From tong.tang at motorola.com Tue Sep 1 12:07:29 2009 From: tong.tang at motorola.com (Tang Tong-A21500) Date: Tue, 1 Sep 2009 18:07:29 +0800 Subject: Anybody know TLS_RSA_WITH_AES_256_CBC_SHA256 is supported by gnutls or not Message-ID: <3B5C8B8FB6D8874DA89B26741B42BBA0620C77@zmy16exm69.ds.mot.com> As title. Regards Tang Tong -------------- next part -------------- An HTML attachment was scrubbed... URL: From bradh at frogmouth.net Tue Sep 1 13:03:52 2009 From: bradh at frogmouth.net (Brad Hards) Date: Tue, 1 Sep 2009 21:03:52 +1000 Subject: Anybody know TLS_RSA_WITH_AES_256_CBC_SHA256 is supported by gnutls or not In-Reply-To: <3B5C8B8FB6D8874DA89B26741B42BBA0620C77@zmy16exm69.ds.mot.com> References: <3B5C8B8FB6D8874DA89B26741B42BBA0620C77@zmy16exm69.ds.mot.com> Message-ID: <200909012103.52719.bradh@frogmouth.net> gnutls-cli --list will tell you for your configuration. I don't see any SHA256 ciphers in my list. TLS_RSA_AES_256_CBC_SHA1 looks to be the closest. Brad From bradh at frogmouth.net Tue Sep 1 14:18:23 2009 From: bradh at frogmouth.net (Brad Hards) Date: Tue, 1 Sep 2009 22:18:23 +1000 Subject: Anybody know TLS_RSA_WITH_AES_256_CBC_SHA256 is supported by gnutls or not In-Reply-To: <3B5C8B8FB6D8874DA89B26741B42BBA0620C77@zmy16exm69.ds.mot.com> References: <3B5C8B8FB6D8874DA89B26741B42BBA0620C77@zmy16exm69.ds.mot.com> Message-ID: <200909012218.24020.bradh@frogmouth.net> On Tuesday 01 September 2009 20:07:29 Tang Tong-A21500 wrote: > As title. Revision to my previous advice, after catching up on my gnutls-devel mailing list mail. It appears that gnutls now has SHA2. [bradh at conferta src]$ ./gnutls-cli --list Cipher suites: TLS_ANON_DH_ARCFOUR_MD5 0x00, 0x18 SSL3.0 TLS_ANON_DH_3DES_EDE_CBC_SHA1 0x00, 0x1b SSL3.0 TLS_ANON_DH_AES_128_CBC_SHA1 0x00, 0x34 SSL3.0 TLS_ANON_DH_AES_256_CBC_SHA1 0x00, 0x3a SSL3.0 TLS_ANON_DH_AES_128_CBC_SHA256 0x00, 0x6c TLS1.2 TLS_ANON_DH_AES_256_CBC_SHA256 0x00, 0x6d TLS1.2 TLS_PSK_SHA_ARCFOUR_SHA1 0x00, 0x8a TLS1.0 TLS_PSK_SHA_3DES_EDE_CBC_SHA1 0x00, 0x8b TLS1.0 TLS_PSK_SHA_AES_128_CBC_SHA1 0x00, 0x8c TLS1.0 TLS_PSK_SHA_AES_256_CBC_SHA1 0x00, 0x8d TLS1.0 TLS_DHE_PSK_SHA_ARCFOUR_SHA1 0x00, 0x8e TLS1.0 TLS_DHE_PSK_SHA_3DES_EDE_CBC_SHA1 0x00, 0x8f TLS1.0 TLS_DHE_PSK_SHA_AES_128_CBC_SHA1 0x00, 0x90 TLS1.0 TLS_DHE_PSK_SHA_AES_256_CBC_SHA1 0x00, 0x91 TLS1.0 TLS_SRP_SHA_3DES_EDE_CBC_SHA1 0xc0, 0x1a TLS1.0 TLS_SRP_SHA_AES_128_CBC_SHA1 0xc0, 0x1d TLS1.0 TLS_SRP_SHA_AES_256_CBC_SHA1 0xc0, 0x20 TLS1.0 TLS_SRP_SHA_DSS_3DES_EDE_CBC_SHA1 0xc0, 0x1c TLS1.0 TLS_SRP_SHA_RSA_3DES_EDE_CBC_SHA1 0xc0, 0x1b TLS1.0 TLS_SRP_SHA_DSS_AES_128_CBC_SHA1 0xc0, 0x1f TLS1.0 TLS_SRP_SHA_RSA_AES_128_CBC_SHA1 0xc0, 0x1e TLS1.0 TLS_SRP_SHA_DSS_AES_256_CBC_SHA1 0xc0, 0x22 TLS1.0 TLS_SRP_SHA_RSA_AES_256_CBC_SHA1 0xc0, 0x21 TLS1.0 TLS_DHE_DSS_ARCFOUR_SHA1 0x00, 0x66 TLS1.0 TLS_DHE_DSS_3DES_EDE_CBC_SHA1 0x00, 0x13 SSL3.0 TLS_DHE_DSS_AES_128_CBC_SHA1 0x00, 0x32 SSL3.0 TLS_DHE_DSS_AES_256_CBC_SHA1 0x00, 0x38 SSL3.0 TLS_DHE_DSS_AES_128_CBC_SHA256 0x00, 0x40 TLS1.2 TLS_DHE_DSS_AES_256_CBC_SHA256 0x00, 0x6a TLS1.2 TLS_DHE_RSA_3DES_EDE_CBC_SHA1 0x00, 0x16 SSL3.0 TLS_DHE_RSA_AES_128_CBC_SHA1 0x00, 0x33 SSL3.0 TLS_DHE_RSA_AES_256_CBC_SHA1 0x00, 0x39 SSL3.0 TLS_DHE_RSA_AES_128_CBC_SHA256 0x00, 0x67 TLS1.2 TLS_DHE_RSA_AES_256_CBC_SHA256 0x00, 0x6b TLS1.2 TLS_RSA_NULL_MD5 0x00, 0x01 SSL3.0 TLS_RSA_EXPORT_ARCFOUR_40_MD5 0x00, 0x03 SSL3.0 TLS_RSA_ARCFOUR_SHA1 0x00, 0x05 SSL3.0 TLS_RSA_ARCFOUR_MD5 0x00, 0x04 SSL3.0 TLS_RSA_3DES_EDE_CBC_SHA1 0x00, 0x0a SSL3.0 TLS_RSA_AES_128_CBC_SHA1 0x00, 0x2f SSL3.0 TLS_RSA_AES_256_CBC_SHA1 0x00, 0x35 SSL3.0 TLS_RSA_AES_128_CBC_SHA256 0x00, 0x3c TLS1.2 TLS_RSA_AES_256_CBC_SHA256 0x00, 0x3d TLS1.2 Certificate types: X.509, OPENPGP Protocols: SSL3.0, TLS1.0, TLS1.1, TLS1.2 Ciphers: AES-256-CBC, AES-128-CBC, 3DES-CBC, DES-CBC, ARCFOUR-128, ARCFOUR-40, RC2-40, NULL MACs: SHA1, MD5, SHA256, SHA384, SHA512, MD2, RIPEMD160, NULL Key exchange algorithms: ANON-DH, RSA, RSA-EXPORT, DHE-RSA, DHE-DSS, SRP-DSS, SRP-RSA, SRP, PSK, DHE-PSK Compression: DEFLATE, NULL Public Key Systems: RSA, DSA PK-signatures: RSA-SHA, RSA-SHA256, RSA-SHA384, RSA-SHA512, RSA-RMD160, DSA- SHA, RSA-MD5, RSA-MD2 From simon at josefsson.org Tue Sep 1 15:36:21 2009 From: simon at josefsson.org (Simon Josefsson) Date: Tue, 01 Sep 2009 15:36:21 +0200 Subject: Anybody know TLS_RSA_WITH_AES_256_CBC_SHA256 is supported by gnutls or not In-Reply-To: <200909012218.24020.bradh@frogmouth.net> (Brad Hards's message of "Tue, 1 Sep 2009 22:18:23 +1000") References: <3B5C8B8FB6D8874DA89B26741B42BBA0620C77@zmy16exm69.ds.mot.com> <200909012218.24020.bradh@frogmouth.net> Message-ID: <87vdk223e2.fsf@mocca.josefsson.org> Brad Hards writes: > On Tuesday 01 September 2009 20:07:29 Tang Tong-A21500 wrote: >> As title. > Revision to my previous advice, after catching up on my gnutls-devel mailing > list mail. It appears that gnutls now has SHA2. Correct, but only on the experimental v2.9.x branch. Once we have confirmed that server-side TLS 1.2 is working, I want to release it as a stable branch and enable TLS 1.2 by default. We've delayed proper TLS 1.2 support long enough already. /Simon > [bradh at conferta src]$ ./gnutls-cli --list > Cipher suites: > TLS_ANON_DH_ARCFOUR_MD5 0x00, 0x18 SSL3.0 > TLS_ANON_DH_3DES_EDE_CBC_SHA1 0x00, 0x1b SSL3.0 > TLS_ANON_DH_AES_128_CBC_SHA1 0x00, 0x34 SSL3.0 > TLS_ANON_DH_AES_256_CBC_SHA1 0x00, 0x3a SSL3.0 > TLS_ANON_DH_AES_128_CBC_SHA256 0x00, 0x6c TLS1.2 > TLS_ANON_DH_AES_256_CBC_SHA256 0x00, 0x6d TLS1.2 > TLS_PSK_SHA_ARCFOUR_SHA1 0x00, 0x8a TLS1.0 > TLS_PSK_SHA_3DES_EDE_CBC_SHA1 0x00, 0x8b TLS1.0 > TLS_PSK_SHA_AES_128_CBC_SHA1 0x00, 0x8c TLS1.0 > TLS_PSK_SHA_AES_256_CBC_SHA1 0x00, 0x8d TLS1.0 > TLS_DHE_PSK_SHA_ARCFOUR_SHA1 0x00, 0x8e TLS1.0 > TLS_DHE_PSK_SHA_3DES_EDE_CBC_SHA1 0x00, 0x8f TLS1.0 > TLS_DHE_PSK_SHA_AES_128_CBC_SHA1 0x00, 0x90 TLS1.0 > TLS_DHE_PSK_SHA_AES_256_CBC_SHA1 0x00, 0x91 TLS1.0 > TLS_SRP_SHA_3DES_EDE_CBC_SHA1 0xc0, 0x1a TLS1.0 > TLS_SRP_SHA_AES_128_CBC_SHA1 0xc0, 0x1d TLS1.0 > TLS_SRP_SHA_AES_256_CBC_SHA1 0xc0, 0x20 TLS1.0 > TLS_SRP_SHA_DSS_3DES_EDE_CBC_SHA1 0xc0, 0x1c TLS1.0 > TLS_SRP_SHA_RSA_3DES_EDE_CBC_SHA1 0xc0, 0x1b TLS1.0 > TLS_SRP_SHA_DSS_AES_128_CBC_SHA1 0xc0, 0x1f TLS1.0 > TLS_SRP_SHA_RSA_AES_128_CBC_SHA1 0xc0, 0x1e TLS1.0 > TLS_SRP_SHA_DSS_AES_256_CBC_SHA1 0xc0, 0x22 TLS1.0 > TLS_SRP_SHA_RSA_AES_256_CBC_SHA1 0xc0, 0x21 TLS1.0 > TLS_DHE_DSS_ARCFOUR_SHA1 0x00, 0x66 TLS1.0 > TLS_DHE_DSS_3DES_EDE_CBC_SHA1 0x00, 0x13 SSL3.0 > TLS_DHE_DSS_AES_128_CBC_SHA1 0x00, 0x32 SSL3.0 > TLS_DHE_DSS_AES_256_CBC_SHA1 0x00, 0x38 SSL3.0 > TLS_DHE_DSS_AES_128_CBC_SHA256 0x00, 0x40 TLS1.2 > TLS_DHE_DSS_AES_256_CBC_SHA256 0x00, 0x6a TLS1.2 > TLS_DHE_RSA_3DES_EDE_CBC_SHA1 0x00, 0x16 SSL3.0 > TLS_DHE_RSA_AES_128_CBC_SHA1 0x00, 0x33 SSL3.0 > TLS_DHE_RSA_AES_256_CBC_SHA1 0x00, 0x39 SSL3.0 > TLS_DHE_RSA_AES_128_CBC_SHA256 0x00, 0x67 TLS1.2 > TLS_DHE_RSA_AES_256_CBC_SHA256 0x00, 0x6b TLS1.2 > TLS_RSA_NULL_MD5 0x00, 0x01 SSL3.0 > TLS_RSA_EXPORT_ARCFOUR_40_MD5 0x00, 0x03 SSL3.0 > TLS_RSA_ARCFOUR_SHA1 0x00, 0x05 SSL3.0 > TLS_RSA_ARCFOUR_MD5 0x00, 0x04 SSL3.0 > TLS_RSA_3DES_EDE_CBC_SHA1 0x00, 0x0a SSL3.0 > TLS_RSA_AES_128_CBC_SHA1 0x00, 0x2f SSL3.0 > TLS_RSA_AES_256_CBC_SHA1 0x00, 0x35 SSL3.0 > TLS_RSA_AES_128_CBC_SHA256 0x00, 0x3c TLS1.2 > TLS_RSA_AES_256_CBC_SHA256 0x00, 0x3d TLS1.2 > Certificate types: X.509, OPENPGP > Protocols: SSL3.0, TLS1.0, TLS1.1, TLS1.2 > Ciphers: AES-256-CBC, AES-128-CBC, 3DES-CBC, DES-CBC, ARCFOUR-128, ARCFOUR-40, > RC2-40, NULL > MACs: SHA1, MD5, SHA256, SHA384, SHA512, MD2, RIPEMD160, NULL > Key exchange algorithms: ANON-DH, RSA, RSA-EXPORT, DHE-RSA, DHE-DSS, SRP-DSS, > SRP-RSA, SRP, PSK, DHE-PSK > Compression: DEFLATE, NULL > Public Key Systems: RSA, DSA > PK-signatures: RSA-SHA, RSA-SHA256, RSA-SHA384, RSA-SHA512, RSA-RMD160, DSA- > SHA, RSA-MD5, RSA-MD2 From simon at josefsson.org Tue Sep 8 09:53:31 2009 From: simon at josefsson.org (Simon Josefsson) Date: Tue, 08 Sep 2009 09:53:31 +0200 Subject: 2.8.4 release candidate Message-ID: <87my55j2is.fsf@mocca.josefsson.org> All, I'll release a new stable release 2.8.4 soon to fix OpenPGP name checking. Unless I hear anything, it will be identical to http://daily.josefsson.org/gnutls-2.8/gnutls-2.8-20090908.tar.bz2 so please test that file as if it were the next stable release! If you want to check the patches that went in since 2.8.3, see: http://git.savannah.gnu.org/cgit/gnutls.git/log/?h=gnutls_2_8_x /Simon From exa.exa at gmail.com Fri Sep 11 09:08:59 2009 From: exa.exa at gmail.com (Miroslav Kratochvil) Date: Fri, 11 Sep 2009 09:08:59 +0200 Subject: some strange decryption errors + one enhancement notice Message-ID: Hi, I'm using GnuTLS library to develop a small and secure networking tool, see [1]. Recently I came to a very strange problem: My application is used for data transfer, and all sockets used are non-blocking. When there's too much of data to send, it usually comes to the state that the application needs to write, but socket is full (resulting in returning a 'would block' from gnutls_record_send() and waiting for a writeable socket). In these cases, the application usually starts to randomly fail in this way: 1] the second peer (the one that didn't fill up the send queue) reports gnutls error "Decryption failed" thrown by a call to gnutls_record_recv() 2] the first peer then (as usual) fails with "TLS packet with unexpected length was received", which is most probably a result of having the other connection endpoint closed. My little debugging search led to gnutls_cipher.c, where the "decryption failed" error seems to originate. It is detected in line 535 (below the comment "Check padding bytes, TLS 1.x") and returned after 'if (pad_failed!