnutls/gnutls-2.7.9.tar.bz2 (5.9MB) ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.7.9.tar.bz2 Here is the OpenPGP signature: http://alpha.gnu.org/gnu/gnutls/gnutls-2.7.9.tar.bz2.sig ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.7.9.tar.bz2.sig The Windows binary installer and PGP signature: http://josefsson.org/gnutls4win/gnutls-2.7.9.exe (15MB) http://josefsson.org/gnutls4win/gnutls-2.7.9.exe.sig A ZIP archive containing the Windows binaries: http://josefsson.org/gnutls4win/gnutls-2.7.9.zip (5.3MB) http://josefsson.org/gnutls4win/gnutls-2.7.9.zip.sig A Debian mingw32 package is also available: http://josefsson.org/gnutls4win/mingw32-gnutls_2.7.9-1_all.deb (4.8MB) Improving GnuTLS is costly, but you can help! We are looking for organizations that find GnuTLS useful and wish to contribute back. You can contribute by reporting bugs, improve the software, or donate money or equipment. Commercial support contracts for GnuTLS are available, and they help finance continued maintenance. Simon Josefsson Datakonsult AB, a Stockholm based privately held company, is currently funding GnuTLS maintenance. We are always looking for interesting development projects. See http://josefsson.org/ for more details. /Simon * Version 2.7.9 (released 2009-05-11) ** doc: Fix strings in man page of gnutls_priority_init. ** doc: Fix tables of error codes and supported algorithms. ** Fix build failure when cross-compiled using MinGW. ** Fix build failure when LZO is enabled. Reported by Arfrever Frehtes Taifersar Arahesis in . ** Fix build failure on systems without AF_INET6, e.g., Solaris 2.6. Reported by "Tom G. Christensen" in . ** Fix warnings in self-tests. ** API and ABI modifications: No changes since last version. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 419 bytes Desc: not available URL: From simon at josefsson.org Wed May 13 19:31:11 2009 From: simon at josefsson.org (Simon Josefsson) Date: Wed, 13 May 2009 19:31:11 +0200 Subject: [Help-gnutls] GnuTLS 2.7.10 - release candidate 2 of GnuTLS 2.8.0 Message-ID: <87octwkizk.fsf@mocca.josefsson.org> The GnuTLS 2.8.0 release is getting closer; no major problem has been feedback in 2.7.9 so far. This is a second release candidate. Please test this as if it were the new stable release. If I don't hear any complains about regressions compared to 2.6.x I will release this as 2.8.0 within two weeks. Here are the compressed sources: http://alpha.gnu.org/gnu/gnutls/gnutls-2.7.10.tar.bz2 (5.9MB) ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.7.10.tar.bz2 Here is the OpenPGP signature: http://alpha.gnu.org/gnu/gnutls/gnutls-2.7.10.tar.bz2.sig ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.7.10.tar.bz2.sig The Windows binary installer and PGP signature: http://josefsson.org/gnutls4win/gnutls-2.7.10.exe (15MB) http://josefsson.org/gnutls4win/gnutls-2.7.10.exe.sig A ZIP archive containing the Windows binaries: http://josefsson.org/gnutls4win/gnutls-2.7.10.zip (5.3MB) http://josefsson.org/gnutls4win/gnutls-2.7.10.zip.sig A Debian mingw32 package is also available: http://josefsson.org/gnutls4win/mingw32-gnutls_2.7.10-1_all.deb (4.8MB) Improving GnuTLS is costly, but you can help! We are looking for organizations that find GnuTLS useful and wish to contribute back. You can contribute by reporting bugs, improve the software, or donate money or equipment. Commercial support contracts for GnuTLS are available, and they help finance continued maintenance. Simon Josefsson Datakonsult AB, a Stockholm based privately held company, is currently funding GnuTLS maintenance. We are always looking for interesting development projects. See http://josefsson.org/ for more details. /Simon * Version 2.7.10 (released 2009-05-13) ** examples: Now released into the public domain. This makes the license of the example code compatible with more licenses, including the (L)GPL. ** minitasn1: Internal copy updated to libtasn1 v2.1. GnuTLS should work fine with libtasn1 v1.x and that is still supported. ** libgnutls: Fix crash in signature verification The fix for the CVE-2009-1415 problem wasn't merged completely. ** doc: Fixes for GTK-DOC output. ** API and ABI modifications: No changes since last version. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 419 bytes Desc: not available URL: From Tobias.Soder at swisscom.com Fri May 15 14:39:13 2009 From: Tobias.Soder at swisscom.com (Tobias.Soder at swisscom.com) Date: Fri, 15 May 2009 14:39:13 +0200 Subject: [Help-gnutls] Using the gnutls_sign_callback_set method Message-ID: <7221B8073F7BE6478B99431027431FEA7104379DCB@SG1923Z.corproot.net> Hi everybody We're trying to get gnutls to work with a cryptographic token. Therefore I've had a look at the gnutls_sign_callback_set method. What I don't understand is: At which point is the method called that I'm passing to gnutls_sign_callback_set? I've tried it out by doing this: char* testString; int custom_gnutls_sign(gnutls_session_t session, void *userdata, gnutls_certificate_type_t cert_type, const gnutls_datum_t * cert, const gnutls_datum_t * hash, gnutls_datum_t * signature) { testString = "Changed!!\n"; } int main (void) { // ... declarations testString = "Not changed!\n"; gnutls_global_init(); gnutls_certificate_allocate_credentials(&xcred); gnutls_certificate_set_x509_trust_file(xcred,CAFILE,GNUTLS_X509_FMT_PEM); gnutls_certificate_set_x509_key_file(xcred,CERTFILE,KEYFILE,GNUTLS_X509_FMT_PEM); /* initialize TLS session */ gnutls_init(&session, GNUTLS_CLIENT); /* for doc about gnutls_priority_init read the man page */ ret=gnutls_priority_set_direct(session,"PERFORMANCE",&err); if (ret<0) { if (ret==GNUTLS_E_INVALID_REQUEST) fprintf(stdout,"ERROR: Syntax error at %s\n",err); exit(1); } gnutls_credentials_set(session,GNUTLS_CRD_CERTIFICATE,xcred); /* Setting Callback */ gnutls_sign_callback_set(session, custom_gnutls_sign, NULL); /* connect to peer */ sd=tcp_connect(); gnutls_transport_set_ptr(session,(gnutls_transport_ptr_t)sd); /* perform handshake */ ret=gnutls_handshake(session); if(ret<0) { fprintf(stdout,"ERROR: Handshake failed\n"); gnutls_perror(ret); goto end; } else printf("INFO: Handshake was completed\n"); /* verify the server's certificate */ if(ret==0) { int rc; unsigned int status; /* abort if verification fails */ rc = gnutls_certificate_verify_peers2(session,&status); if(rc!=0 || status!=0) { printf("ERROR: Verifying server certificate failed!\n"); exit(1); } printf("INFO: server verified\n"); } printf("INFO: handshake and server verification completed\n"); /* print TLS version */ tmp = gnutls_protocol_get_name (gnutls_protocol_get_version (session)); printf ("INFO: TLS Protocol: %s\n", tmp); /* test the connection with a sample message */ gnutls_record_send(session,MSG,strlen(MSG)); ret=gnutls_record_recv(session,buffer,MAX_BUF); if(ret==0) { printf("INFO: Peer has closed the connection\n"); goto end; } else if(ret<0) { fprintf(stdout,"ERROR: %s\n",gnutls_strerror(ret)); goto end; } printf("INFO: Received %d bytes: ", ret); for(ii=0;ii From carolin.latze at unifr.ch Fri May 15 16:34:29 2009 From: carolin.latze at unifr.ch (Carolin Latze) Date: Fri, 15 May 2009 16:34:29 +0200 Subject: [Help-gnutls] BIO_s_mem Replacement in GnuTLS Message-ID: <4A0D7D75.3060303@unifr.ch> Hi all, I am trying to port an application from OpenSSL to GnuTLS (in oder to get TLS 1.2 support). I found the following line in the application: state->into_ssl = BIO_new(BIO_s_mem()); state->from_ssl = BIO_new(BIO_s_mem()); As BIOs are usually just fds I thought I could easily replace them, but those are special. The BIO_s_mem man page says: BIO_s_mem() return the memory BIO method function. A memory BIO is a source/sink BIO which uses memory for its I/O. Data written to a memory BIO is stored in a BUF_MEM structure which is extended as appropriate to accommodate the stored data. Is there anything like that in GnuTLS? Or should I rewrite it to use normal fds? (Or did I just misunderstand something? ;-)) Cheers Carolin From dh.herrmann at googlemail.com Fri May 15 23:25:07 