=0)' on line 572 (please note that this return probably misses gnutls_assert() call, it can be helpful on debugging.. or at least it helped me after i added it;) ) Now about my question: As a reliable transport (TCP) is used to transfer the packets, how is it possible that receiving end detects corrupted data? I guess the possible causes can be those: a] I'm somehow using gnutls_record_send in a very bad manner, especially when it returns after non-successful nonblocking write; which causes some data corruption of outgoing data, which is then detected by the other communication peer. Is it possible? b] Improbable bug in GnuTLS padding-creating function. c] Very improbable bug in GnuTLS padding-checking function. d] Extremely improbable: TCP stack somehow fails, or "Decryption failed" error is caused by connection problem. I expect that it's a]. Could someone comment on correct send retrying (gnutls manual isn't very talkative at that section)? If I'm somehow wrong, please correct me. If you want to see my source, please see [2]. Thanks in advance, Mirek Kratochvil [1] http://e-x-a.org/?view=cloudvpn [2] http://e-x-a.org/repos/view.cgi/cloudvpn/tree/src/cloud/comm.cpp#n683 From simon at josefsson.org Fri Sep 11 16:28:31 2009 From: simon at josefsson.org (Simon Josefsson) Date: Fri, 11 Sep 2009 16:28:31 +0200 Subject: some strange decryption errors + one enhancement notice In-Reply-To: (Miroslav Kratochvil's message of "Fri, 11 Sep 2009 09:08:59 +0200") References: Message-ID: <878wgltv1s.fsf@mocca.josefsson.org> Miroslav Kratochvil writes: > Hi, > > I'm using GnuTLS library to develop a small and secure networking > tool, see [1]. Recently I came to a very strange problem: > > My application is used for data transfer, and all sockets used are > non-blocking. When there's too much of data to send, it usually comes > to the state that the application needs to write, but socket is full > (resulting in returning a 'would block' from gnutls_record_send() and > waiting for a writeable socket). In these cases, the application > usually starts to randomly fail in this way: Which version? 2.8.2 fixed a bug for non-blocking use: ** libgnutls: Avoid internal error when invoked after GNUTLS_E_AGAIN. Report and patch by Tim Kosse in and . I'm not sure it is the same as you are seeing though... /Simon From exa.exa at gmail.com Fri Sep 11 17:50:07 2009 From: exa.exa at gmail.com (Miroslav Kratochvil) Date: Fri, 11 Sep 2009 17:50:07 +0200 Subject: some strange decryption errors + one enhancement notice In-Reply-To: <878wgltv1s.fsf@mocca.josefsson.org> References: <878wgltv1s.fsf@mocca.josefsson.org> Message-ID: Well, I probably solved it - seems it was roughly the error from a] that I described in last post (my error was that I was calling gnutls_record_send for the same data, but with different (larger) buffer size), sometimes combined with this bug. GnuTLS 2.8.3 with my fixed version works perfectly now. I'm not sure whether there shouldn't be some kind of input checking in gnutls_record_send - if calling a retry with larger buffer size results in output data corruption, I guess it should be avoided. Anyway, this is the diff for that one assert I was missing when searching for the problem, I guess it could get helpful sometime: --- lib/gnutls_cipher.c.old 2009-09-11 17:43:18.000000000 +0200 +++ lib/gnutls_cipher.c 2009-09-11 17:43:38.000000000 +0200 @@ -571,7 +571,10 @@ * 1.0 protocol. */ if (pad_failed != 0) + { + gnutls_assert (); return pad_failed; + } /* HMAC was not the same. */ Thanks for help, Mirek Kratochvil On Fri, Sep 11, 2009 at 4:28 PM, Simon Josefsson wrote: > Miroslav Kratochvil writes: > >> Hi, >> >> I'm using GnuTLS library to develop a small and secure networking >> tool, see [1]. Recently I came to a very strange problem: >> >> My application is used for data transfer, and all sockets used are >> non-blocking. When there's too much of data to send, it usually comes >> to the state that the application needs to write, but socket is full >> (resulting in returning a 'would block' from gnutls_record_send() and >> waiting for a writeable socket). In these cases, the application >> usually starts to randomly fail in this way: > > Which version? ?2.8.2 fixed a bug for non-blocking use: > > ** libgnutls: Avoid internal error when invoked after GNUTLS_E_AGAIN. > Report and patch by Tim Kosse in > > and > . > > I'm not sure it is the same as you are seeing though... > > /Simon > From simon at josefsson.org Fri Sep 11 19:37:29 2009 From: simon at josefsson.org (Simon Josefsson) Date: Fri, 11 Sep 2009 19:37:29 +0200 Subject: some strange decryption errors + one enhancement notice In-Reply-To: (Miroslav Kratochvil's message of "Fri, 11 Sep 2009 17:50:07 +0200") References: <878wgltv1s.fsf@mocca.josefsson.org> Message-ID: <87fxats7qe.fsf@mocca.josefsson.org> Miroslav Kratochvil writes: > Well, > I probably solved it - seems it was roughly the error from a] that I > described in last post (my error was that I was calling > gnutls_record_send for the same data, but with different (larger) > buffer size), sometimes combined with this bug. GnuTLS 2.8.3 with my > fixed version works perfectly now. Great! > I'm not sure whether there shouldn't be some kind of input checking in > gnutls_record_send - if calling a retry with larger buffer size > results in output data corruption, I guess it should be avoided. Yes... although the documentation says to call it again using same parameters. > Anyway, this is the diff for that one assert I was missing when > searching for the problem, I guess it could get helpful sometime: Indeed, I have added it. /Simon > --- lib/gnutls_cipher.c.old 2009-09-11 17:43:18.000000000 +0200 > +++ lib/gnutls_cipher.c 2009-09-11 17:43:38.000000000 +0200 > @@ -571,7 +571,10 @@ > * 1.0 protocol. > */ > if (pad_failed != 0) > + { > + gnutls_assert (); > return pad_failed; > + } > > /* HMAC was not the same. > */ > > > Thanks for help, > Mirek Kratochvil > > > > On Fri, Sep 11, 2009 at 4:28 PM, Simon Josefsson wrote: >> Miroslav Kratochvil writes: >> >>> Hi, >>> >>> I'm using GnuTLS library to develop a small and secure networking >>> tool, see [1]. Recently I came to a very strange problem: >>> >>> My application is used for data transfer, and all sockets used are >>> non-blocking. When there's too much of data to send, it usually comes >>> to the state that the application needs to write, but socket is full >>> (resulting in returning a 'would block' from gnutls_record_send() and >>> waiting for a writeable socket). In these cases, the application >>> usually starts to randomly fail in this way: >> >> Which version? ?2.8.2 fixed a bug for non-blocking use: >> >> ** libgnutls: Avoid internal error when invoked after GNUTLS_E_AGAIN. >> Report and patch by Tim Kosse in >> >> and >> . >> >> I'm not sure it is the same as you are seeing though... >> >> /Simon >> From simon at josefsson.org Fri Sep 18 11:26:03 2009 From: simon at josefsson.org (Simon Josefsson) Date: Fri, 18 Sep 2009 11:26:03 +0200 Subject: GnuTLS 2.8.4 Message-ID: <87ocp861uc.fsf@mocca.josefsson.org> We are proud to announce a new stable GnuTLS release: Version 2.8.4. GnuTLS is a modern C library that implements the standard network security protocol Transport Layer Security (TLS), for use by network applications. GnuTLS is developed for GNU/Linux, but works on many Unix-like systems and comes with a binary installer for Windows. The GnuTLS library is distributed under the terms of the GNU Lesser General Public License version 2.1 (or later). The "extra" GnuTLS library (which contains TLS/IA support, LZO compression and Libgcrypt FIPS-mode handler), the OpenSSL compatibility library, the self tests and the command line tools are all distributed under the GNU General Public License version 3.0 (or later). The manual is distributed under the GNU Free Documentation License version 1.3 (or later). The project page of the library is available at: http://www.gnu.org/software/gnutls/ What's New ========== ** libgnutls: Enable Camellia ciphers by default. ** libgnutls: Make OpenPGP hostname checking work again. The patch to resolve the X.509 CN/SAN issue accidentally broken OpenPGP hostname comparison. ** libgnutls: When printing X.509 certificates, handle XMPP SANs better. Reported by Howard Chu in . ** API and ABI modifications: No changes since last version. Getting the Software ==================== GnuTLS may be downloaded from one of the mirror sites or direct from . The list of mirrors can be found at . Here are the BZIP2 compressed sources (6.0MB): ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.8.4.tar.bz2 http://ftp.gnu.org/gnu/gnutls/gnutls-2.8.4.tar.bz2 Here are OpenPGP detached signatures signed using key 0xB565716F: ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.8.4.tar.bz2.sig http://ftp.gnu.org/gnu/gnutls/gnutls-2.8.4.tar.bz2.sig Note, that we don't distribute gzip compressed tarballs. In order to check that the version of GnuTLS which you are going to install is an original and unmodified one, you should verify the OpenPGP signature. You