2009 From: dh.herrmann at googlemail.com (David Herrmann) Date: Fri, 15 May 2009 23:25:07 +0200 Subject: [Help-gnutls] OpenSSL <-> GnuTLS imcompatibilities Message-ID: Hi I know that OpenSSL only implements SSL2/3 and partly TLS1 but is there a way to connect with an OpenSSL client to a simple GnuTLS server? I used the following code to initialize my ssl listener: ?? ?gnutls_dh_params_init(&ssl_dhparams); ?? ?gnutls_dh_params_generate2(ssl_dhparams, SSL_DH_BITS); ?? ?gnutls_certificate_allocate_credentials(&ssl_cred); ?? ?gnutls_certificate_set_x509_key_file(ssl_cred, pemfile, pemfile, GNUTLS_X509_FMT_PEM); ?? ?gnutls_certificate_set_dh_params(ssl_cred, ssl_dhparams); and later: ?? ? ? ?gnutls_init(&ssl->session, GNUTLS_SERVER); ?? ? ? ?gnutls_priority_set(ssl->session, ssl_priority); ?? ? ? ?gnutls_credentials_set(ssl->session, GNUTLS_CRD_CERTIFICATE, ssl_cred); ?? ? ? ?gnutls_certificate_server_set_request(ssl->session, GNUTLS_CERT_REQUEST); And then if I connect with a simple SSLv3 OpenSSL connection, my gnutls_handshake returns either GNUTLS_E_UNEXPECTED_PACKET_LENGTH or GNUTLS_E_UNKNOWN_CIPHER_SUITE. However, the weird thing is, the OpenSSL handshake call blocks and does not return any error. Even when I kill the process of the GnuTLS listener the OpenSSL handshake still blocks. It would be nice to hear whether there are known compatibility problems between GnuTLS and OpenSSL and whether there are ways to force SSLv3 on GnuTLS to connect to OpenSSL without any problems. Another problem is the following code: static gnutls_rsa_params_t ssl_rsaparams; gnutls_rsa_params_init(&ssl_rsaparams); gnutls_rsa_params_generate2(ssl_rsaparams, 512); The last function blocks and does not return. gdb gives me something like: ?(gdb) backtrace #0 ?0xb800e430 in __kernel_vsyscall () #1 ?0xb7ea577d in select () from /lib/tls/i686/cmov/libc.so.6 #2 ?0xb7d7f782 in ?? () from /lib/libgcrypt.so.11 #3 ?0xb7d5334b in ?? () from /lib/libgcrypt.so.11 #4 ?0xb7d54946 in ?? () from /lib/libgcrypt.so.11 #5 ?0xb7d54cf9 in ?? () from /lib/libgcrypt.so.11 #6 ?0xb7d862dc in ?? () from /lib/libgcrypt.so.11 #7 ?0xb7d51bc7 in ?? () from /lib/libgcrypt.so.11 #8 ?0xb7d531c9 in ?? () from /lib/libgcrypt.so.11 #9 ?0xb7d719c4 in ?? () from /lib/libgcrypt.so.11 #10 0xb7d4920f in ?? () from /lib/libgcrypt.so.11 #11 0xb7d3dc24 in gcry_pk_genkey () from /lib/libgcrypt.so.11 #12 0xb7f6a545 in _gnutls_rsa_generate_params () from /usr/lib/libgnutls.so.26 #13 0xb7f8b6e9 in gnutls_x509_privkey_generate () from /usr/lib/libgnutls.so.26 #14 0xb7f6a3b4 in gnutls_rsa_params_generate2 () from /usr/lib/libgnutls.so.26 #15 0x080b878d in ssl_init () at ssl.c:73 ?#16 0x0805fa28 in main (argc=4, argv=0xbfa29a64) at ircd.c:730 However, I had to interrupt the process myself. It looks like gcrypt calls some function which actually is no function. The select() syscall may be some random data in the memory. I hope someone can help me David Herrmann From mrsam at courier-mta.com Sat May 16 01:43:54 2009 From: mrsam at courier-mta.com (Sam Varshavchik) Date: Fri, 15 May 2009 19:43:54 -0400 Subject: [Help-gnutls] BIO_s_mem Replacement in GnuTLS References: <4A0D7D75.3060303@unifr.ch> Message-ID: Carolin Latze writes: > BIO_s_mem() return the memory BIO method function. > > A memory BIO is a source/sink BIO which uses memory for its I/O. > Data written to a memory BIO is stored in a BUF_MEM > structure which is extended as appropriate to accommodate the > stored data. > > Is there anything like that in GnuTLS? Or should I rewrite it to use > normal fds? (Or did I just misunderstand something? ;-)) gnutls_transport_set_pull_function() and gnutls_transport_set_push_function() install a "pull" and a "push" function for a gnutls_session_t. Basically you'd instantiate a gnutls_session_t, and attach a pull and a push function that reads and writes from a memory buffer. It's a little bit more work, but it's a far more generic abstraction that can be used to encapsulate any kind of a source/sink encryption channel. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: not available URL: From simon at josefsson.org Mon May 18 11:52:53 2009 From: simon at josefsson.org (Simon Josefsson) Date: Mon, 18 May 2009 11:52:53 +0200 Subject: [Help-gnutls] Re: Using the gnutls_sign_callback_set method In-Reply-To: <7221B8073F7BE6478B99431027431FEA7104379DCB@SG1923Z.corproot.net> (Tobias Soder's message of "Fri, 15 May 2009 14:39:13 +0200") References: <7221B8073F7BE6478B99431027431FEA7104379DCB@SG1923Z.corproot.net> Message-ID: <87y6supwju.fsf@mocca.josefsson.org> writes: > Hi everybody > > We're trying to get gnutls to work with a cryptographic > token. Therefore I've had a look at the gnutls_sign_callback_set > method. What I don't understand is: At which point is the method > called that I'm passing to gnutls_sign_callback_set? During the call to gnutls_handshake. See the self-test tests/x509signself.c, it forks a server and client that talks to each other using the sign callback, without any private key being available elsewhere in the code. > I've tried it out by doing this: ... > gnutls_certificate_set_x509_key_file(xcred,CERTFILE,KEYFILE,GNUTLS_X509_FMT_PEM); I think this is your problem, you need to set a NULL keyfile. Otherwise you supply the library with a private key, so it will use that instead of invoking the callback. From the x509signself.c code: gnutls_certificate_set_x509_key_mem (xcred, &cert, NULL, GNUTLS_X509_FMT_PEM); I think the example looks fine otherwise, although I didn't try to run it. /Simon From simon at josefsson.org Mon May 18 12:03:13 2009 From: simon at josefsson.org (Simon Josefsson) Date: Mon, 18 May 2009 12:03:13 +0200 Subject: [Help-gnutls] Re: OpenSSL <-> GnuTLS imcompatibilities In-Reply-To: (David Herrmann's message of "Fri, 15 May 2009 23:25:07 +0200") References: Message-ID: <87tz3ipw2m.fsf@mocca.josefsson.org> David Herrmann writes: > Hi > I know that OpenSSL only implements SSL2/3 and partly TLS1 but is > there a way to connect with an OpenSSL > client to a simple GnuTLS server? Hi. Sure, you can try the 'gnutls-serv' tool that comes with GnuTLS. See the manual: http://www.gnu.org/software/gnutls/manual/html_node/Invoking-gnutls_002dserv.html > I used the following code to initialize my ssl listener: > ?? ?gnutls_dh_params_init(&ssl_dhparams); > ?? ?gnutls_dh_params_generate2(ssl_dhparams, SSL_DH_BITS); This is one problem, you are generating DH parameters which is a slow cryptographic process. There is a sample client in the manual: http://www.gnu.org/software/gnutls/manual/html_node/Simple-client-example-with-X_002e509-certificate-support.html > And then if I connect with a simple SSLv3 OpenSSL connection, my > gnutls_handshake returns either > GNUTLS_E_UNEXPECTED_PACKET_LENGTH or GNUTLS_E_UNKNOWN_CIPHER_SUITE. Please enable debug logging and post more information. > However, the weird thing is, the OpenSSL handshake call blocks and > does not return any error. > Even when I kill the process of the GnuTLS listener the OpenSSL > handshake still blocks. This is because the DH issue. > It would be nice to hear whether there are known compatibility > problems between GnuTLS and > OpenSSL and whether there are ways to force SSLv3 on GnuTLS to connect > to OpenSSL > without any problems. I'm not aware of any compatibility problems with OpenSSL. You can force GnuTLS to use SSLv3 with a NORMAL:-VERS-TLS1.0:-VERS-TLS1.1 priority string. But if you need that, there is most likely some other problem that should be fixed instead. > Another problem is the following code: > static gnutls_rsa_params_t ssl_rsaparams; > gnutls_rsa_params_init(&ssl_rsaparams); > gnutls_rsa_params_generate2(ssl_rsaparams, 512); These functions are for export ciphers, I would recommend you to not use them at all. > The last function blocks and does not return. gdb gives me something like: > ?