can use the command gpg --verify gnutls-2.8.4.tar.bz2.sig This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by that signing key. Make sure that you have the right key, either by checking the fingerprint of that key with other sources or by checking that the key has been signed by a trustworthy other key. The signing key can be identified with the following information: pub 1280R/B565716F 2002-05-05 [expires: 2010-04-21] Key fingerprint = 0424 D4EE 81A0 E3D1 19C6 F835 EDA2 1E94 B565 716F uid Simon Josefsson uid Simon Josefsson sub 1280R/4D5D40AE 2002-05-05 [expires: 2010-04-21] The key is available from: http://josefsson.org/key.txt dns:b565716f.josefsson.org?TYPE=CERT Alternatively, after successfully verifying the OpenPGP signature of this announcement, you could verify that the files match the following checksum values. The values are for SHA-1 and SHA-224 respectively: 27bea240164b9287807543387682c7052f7318c2 gnutls-2.8.4.tar.bz2 01199002c127f3399a9c983e89c0a32de2983855cf20c10ffbe182a1 gnutls-2.8.4.tar.bz2 Documentation ============= The manual is available online at: http://www.gnu.org/software/gnutls/documentation.html In particular the following formats are available: HTML: http://www.gnu.org/software/gnutls/manual/html_node/index.html PDF: http://www.gnu.org/software/gnutls/manual/gnutls.pdf For developers there is a GnuTLS API reference manual formatted using the GTK-DOC tools: http://www.gnu.org/software/gnutls/reference/gnutls-gnutls.html For developers interested in improving code quality, we publish Cyclomatic code complexity charts that help you find code that may need review and improvements: http://www.gnu.org/software/gnutls/cyclo/ Also useful are code coverage charts which indicate parts of the source code that needs to be tested better by the included self-tests: http://www.gnu.org/software/gnutls/coverage/ Community ========= If you need help to use GnuTLS, or want to help others, you are invited to join our help-gnutls mailing list, see: http://lists.gnu.org/mailman/listinfo/help-gnutls If you wish to participate in the development of GnuTLS, you are invited to join our gnutls-dev mailing list, see: http://lists.gnu.org/mailman/listinfo/gnutls-devel Windows installer ================= GnuTLS has been ported to the Windows operating system, and a binary installer is available. The installer contains DLLs for application development, manuals, examples, and source code. The installer includes libgpg-error v1.7, libgcrypt v1.4.4, libtasn1 v2.3, and GnuTLS v2.8.4. For more information about GnuTLS for Windows: http://josefsson.org/gnutls4win/ The Windows binary installer and PGP signature: http://josefsson.org/gnutls4win/gnutls-2.8.4.exe (15MB) http://josefsson.org/gnutls4win/gnutls-2.8.4.exe.sig The checksum values for SHA-1 and SHA-224 are: 0205a1ce535744e675a9d5f1087d03a671d785e8 gnutls-2.8.4.exe 84033d1d26140bf705758cb4cc813d0eb6ab59b059103c6980abf60a gnutls-2.8.4.exe A ZIP archive containing the Windows binaries: http://josefsson.org/gnutls4win/gnutls-2.8.4.zip (5.3MB) http://josefsson.org/gnutls4win/gnutls-2.8.4.zip.sig The checksum values for SHA-1 and SHA-224 are: 38aa360a5b4471abf66ef9f08e0cdb7374ed6957 gnutls-2.8.4.zip cf6e475623dc581a9f5b5a5deccbd764d56eddb7256c298b2d98c38b gnutls-2.8.4.zip A Debian mingw32 package is also available: http://josefsson.org/gnutls4win/mingw32-gnutls_2.8.4-1_all.deb (4.8MB) The checksum values for SHA-1 and SHA-224 are: e8d222b86fe89a3819da73c8b0391e9512a9f140 mingw32-gnutls_2.8.4-1_all.deb 73fc1a233713539c454d277b1858f63fe62954c8a212ec964481c545 mingw32-gnutls_2.8.4-1_all.deb Internationalization ==================== The GnuTLS library messages have been translated into Czech, Dutch, French, German, Malay, Polish, Swedish, and Vietnamese. We welcome the addition of more translations. Support ======= Improving GnuTLS is costly, but you can help! We are looking for organizations that find GnuTLS useful and wish to contribute back. You can contribute by reporting bugs, improve the software, or donate money or equipment. Commercial support contracts for GnuTLS are available, and they help finance continued maintenance. Simon Josefsson Datakonsult AB, a Stockholm based privately held company, is currently funding GnuTLS maintenance. We are always looking for interesting development projects. See http://josefsson.org/ for more details. The GnuTLS service directory is available at: http://www.gnu.org/software/gnutls/commercial.html Happy Hacking, Simon -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 419 bytes Desc: not available URL: From exa.exa at gmail.com Sat Sep 19 19:51:28 2009 From: exa.exa at gmail.com (Miroslav Kratochvil) Date: Sat, 19 Sep 2009 19:51:28 +0200 Subject: some possible errors on sparc? Message-ID: Hi, today I was trying to run GnuTLS on sparc and connect it to an amd64 machine, well, result is that connection dies because of: Error: Decryption has failed. on one side, and with Fatal error: A TLS fatal alert has been received. on the other side. Note that sparc-sparc connects without any problem. The exact machine is 'TI UltraSparc IIe (Hummingbird) GNU/Linux' running gentoo. If anyone had an idea about what's wrong on sparc, please comment this. Seems like some data sizing problem to me, but i'm not really sure (at least I haven't found any obvious cause yet.) Full logs from disconnecting gnutls-cli and -serv are attached below. Thanks in advance, Mirek Kratochvil ---- Now for the logs: ## server side (sparc) ## # gnutls-serv --debug 9 --x509cafile ca.crt --x509keyfile ssl.key --x509certfile ssl.crt --echo -p 15135 Set static Diffie Hellman parameters, consider --dhparams. Processed 1 CA certificate(s). |<2>| ASSERT: x509_b64.c:452 |<2>| Could not find '-----BEGIN RSA PRIVATE KEY' Echo Server ready. Listening to port '15135'. |<4>| REC[746a0]: Expected Packet[0] Handshake(22) with length: 1 |<4>| REC[746a0]: Received Packet[0] Handshake(22) with length: 121 |<2>| ASSERT: gnutls_cipher.c:204 |<4>| REC[746a0]: Decrypted Packet[0] Handshake(22) with length: 121 |<3>| HSK[746a0]: CLIENT HELLO was received [121 bytes] |<3>| HSK[746a0]: Client's version: 3.2 |<2>| ASSERT: gnutls_db.c:326 |<2>| ASSERT: gnutls_db.c:246 |<2>| EXT[746a0]: Received extension 'CERT_TYPE/9' |<2>| EXT[746a0]: Received extension 'SERVER_NAME/0' |<2>| EXT[746a0]: Received extension 'CERT_TYPE/9' |<2>| EXT[746a0]: Received extension 'SERVER_NAME/0' |<3>| HSK[746a0]: Removing ciphersuite: PSK_SHA_ARCFOUR_SHA1 |<3>| HSK[746a0]: Removing ciphersuite: PSK_SHA_3DES_EDE_CBC_SHA1 |<3>| HSK[746a0]: Removing ciphersuite: PSK_SHA_AES_128_CBC_SHA1 |<3>| HSK[746a0]: Removing ciphersuite: PSK_SHA_AES_256_CBC_SHA1 |<3>| HSK[746a0]: Removing ciphersuite: DHE_PSK_SHA_ARCFOUR_SHA1 |<3>| HSK[746a0]: Removing ciphersuite: DHE_PSK_SHA_3DES_EDE_CBC_SHA1 |<3>| HSK[746a0]: Removing ciphersuite: DHE_PSK_SHA_AES_128_CBC_SHA1 |<3>| HSK[746a0]: Removing ciphersuite: DHE_PSK_SHA_AES_256_CBC_SHA1 |<3>| HSK[746a0]: Removing ciphersuite: SRP_SHA_3DES_EDE_CBC_SHA1 |<3>| HSK[746a0]: Removing ciphersuite: SRP_SHA_AES_128_CBC_SHA1 |<3>| HSK[746a0]: Removing ciphersuite: SRP_SHA_AES_256_CBC_SHA1 |<3>| HSK[746a0]: Removing ciphersuite: SRP_SHA_DSS_3DES_EDE_CBC_SHA1 |<3>| HSK[746a0]: Removing ciphersuite: SRP_SHA_RSA_3DES_EDE_CBC_SHA1 |<3>| HSK[746a0]: Removing ciphersuite: SRP_SHA_DSS_AES_128_CBC_SHA1 |<3>| HSK[746a0]: Removing ciphersuite: SRP_SHA_RSA_AES_128_CBC_SHA1 |<3>| HSK[746a0]: Removing ciphersuite: SRP_SHA_DSS_AES_256_CBC_SHA1 |<3>| HSK[746a0]: Removing ciphersuite: SRP_SHA_RSA_AES_256_CBC_SHA1 |<3>| HSK[746a0]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1 |<3>| HSK[746a0]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1 |<3>| HSK[746a0]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1 |<3>| HSK[746a0]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA1 |<3>| HSK[746a0]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA1 |<3>| HSK[746a0]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA1 |<3>| HSK[746a0]: Removing ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1 |<3>| HSK[746a0]: Removing ciphersuite: DHE_RSA_AES_128_CBC_SHA1 |<3>| HSK[746a0]: Removing ciphersuite: DHE_RSA_AES_256_CBC_SHA1 |<3>| HSK[746a0]: Removing ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1 |<3>| HSK[746a0]: Removing ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1 |<3>| HSK[746a0]: Removing ciphersuite: RSA_ARCFOUR_SHA1 |<3>| HSK[746a0]: Removing ciphersuite: RSA_ARCFOUR_MD5 |<3>| HSK[746a0]: Removing ciphersuite: RSA_3DES_EDE_CBC_SHA1 |<3>| HSK[746a0]: Removing ciphersuite: RSA_AES_128_CBC_SHA1 |<3>| HSK[746a0]: Removing ciphersuite: RSA_AES_256_CBC_SHA1 |<3>| HSK[746a0]: Removing ciphersuite: RSA_CAMELLIA_128_CBC_SHA1 |<3>| HSK[746a0]: Removing ciphersuite: RSA_CAMELLIA_256_CBC_SHA1 |<3>| HSK[746a0]: Selected cipher suite: DHE_DSS_AES_128_CBC_SHA1 |<3>| HSK[746a0]: Selected Compression Method: NULL |<3>| HSK[746a0]: SessionID: 3dd101d3c7914ac90c3ee763390c2d3e983d5b54a2f3a9142bd5db94cea5b867 |<3>| HSK[746a0]: SERVER HELLO was send [74 bytes] |<4>| REC[746a0]: Sending Packet[0] Handshake(22) with length: 74 |<2>| ASSERT: gnutls_cipher.c:204 |<4>| REC[746a0]: Sent Packet[1] Handshake(22) with length: 79 |<3>| HSK[746a0]: CERTIFICATE was send [2351 bytes] |<4>| REC[746a0]: Sending Packet[1] Handshake(22) with length: 2351 |<2>| ASSERT: gnutls_cipher.c:204 |<4>| REC[746a0]: Sent Packet[2] Handshake(22) with length: 2356 |<3>| HSK[746a0]: SERVER KEY EXCHANGE was send [331 bytes] |<4>| REC[746a0]: Sending Packet[2] Handshake(22) with length: 331 |<2>| ASSERT: gnutls_cipher.c:204 |<4>| REC[746a0]: Sent Packet[3] Handshake(22) with length: 336 |<3>| HSK[746a0]: CERTIFICATE REQUEST was send [70 bytes] |<4>| REC[746a0]: Sending Packet[3] Handshake(22) with length: 70 |<2>| ASSERT: gnutls_cipher.c:204 |<4>| REC[746a0]: Sent Packet[4] Handshake(22) with length: 75 |<3>| HSK[746a0]: SERVER HELLO DONE was send [4 bytes] |<4>| REC[746a0]: Sending Packet[4] Handshake(22) with length: 4 |<2>| ASSERT: gnutls_cipher.c:204 |<4>| REC[746a0]: Sent Packet[5] Handshake(22) with length: 9 |<2>| ASSERT: gnutls_buffers.c:360 |<2>| ASSERT: gnutls_buffers.c:1151 |<2>| ASSERT: gnutls_handshake.c:1045 |<4>| REC[746a0]: Expected Packet[1] Handshake(22) with length: 1 |<4>| REC[746a0]: Received Packet[1] Handshake(22) with length: 2351 |<2>| ASSERT: gnutls_cipher.c:204 |<4>| REC[746a0]: Decrypted Packet[1] Handshake(22) with length: 2351 |<3>| HSK[746a0]: CERTIFICATE was received [2351 bytes] |<2>| ASSERT: gnutls_buffers.c:360 |<2>| ASSERT: gnutls_buffers.c:1151 |<2>| ASSERT: gnutls_handshake.c:1045 |<4>| REC[746a0]: Expected Packet[2] Handshake(22) with length: 1 |<4>| REC[746a0]: Received Packet[2] Handshake(22) with length: 134 |<2>| ASSERT: gnutls_cipher.c:204 |<4>| REC[746a0]: Decrypted Packet[2] Handshake(22) with length: 134 |<3>| HSK[746a0]: CLIENT KEY EXCHANGE was received [134 bytes] |<4>| REC[746a0]: Expected Packet[3] Handshake(22) with length: 1 |<4>| REC[746a0]: Received Packet[3] Handshake(22) with length: 68 |<2>| ASSERT: gnutls_cipher.c:204 |<4>| REC[746a0]: Decrypted Packet[3] Handshake(22) with length: 68 |<3>| HSK[746a0]: CERTIFICATE VERIFY was received [68 bytes] |<4>| REC[746a0]: Expected Packet[4] Change Cipher Spec(20) with length: 1 |<4>| REC[746a0]: Received Packet[4] Change Cipher Spec(20) with length: 1 |<2>| ASSERT: gnutls_cipher.c:204 |<4>| REC[746a0]: ChangeCipherSpec Packet was received |<9>| INT: PREMASTER SECRET[128]: 653c0772433e1eea046a891f8290cb5e27681e50bb07d206f59048350d1847ced5179b2acc933b669b7ff378d0b2d298323f06334782e4cf4f37759847553116e0a409bd2afb9cfd6c26c44245108b04571c7660b23cb0f035f0d39c5a9868f6a4d14f102a2486152a7d4a836581b17c32dfb4ea9d1309fa0aa85576d7cac73b |<9>| INT: CLIENT RANDOM[32]: 4ab5145766276591b6df4f3d3603b5602ca7272dac4fa03d39ed2e5ac9d8f21a |<9>| INT: SERVER RANDOM[32]: 4ab5146f5e9d0f5915218d467006e3a55e8ce0fbac3936f00ce092612aae4b93 |<9>| INT: MASTER SECRET: 0a290575d29c8aa4a96944f7dff67b9b4a3a1a763373a2bc5b267c0e67d1f5dce018670478b022df232575b535f1cfce |<9>| INT: KEY BLOCK[104]: d0faedea6c8baa006af6f09330be9b74cfdb49ccce6571c18cf5452788225f4f |<9>| INT: CLIENT WRITE KEY [16]: c33896bce2ebfefd2a0b650a05c92e87 |<9>| INT: SERVER WRITE KEY [16]: 7931f6300477f3e94563703092d07ee8 |<3>| HSK[746a0]: Cipher Suite: DHE_DSS_AES_128_CBC_SHA1 |<3>| HSK[746a0]: Initializing internal [read] cipher sessions AES-128 test encryption failed. |<4>| REC[746a0]: Expected Packet[0] Handshake(22) with length: 1 |<4>| REC[746a0]: Received Packet[0] Handshake(22) with length: 80 |<2>| ASSERT: gnutls_cipher.c:516 |<4>| REC[746a0]: Short record length 54 > 64 - 20 (under attack?) |<2>| ASSERT: gnutls_record.c:1002 |<2>| ASSERT: gnutls_buffers.c:1151 |<2>| ASSERT: gnutls_handshake.c:1045 |<2>| ASSERT: gnutls_handshake.c:599 |<2>| ASSERT: gnutls_handshake.c:2553 |<2>| ASSERT: gnutls_handshake.c:2685 Error in handshake Error: Decryption has failed. |<4>| REC: Sending Alert[2|20] - Bad record MAC |<4>| REC[746a0]: Sending Packet[5] Alert(21) with length: 2 |<2>| ASSERT: gnutls_cipher.c:204 |<4>| REC[746a0]: Sent Packet[6] Alert(21) with length: 7 |<2>| ASSERT: gnutls_record.c:262 ## client side (amd64) ## # gnutls-cli --debug 9 --x509keyfile ssl.key --x509certfile ssl.crt -p 15135 someserver Processed 1 client certificates... |<2>| ASSERT: x509_b64.c:452 |<2>| Could not find '-----BEGIN RSA PRIVATE KEY' Processed 1 client X.509 certificates... Resolving 'someserver'... Connecting to '....:15135'... |<3>| HSK[0x12d9e60]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1 |<3>| HSK[0x12d9e60]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1 |<3>| HSK[0x12d9e60]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1 |<3>| HSK[0x12d9e60]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1 |<3>| HSK[0x12d9e60]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA1 |<3>| HSK[0x12d9e60]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1 |<3>| HSK[0x12d9e60]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1 |<3>| HSK[0x12d9e60]: Keeping ciphersuite: DHE_PSK_SHA_AES_128_CBC_SHA1 |<3>| HSK[0x12d9e60]: Keeping ciphersuite: DHE_PSK_SHA_AES_256_CBC_SHA1 |<3>| HSK[0x12d9e60]: Keeping ciphersuite: DHE_PSK_SHA_3DES_EDE_CBC_SHA1 |<3>| HSK[0x12d9e60]: Keeping ciphersuite: DHE_PSK_SHA_ARCFOUR_SHA1 |<3>| HSK[0x12d9e60]: Removing ciphersuite: SRP_SHA_RSA_AES_128_CBC_SHA1 |<3>| HSK[0x12d9e60]: Removing ciphersuite: SRP_SHA_RSA_AES_256_CBC_SHA1 |<3>| HSK[0x12d9e60]: Removing ciphersuite: SRP_SHA_RSA_3DES_EDE_CBC_SHA1 |<3>| HSK[0x12d9e60]: Removing ciphersuite: SRP_SHA_DSS_AES_128_CBC_SHA1 |<3>| HSK[0x12d9e60]: Removing ciphersuite: SRP_SHA_DSS_AES_256_CBC_SHA1 |<3>| HSK[0x12d9e60]: Removing ciphersuite: SRP_SHA_DSS_3DES_EDE_CBC_SHA1 |<3>| HSK[0x12d9e60]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1 |<3>| HSK[0x12d9e60]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1 |<3>| HSK[0x12d9e60]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1 |<3>| HSK[0x12d9e60]: Keeping ciphersuite: RSA_ARCFOUR_SHA1 |<3>| HSK[0x12d9e60]: Keeping ciphersuite: RSA_ARCFOUR_MD5 |<3>| HSK[0x12d9e60]: Keeping ciphersuite: PSK_SHA_AES_128_CBC_SHA1 |<3>| HSK[0x12d9e60]: Keeping ciphersuite: PSK_SHA_AES_256_CBC_SHA1 |<3>| HSK[0x12d9e60]: Keeping ciphersuite: PSK_SHA_3DES_EDE_CBC_SHA1 |<3>| HSK[0x12d9e60]: Keeping ciphersuite: PSK_SHA_ARCFOUR_SHA1 |<3>| HSK[0x12d9e60]: Removing ciphersuite: SRP_SHA_AES_128_CBC_SHA1 |<3>| HSK[0x12d9e60]: Removing ciphersuite: SRP_SHA_AES_256_CBC_SHA1 |<3>| HSK[0x12d9e60]: Removing ciphersuite: SRP_SHA_3DES_EDE_CBC_SHA1 |<2>| EXT[0x12d9e60]: Sending extension CERT_TYPE |<2>| EXT[0x12d9e60]: Sending extension SERVER_NAME |<3>| HSK[0x12d9e60]: CLIENT HELLO was send [121 bytes] |<4>| REC[0x12d9e60]: Sending Packet[0] Handshake(22) with length: 121 |<2>| ASSERT: gnutls_cipher.c:204 |<4>| REC[0x12d9e60]: Sent Packet[1] Handshake(22) with length: 126 |<4>| REC[0x12d9e60]: Expected Packet[0] Handshake(22) with length: 1 |<4>| REC[0x12d9e60]: Received Packet[0] Handshake(22) with length: 74 |<2>| ASSERT: gnutls_cipher.c:204 |<4>| REC[0x12d9e60]: Decrypted Packet[0] Handshake(22) with length: 74 |<3>| HSK[0x12d9e60]: SERVER HELLO was received [74 bytes] |<3>| HSK[0x12d9e60]: Server's version: 3.2 |<3>| HSK[0x12d9e60]: SessionID length: 32 |<3>| HSK[0x12d9e60]: SessionID: 3dd101d3c7914ac90c3ee763390c2d3e983d5b54a2f3a9142bd5db94cea5b867 |<3>| HSK[0x12d9e60]: Selected cipher suite: DHE_DSS_AES_128_CBC_SHA1 |<2>| ASSERT: gnutls_extensions.c:124 |<4>| REC[0x12d9e60]: Expected Packet[1] Handshake(22) with length: 1 |<4>| REC[0x12d9e60]: Received Packet[1] Handshake(22) with length: 2351 |<2>| ASSERT: gnutls_cipher.c:204 |<4>| REC[0x12d9e60]: Decrypted Packet[1] Handshake(22) with length: 2351 |<3>| HSK[0x12d9e60]: CERTIFICATE was received [2351 bytes] |<4>| REC[0x12d9e60]: Expected Packet[2] Handshake(22) with length: 1 |<4>| REC[0x12d9e60]: Received Packet[2] Handshake(22) with length: 331 |<2>| ASSERT: gnutls_cipher.c:204 |<4>| REC[0x12d9e60]: Decrypted Packet[2] Handshake(22) with length: 331 |<3>| HSK[0x12d9e60]: SERVER KEY EXCHANGE was received [331 bytes] |<4>| REC[0x12d9e60]: Expected Packet[3] Handshake(22) with length: 1 |<4>| REC[0x12d9e60]: Received Packet[3] Handshake(22) with length: 70 |<2>| ASSERT: gnutls_cipher.c:204 |<4>| REC[0x12d9e60]: Decrypted Packet[3] Handshake(22) with length: 70 |<3>| HSK[0x12d9e60]: CERTIFICATE REQUEST was received [70 bytes] |<4>| REC[0x12d9e60]: Expected Packet[4] Handshake(22) with length: 1 |<4>| REC[0x12d9e60]: Received Packet[4] Handshake(22) with length: 4 |<2>| ASSERT: gnutls_cipher.c:204 |<4>| REC[0x12d9e60]: Decrypted Packet[4] Handshake(22) with length: 4 |<3>| HSK[0x12d9e60]: SERVER HELLO DONE was received [4 bytes] |<3>| HSK[0x12d9e60]: CERTIFICATE was send [2351 bytes] |<4>| REC[0x12d9e60]: Sending Packet[1] Handshake(22) with length: 2351 |<2>| ASSERT: gnutls_cipher.c:204 |<4>| REC[0x12d9e60]: Sent Packet[2] Handshake(22) with length: 2356 |<3>| HSK[0x12d9e60]: CLIENT KEY EXCHANGE was send [134 bytes] |<4>| REC[0x12d9e60]: Sending Packet[2] Handshake(22) with length: 134 |<2>| ASSERT: gnutls_cipher.c:204 |<4>| REC[0x12d9e60]: Sent Packet[3] Handshake(22) with length: 139 |<3>| HSK[0x12d9e60]: CERTIFICATE VERIFY was send [68 bytes] |<4>| REC[0x12d9e60]: Sending Packet[3] Handshake(22) with length: 68 |<2>| ASSERT: gnutls_cipher.c:204 |<4>| REC[0x12d9e60]: Sent Packet[4] Handshake(22) with length: 73 |<3>| REC[0x12d9e60]: Sent ChangeCipherSpec |<4>| REC[0x12d9e60]: Sending Packet[4] Change Cipher Spec(20) with length: 1 |<2>| ASSERT: gnutls_cipher.c:204 |<4>| REC[0x12d9e60]: Sent Packet[5] Change Cipher Spec(20) with length: 6 |<9>| INT: PREMASTER SECRET[128]: 653c0772433e1eea046a891f8290cb5e27681e50bb07d206f59048350d1847ced5179b2acc933b669b7ff378d0b2d298323f06334782e4cf4f37759847553116e0a409bd2afb9cfd6c26c44245108b04571c7660b23cb0f035f0d39c5a9868f6a4d14f102a2486152a7d4a836581b17c32dfb4ea9d1309fa0aa85576d7cac73b |<9>| INT: CLIENT RANDOM[32]: 4ab5145766276591b6df4f3d3603b5602ca7272dac4fa03d39ed2e5ac9d8f21a |<9>| INT: SERVER RANDOM[32]: 4ab5146f5e9d0f5915218d467006e3a55e8ce0fbac3936f00ce092612aae4b93 |<9>| INT: MASTER SECRET: 0a290575d29c8aa4a96944f7dff67b9b4a3a1a763373a2bc5b267c0e67d1f5dce018670478b022df232575b535f1cfce |<9>| INT: KEY BLOCK[104]: d0faedea6c8baa006af6f09330be9b74cfdb49ccce6571c18cf5452788225f4f |<9>| INT: CLIENT WRITE KEY [16]: c33896bce2ebfefd2a0b650a05c92e87 |<9>| INT: SERVER WRITE KEY [16]: 7931f6300477f3e94563703092d07ee8 |<3>| HSK[0x12d9e60]: Cipher Suite: DHE_DSS_AES_128_CBC_SHA1 |<3>| HSK[0x12d9e60]: Initializing internal [write] cipher sessions |<3>| HSK[0x12d9e60]: FINISHED was send [16 bytes] |<4>| REC[0x12d9e60]: Sending Packet[0] Handshake(22) with length: 16 |<4>| REC[0x12d9e60]: Sent Packet[1] Handshake(22) with length: 85 |<4>| REC[0x12d9e60]: Expected Packet[5] Change Cipher Spec(20) with length: 1 |<4>| REC[0x12d9e60]: Received Packet[5] Alert(21) with length: 2 |<2>| ASSERT: gnutls_cipher.c:204 |<4>| REC[0x12d9e60]: Decrypted Packet[5] Alert(21) with length: 2 |<4>| REC[0x12d9e60]: Alert[2|20] - Bad record MAC - was received |<2>| ASSERT: gnutls_record.c:695 |<2>| ASSERT: gnutls_record.c:1048 |<2>| ASSERT: gnutls_handshake.c:2525 |<2>| ASSERT: gnutls_handshake.c:2697 *** Fatal error: A TLS fatal alert has been received. *** Received alert [20]: Bad record MAC *** Handshake has failed GNUTLS ERROR: A TLS fatal alert has been received. From simon at josefsson.org Tue Sep 22 14:14:17 2009 From: simon at josefsson.org (Simon Josefsson) Date: Tue, 22 Sep 2009 14:14:17 +0200 Subject: some possible errors on sparc? In-Reply-To: (Miroslav Kratochvil's message of "Sat, 19 Sep 2009 19:51:28 +0200") References: Message-ID: <87d45jkwh2.fsf@mocca.josefsson.org> Miroslav Kratochvil writes: > Hi, > today I was trying to run GnuTLS on sparc and connect it to an amd64 > machine, well, result is that connection dies because of: Which GnuTLS version? > Error: Decryption has failed. > > on one side, and with > > Fatal error: A TLS fatal alert has been received. > > on the other side. Note that sparc-sparc connects without any problem. > The exact machine is 'TI UltraSparc IIe (Hummingbird) GNU/Linux' > running gentoo. > > If anyone had an idea about what's wrong on sparc, please comment > this. Seems like some data sizing problem to me, but i'm not really > sure (at least I haven't found any obvious cause yet.) Full logs from > disconnecting gnutls-cli and -serv are attached below. Do the builds pass 'make check' on your systems? /Simon > Thanks in advance, > Mirek Kratochvil > > > ---- > Now for the logs: > > ## server side (sparc) ## > > # gnutls-serv --debug 9 --x509cafile ca.crt --x509keyfile ssl.key > --x509certfile ssl.crt --echo -p 15135 > Set static Diffie Hellman parameters, consider --dhparams. > Processed 1 CA certificate(s). > |<2>| ASSERT: x509_b64.c:452 > |<2>| Could not find '-----BEGIN RSA PRIVATE KEY' > Echo Server ready. Listening to port '15135'. > > |<4>| REC[746a0]: Expected Packet[0] Handshake(22) with length: 1 > |<4>| REC[746a0]: Received Packet[0] Handshake(22) with length: 121 > |<2>| ASSERT: gnutls_cipher.c:204 > |<4>| REC[746a0]: Decrypted Packet[0] Handshake(22) with length: 121 > |<3>| HSK[746a0]: CLIENT HELLO was received [121 bytes] > |<3>| HSK[746a0]: Client's version: 3.2 > |<2>| ASSERT: gnutls_db.c:326 > |<2>| ASSERT: gnutls_db.c:246 > |<2>| EXT[746a0]: Received extension 'CERT_TYPE/9' > |<2>| EXT[746a0]: Received extension 'SERVER_NAME/0' > |<2>| EXT[746a0]: Received extension 'CERT_TYPE/9' > |<2>| EXT[746a0]: Received extension 'SERVER_NAME/0' > |<3>| HSK[746a0]: Removing ciphersuite: PSK_SHA_ARCFOUR_SHA1 > |<3>| HSK[746a0]: Removing ciphersuite: PSK_SHA_3DES_EDE_CBC_SHA1 > |<3>| HSK[746a0]: Removing ciphersuite: PSK_SHA_AES_128_CBC_SHA1 > |<3>| HSK[746a0]: Removing ciphersuite: PSK_SHA_AES_256_CBC_SHA1 > |<3>| HSK[746a0]: Removing ciphersuite: DHE_PSK_SHA_ARCFOUR_SHA1 > |<3>| HSK[746a0]: Removing ciphersuite: DHE_PSK_SHA_3DES_EDE_CBC_SHA1 > |<3>| HSK[746a0]: Removing ciphersuite: DHE_PSK_SHA_AES_128_CBC_SHA1 > |<3>| HSK[746a0]: Removing ciphersuite: DHE_PSK_SHA_AES_256_CBC_SHA1 > |<3>| HSK[746a0]: Removing ciphersuite: SRP_SHA_3DES_EDE_CBC_SHA1 > |<3>| HSK[746a0]: Removing ciphersuite: SRP_SHA_AES_128_CBC_SHA1 > |<3>| HSK[746a0]: Removing ciphersuite: SRP_SHA_AES_256_CBC_SHA1 > |<3>| HSK[746a0]: Removing ciphersuite: SRP_SHA_DSS_3DES_EDE_CBC_SHA1 > |<3>| HSK[746a0]: Removing ciphersuite: SRP_SHA_RSA_3DES_EDE_CBC_SHA1 > |<3>| HSK[746a0]: Removing ciphersuite: SRP_SHA_DSS_AES_128_CBC_SHA1 > |<3>| HSK[746a0]: Removing ciphersuite: SRP_SHA_RSA_AES_128_CBC_SHA1 > |<3>| HSK[746a0]: Removing ciphersuite: SRP_SHA_DSS_AES_256_CBC_SHA1 > |<3>| HSK[746a0]: Removing ciphersuite: SRP_SHA_RSA_AES_256_CBC_SHA1 > |<3>| HSK[746a0]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1 > |<3>| HSK[746a0]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1 > |<3>| HSK[746a0]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1 > |<3>| HSK[746a0]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA1 > |<3>| HSK[746a0]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA1 > |<3>| HSK[746a0]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA1 > |<3>| HSK[746a0]: Removing ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1 > |<3>| HSK[746a0]: Removing ciphersuite: DHE_RSA_AES_128_CBC_SHA1 > |<3>| HSK[746a0]: Removing ciphersuite: DHE_RSA_AES_256_CBC_SHA1 > |<3>| HSK[746a0]: Removing ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1 > |<3>| HSK[746a0]: Removing ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1 > |<3>| HSK[746a0]: Removing ciphersuite: RSA_ARCFOUR_SHA1 > |<3>| HSK[746a0]: Removing ciphersuite: RSA_ARCFOUR_MD5 > |<3>| HSK[746a0]: Removing ciphersuite: RSA_3DES_EDE_CBC_SHA1 > |<3>| HSK[746a0]: Removing ciphersuite: RSA_AES_128_CBC_SHA1 > |<3>| HSK[746a0]: Removing ciphersuite: RSA_AES_256_CBC_SHA1 > |<3>| HSK[746a0]: Removing ciphersuite: RSA_CAMELLIA_128_CBC_SHA1 > |<3>| HSK[746a0]: Removing ciphersuite: RSA_CAMELLIA_256_CBC_SHA1 > |<3>| HSK[746a0]: Selected cipher suite: DHE_DSS_AES_128_CBC_SHA1 > |<3>| HSK[746a0]: Selected Compression Method: NULL > |<3>| HSK[746a0]: SessionID: > 3dd101d3c7914ac90c3ee763390c2d3e983d5b54a2f3a9142bd5db94cea5b867 > |<3>| HSK[746a0]: SERVER HELLO was send [74 bytes] > |<4>| REC[746a0]: Sending Packet[0] Handshake(22) with length: 74 > |<2>| ASSERT: gnutls_cipher.c:204 > |<4>| REC[746a0]: Sent Packet[1] Handshake(22) with length: 79 > |<3>| HSK[746a0]: CERTIFICATE was send [2351 bytes] > |<4>| REC[746a0]: Sending Packet[1] Handshake(22) with length: 2351 > |<2>| ASSERT: gnutls_cipher.c:204 > |<4>| REC[746a0]: Sent Packet[2] Handshake(22) with length: 2356 > |<3>| HSK[746a0]: SERVER KEY EXCHANGE was send [331 bytes] > |<4>| REC[746a0]: Sending Packet[2] Handshake(22) with length: 331 > |<2>| ASSERT: gnutls_cipher.c:204 > |<4>| REC[746a0]: Sent Packet[3] Handshake(22) with length: 336 > |<3>| HSK[746a0]: CERTIFICATE REQUEST was send [70 bytes] > |<4>| REC[746a0]: Sending Packet[3] Handshake(22) with length: 70 > |<2>| ASSERT: gnutls_cipher.c:204 > |<4>| REC[746a0]: Sent Packet[4] Handshake(22) with length: 75 > |<3>| HSK[746a0]: SERVER HELLO DONE was send [4 bytes] > |<4>| REC[746a0]: Sending Packet[4] Handshake(22) with length: 4 > |<2>| ASSERT: gnutls_cipher.c:204 > |<4>| REC[746a0]: Sent Packet[5] Handshake(22) with length: 9 > |<2>| ASSERT: gnutls_buffers.c:360 > |<2>| ASSERT: gnutls_buffers.c:1151 > |<2>| ASSERT: gnutls_handshake.c:1045 > |<4>| REC[746a0]: Expected Packet[1] Handshake(22) with length: 1 > |<4>| REC[746a0]: Received Packet[1] Handshake(22) with length: 2351 > |<2>| ASSERT: gnutls_cipher.c:204 > |<4>| REC[746a0]: Decrypted Packet[1] Handshake(22) with length: 2351 > |<3>| HSK[746a0]: CERTIFICATE was received [2351 bytes] > |<2>| ASSERT: gnutls_buffers.c:360 > |<2>| ASSERT: gnutls_buffers.c:1151 > |<2>| ASSERT: gnutls_handshake.c:1045 > |<4>| REC[746a0]: Expected Packet[2] Handshake(22) with length: 1 > |<4>| REC[746a0]: Received Packet[2] Handshake(22) with length: 134 > |<2>| ASSERT: gnutls_cipher.c:204 > |<4>| REC[746a0]: Decrypted Packet[2] Handshake(22) with length: 134 > |<3>| HSK[746a0]: CLIENT KEY EXCHANGE was received [134 bytes] > |<4>| REC[746a0]: Expected Packet[3] Handshake(22) with length: 1 > |<4>| REC[746a0]: Received Packet[3] Handshake(22) with length: 68 > |<2>| ASSERT: gnutls_cipher.c:204 > |<4>| REC[746a0]: Decrypted Packet[3] Handshake(22) with length: 68 > |<3>| HSK[746a0]: CERTIFICATE VERIFY was received [68 bytes] > |<4>| REC[746a0]: Expected Packet[4] Change Cipher Spec(20) with length: 1 > |<4>| REC[746a0]: Received Packet[4] Change Cipher Spec(20) with length: 1 > |<2>| ASSERT: gnutls_cipher.c:204 > |<4>| REC[746a0]: ChangeCipherSpec Packet was received > |<9>| INT: PREMASTER SECRET[128]: > 653c0772433e1eea046a891f8290cb5e27681e50bb07d206f59048350d1847ced5179b2acc933b669b7ff378d0b2d298323f06334782e4cf4f37759847553116e0a409bd2afb9cfd6c26c44245108b04571c7660b23cb0f035f0d39c5a9868f6a4d14f102a2486152a7d4a836581b17c32dfb4ea9d1309fa0aa85576d7cac73b > |<9>| INT: CLIENT RANDOM[32]: > 4ab5145766276591b6df4f3d3603b5602ca7272dac4fa03d39ed2e5ac9d8f21a > |<9>| INT: SERVER RANDOM[32]: > 4ab5146f5e9d0f5915218d467006e3a55e8ce0fbac3936f00ce092612aae4b93 > |<9>| INT: MASTER SECRET: > 0a290575d29c8aa4a96944f7dff67b9b4a3a1a763373a2bc5b267c0e67d1f5dce018670478b022df232575b535f1cfce > |<9>| INT: KEY BLOCK[104]: > d0faedea6c8baa006af6f09330be9b74cfdb49ccce6571c18cf5452788225f4f > |<9>| INT: CLIENT WRITE KEY [16]: c33896bce2ebfefd2a0b650a05c92e87 > |<9>| INT: SERVER WRITE KEY [16]: 7931f6300477f3e94563703092d07ee8 > |<3>| HSK[746a0]: Cipher Suite: DHE_DSS_AES_128_CBC_SHA1 > |<3>| HSK[746a0]: Initializing internal [read] cipher sessions > AES-128 test encryption failed. > |<4>| REC[746a0]: Expected Packet[0] Handshake(22) with length: 1 > |<4>| REC[746a0]: Received Packet[0] Handshake(22) with length: 80 > |<2>| ASSERT: gnutls_cipher.c:516 > |<4>| REC[746a0]: Short record length 54 > 64 - 20 (under attack?) > |<2>| ASSERT: gnutls_record.c:1002 > |<2>| ASSERT: gnutls_buffers.c:1151 > |<2>| ASSERT: gnutls_handshake.c:1045 > |<2>| ASSERT: gnutls_handshake.c:599 > |<2>| ASSERT: gnutls_handshake.c:2553 > |<2>| ASSERT: gnutls_handshake.c:2685 > Error in handshake > Error: Decryption has failed. > |<4>| REC: Sending Alert[2|20] - Bad record MAC > |<4>| REC[746a0]: Sending Packet[5] Alert(21) with length: 2 > |<2>| ASSERT: gnutls_cipher.c:204 > |<4>| REC[746a0]: Sent Packet[6] Alert(21) with length: 7 > |<2>| ASSERT: gnutls_record.c:262 > > > > > > > ## client side (amd64) ## > > # gnutls-cli --debug 9 --x509keyfile ssl.key --x509certfile ssl.crt -p > 15135 someserver > Processed 1 client certificates... > |<2>| ASSERT: x509_b64.c:452 > |<2>| Could not find '-----BEGIN RSA PRIVATE KEY' > Processed 1 client X.509 certificates... > Resolving 'someserver'... > Connecting to '....:15135'... > |<3>| HSK[0x12d9e60]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1 > |<3>| HSK[0x12d9e60]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1 > |<3>| HSK[0x12d9e60]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1 > |<3>| HSK[0x12d9e60]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1 > |<3>| HSK[0x12d9e60]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA1 > |<3>| HSK[0x12d9e60]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1 > |<3>| HSK[0x12d9e60]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1 > |<3>| HSK[0x12d9e60]: Keeping ciphersuite: DHE_PSK_SHA_AES_128_CBC_SHA1 > |<3>| HSK[0x12d9e60]: Keeping ciphersuite: DHE_PSK_SHA_AES_256_CBC_SHA1 > |<3>| HSK[0x12d9e60]: Keeping ciphersuite: DHE_PSK_SHA_3DES_EDE_CBC_SHA1 > |<3>| HSK[0x12d9e60]: Keeping ciphersuite: DHE_PSK_SHA_ARCFOUR_SHA1 > |<3>| HSK[0x12d9e60]: Removing ciphersuite: SRP_SHA_RSA_AES_128_CBC_SHA1 > |<3>| HSK[0x12d9e60]: Removing ciphersuite: SRP_SHA_RSA_AES_256_CBC_SHA1 > |<3>| HSK[0x12d9e60]: Removing ciphersuite: SRP_SHA_RSA_3DES_EDE_CBC_SHA1 > |<3>| HSK[0x12d9e60]: Removing ciphersuite: SRP_SHA_DSS_AES_128_CBC_SHA1 > |<3>| HSK[0x12d9e60]: Removing ciphersuite: SRP_SHA_DSS_AES_256_CBC_SHA1 > |<3>| HSK[0x12d9e60]: Removing ciphersuite: SRP_SHA_DSS_3DES_EDE_CBC_SHA1 > |<3>| HSK[0x12d9e60]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1 > |<3>| HSK[0x12d9e60]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1 > |<3>| HSK[0x12d9e60]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1 > |<3>| HSK[0x12d9e60]: Keeping ciphersuite: RSA_ARCFOUR_SHA1 > |<3>| HSK[0x12d9e60]: Keeping ciphersuite: RSA_ARCFOUR_MD5 > |<3>| HSK[0x12d9e60]: Keeping ciphersuite: PSK_SHA_AES_128_CBC_SHA1 > |<3>| HSK[0x12d9e60]: Keeping ciphersuite: PSK_SHA_AES_256_CBC_SHA1 > |<3>| HSK[0x12d9e60]: Keeping ciphersuite: PSK_SHA_3DES_EDE_CBC_SHA1 > |<3>| HSK[0x12d9e60]: Keeping ciphersuite: PSK_SHA_ARCFOUR_SHA1 > |<3>| HSK[0x12d9e60]: Removing ciphersuite: SRP_SHA_AES_128_CBC_SHA1 > |<3>| HSK[0x12d9e60]: Removing ciphersuite: SRP_SHA_AES_256_CBC_SHA1 > |<3>| HSK[0x12d9e60]: Removing ciphersuite: SRP_SHA_3DES_EDE_CBC_SHA1 > |<2>| EXT[0x12d9e60]: Sending extension CERT_TYPE > |<2>| EXT[0x12d9e60]: Sending extension SERVER_NAME > |<3>| HSK[0x12d9e60]: CLIENT HELLO was send [121 bytes] > |<4>| REC[0x12d9e60]: Sending Packet[0] Handshake(22) with length: 121 > |<2>| ASSERT: gnutls_cipher.c:204 > |<4>| REC[0x12d9e60]: Sent Packet[1] Handshake(22) with length: 126 > |<4>| REC[0x12d9e60]: Expected Packet[0] Handshake(22) with length: 1 > |<4>| REC[0x12d9e60]: Received Packet[0] Handshake(22) with length: 74 > |<2>| ASSERT: gnutls_cipher.c:204 > |<4>| REC[0x12d9e60]: Decrypted Packet[0] Handshake(22) with length: 74 > |<3>| HSK[0x12d9e60]: SERVER HELLO was received [74 bytes] > |<3>| HSK[0x12d9e60]: Server's version: 3.2 > |<3>| HSK[0x12d9e60]: SessionID length: 32 > |<3>| HSK[0x12d9e60]: SessionID: > 3dd101d3c7914ac90c3ee763390c2d3e983d5b54a2f3a9142bd5db94cea5b867 > |<3>| HSK[0x12d9e60]: Selected cipher suite: DHE_DSS_AES_128_CBC_SHA1 > |<2>| ASSERT: gnutls_extensions.c:124 > |<4>| REC[0x12d9e60]: Expected Packet[1] Handshake(22) with length: 1 > |<4>| REC[0x12d9e60]: Received Packet[1] Handshake(22) with length: 2351 > |<2>| ASSERT: gnutls_cipher.c:204 > |<4>| REC[0x12d9e60]: Decrypted Packet[1] Handshake(22) with length: 2351 > |<3>| HSK[0x12d9e60]: CERTIFICATE was received [2351 bytes] > |<4>| REC[0x12d9e60]: Expected Packet[2] Handshake(22) with length: 1 > |<4>| REC[0x12d9e60]: Received Packet[2] Handshake(22) with length: 331 > |<2>| ASSERT: gnutls_cipher.c:204 > |<4>| REC[0x12d9e60]: Decrypted Packet[2] Handshake(22) with length: 331 > |<3>| HSK[0x12d9e60]: SERVER KEY EXCHANGE was received [331 bytes] > |<4>| REC[0x12d9e60]: Expected Packet[3] Handshake(22) with length: 1 > |<4>| REC[0x12d9e60]: Received Packet[3] Handshake(22) with length: 70 > |<2>| ASSERT: gnutls_cipher.c:204 > |<4>| REC[0x12d9e60]: Decrypted Packet[3] Handshake(22) with length: 70 > |<3>| HSK[0x12d9e60]: CERTIFICATE REQUEST was received [70 bytes] > |<4>| REC[0x12d9e60]: Expected Packet[4] Handshake(22) with length: 1 > |<4>| REC[0x12d9e60]: Received Packet[4] Handshake(22) with length: 4 > |<2>| ASSERT: gnutls_cipher.c:204 > |<4>| REC[0x12d9e60]: Decrypted Packet[4] Handshake(22) with length: 4 > |<3>| HSK[0x12d9e60]: SERVER HELLO DONE was received [4 bytes] > |<3>| HSK[0x12d9e60]: CERTIFICATE was send [2351 bytes] > |<4>| REC[0x12d9e60]: Sending Packet[1] Handshake(22) with length: 2351 > |<2>| ASSERT: gnutls_cipher.c:204 > |<4>| REC[0x12d9e60]: Sent Packet[2] Handshake(22) with length: 2356 > |<3>| HSK[0x12d9e60]: CLIENT KEY EXCHANGE was send [134 bytes] > |<4>| REC[0x12d9e60]: Sending Packet[2] Handshake(22) with length: 134 > |<2>| ASSERT: gnutls_cipher.c:204 > |<4>| REC[0x12d9e60]: Sent Packet[3] Handshake(22) with length: 139 > |<3>| HSK[0x12d9e60]: CERTIFICATE VERIFY was send [68 bytes] > |<4>| REC[0x12d9e60]: Sending Packet[3] Handshake(22) with length: 68 > |<2>| ASSERT: gnutls_cipher.c:204 > |<4>| REC[0x12d9e60]: Sent Packet[4] Handshake(22) with length: 73 > |<3>| REC[0x12d9e60]: Sent ChangeCipherSpec > |<4>| REC[0x12d9e60]: Sending Packet[4] Change Cipher Spec(20) with length: 1 > |<2>| ASSERT: gnutls_cipher.c:204 > |<4>| REC[0x12d9e60]: Sent Packet[5] Change Cipher Spec(20) with length: 6 > |<9>| INT: PREMASTER SECRET[128]: > 653c0772433e1eea046a891f8290cb5e27681e50bb07d206f59048350d1847ced5179b2acc933b669b7ff378d0b2d298323f06334782e4cf4f37759847553116e0a409bd2afb9cfd6c26c44245108b04571c7660b23cb0f035f0d39c5a9868f6a4d14f102a2486152a7d4a836581b17c32dfb4ea9d1309fa0aa85576d7cac73b > |<9>| INT: CLIENT RANDOM[32]: > 4ab5145766276591b6df4f3d3603b5602ca7272dac4fa03d39ed2e5ac9d8f21a > |<9>| INT: SERVER RANDOM[32]: > 4ab5146f5e9d0f5915218d467006e3a55e8ce0fbac3936f00ce092612aae4b93 > |<9>| INT: MASTER SECRET: > 0a290575d29c8aa4a96944f7dff67b9b4a3a1a763373a2bc5b267c0e67d1f5dce018670478b022df232575b535f1cfce > |<9>| INT: KEY BLOCK[104]: > d0faedea6c8baa006af6f09330be9b74cfdb49ccce6571c18cf5452788225f4f > |<9>| INT: CLIENT WRITE KEY [16]: c33896bce2ebfefd2a0b650a05c92e87 > |<9>| INT: SERVER WRITE KEY [16]: 7931f6300477f3e94563703092d07ee8 > |<3>| HSK[0x12d9e60]: Cipher Suite: DHE_DSS_AES_128_CBC_SHA1 > |<3>| HSK[0x12d9e60]: Initializing internal [write] cipher sessions > |<3>| HSK[0x12d9e60]: FINISHED was send [16 bytes] > |<4>| REC[0x12d9e60]: Sending Packet[0] Handshake(22) with length: 16 > |<4>| REC[0x12d9e60]: Sent Packet[1] Handshake(22) with length: 85 > |<4>| REC[0x12d9e60]: Expected Packet[5] Change Cipher Spec(20) with length: 1 > |<4>| REC[0x12d9e60]: Received Packet[5] Alert(21) with length: 2 > |<2>| ASSERT: gnutls_cipher.c:204 > |<4>| REC[0x12d9e60]: Decrypted Packet[5] Alert(21) with length: 2 > |<4>| REC[0x12d9e60]: Alert[2|20] - Bad record MAC - was received > |<2>| ASSERT: gnutls_record.c:695 > |<2>| ASSERT: gnutls_record.c:1048 > |<2>| ASSERT: gnutls_handshake.c:2525 > |<2>| ASSERT: gnutls_handshake.c:2697 > *** Fatal error: A TLS fatal alert has been received. > *** Received alert [20]: Bad record MAC > *** Handshake has failed > GNUTLS ERROR: A TLS fatal alert has been received. From imp at hannover.ccc.de Tue Sep 22 18:32:23 2009 From: imp at hannover.ccc.de (imp) Date: Tue, 22 Sep 2009 16:32:23 +0000 (UTC) Subject: some possible errors on sparc? References: <87d45jkwh2.fsf@mocca.josefsson.org> Message-ID: Simon Josefsson josefsson.org> writes: > > Miroslav Kratochvil gmail.com> writes: > > > Hi, > > today I was trying to run GnuTLS on sparc and connect it to an amd64 > > machine, well, result is that connection dies because