(gdb) backtrace > #0 ?0xb800e430 in __kernel_vsyscall () > #1 ?0xb7ea577d in select () from /lib/tls/i686/cmov/libc.so.6 > #2 ?0xb7d7f782 in ?? () from /lib/libgcrypt.so.11 > #3 ?0xb7d5334b in ?? () from /lib/libgcrypt.so.11 > #4 ?0xb7d54946 in ?? () from /lib/libgcrypt.so.11 > #5 ?0xb7d54cf9 in ?? () from /lib/libgcrypt.so.11 > #6 ?0xb7d862dc in ?? () from /lib/libgcrypt.so.11 > #7 ?0xb7d51bc7 in ?? () from /lib/libgcrypt.so.11 > #8 ?0xb7d531c9 in ?? () from /lib/libgcrypt.so.11 > #9 ?0xb7d719c4 in ?? () from /lib/libgcrypt.so.11 > #10 0xb7d4920f in ?? () from /lib/libgcrypt.so.11 > #11 0xb7d3dc24 in gcry_pk_genkey () from /lib/libgcrypt.so.11 > #12 0xb7f6a545 in _gnutls_rsa_generate_params () from /usr/lib/libgnutls.so.26 > #13 0xb7f8b6e9 in gnutls_x509_privkey_generate () from /usr/lib/libgnutls.so.26 > #14 0xb7f6a3b4 in gnutls_rsa_params_generate2 () from /usr/lib/libgnutls.so.26 > #15 0x080b878d in ssl_init () at ssl.c:73 > ?#16 0x0805fa28 in main (argc=4, argv=0xbfa29a64) at ircd.c:730 > However, I had to interrupt the process myself. It looks like gcrypt calls some > function which actually is no function. The select() syscall may be some random > data in the memory. > I hope someone can help me Generating a key is a slow process, and it takes time. Just give the process a few minutes to finish. /Simon From simon at josefsson.org Mon May 18 12:56:44 2009 From: simon at josefsson.org (Simon Josefsson) Date: Mon, 18 May 2009 12:56:44 +0200 Subject: [Help-gnutls] Re: Odd issue with gnu-tls 2.6.4 running as a subprocess of emacs-23 on Windows XP In-Reply-To: (Iver Odin Kvello's message of "Wed, 15 Apr 2009 00:44:24 +0200") References: <874owst6hg.fsf@mocca.josefsson.org> <87ws9nnsox.fsf@mocca.josefsson.org> Message-ID: <87iqjyptlf.fsf@mocca.josefsson.org> Iver Odin Kvello writes: >> The solution in 2.8.x. will be to avoid select() and use poll() instead, >> for which there is (allegedly) a more reliable wrapper implementation in >> gnulib: >> http://git.savannah.gnu.org/cgit/gnulib.git/tree/lib/poll.c > > I see, that sounds great. > > I actually managed to find and fix the bug in select.c (without any > extensive testing of course) - I've attached the patch in case this > could be useful temporarily or something. Hi again. GnuTLS 2.8.x is close to being released, and it now does use poll. If you have time, I'd appreciate if you could test whether it solves the problem for you under Windows. I have tested gnutls-cli in a cmd.exe windows on Windows XP, and I was able to talk to a SMTP server without problem, but I can't test from within Emacs easily. /Simon From iverodin at gmail.com Mon May 18 14:18:03 2009 From: iverodin at gmail.com (Iver Odin Kvello) Date: Mon, 18 May 2009 14:18:03 +0200 Subject: [Help-gnutls] Re: Odd issue with gnu-tls 2.6.4 running as a subprocess of emacs-23 on Windows XP In-Reply-To: <87iqjyptlf.fsf@mocca.josefsson.org> References: <874owst6hg.fsf@mocca.josefsson.org> <87ws9nnsox.fsf@mocca.josefsson.org> <87iqjyptlf.fsf@mocca.josefsson.org> Message-ID: (forgot to reply to the list) > Hi again. ?GnuTLS 2.8.x is close to being released, and it now does use > poll. ?If you have time, I'd appreciate if you could test whether it > solves the problem for you under Windows. ?I have tested gnutls-cli in a > cmd.exe windows on Windows XP, and I was able to talk to a SMTP server > without problem, but I can't test from within Emacs easily. GnuTLS 2.7.10 fixes this problem; Jabber.el now works with Gtalk with no problems. Regards, Iver From simon at josefsson.org Mon May 18 14:30:34 2009 From: simon at josefsson.org (Simon Josefsson) Date: Mon, 18 May 2009 14:30:34 +0200 Subject: [Help-gnutls] Re: Odd issue with gnu-tls 2.6.4 running as a subprocess of emacs-23 on Windows XP In-Reply-To: (Iver Odin Kvello's message of "Mon, 18 May 2009 14:18:03 +0200") References: <874owst6hg.fsf@mocca.josefsson.org> <87ws9nnsox.fsf@mocca.josefsson.org> <87iqjyptlf.fsf@mocca.josefsson.org> Message-ID: <8763fypp91.fsf@mocca.josefsson.org> Iver Odin Kvello writes: > (forgot to reply to the list) > >> Hi again. ?GnuTLS 2.8.x is close to being released, and it now does use >> poll. ?If you have time, I'd appreciate if you could test whether it >> solves the problem for you under Windows. ?I have tested gnutls-cli in a >> cmd.exe windows on Windows XP, and I was able to talk to a SMTP server >> without problem, but I can't test from within Emacs easily. > > GnuTLS 2.7.10 fixes this problem; Jabber.el now works with Gtalk with > no problems. Wow that was quick. More confidence in GnuTLS on Windows then. Thanks! /Simon From simon at josefsson.org Mon May 18 22:21:39 2009 From: simon at josefsson.org (Simon Josefsson) Date: Mon, 18 May 2009 22:21:39 +0200 Subject: [Help-gnutls] GnuTLS 2.7.11 - release candidate 3 of GnuTLS 2.8.0 Message-ID: <87eium17sc.fsf@mocca.josefsson.org> A few build problems has been fixed, but nothing critical has been reported, so we are on track to release 2.8.0 within a week or so. Please test this release as if it were the new stable release. There have been many e-mails (both on-list and off-list) about different problems lately, and I have probably forgotten to reply to some of them. Some of the patches introduced may also lead to new problems, of course. So, please try and build 2.7.11 again, even if you tried earlier RCs. If you can reproduce a problem with 2.7.11 that you have reported earlier, please send me a ping about it. I'm not actively working on fixing anything right now. Btw, josefsson.org and gnutls.org is currently down and may remain so for a few days. But when it is back up, the URLs below will start to work. Here are the compressed sources: http://alpha.gnu.org/gnu/gnutls/gnutls-2.7.11.tar.bz2 (5.9MB) ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.7.11.tar.bz2 Here is the OpenPGP signature: http://alpha.gnu.org/gnu/gnutls/gnutls-2.7.11.tar.bz2.sig ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.7.11.tar.bz2.sig The Windows binary installer and PGP signature: http://josefsson.org/gnutls4win/gnutls-2.7.11.exe (15MB) http://josefsson.org/gnutls4win/gnutls-2.7.11.exe.sig A ZIP archive containing the Windows binaries: http://josefsson.org/gnutls4win/gnutls-2.7.11.zip (5.3MB) http://josefsson.org/gnutls4win/gnutls-2.7.11.zip.sig A Debian mingw32 package is also available: http://josefsson.org/gnutls4win/mingw32-gnutls_2.7.11-1_all.deb (4.8MB) Improving GnuTLS is costly, but you can help! We are looking for organizations that find GnuTLS useful and wish to contribute back. You can contribute by reporting bugs, improve the software, or donate money or equipment. Commercial support contracts for GnuTLS are available, and they help finance continued maintenance. Simon Josefsson Datakonsult AB, a Stockholm based privately held company, is currently funding GnuTLS maintenance. We are always looking for interesting development projects. See http://josefsson.org/ for more details. /Simon * Version 2.7.11 (released 2009-05-18) ** minitasn1: Fix build failure when using internal libtasn1. Reported by "Tom G. Christensen" in . ** libgnutls: Fix build failure with --disable-cxx. Reported by Andreas Metzler in . ** gnutls-serv: Fix build failure for unportable NI_MAXHOST/NI_MAXSERV. Reported by "Tom G. Christensen" in ** Building with many warning flags now requires --enable-gcc-warnings. This avoids crying wolf for normal compiles. ** API and ABI modifications: No changes since last version. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 419 bytes Desc: not available URL: From simon at josefsson.org Wed May 20 12:12:53 2009 From: simon at josefsson.org (Simon Josefsson) Date: Wed, 20 May 2009 12:12:53 +0200 Subject: [Help-gnutls] Libtasn2 2.2 Message-ID: <873ab0hyl6.fsf@mocca.josefsson.org> Libtasn1 is a standalone library written in C for manipulating ASN.1 objects including DER/BER encoding and DER/BER decoding. Libtasn1 is used by GnuTLS to manipulate X.509 objects and by Shishi to handle Kerberos V5 packets. Version 2.2 (released 2009-05-20) - Change how the ASN1_API decorator is used in libtasn1.h, for GTK-DOC. - Changed license of libtasn1.pc from GPLv3+ to LGPLv2.1+. Reported by Jeff Cai . - Building with many warning flags now requires --enable-gcc-warnings. - Some warnings fixed. Commercial support contracts for Libtasn1 are available, and they help finance continued maintenance. Simon Josefsson Datakonsult AB, a Stockholm based privately held company, is currently funding Libtasn1 maintenance. We are always looking for interesting development projects. See http://josefsson.org/ for more details. If you need help to use Libtasn1, or want to help others, you are invited to join the help-gnutls mailing list, see: . Homepage: http://josefsson.org/libtasn1/ Here are the compressed sources (1.6MB): ftp://ftp.gnu.org/gnu/gnutls/libtasn1-2.2.tar.gz http://ftp.gnu.org/gnu/gnutls/libtasn1-2.2.tar.gz Here are GPG detached signatures using key 0xB565716F: ftp://ftp.gnu.org/gnu/gnutls/libtasn1-2.2.tar.gz.sig http://ftp.gnu.org/gnu/gnutls/libtasn1-2.2.tar.gz.sig A ZIP archive containing the Windows binaries (284KB): http://josefsson.org/gnutls4win/libtasn1-2.2.zip http://josefsson.org/gnutls4win/libtasn1-2.2.zip.sig A Debian mingw32 package is also available (256KB): http://josefsson.org/gnutls4win/mingw32-libtasn1_2.2-1_all.deb The software is cryptographically signed by the author using an OpenPGP key identified by the following information: pub 1280R/B565716F 2002-05-05 [expires: 2010-04-21] Key fingerprint = 0424 D4EE 81A0 E3D1 19C6 F835 EDA2 1E94 B565 716F uid Simon Josefsson uid Simon Josefsson sub 1280R/4D5D40AE 2002-05-05 [expires: 2010-04-21] The key is available from: http://josefsson.org/key.txt dns:b565716f.josefsson.org?TYPE=CERT Here are the SHA-1 and SHA-224 checksums: d6e0d449cf2da04c93f498d2cf4415f572611b46 libtasn1-2.2.tar.gz 312f9db820bab1203032215c99f44c038381c940952e92cafef23aca libtasn1-2.2.tar.gz fb176e35da39d8c767aa881512dc07aac35b7d35 libtasn1-2.2.zip a30bbdbca8bd4efffbd43b1d1bfcde4b3c891080e4010fafe66f061f libtasn1-2.2.zip b73cee7d754fec2451b208bb17a383da95b4b1b0 mingw32-libtasn1_2.2-1_all.deb 2ea355177983beb522423b983c4105e933ede1822e05130352b18a75 mingw32-libtasn1_2.2-1_all.deb Happy hacking, Simon -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 419 bytes Desc: not available URL: From simon at josefsson.org Wed May 20 13:15:23 2009 From: simon at josefsson.org (Simon Josefsson) Date: Wed, 20 May 2009 13:15:23 +0200 Subject: [Help-gnutls] GnuTLS 2.7.12 - release candidate 4 of GnuTLS 2.8.0 Message-ID: <87r5ykgh4k.fsf@mocca.josefsson.org> This makes gnutls-serv and gnutls-cli-debug work on Windows, and fixes some other minor things. We are on track to release this as 2.8.0 within a week or so. I'll be away on vacation in Budapest until Monday, so don't expect any quick replies. Use the time to test the RC! :) Please test this release as if it were the new stable release! Here are the compressed sources: http://alpha.gnu.org/gnu/gnutls/gnutls-2.7.12.tar.bz2 (6.0MB) ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.7.12.tar.bz2 Here is the OpenPGP signature: http://alpha.gnu.org/gnu/gnutls/gnutls-2.7.12.tar.bz2.sig ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.7.12.tar.bz2.sig The Windows binary installer and PGP signature: http://josefsson.org/gnutls4win/gnutls-2.7.12.exe (15MB) http://josefsson.org/gnutls4win/gnutls-2.7.12.exe.sig A ZIP archive containing the Windows binaries: http://josefsson.org/gnutls4win/gnutls-2.7.12.zip (5.3MB) http://josefsson.org/gnutls4win/gnutls-2.7.12.zip.sig A Debian mingw32 package is also available: http://josefsson.org/gnutls4win/mingw32-gnutls_2.7.12-1_all.deb (4.8MB) Improving GnuTLS is costly, but you can help! We are looking for organizations that find GnuTLS useful and wish to contribute back. You can contribute by reporting bugs, improve the software, or donate money or equipment. Commercial support contracts for GnuTLS are available, and they help finance continued maintenance. Simon Josefsson Datakonsult AB, a Stockholm based privately held company, is currently funding GnuTLS maintenance. We are always looking for interesting development projects. See http://josefsson.org/ for more details. /Simon * Version 2.7.12 (released 2009-05-20) ** gnutls-serv, gnutls-cli-debug: Make them work on Windows. ** tests/crq_key_id: Don't read entropy from /dev/random in self-test. Reported by Andreas Metzler in . ** Fix build failures. Missing sa_family_t and vsnprintf on IRIX. Reported by "Tom G. Christensen" in . ** minitasn1: Internal copy updated to libtasn1 v2.2. GnuTLS should work fine with libtasn1 v1.x and that is still supported. ** API and ABI modifications: No changes since last version. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 419 bytes Desc: not available URL: From simon at josefsson.org Mon May 25 12:32:36 2009 From: simon at josefsson.org (Simon Josefsson) Date: Mon, 25 May 2009 12:32:36 +0200 Subject: [Help-gnutls] GnuTLS 2.7.13 - release candidate 5 of GnuTLS 2.8.0 Message-ID: <87k5458ocb.fsf@mocca.josefsson.org> Hopefully this will be the final RC. I'll release this as v2.8.0 tomorrow morning unless I hear objections. Meanwhile, please build it and proof read the release notes: http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3589 Here are the compressed sources: http://alpha.gnu.org/gnu/gnutls/gnutls-2.7.13.tar.bz2 (6.0MB) ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.7.13.tar.bz2 Here is the OpenPGP signature: http://alpha.gnu.org/gnu/gnutls/gnutls-2.7.13.tar.bz2.sig ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.7.13.tar.bz2.sig The Windows binary installer and PGP signature: http://josefsson.org/gnutls4win/gnutls-2.7.13.exe (15MB) http://josefsson.org/gnutls4win/gnutls-2.7.13.exe.sig A ZIP archive containing the Windows binaries: http://josefsson.org/gnutls4win/gnutls-2.7.13.zip (5.3MB) http://josefsson.org/gnutls4win/gnutls-2.7.13.zip.sig A Debian mingw32 package is also available: http://josefsson.org/gnutls4win/mingw32-gnutls_2.7.13-1_all.deb (4.8MB) Improving GnuTLS is costly, but you can help! We are looking for organizations that find GnuTLS useful and wish to contribute back. You can contribute by reporting bugs, improve the software, or donate money or equipment. Commercial support contracts for GnuTLS are available, and they help finance continued maintenance. Simon Josefsson Datakonsult AB, a Stockholm based privately held company, is currently funding GnuTLS maintenance. We are always looking for interesting development projects. See http://josefsson.org/ for more details. /Simon * Version 2.7.13 (released 2009-05-25) ** libgnutls: Fix version of some exported symbols in the shared library. Reported by Andreas Metzler in . ** tests: Handle recently expired certificates in chainverify self-test. Reported by Andreas Metzler in . ** API and ABI modifications: No changes since last version. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 419 bytes Desc: not available URL: From simon at josefsson.org Tue May 26 11:46:32 2009 From: simon at josefsson.org (Simon Josefsson) Date: Tue, 26 May 2009 11:46:32 +0200 Subject: [Help-gnutls] GnuTLS 2.7.14 - release candidate 6 of GnuTLS 2.8.0 Message-ID: <87eiucyz5z.fsf@mocca.josefsson.org> Good feedback on RC5 resulted in one important change, so let's do a RC6. I'll release this as v2.8.0 tomorrow morning unless I hear objections. Meanwhile, please build it and proof read the release notes: http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3589 Here are the compressed sources: http://alpha.gnu.org/gnu/gnutls/gnutls-2.7.14.tar.bz2 (6.0MB) ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.7.14.tar.bz2 Here is the OpenPGP signature: http://alpha.gnu.org/gnu/gnutls/gnutls-2.7.14.tar.bz2.sig ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.7.14.tar.bz2.sig The Windows binary installer and PGP signature: http://josefsson.org/gnutls4win/gnutls-2.7.14.exe (15MB) http://josefsson.org/gnutls4win/gnutls-2.7.14.exe.sig A ZIP archive containing the Windows binaries: http://josefsson.org/gnutls4win/gnutls-2.7.14.zip (5.3MB) http://josefsson.org/gnutls4win/gnutls-2.7.14.zip.sig A Debian mingw32 package is also available: http://josefsson.org/gnutls4win/mingw32-gnutls_2.7.14-1_all.deb (4.8MB) Improving GnuTLS is costly, but you can help! We are looking for organizations that find GnuTLS useful and wish to contribute back. You can contribute by reporting bugs, improve the software, or donate money or equipment. Commercial support contracts for GnuTLS are available, and they help finance continued maintenance. Simon Josefsson Datakonsult AB, a Stockholm based privately held company, is currently funding GnuTLS maintenance. We are always looking for interesting development projects. See http://josefsson.org/ for more details. /Simon * Version 2.7.14 (released 2009-05-26) ** libgnutls: Fix namespace issue with version symbol for libgnutls-extra. The symbol LIBGNUTLS_EXTRA_VERSION were renamed to GNUTLS_EXTRA_VERSION. The old symbol will continue to work but is deprecated. ** Doc: Several typo fixes in documentation. Reported by Peter Hendrickson . ** API and ABI modifications: GNUTLS_VERSION: ADDED, replaces LIBGNUTLS_EXTRA_VERSION. LIBGNUTLS_EXTRA_VERSION: DEPRECATED. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 419 bytes Desc: not available URL: From simon at josefsson.org Wed May 27 07:41:56 2009 From: simon at josefsson.org (Simon Josefsson) Date: Wed, 27 May 2009 07:41:56 +0200 Subject: [Help-gnutls] Re: libtasn1 compile issue in ANS1.c In-Reply-To: (Didier Godefroy's message of "Tue, 26 May 2009 19:17:45 +0200") References: Message-ID: <87vdnn14rf.fsf@mocca.josefsson.org> Didier Godefroy writes: > on 5/26/09 11:11 AM, Simon Josefsson at simon at josefsson.org uttered the > following: > >>> I just noticed that this enumeration is auto-generated with bison from >>> the given grammar's tokens, thus TRUE/FALSE cannot be replaced. However >>> would adding #undef TRUE and #undef FALSE solve the compilation issue >>> for you? >> >> We can change the bison source, can't we? Like this: >> >> /Simon >> >> diff --git a/lib/ASN1.y b/lib/ASN1.y > > Ok, I applied the patch and reverted ASN1.c to original, but configure > doesn't cause the generation of a new ASN1.c it appears (making my patch on > it useless). > How do we get the new ASN1.c regenerated? Make sure ASN1.y has a newer timestamp than ASN1.c, and it should be re-built automatically. E.g., try 'touch lib/ASN1.y'. You could also remove the built file, 'rm lib/ASN1.c', then it will be re-built for sure. Thanks for testing! /Simon From simon at josefsson.org Thu May 28 10:10:00 2009 From: simon at josefsson.org (Simon Josefsson) Date: Thu, 28 May 2009 10:10:00 +0200 Subject: [Help-gnutls] GnuTLS 2.8.0 Message-ID: <878wkhabs7.fsf@mocca.josefsson.org> We are proud to announce a new stable GnuTLS release: Version 2.8.0. GnuTLS is a modern C library that implements the standard network security protocol Transport Layer Security (TLS), for use by network applications. GnuTLS is developed for GNU/Linux, but works on many Unix-like systems and comes with a binary installer for Windows. The GnuTLS library is distributed under the terms of the GNU Lesser General Public License version 2.1 (or later). The "extra" GnuTLS library (which contains TLS/IA support, LZO compression and Libgcrypt FIPS-mode handler), the OpenSSL compatibility library, the self tests and the command line tools are all distributed under the GNU General Public License version 3.0 (or later). The manual is distributed under the GNU Free Documentation License version 1.3 (or later). The project page of the library is available at: http://www.gnu.org/software/gnutls/ What's New ========== Version 2.8.0 is the first stable release on the 2.8.x branch and is the result of 7 months of work on the experimental 2.7.x branch. The GnuTLS 2.8.x branch replaces the GnuTLS 2.6.x branch as the supported stable branch, although we will continue to support GnuTLS 2.6.x for some time. ** lib: Linker version scripts reduces number of exported symbols. The linker version script now lists all exported ABIs explicitly, to avoid accidentally exporting unintended functions. Compared to before, most symbols beginning with _gnutls* are no longer exported. These functions have never been intended for use by applications, and there were no prototypes for these function in the public header files. Thus we believe it is possible to do this without incrementing the library ABI version which normally has to be done when removing an interface. ** lib: Limit exported symbols on systems without LD linker scripts. Before all symbols were exported. Now we limit the exported symbols to (for libgnutls and libgnutls-extra) gnutls* and (for libgnutls) _gnutls*. This is a superset of the actual supported ABI, but still an improvement compared to before. This is implemented using Libtool -export-symbols-regex. It is more portable than linker version scripts. ** libgnutls: Fix namespace issue with version symbols. The symbols LIBGNUTLS_VERSION, LIBGNUTLS_VERSION_MAJOR, LIBGNUTLS_VERSION_MINOR, LIBGNUTLS_VERSION_PATCH, and LIBGNUTLS_VERSION_NUMBER were renamed to GNUTLS_VERSION_NUMBER, GNUTLS_VERSION_MAJOR, GNUTLS_VERSION_MINOR, GNUTLS_VERSION_PATCH, and GNUTLS_VERSION_NUMBER respectively. The old symbols will continue to work but are deprecated. ** libgnutls: Fix namespace issue with version symbol for libgnutls-extra. The symbol LIBGNUTLS_EXTRA_VERSION were renamed to GNUTLS_EXTRA_VERSION. The old symbol will continue to work but is deprecated. ** libgnutls: Add functions to verify a hash against a certificate. gnutls_x509_crt_verify_hash: ADDED gnutls_x509_crt_get_verify_algorithm: ADDED ** gnutls-serv: Listen on all interfaces, including both IPv4 and IPv6. ** i18n: The GnuTLS gettext domain is now 'libgnutls' instead of 'gnutls'. It is currently only used by the core library. This will enable a new domain 'gnutls' for translations of the command line tools. ** certtool: Query for multiple dnsName subjectAltName in interactive mode. This applies both to generating certificates and certificate requests. ** gnutls-cli: No longer accepts V1 CAs by default during X.509 chain verify. Use --priority NORMAL:%VERIFY_ALLOW_X509_V1_CA_CRT to permit V1 CAs to be used for chain verification. ** gnutls-serv: No longer disable MAC padding by default. Use --priority NORMAL:%COMPAT to disable MAC padding again. ** gnutls-cli: Certificate information output format changed. The tool now uses libgnutls' functions to print certificate information. This avoids code duplication. ** libgnutls: New priority strings %VERIFY_ALLOW_SIGN_RSA_MD5 ** and %VERIFY_ALLOW_X509_V1_CA_CRT. They can be used to override the default certificate chain validation behaviour. ** libgnutls: gnutls_x509_crt_print prints signature algorithm in oneline mode. ** libgnutls: gnutls_openpgp_crt_print supports oneline mode. ** libgnutls: gnutls_handshake when sending client hello during a rehandshake, will not offer a version number larger than the current. ** libgnutls: New interface to get key id for certificate requests. gnutls_x509_crq_get_key_id: ADDED. ** libgnutls: gnutls_x509_crq_print will now also print public key id. ** certtool: --verify-chain now prints results of using library verification. Earlier, certtool --verify-chain used its own validation algorithm which wasn't guaranteed to give the same result as the libgnutls internal validation algorithm. Now this command print a new final line with header 'Chain verification output:' that contains the result From using the internal verification algorithm on the same chain. ** libgnutls: Libgcrypt initialization changed. If libgcrypt has not already been initialized, GnuTLS will now initialize libgcrypt with disabled secure memory. Initialize libgcrypt explicitly in your application if you want to enable secure memory. Before GnuTLS initialized libgcrypt to use GnuTLS's memory allocation functions, which doesn't use secure memory, so there is no real change in behaviour. ** libgnutls: Small byte reads via gnutls_record_recv() optimized. ** gnutls-cli: Return non-zero exit code on error conditions. ** gnutls-cli: Corrected bug which caused a rehandshake request to be ignored. ** certtool: allow setting arbitrary key purpose object identifiers. ** libgnutls: Change detection of when to use a linker version script. Use --enable-ld-version-script or --disable-ld-version-script to override auto-detection logic. ** Fix warnings and build GnuTLS with more warnings enabled. ** New API to set X.509 credentials from PKCS#12 memory structure. gnutls_certificate_set_x509_simple_pkcs12_mem: ADDED ** Old libgnutls.m4 and libgnutls-config scripts removed. Please use pkg-config instead. ** libgnutls: Added functions to handle CRL extensions. gnutls_x509_crl_get_authority_key_id: ADDED gnutls_x509_crl_get_number: ADDED gnutls_x509_crl_get_extension_oid: ADDED gnutls_x509_crl_get_extension_info: ADDED gnutls_x509_crl_get_extension_data: ADDED gnutls_x509_crl_set_authority_key_id: ADDED gnutls_x509_crl_set_number: ADDED ** libgnutls: Added functions to handle X.509 extensions in Certificate Requests. gnutls_x509_crq_get_key_rsa_raw: ADDED gnutls_x509_crq_get_attribute_info: ADDED gnutls_x509_crq_get_attribute_data: ADDED gnutls_x509_crq_get_extension_info: ADDED gnutls_x509_crq_get_extension_data: ADDED gnutls_x509_crq_get_key_usage: ADDED gnutls_x509_crq_get_basic_constraints: ADDED gnutls_x509_crq_get_subject_alt_name: ADDED gnutls_x509_crq_get_subject_alt_othername_oid: ADDED gnutls_x509_crq_get_extension_by_oid: ADDED gnutls_x509_crq_set_subject_alt_name: ADDED gnutls_x509_crq_set_basic_constraints: ADDED gnutls_x509_crq_set_key_usage: ADDED gnutls_x509_crq_get_key_purpose_oid: ADDED gnutls_x509_crq_set_key_purpose_oid: ADDED gnutls_x509_crq_print: ADDED gnutls_x509_crt_set_crq_extensions: ADDED ** certtool: Print and set CRL and CRQ extensions. ** minitasn1: Internal copy updated to libtasn1 v2.1. GnuTLS should work fine with libtasn1 v1.x and that is still supported. ** examples: Now released into the public domain. This makes the license of the example code compatible with more licenses, including the (L)GPL. ** The Texinfo and GTK-DOC manuals were improved. ** Several self-tests were added and others improved. API/ABI changes in GnuTLS 2.8 ============================= No offically supported interfaces have been modified or removed. The library should be completely backwards compatible on both the source and binary level. The shared library no longer exports some symbols that have never been officially supported, i.e., not mentioned in any of the header files. The symbols are: _gnutls* gnutls_asn1_tab Normally when symbols are removed, the shared library version has to be incremented. This leads to a significant cost for everyone using the library. Because none of the above symbols have ever been intended for use by well-behaved applications, we decided that the it would be better for those applications to pay the price rather than incurring problems on the majority of applications. If it turns out that applications have been using unofficial interfaces, we will need to release a follow-on release on the v2.8 branch to exports additional interfaces. However, initial testing suggests that few if any applications have been using any of the internal symbols. Although not a new change compared to 2.6.x, we'd like to remind you interfaces have been modified so that X.509 chain verification now also checks activation/expiration times on certificates. The affected functions are: gnutls_x509_crt_list_verify: CHANGED, checks activation/expiration times. gnutls_certificate_verify_peers: Likewise. gnutls_certificate_verify_peers2: Likewise. GNUTLS_CERT_NOT_ACTIVATED: ADDED. GNUTLS_CERT_EXPIRED: ADDED. GNUTLS_VERIFY_DISABLE_TIME_CHECKS: ADDED. This change in behaviour was made during the GnuTLS 2.6.x cycle, and we gave our rationale for it in earlier release notes. The following symbols have been added to the library: gnutls_certificate_set_x509_simple_pkcs12_mem: ADDED gnutls_x509_crl_get_authority_key_id: ADDED gnutls_x509_crl_get_extension_data: ADDED gnutls_x509_crl_get_extension_info: ADDED gnutls_x509_crl_get_extension_oid: ADDED gnutls_x509_crl_get_number: ADDED gnutls_x509_crl_set_authority_key_id: ADDED gnutls_x509_crl_set_number: ADDED gnutls_x509_crq_get_attribute_data: ADDED gnutls_x509_crq_get_attribute_info: ADDED gnutls_x509_crq_get_basic_constraints: ADDED gnutls_x509_crq_get_extension_by_oid: ADDED gnutls_x509_crq_get_extension_data: ADDED gnutls_x509_crq_get_extension_info: ADDED gnutls_x509_crq_get_key_id: ADDED. gnutls_x509_crq_get_key_purpose_oid: ADDED gnutls_x509_crq_get_key_rsa_raw: ADDED gnutls_x509_crq_get_key_usage: ADDED gnutls_x509_crq_get_subject_alt_name: ADDED gnutls_x509_crq_get_subject_alt_othername_oid: ADDED gnutls_x509_crq_print: ADDED gnutls_x509_crq_set_basic_constraints: ADDED gnutls_x509_crq_set_key_purpose_oid: ADDED gnutls_x509_crq_set_key_usage: ADDED gnutls_x509_crq_set_subject_alt_name: ADDED gnutls_x509_crt_get_verify_algorithm: ADDED gnutls_x509_crt_set_crq_extensions: ADDED gnutls_x509_crt_verify_hash: ADDED The following interfaces have been added to the header files: GNUTLS_VERSION: ADDED, replaces LIBGNUTLS_VERSION. GNUTLS_VERSION_MAJOR: ADDED, replaces LIBGNUTLS_VERSION_MAJOR. GNUTLS_VERSION_MINOR: ADDED, replaces LIBGNUTLS_VERSION_MINOR. GNUTLS_VERSION_PATCH: ADDED, replaces LIBGNUTLS_VERSION_PATCH. GNUTLS_VERSION_NUMBER: ADDED, replaces LIBGNUTLS_VERSION_NUMBER. GNUTLS_EXTRA_VERSION: ADDED, replaces LIBGNUTLS_EXTRA_VERSION. The following interfaces have been deprecated: LIBGNUTLS_VERSION: DEPRECATED. LIBGNUTLS_VERSION_MAJOR: DEPRECATED. LIBGNUTLS_VERSION_MINOR: DEPRECATED. LIBGNUTLS_VERSION_PATCH: DEPRECATED. LIBGNUTLS_VERSION_NUMBER: DEPRECATED. LIBGNUTLS_EXTRA_VERSION: DEPRECATED. Getting the Software ==================== GnuTLS may be downloaded from one of the mirror sites or direct from . The list of mirrors can be found at . Here are the BZIP2 compressed sources (6.0MB): ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.8.0.tar.bz2 http://ftp.gnu.org/gnu/gnutls/gnutls-2.8.0.tar.bz2 Here are OpenPGP detached signatures signed using key 0xB565716F: ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.8.0.tar.bz2.sig http://ftp.gnu.org/gnu/gnutls/gnutls-2.8.0.tar.bz2.sig Note, that we don't distribute gzip compressed tarballs. In order to check that the version of GnuTLS which you are going to install is an original and unmodified one, you should verify the OpenPGP signature. You can use the command gpg --verify gnutls-2.8.0.tar.bz2.sig This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by that signing key. Make sure that you have the right key, either by checking the fingerprint of that key with other sources or by checking that the key has been signed by a trustworthy other key. The signing key can be identified with the following information: pub 1280R/B565716F 2002-05-05 [expires: 2010-04-21] Key fingerprint = 0424 D4EE 81A0 E3D1 19C6 F835 EDA2 1E94 B565 716F uid Simon Josefsson uid Simon Josefsson sub 1280R/4D5D40AE 2002-05-05 [expires: 2010-04-21] The key is available from: http://josefsson.org/key.txt dns:b565716f.josefsson.org?TYPE=CERT Alternatively, after successfully verifying the OpenPGP signature of this announcement, you could verify that the files match the following checksum values. The values are for SHA-1 and SHA-224 respectively: 7c102253bb4e817f393b9979a62c647010312eac gnutls-2.8.0.tar.bz2 57ee306f261ed331b8386baf854f737fbf24da7b3bcc32331d34176b gnutls-2.8.0.tar.bz2 Documentation ============= The manual is available online at: http://www.gnu.org/software/gnutls/documentation.html In particular the following formats are available: HTML: http://www.gnu.org/software/gnutls/manual/html_node/index.html PDF: http://www.gnu.org/software/gnutls/manual/gnutls.pdf For developers there is a GnuTLS API reference manual formatted using the GTK-DOC tools: http://www.gnu.org/software/gnutls/reference/gnutls-gnutls.html Community ========= If you need help to use GnuTLS, or want to help others, you are invited to join our help-gnutls mailing list, see: http://lists.gnu.org/mailman/listinfo/help-gnutls If you wish to participate in the development of GnuTLS, you are invited to join our gnutls-dev mailing list, see: http://lists.gnu.org/mailman/listinfo/gnutls-devel Windows installer ================= GnuTLS has been ported to the Windows operating system, and a binary installer is available. The installer contains DLLs for application development, manuals, examples, and source code. The installer uses libgpg-error v1.7, libgcrypt v1.4.4, libtasn1 v2.2, and GnuTLS v2.8.0. For more information about GnuTLS for Windows: http://josefsson.org/gnutls4win/ The Windows binary installer and PGP signature: http://josefsson.org/gnutls4win/gnutls-2.8.0.exe (15MB) http://josefsson.org/gnutls4win/gnutls-2.8.0.exe.sig The checksum values for SHA-1 and SHA-224 are: 8a7965168c542edec3259469b6c0e87a9a2b4626 gnutls-2.8.0.exe 5f76c907eac768b714dc7187a17f87c0393439cf1ef44ab145aab6e3 gnutls-2.8.0.exe A ZIP archive containing the Windows binaries: http://josefsson.org/gnutls4win/gnutls-2.8.0.zip (5.3MB) http://josefsson.org/gnutls4win/gnutls-2.8.0.zip.sig A Debian mingw32 package is also available: http://josefsson.org/gnutls4win/mingw32-gnutls_2.7.10-1_all.deb (4.8MB) The checksum values for SHA-1 and SHA-224 are: aca9f9f1adba09b952e095039595d4c5d9e67d46 mingw32-gnutls_2.8.0-1_all.deb 269020738a9f36135e3f231a94cdb2cabc0edd3658092d76b87c27dc mingw32-gnutls_2.8.0-1_all.deb Internationalization ==================== The GnuTLS library messages have been translated into Czech, Dutch, French, German, Malay, Polish, Swedish, and Vietnamese. We welcome the addition of more translations. Support ======= Improving GnuTLS is costly, but you can help! We are looking for organizations that find GnuTLS useful and wish to contribute back. You can contribute by reporting bugs, improve the software, or donate money or equipment. Commercial support contracts for GnuTLS are available, and they help finance continued maintenance. Simon Josefsson Datakonsult AB, a Stockholm based privately held company, is currently funding GnuTLS maintenance. We are always looking for interesting development projects. See http://josefsson.org/ for more details. The GnuTLS service directory is available at: http://www.gnu.org/software/gnutls/commercial.html Happy Hacking, Simon -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 419 bytes Desc: not available URL: From carolin.latze at unifr.ch Thu May 28 16:46:38 2009 From: carolin.latze at unifr.ch (Carolin Latze) Date: Thu, 28 May 2009 16:46:38 +0200 Subject: [Help-gnutls] Flushing Sessions Message-ID: <4A1EA3CE.9050408@unifr.ch> Hi everybody, thanks to the hint regarding push and pull functions and a lot of Google search I was able to replace a lot of OpenSSL related code in my application with GnuTLS functions. At the moment, I am stuck with replacing SSL_CTX_flush_sessions. This method removes all the expired session for a context. I didn't find an equivalent in GnuTLS and got the impression that GnuTLS does not need that function. Is that right? Cheers Carolin From nmav at gnutls.org Thu May 28 17:01:30 2009 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Thu, 28 May 2009 18:01:30 +0300 Subject: [Help-gnutls] Flushing Sessions In-Reply-To: <4A1EA3CE.9050408@unifr.ch> References: <4A1EA3CE.9050408@unifr.ch> Message-ID: On Thu, May 28, 2009 at 5:46 PM, Carolin Latze wrote: > Hi everybody, > > thanks to the hint regarding push and pull functions and a lot of Google > search I was able to replace a lot of OpenSSL related code in my application > with GnuTLS functions. At the moment, I am stuck with replacing > SSL_CTX_flush_sessions. This method removes all the expired session for a > context. I didn't find an equivalent in GnuTLS and got the impression that > GnuTLS does not need that function. Is that right? Indeed. That is because in gnutls the application is responsible to save/reuse session data. regards, Nikos From Roland.Winkler at physik.uni-erlangen.de Sat May 30 18:51:56 2009 From: Roland.Winkler at physik.uni-erlangen.de (Roland Winkler) Date: Sat, 30 May 2009 18:51:56 +0200 Subject: [Help-gnutls] Re: Key usage violation in certificate Message-ID: <18977.25644.672665.705939@tfkp07.physik.uni-erlangen.de> Hi, I've been trying to use gnutls-cli with the GNU emacs smtpmail package. After some fiddling I got to the point that my sessions looks like the following: Process SMTP finished 220 foo.bar.com ESMTP Postfix EHLO baz.bar.com 250-foo.bar.com 250-PIPELINING 250-SIZE 10240000 250-VRFY 250-ETRN 250-STARTTLS 250 8BITMIME STARTTLS 220 Ready to start TLS *** Starting TLS handshake *** Fatal error: Key usage violation in certificate has been detected. *** Handshake has failed EHLO baz.bar.com QUIT I couldn't get any further. -- I know that the SMTP server I am trying to reach works fine with other mail clients. So I replaced gnutls-cli (GnuTLS 2.4.1) with starttls (0.10), and this works fine, too. Is some known problem of gnutls responsible for this? Thanks, Roland From nmav at gnutls.org Sat May 30 19:50:44 2009 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Sat, 30 May 2009 20:50:44 +0300 Subject: [Help-gnutls] Re: Key usage violation in certificate In-Reply-To: <18977.25644.672665.705939@tfkp07.physik.uni-erlangen.de> References: <18977.25644.672665.705939@tfkp07.physik.uni-erlangen.de> Message-ID: <4A2171F4.4010800@gnutls.org> Roland Winkler wrote: > Hi, > > I've been trying to use gnutls-cli with the GNU emacs smtpmail package. > After some fiddling I got to the point that my sessions looks like > the following: > > Process SMTP finished > 220 foo.bar.com ESMTP Postfix > EHLO baz.bar.com > 250-foo.bar.com > 250-PIPELINING > 250-SIZE 10240000 > 250-VRFY > 250-ETRN > 250-STARTTLS > 250 8BITMIME > STARTTLS > 220 Ready to start TLS > *** Starting TLS handshake > *** Fatal error: Key usage violation in certificate has been detected. > *** Handshake has failed > EHLO baz.bar.com > QUIT > > > I couldn't get any further. -- I know that the SMTP server I am > trying to reach works fine with other mail clients. So I replaced > gnutls-cli (GnuTLS 2.4.1) with starttls (0.10), and this works fine, > too. Is some known problem of gnutls responsible for this? No. Please check the certificate with certtool -i. regards, Nikos From Roland.Winkler at physik.uni-erlangen.de Sat May 30 21:03:46 2009 From: Roland.Winkler at physik.uni-erlangen.de (Roland Winkler) Date: Sat, 30 May 2009 21:03:46 +0200 Subject: [Help-gnutls] Re: Key usage violation in certificate In-Reply-To: <4A2171F4.4010800@gnutls.org> References: <18977.25644.672665.705939@tfkp07.physik.uni-erlangen.de> <4A2171F4.4010800@gnutls.org> Message-ID: <18977.33554.217818.177800@tfkp07.physik.uni-erlangen.de> On Sat May 30 2009 Nikos Mavrogiannopoulos wrote: > > I couldn't get any further. -- I know that the SMTP server I am > > trying to reach works fine with other mail clients. So I replaced > > gnutls-cli (GnuTLS 2.4.1) with starttls (0.10), and this works fine, > > too. Is some known problem of gnutls responsible for this? > > No. Please check the certificate with certtool -i. I am sorry for my ignorance. Is this something I can do locally, or is this a command that I need to run on the remote SMTP server I am trying to contact? If I can run this command locally, how do I specify the remote server? Is there anything else I can do locally? (I've made gnutls-cli more verbose and it gave me a lot of information, though in the end nothing appeared useful to me to resolve this problem.) Though I can login on the SMTP server, I am not sure I found the right certificate, and this file is not readable for ordinary users. Thanks, Roland From dkg at fifthhorseman.net Sat May 30 22:18:54 2009 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Sat, 30 May 2009 16:18:54 -0400 Subject: [Help-gnutls] Re: Key usage violation in certificate In-Reply-To: <18977.33554.217818.177800@tfkp07.physik.uni-erlangen.de> References: <18977.25644.672665.705939@tfkp07.physik.uni-erlangen.de> <4A2171F4.4010800@gnutls.org> <18977.33554.217818.177800@tfkp07.physik.uni-erlangen.de> Message-ID: <4A2194AE.4040006@fifthhorseman.net> On 05/30/2009 03:03 PM, Roland Winkler wrote: > I am sorry for my ignorance. Is this something I can do locally, or > is this a command that I need to run on the remote SMTP server I am > trying to contact? If I can run this command locally, how do I > specify the remote server? Is there anything else I can do locally? > (I've made gnutls-cli more verbose and it gave me a lot of > information, though in the end nothing appeared useful to me to > resolve this problem.) You can try this: echo QUIT | gnutls-cli --print-cert --starttls --port 25 foo.bar.com If that doesn't work (i'm having difficulty getting it to behave as i would expect right now), and you have access to openssl, you could do: echo QUIT | openssl s_client -starttls smtp -connect foo.bar.com:25 That would print out the certificate at least, which you could paste into a file to inspect with certtool -i. --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 890 bytes Desc: OpenPGP digital signature URL: From Roland.Winkler at physik.uni-erlangen.de Sun May 31 01:05:33 2009 From: Roland.Winkler at physik.uni-erlangen.de (Roland Winkler) Date: Sun, 31 May 2009 01:05:33 +0200 Subject: [Help-gnutls] Re: Key usage violation in certificate In-Reply-To: <4A2194AE.4040006@fifthhorseman.net> References: <18977.25644.672665.705939@tfkp07.physik.uni-erlangen.de> <4A2171F4.4010800@gnutls.org> <18977.33554.217818.177800@tfkp07.physik.uni-erlangen.de> <4A2194AE.4040006@fifthhorseman.net> Message-ID: <18977.48061.604507.486413@tfkp07.physik.uni-erlangen.de> On Sat May 30 2009 Daniel Kahn Gillmor wrote: > You can try this: > > echo QUIT | gnutls-cli --print-cert --starttls --port 25 foo.bar.com > > If that doesn't work (i'm having difficulty getting it to behave as i > would expect right now), Thank you. The above doesn't work for me either: Resolving 'foo.bar.com'... Connecting to '64.34.161.100:25'... - Simple Client Mode: *** Starting TLS handshake *** Non fatal error: Function was interrupted. *** Fatal error: A TLS packet with unexpected length was received. *** Handshake has failed > and you have access to openssl, you could do: > > echo QUIT | openssl s_client -starttls smtp -connect foo.bar.com:25 Yes, that worked for me, too. So when I run the certificate through certtool, everything looks fine to me (no complaints from certtool). The output of certtool is below. So what's wrong here? Thanks a lot for your help, Roland X.509 Certificate Information: Version: 3 Serial Number (hex): 05 Issuer: C=DE,ST=Bavaria,L=Erlangen,O=Universitaet Erlangen,OU=Physik,CN=Physik CA,EMAIL=postmaster at foo.bar.com Validity: Not Before: Wed May 21 13:22:56 UTC 2008 Not After: Fri Apr 29 13:22:56 UTC 2016 Subject: C=DE,ST=Bavaria,L=Erlangen,O=Universitaet Erlangen,OU=Physik,CN=server.foo.bar.com,EMAIL=admins at server.foo.bar.com Subject Public Key Algorithm: RSA Modulus (bits 2048): a7:ff:4b:d9:75:4c:82:96:5a:16:df:88:e9:b9:23:bd ed:c2:b6:4b:c0:3a:d0:94:ed:77:70:2a:17:c6:65:5c 01:c9:0b:6e:eb:7d:c2:c5:e2:e3:4d:e6:f9:fd:c4:86 7f:13:9f:e1:fa:9f:7d:a9:12:52:14:e7:59:64:43:10 d3:9c:d2:7a:61:15:e0:2d:2e:63:ff:7a:74:c1:e6:d8 36:b4:bb:6e:18:78:2d:ec:ad:c5:61:56:8b:34:5d:a0 6b:c6:ed:83:d2:8b:70:85:bf:59:5d:2c:69:59:a6:09 fc:c4:9b:1e:7e:fa:bb:d5:cd:f1:3b:e5:ec:e9:6a:f3 a7:6e:7d:8c:ce:55:98:b3:c3:a2:bd:b0:83:32:20:a1 9e:2f:67:ce:bc:86:8e:8f:93:3b:b4:71:23:d5:77:ab d9:8f:75:c5:d7:aa:33:73:73:fe:b8:60:16:e0:56:67 30:a7:39:8a:36:96:d3:a2:a3:b6:c8:6a:e2:2f:5c:27 a6:4f:e1:35:5d:72:9d:8d:0d:33:8f:fd:e5:f9:cd:13 cc:56:38:e9:ae:9b:f7:02:ce:f1:77:16:e0:ba:a0:e9 60:95:79:b3:cd:cb:f0:46:4a:72:07:81:0f:ab:e4:66 4f:1a:90:a8:99:e3:07:2c:c5:0b:cf:de:7a:63:70:47 Exponent: 01:00:01 Extensions: Basic Constraints (not critical): Certificate Authority (CA): FALSE Unknown extension 2.16.840.1.113730.1.13 (not critical): ASCII: .!YaST Generated Server Certificate Hexdump: 1621596153542047656e65726174656420536572766572204365727469666963617465 Unknown extension 2.16.840.1.113730.1.1 (not critical): ASCII: ...@ Hexdump: 03020640 Key Usage (not critical): Key encipherment. Subject Key Identifier (not critical): ebd32842114e32fb4a59e96e7f368844c82a0fdc Authority Key Identifier (not critical): 26a9c14bf99be19e4e3a1598b18e8a28e20246af Subject Alternative Name (not critical): RFC822name: admins at server.foo.bar.com Unknown extension 2.5.29.18 (not critical): ASCII: 0#.!postmaster at foo.bar.com Hexdump: 30238121706f73746d61737465724070687973696b2e756e692d65726c616e67656e2e6465 Signature Algorithm: RSA-SHA Signature: 73:dd:04:eb:07:67:aa:ef:37:fe:8a:25:66:d4:26:67 92:06:cb:81:61:c4:9d:e7:b1:76:fa:2d:12:3a:ce:79 2c:52:cb:aa:53:58:84:35:e9:55:27:df:fb:9f:96:07 b0:b0:cb:2a:88:c9:f0:73:6a:33:6e:c2:65:7c:71:51 b5:f8:b5:29:41:ba:64:70:4c:95:20:33:84:f9:dc:a5 b0:9e:d1:1e:3f:cc:7d:40:af:81:9c:93:d7:ed:8d:0f b4:45:5f:50:0d:c9:8e:0e:d0:d0:6c:36:af:4a:c3:f2 b1:14:da:e3:ec:c6:13:7a:ba:92:61:23:bc:03:77:c1 96:39:6d:24:81:8d:74:39:72:55:af:6c:19:c1:5f:00 81:2f:54:ad:3c:6e:ca:a0:fb:7d:c6:e0:80:02:3b:38 15:b3:55:2c:06:b4:3b:7f:7a:07:da:8f:ac:a2:44:4b f8:90:40:16:4f:b4:1c:fc:dc:3d:aa:41:fa:5d:47:59 b8:df:9e:25:c0:83:b6:bf:ed:5d:2a:21:d0:7b:a6:64 00:c3:31:a0:31:c9:d8:93:ca:9b:87:ce:8d:3b:d9:08 05:a2:7f:9d:4a:79:7f:75:66:2a:97:33:6b:11:3a:2c 48:7b:44:8e:61:b4:0c:29:8f:44:5b:55:4e:94:bc:38 Other Information: MD5 fingerprint: 3d1adc22cc153763e422e38fb3a0f8a4 SHA-1 fingerprint: a71ffdcd5b09e4901cff2160a8e8f97137cdc2fb Public Key Id: e0ac4c05064b23d6ab821b860c5c69eb6d5e5d39 From nmav at gnutls.org Sun May 31 07:39:22 2009 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Sun, 31 May 2009 08:39:22 +0300 Subject: [Help-gnutls] Re: Key usage violation in certificate In-Reply-To: <18977.48061.604507.486413@tfkp07.physik.uni-erlangen.de> References: <18977.25644.672665.705939@tfkp07.physik.uni-erlangen.de> <4A2171F4.4010800@gnutls.org> <18977.33554.217818.177800@tfkp07.physik.uni-erlangen.de> <4A2194AE.4040006@fifthhorseman.net> <18977.48061.604507.486413@tfkp07.physik.uni-erlangen.de> Message-ID: <20090531083922.1725e860@nmav-eee> On Sun, 31 May 2009 01:05:33 +0200 "Roland Winkler" wrote: This certificate restricts its usage to key encipherment. For TLS this is restricted to only the RSA key exchange. By misconfiguration however the server allows you to connect with a ciphersuite that violates this usage and that's why gnutls-cli fails to connect. Try to connect using this priority string: gnutls-cli --priority "normal:-dhe-rsa" > Key Usage (not critical): > Key encipherment. regards, Nikos From Roland.Winkler at physik.uni-erlangen.de Sun May 31 17:14:42 2009 From: Roland.Winkler at physik.uni-erlangen.de (Roland Winkler) Date: Sun, 31 May 2009 17:14:42 +0200 Subject: [Help-gnutls] Re: Key usage violation in certificate In-Reply-To: <20090531083922.1725e860@nmav-eee> References: <18977.25644.672665.705939@tfkp07.physik.uni-erlangen.de> <4A2171F4.4010800@gnutls.org> <18977.33554.217818.177800@tfkp07.physik.uni-erlangen.de> <4A2194AE.4040006@fifthhorseman.net> <18977.48061.604507.486413@tfkp07.physik.uni-erlangen.de> <20090531083922.1725e860@nmav-eee> Message-ID: <18978.40674.253965.602796@tfkp07.physik.uni-erlangen.de> > Try to connect using this priority string: > gnutls-cli --priority "normal:-dhe-rsa" Hi Nikos, Great, thanks a lot, now gnutls-cli works perfect (for emacs, I do not need quotes for the second arg). > By misconfiguration however the server allows you to connect with > a ciphersuite that violates this usage and that's why gnutls-cli > fails to connect. Is this a misconfiguration of the server that its sysadmins can fix? Is it a part of the communication protocol between server and client that the server should tell the client the allowed usage of its certificate? I mean, the server knows the allowed usage of its certificate. So I would guess that in an ideal world (that we don't have...) no extra configuration of the server was necessary. Thanks, Roland