of: > > Which GnuTLS version? > on the amd64: net-libs/gnutls-2.8.3 and on the sparc: net-libs/gnutls-2.8.3 (before it was 2.6.6, updated it right now - still the same). both pass "make check" - at least the return value is 0 and are no tests reported as failed. (and both skiped pkcs1-pad). besides this, there's some strange stuff going on the the sparc: ## server: ready. Listening to port '5556'. server: connection from 127.0.0.1, port 56158 psk: username test AES-128 test encryption failed. AES-128 test encryption failed. server: Handshake was completed client: Handshake was completed server: Peer has closed the GNUTLS connection server: finished Self test `./pskself' finished with 0 errors Self test `./pskself' finished with 0 errors PASS: pskself Launched, generating DH parameters... server: ready. Listening to port '5556'. server: connection from 127.0.0.1, port 56159 AES-128 test encryption failed. psk callback to get test's password AES-128 test encryption failed. ## and the build on the amd64 spits some leak summarys (guess it's because if've valgrind installed?). imp From simon at josefsson.org Tue Sep 22 22:52:51 2009 From: simon at josefsson.org (Simon Josefsson) Date: Tue, 22 Sep 2009 22:52:51 +0200 Subject: some possible errors on sparc? In-Reply-To: (imp@hannover.ccc.de's message of "Tue, 22 Sep 2009 16:32:23 +0000 (UTC)") References: <87d45jkwh2.fsf@mocca.josefsson.org> Message-ID: <87d45iem70.fsf@mocca.josefsson.org> imp writes: > both pass "make check" - at least the return value is 0 and are no tests > reported as failed. (and both skiped pkcs1-pad). OK. > besides this, there's some strange stuff going on the the sparc: > ## > server: ready. Listening to port '5556'. > server: connection from 127.0.0.1, port 56158 > psk: username test > AES-128 test encryption failed. > AES-128 test encryption failed. That is a quite severe libgcrypt error -- did libgcrypt compile and pass the self-tests properly on this platform? I suspect you have a libgcrypt problem. > and the build on the amd64 spits some leak summarys (guess it's because if've > valgrind installed?). Yes. There are many known memory leaks in the self tests. /Simon From jawad.ssuet at gmail.com Wed Sep 23 12:23:37 2009 From: jawad.ssuet at gmail.com (Jawad hussain) Date: Wed, 23 Sep 2009 12:23:37 +0200 Subject: TLS server key and certificate generation Message-ID: <2bb4c8ca0909230323j2f4f9801te97d455655a33210@mail.gmail.com> Hi, I am trying to setting up a OpenXcap server and doing so I encounter following error. So can someone suggest how to generate TLS server certificate and key for OpenXcap server. Sep 23 16:13:55 jawad-desktop openxcap[2710]: fatal error: the TLS certificates or the private key could not be loaded -- Regards Jawad Hussain -------------- next part -------------- An HTML attachment was scrubbed... URL: From simon at josefsson.org Wed Sep 23 22:43:37 2009 From: simon at josefsson.org (Simon Josefsson) Date: Wed, 23 Sep 2009 22:43:37 +0200 Subject: TLS server key and certificate generation In-Reply-To: <2bb4c8ca0909230323j2f4f9801te97d455655a33210@mail.gmail.com> (Jawad hussain's message of "Wed, 23 Sep 2009 12:23:37 +0200") References: <2bb4c8ca0909230323j2f4f9801te97d455655a33210@mail.gmail.com> Message-ID: <87pr9hz91i.fsf@mocca.josefsson.org> Jawad hussain writes: > Hi, > > I am trying to setting up a OpenXcap server and doing so I encounter > following error. So can someone suggest how to generate TLS server > certificate and key for OpenXcap server. > > Sep 23 16:13:55 jawad-desktop openxcap[2710]: fatal error: the TLS > certificates or the private key could not be loaded There is not much information to go on here, can you provide more information on what commands you invoke and the files you use as input? I'm not familiar with OpenXcap though, so you may find better answers on a OpenXcap forum. Generating keys and certificates is covered in the GnuTLS manual: http://www.gnu.org/software/gnutls/manual/html_node/Invoking-certtool.html I blogged about how to create CACert keys/certs some time ago: http://blog.josefsson.org/2009/04/16/cacert-and-gnutls/ /Simon From imp at hannover.ccc.de Thu Sep 24 16:49:32 2009 From: imp at hannover.ccc.de (imp) Date: Thu, 24 Sep 2009 14:49:32 +0000 (UTC) Subject: some possible errors on sparc? References: <87d45jkwh2.fsf@mocca.josefsson.org> <87d45iem70.fsf@mocca.josefsson.org> Message-ID: Simon Josefsson josefsson.org> writes: > That is a quite severe libgcrypt error -- did libgcrypt compile and pass > the self-tests properly on this platform? I suspect you have a > libgcrypt problem. > that's it :). libgcrypt doesn't work porperly, if it's compiled with -O3 (see http://bugs.gentoo.org/show_bug.cgi?id=263589 ). already had some contact with a guy from gnupg/libgcrypt and i'll fill a ticket later. thanks for your pointer, simon :) imp From jawad.ssuet at gmail.com Thu Sep 24 17:27:36 2009 From: jawad.ssuet at gmail.com (jawad.ssuet) Date: Thu, 24 Sep 2009 17:27:36 +0200 Subject: TLS server key and certificate generation In-Reply-To: <87pr9hz91i.fsf@mocca.josefsson.org> References: <2bb4c8ca0909230323j2f4f9801te97d455655a33210@mail.gmail.com> <87pr9hz91i.fsf@mocca.josefsson.org> Message-ID: <2bb4c8ca0909240827i38b5b3a5v6b231eb707b2b718@mail.gmail.com> Thanks, Actually for OpenXCAP to work I have to generate one server.crt and server.key by using gnutls (as this is only one post on OpenXCAP forum) and put them under my openxcap/tls folder, so that would my server certification and key. By the time I emailed I was unable to find method to do this by gnutls so did this by openssl but I struggled to load the cert/key with openssl. On OpenXCAP website this is the only information about certificates. "" When using TLS you must generate an X.509 certificate and a key. Consult Internet resources for how to do this. The procedure is the same as for any other TLS server like Apache web server. "" I generate a certificate and private key for OpenXCAP server by using openssl as follows. - openssl genrsa -des3 out server.key 1024 - openssl req -new -key server.key -out server.csr - openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt So in short I have to generate one server certificate and private key using gnutls and I will follow procedures on the provided links by you and will report if that work. I have installed gnutls but havent seen certtool command ?. Regards, Jawad Hussain On Wed, Sep 23, 2009 at 10:43 PM, Simon Josefsson wrote: > Jawad hussain writes: > > > Hi, > > > > I am trying to setting up a OpenXcap server and doing so I encounter > > following error. So can someone suggest how to generate TLS server > > certificate and key for OpenXcap server. > > > > Sep 23 16:13:55 jawad-desktop openxcap[2710]: fatal error: the TLS > > certificates or the private key could not be loaded > > There is not much information to go on here, can you provide more > information on what commands you invoke and the files you use as input? > I'm not familiar with OpenXcap though, so you may find better answers on > a OpenXcap forum. > > Generating keys and certificates is covered in the GnuTLS manual: > > http://www.gnu.org/software/gnutls/manual/html_node/Invoking-certtool.html > > I blogged about how to create CACert keys/certs some time ago: > > http://blog.josefsson.org/2009/04/16/cacert-and-gnutls/ > > /Simon > - -------------- next part -------------- An HTML attachment was scrubbed... URL: From simon at josefsson.org Thu Sep 24 17:34:01 2009 From: simon at josefsson.org (Simon Josefsson) Date: Thu, 24 Sep 2009 17:34:01 +0200 Subject: TLS server key and certificate generation In-Reply-To: <2bb4c8ca0909240827i38b5b3a5v6b231eb707b2b718@mail.gmail.com> (jawad ssuet's message of "Thu, 24 Sep 2009 17:27:36 +0200") References: <2bb4c8ca0909230323j2f4f9801te97d455655a33210@mail.gmail.com> <87pr9hz91i.fsf@mocca.josefsson.org> <2bb4c8ca0909240827i38b5b3a5v6b231eb707b2b718@mail.gmail.com> Message-ID: <87iqf8pdau.fsf@mocca.josefsson.org> "jawad.ssuet" writes: > I have installed gnutls but havent seen certtool command ?. It is part of the GnuTLS distribution. If you installed a dpkg/rpm or similar you need to make sure you get all components. /Simon From tang__tong at hotmail.com Fri Sep 25 08:17:46 2009 From: tang__tong at hotmail.com (tangtong) Date: Fri, 25 Sep 2009 06:17:46 +0000 Subject: PKCS encryption schema Message-ID: Hi, I meet some question when I display an encrypted key info created by openssl. The following steps show the scenario: openssl genrsa -des3 -out key1.pem openssl pkcs8 -topk8 -in key1.pem -out key2.pem certtool -k --infile key2.pem |<1>| PKCS encryption schema OID '1.2.840.113549.1.5.3' is unsupported. certtool: import error: The cipher type is unsupported. I double check the source codes, it is found only the following schema are supported for a pkcs8 key for gnutls: PKCS12_PBE_3DES_SHA1_OID "1.2.840.113549.1.12.1.3" PKCS12_PBE_ARCFOUR_SHA1_OID "1.2.840.113549.1.12.1.1" PKCS12_PBE_RC2_40_SHA1_OID "1.2.840.113549.1.12.1.6" PBES2_OID "1.2.840.113549.1.5.13" Only the last one is for PKCS5 schema. According to PKCS8 specification, PKCS8's encryption algorithm is based on PKCS5's encryption schema. I am not sure if this means gnutls dones't fully support PKCS5 and my understanding about PKCS8 and PKCS5 is right or not. Regards _________________________________________________________________ ?Windows Live ??????????Messenger? http://www.windowslive.cn -------------- next part -------------- An HTML attachment was scrubbed... URL: From simon at josefsson.org Fri Sep 25 10:14:52 2009 From: simon at josefsson.org (Simon Josefsson) Date: Fri, 25 Sep 2009 10:14:52 +0200 Subject: PKCS encryption schema In-Reply-To: (tangtong's message of "Fri, 25 Sep 2009 06:17:46 +0000") References: Message-ID: <87zl8jh24j.fsf@mocca.josefsson.org> tangtong writes: > Hi, > I meet some question when I display an encrypted key info created by openssl. The following steps show the scenario: > openssl genrsa -des3 -out key1.pem > openssl pkcs8 -topk8 -in key1.pem -out key2.pem > certtool -k --infile key2.pem > |<1>| PKCS encryption schema OID '1.2.840.113549.1.5.3' is unsupported. > certtool: import error: The cipher type is unsupported. That is pbeWithMD5AndDES-CBC. Both MD5 and DES are broken, so I'm not sure it is worthwhile to support it. Try the -v2 parameter to openssl pkcs8, although I'm not sure what the string for any strong cipher would be. I would accept a patch that made GnuTLS read files on this format (but make sure it can't generate them). /Simon > > I double check the source codes, it is found only the following schema are supported for a pkcs8 key for gnutls: > PKCS12_PBE_3DES_SHA1_OID "1.2.840.113549.1.12.1.3" > PKCS12_PBE_ARCFOUR_SHA1_OID "1.2.840.113549.1.12.1.1" > PKCS12_PBE_RC2_40_SHA1_OID "1.2.840.113549.1.12.1.6" > PBES2_OID "1.2.840.113549.1.5.13" > > Only the last one is for PKCS5 schema. According to PKCS8 specification, PKCS8's encryption algorithm is based on PKCS5's encryption schema. I am not sure if this means gnutls dones't fully support PKCS5 and my understanding about PKCS8 and PKCS5 is right or not. > > > Regards > > > > _________________________________________________________________ > ?Windows Live ??????????Messenger? > http://www.windowslive.cn_______________________________________________ > Help-gnutls mailing list > Help-gnutls at gnu.org > http://lists.gnu.org/mailman/listinfo/help-gnutls From jawad.ssuet at gmail.com Fri Sep 25 18:35:46 2009 From: jawad.ssuet at gmail.com (Jawad hussain) Date: Fri, 25 Sep 2009 12:35:46 -0400 Subject: TLS server key and certificate generation In-Reply-To: <87pr9hz91i.fsf@mocca.josefsson.org> References: <2bb4c8ca0909230323j2f4f9801te97d455655a33210@mail.gmail.com> <87pr9hz91i.fsf@mocca.josefsson.org> Message-ID: <2bb4c8ca0909250935h47d60098tf736d9da63b90339@mail.gmail.com> Thanks, Now I got one error related with GNUTLS so can you please help in resolving this. Sep 25 18:29:03 jawad-desktop openxcap[2781]: Log opened. Sep 25 18:29:03 jawad-desktop openxcap[2781]: Starting OpenXCAP 1.1.2 Sep 25 18:29:04 jawad-desktop openxcap[2781]: /etc/openxcap/openxcap-1.1.2/xcap/tweaks.py:1: exceptions.DeprecationWarning: the md5 module is deprecated; use hashlib instead Sep 25 18:29:04 jawad-desktop openxcap[2781]: *fatal error: failed to create OpenXCAP 1.1.2: /usr/local/lib/libgnutls.so.26: undefined symbol: gnutls_certificate_get_x509_cas* Sep 25 18:29:04 jawad-desktop openxcap[2781]: Traceback (most recent call last): Sep 25 18:29:04 jawad-desktop openxcap[2781]: --- --- Sep 25 18:29:04 jawad-desktop openxcap[2781]: File "./openxcap", line 61, in Sep 25 18:29:04 jawad-desktop openxcap[2781]: from xcap.server import XCAPServer Sep 25 18:29:04 jawad-desktop openxcap[2781]: File "/etc/openxcap/openxcap-1.1.2/xcap/server.py", line 24, in Sep 25 18:29:04 jawad-desktop openxcap[2781]: from xcap.tls import Certificate, PrivateKey Sep 25 18:29:04 jawad-desktop openxcap[2781]: File "/etc/openxcap/openxcap-1.1.2/xcap/tls.py", line 8, in Sep 25 18:29:04 jawad-desktop openxcap[2781]: from gnutls.crypto import X509Certificate, X509PrivateKey Sep 25 18:29:04 jawad-desktop openxcap[2781]: File "/usr/lib/pymodules/python2.6/gnutls/crypto.py", line 11, in Sep 25 18:29:04 jawad-desktop openxcap[2781]: from gnutls.validators import method_args, one_of Sep 25 18:29:04 jawad-desktop openxcap[2781]: File "/usr/lib/pymodules/python2.6/gnutls/validators.py", line 9, in Sep 25 18:29:04 jawad-desktop openxcap[2781]: from gnutls.constants import * Sep 25 18:29:04 jawad-desktop openxcap[2781]: File "/usr/lib/pymodules/python2.6/gnutls/constants.py", line 38, in Sep 25 18:29:04 jawad-desktop openxcap[2781]: from gnutls.library import constants Sep 25 18:29:04 jawad-desktop openxcap[2781]: File "/usr/lib/pymodules/python2.6/gnutls/library/__init__.py", line 7, in Sep 25 18:29:04 jawad-desktop openxcap[2781]: from gnutls.library import errors Sep 25 18:29:04 jawad-desktop openxcap[2781]: File "/usr/lib/pymodules/python2.6/gnutls/library/errors.py", line 15, in Sep 25 18:29:04 jawad-desktop openxcap[2781]: from gnutls.library.functions import gnutls_strerror, gnutls_alert_get Sep 25 18:29:04 jawad-desktop openxcap[2781]: File "/usr/lib/pymodules/python2.6/gnutls/library/functions.py", line 505, in Sep 25 18:29:04 jawad-desktop openxcap[2781]: gnutls_certificate_get_x509_cas = _libraries['libgnutls.so.26'].gnutls_certificate_get_x509_cas Sep 25 18:29:04 jawad-desktop openxcap[2781]: File "/usr/lib/python2.6/ctypes/__init__.py", line 366, in __getattr__ Sep 25 18:29:04 jawad-desktop openxcap[2781]: func = self.__getitem__(name) Sep 25 18:29:04 jawad-desktop openxcap[2781]: File "/usr/lib/python2.6/ctypes/__init__.py", line 371, in __getitem__ Sep 25 18:29:04 jawad-desktop openxcap[2781]: func = self._FuncPtr((name_or_ordinal, self)) Sep 25 18:29:04 jawad-desktop openxcap[2781]: exceptions.AttributeError: /usr/local/lib/libgnutls.so.26: undefined symbol: gnutls_certificate_get_x509_cas Regards, Jawad Hussain On Wed, Sep 23, 2009 at 4:43 PM, Simon Josefsson wrote: > Jawad hussain writes: > > > Hi, > > > > I am trying to setting up a OpenXcap server and doing so I encounter > > following error. So can someone suggest how to generate TLS server > > certificate and key for OpenXcap server. > > > > Sep 23 16:13:55 jawad-desktop openxcap[2710]: fatal error: the TLS > > certificates or the private key could not be loaded > > There is not much information to go on here, can you provide more > information on what commands you invoke and the files you use as input? > I'm not familiar with OpenXcap though, so you may find better answers on > a OpenXcap forum. > > Generating keys and certificates is covered in the GnuTLS manual: > > http://www.gnu.org/software/gnutls/manual/html_node/Invoking-certtool.html > > I blogged about how to create CACert keys/certs some time ago: > > http://blog.josefsson.org/2009/04/16/cacert-and-gnutls/ > > /Simon > -- -------------- next part -------------- An HTML attachment was scrubbed... URL: From simon at josefsson.org Sat Sep 26 11:59:05 2009 From: simon at josefsson.org (Simon Josefsson) Date: Sat, 26 Sep 2009 11:59:05 +0200 Subject: TLS server key and certificate generation In-Reply-To: <2bb4c8ca0909250935h47d60098tf736d9da63b90339@mail.gmail.com> (Jawad hussain's message of "Fri, 25 Sep 2009 12:35:46 -0400") References: <2bb4c8ca0909230323j2f4f9801te97d455655a33210@mail.gmail.com> <87pr9hz91i.fsf@mocca.josefsson.org> <2bb4c8ca0909250935h47d60098tf736d9da63b90339@mail.gmail.com> Message-ID: <87bpkyc9hy.fsf@mocca.josefsson.org> Jawad hussain writes: > Thanks, > > Now I got one error related with GNUTLS so can you please help in resolving > this. > > Sep 25 18:29:03 jawad-desktop openxcap[2781]: Log opened. > Sep 25 18:29:03 jawad-desktop openxcap[2781]: Starting OpenXCAP 1.1.2 > Sep 25 18:29:04 jawad-desktop openxcap[2781]: > /etc/openxcap/openxcap-1.1.2/xcap/tweaks.py:1: > exceptions.DeprecationWarning: the md5 module is deprecated; use hashlib > instead > > Sep 25 18:29:04 jawad-desktop openxcap[2781]: *fatal error: failed to create > OpenXCAP 1.1.2: /usr/local/lib/libgnutls.so.26: undefined symbol: > gnutls_certificate_get_x509_cas* You may need a newer GnuTLS version, that symbol was added in 2.4.0. /Simon From jawad.ssuet at gmail.com Mon Sep 28 12:41:42 2009 From: jawad.ssuet at gmail.com (Jawad hussain) Date: Mon, 28 Sep 2009 12:41:42 +0200 Subject: TLS server key and certificate generation In-Reply-To: <87bpkyc9hy.fsf@mocca.josefsson.org> References: <2bb4c8ca0909230323j2f4f9801te97d455655a33210@mail.gmail.com> <87pr9hz91i.fsf@mocca.josefsson.org> <2bb4c8ca0909250935h47d60098tf736d9da63b90339@mail.gmail.com> <87bpkyc9hy.fsf@mocca.josefsson.org> Message-ID: <2bb4c8ca0909280341xa4778ccxa3199997b4b6f92@mail.gmail.com> On Sat, Sep 26, 2009 at 11:59 AM, Simon Josefsson wrote: > Jawad hussain writes: > > > Thanks, > > > > Now I got one error related with GNUTLS so can you please help in > resolving > > this. > > > > Sep 25 18:29:03 jawad-desktop openxcap[2781]: Log opened. > > Sep 25 18:29:03 jawad-desktop openxcap[2781]: Starting OpenXCAP 1.1.2 > > Sep 25 18:29:04 jawad-desktop openxcap[2781]: > > /etc/openxcap/openxcap-1.1.2/xcap/tweaks.py:1: > > exceptions.DeprecationWarning: the md5 module is deprecated; use hashlib > > instead > > > > Sep 25 18:29:04 jawad-desktop openxcap[2781]: *fatal error: failed to > create > > OpenXCAP 1.1.2: /usr/local/lib/libgnutls.so.26: undefined symbol: > > gnutls_certificate_get_x509_cas* > > You may need a newer GnuTLS version, that symbol was added in 2.4.0. > > /Simon > Thanks Simon, Yes you are rite and I really appreciate your support. Regards, Jawad Hussain -------------- next part -------------- An HTML attachment was scrubbed... URL: