From nmav at gnutls.org Sat Jun 4 22:51:51 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Sat, 04 Jun 2011 22:51:51 +0200 Subject: gnutls 2.12.6 Message-ID: <4DEA9AE7.9090205@gnutls.org> Hello, I've just released gnutls 2.12.6 * Version 2.12.6 (released 2011-06-4) ** libgnutls: Allow usage of DSA signatures with truncated hash. Following: http://tools.ietf.org/html/draft-mavrogiannopoulos-tls-dss-00 ** libgnutls: Prevent the usage of write() and friends when no data are to be sent. ** libgnutls: Correctly set compression method when resuming sessions. Reported by Dash Shendy. ** libgnutls: gnutls_pubkey_get_pk_dsa_raw() and gnutls_pubkey_get_pk_rsa_raw add leading zeros to the exported values. ** libgnutls: Added gnutls_global_set_time_function() to allow overriding the default system time() function. ** API and ABI modifications: gnutls_global_set_time_function: ADDED Getting the Software ==================== GnuTLS may be downloaded from one of the GNU mirror sites or directly >From and a list of GnuTLS mirrors can be found at . Here are the BZIP2 compressed sources: ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.12.6.tar.bz2 http://ftp.gnu.org/gnu/gnutls/gnutls-2.12.6.tar.bz2 Here are OpenPGP detached signatures signed using key 0x96865171: ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.12.6.tar.bz2.sig http://ftp.gnu.org/gnu/gnutls/gnutls-2.12.6.tar.bz2.sig Note that it has been signed with my openpgp key: pub 3104R/96865171 2008-05-04 [expires: 2028-04-29] uid Nikos Mavrogiannopoulos gnutls.org> uid Nikos Mavrogiannopoulos gmail.com> sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02] sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02] regards, Nikos From nmav at gnutls.org Sun Jun 5 04:17:07 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Sun, 05 Jun 2011 04:17:07 +0200 Subject: gnutls 2.12.6.1 In-Reply-To: <201106050033.25387.Arfrever.FTA@gmail.com> References: <4DEA9AE7.9090205@gnutls.org> <201106050033.25387.Arfrever.FTA@gmail.com> Message-ID: <4DEAE723.9030907@gnutls.org> On 06/05/2011 12:33 AM, Arfrever Frehtes Taifersar Arahesis wrote: > Name of main library has been changed from libgnutls.so.26.20.0 to libgnutls.so.25.21.0, > but libgnutls.so.26.21.0 was probably intended. Nice catch. I've uploaded gnutls 2.12.6.1 that fixes this issue. regards, Nikos From admin at dash.za.net Mon Jun 6 19:59:42 2011 From: admin at dash.za.net (Dash Shendy) Date: Mon, 06 Jun 2011 19:59:42 +0200 Subject: Would like to contribute to mod_gnutls In-Reply-To: References: Message-ID: <4DED158E.7020403@dash.za.net> Hi Nikos, I hope that all is well. I see that you have released a new bug-fix version of GnuTLS, great work! While I was debugging that compression error, I had a look at the mod_gnutls module and it seemed a pretty straight forward implementation of GnuTLS library as an apache module, I would like to help out with maintaining the module. I have been reading this tut on apache module dev. Would you be so kind as to provide me with any relevant tutorials you might have, just to get me started? In short, my question is: Q) what skills does one require to develop mod_gnutls sanely? I can think of the following: * Apache Module Development * GnuTLS internals Your help is, as always, much appreciated. Thanks, Dash Shendy -------------- next part -------------- An HTML attachment was scrubbed... URL: From nmav at gnutls.org Tue Jun 7 07:40:14 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Tue, 07 Jun 2011 07:40:14 +0200 Subject: Would like to contribute to mod_gnutls In-Reply-To: <4DED158E.7020403@dash.za.net> References: <4DED158E.7020403@dash.za.net> Message-ID: <4DEDB9BE.7030508@gnutls.org> On 06/06/2011 07:59 PM, Dash Shendy wrote: > While I was debugging that compression error, I had a look at the > mod_gnutls module and it seemed a pretty straight forward implementation > of GnuTLS library as an apache module, I would like to help out with > maintaining the module. I've replied off-list. regards, Nikos From nmav at gnutls.org Wed Jun 8 13:36:10 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Wed, 8 Jun 2011 13:36:10 +0200 Subject: roadmap for 3.0.0 In-Reply-To: References: Message-ID: Hello, ?The last commit by Stef Walter concludes the list of changes I planned for gnutls 3.0.0. Those in brief were: * Addition of Datagram TLS 1.0 (RFC4347) * Addition of Elliptic curve ciphersuites (RFC4492) * Addition of ECDSA for X.509 certificates (RFC5480,RFC5758) * Addition of SuiteB profile (RFC5430) * Addition of AES-GCM cipher (RFC5288) * Addition of hardware optimized AES and AES-GCM on CPU's that support it * Addition of a simple X.509 certificate verification subsystem (gnutls_x509_trust_list_*) * Addition of an auditing subsystem (gnutls_global_set_audit_log_function()) * Addition of a certificate retrieval function that requires no processing from gnutls (gnutls_certificate_set_retrieve_function2()) * Usage of p11-kit for PKCS #11 support * Removal of several deprecated features The documentation has also been extended to discuss the new features, and was also reorganized. If you think something is missing from this list, or other things such as bug-fixes that should have made through, but didn't please let me know. As things stand and provided that there will be a release of nettle with the GCM support included, I'll release 2.99.3 within this month and that should be considered a prerelease of 3.0.0. The license of gnutls 3.0.0 would be GNU LGPL version 3. regards, Nikos From bradh at frogmouth.net Wed Jun 8 22:46:33 2011 From: bradh at frogmouth.net (Brad Hards) Date: Thu, 9 Jun 2011 06:46:33 +1000 Subject: roadmap for 3.0.0 In-Reply-To: References: Message-ID: <201106090646.33482.bradh@frogmouth.net> On Wed, 8 Jun 2011 09:36:10 PM Nikos Mavrogiannopoulos wrote: > The license of gnutls 3.0.0 would be GNU LGPL version 3. Can you explain the rationale for this? My concern is that there is some software that is stuck on GPL v2 (only), and LGPLv2 is compatible with that, but LGPLv3 is not. Poppler is a library that comes to mind, where it is often linked to (L)GPLv2+ code in tools like Evince and Okular (amongst others), and everything reverts back to GPLv2. Would a LGPLv3 / GPLv2 license be acceptable here? Brad From tzz at lifelogs.com Wed Jun 8 17:05:43 2011 From: tzz at lifelogs.com (Ted Zlatanov) Date: Wed, 08 Jun 2011 10:05:43 -0500 Subject: roadmap for 3.0.0 References: Message-ID: <87tyc0e52w.fsf@lifelogs.com> On Wed, 8 Jun 2011 13:22:39 +0200 Nikos Mavrogiannopoulos wrote: NM> The last commit by Stef Walter concludes the list of changes I NM> planned for gnutls 3.0.0. Those in brief were: NM> * Addition of a simple X.509 certificate verification subsystem NM> (gnutls_x509_trust_list_*) NM> * Addition of a certificate retrieval function that requires no NM> processing from gnutls (gnutls_certificate_set_retrieve_function2()) These will be appreciated for the Emacs GnuTLS interface. NM> The documentation has also been extended to discuss the new features, NM> and was also reorganized. If you think something is missing from this NM> list, or other things such as bug-fixes that should have made through, NM> but didn't please let me know. I would like to repeat my request for a string-based configuration system. Take the priority strings and extend them further, since almost everything in GnuTLS can be configured that way. You'll need a decent parser and it may end up as a multi-line format, but please consider that it's useful. Thanks Ted From nmav at gnutls.org Thu Jun 9 00:46:20 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Thu, 09 Jun 2011 00:46:20 +0200 Subject: roadmap for 3.0.0 In-Reply-To: <201106090646.33482.bradh@frogmouth.net> References: <201106090646.33482.bradh@frogmouth.net> Message-ID: <4DEFFBBC.3000701@gnutls.org> On 06/08/2011 10:46 PM, Brad Hards wrote: > On Wed, 8 Jun 2011 09:36:10 PM Nikos Mavrogiannopoulos wrote: >> The license of gnutls 3.0.0 would be GNU LGPL version 3. > Can you explain the rationale for this? > > My concern is that there is some software that is stuck on GPL v2 > (only), and LGPLv2 is compatible with that, but LGPLv3 is not. > Poppler is a library that comes to mind, where it is often linked to > (L)GPLv2+ code in tools like Evince and Okular (amongst others), and > everything reverts back to GPLv2. Would a LGPLv3 / GPLv2 license be > acceptable here? We thought about that, but it wouldn't be adequate. That is because gmp that now gnutls is linked to, is LGPLv3. Even if we allow dual license gmp doesn't. Note however that the problem is not in LGPLv3 which allows linking with everything, even proprietary programs. It is GPLv2-only that causes the issue. It can be easily solved by the authors of GPLv2-only programs by allowing linking with an LGPLv3 library (see [0]). regards, Nikos [0]. http://price.sourceforge.net/exception.html From bradh at frogmouth.net Thu Jun 9 11:38:47 2011 From: bradh at frogmouth.net (Brad Hards) Date: Thu, 9 Jun 2011 19:38:47 +1000 Subject: roadmap for 3.0.0 In-Reply-To: <4DEFFBBC.3000701@gnutls.org> References: <201106090646.33482.bradh@frogmouth.net> <4DEFFBBC.3000701@gnutls.org> Message-ID: <201106091938.47894.bradh@frogmouth.net> On Thursday 09 June 2011 08:46:20 Nikos Mavrogiannopoulos wrote: > We thought about that, but it wouldn't be adequate. That is because gmp > that now gnutls is linked to, is LGPLv3. Even if we allow dual > license gmp doesn't. Note however that the problem is not in LGPLv3 > which allows linking with everything, even proprietary programs. It is > GPLv2-only that causes the issue. It can be easily solved by the > authors of GPLv2-only programs by allowing linking with an > LGPLv3 library (see [0]). Unfortunately the poppler code is based on xpdf code, for which the original author does not appear willing to relicense. The poppler additions are GPLv2+. Is there any scope for asking gmp to do GPLv2/LGPLv3+? Is that the only issue? Brad From nmav at gnutls.org Thu Jun 9 11:44:44 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Thu, 9 Jun 2011 11:44:44 +0200 Subject: roadmap for 3.0.0 In-Reply-To: <87tyc0e52w.fsf@lifelogs.com> References: <87tyc0e52w.fsf@lifelogs.com> Message-ID: 2011/6/8 Ted Zlatanov : > On Wed, 8 Jun 2011 13:22:39 +0200 Nikos Mavrogiannopoulos wrote: > NM> ?The last commit by Stef Walter concludes the list of changes I > NM> planned for gnutls 3.0.0. Those in brief were: > NM> * Addition of a simple X.509 certificate verification subsystem > NM> (gnutls_x509_trust_list_*) > NM> * Addition of a certificate retrieval function that requires no > NM> processing from gnutls (gnutls_certificate_set_retrieve_function2()) > These will be appreciated for the Emacs GnuTLS interface. If you have any comments on their usage, or think something is missing let me know. > I would like to repeat my request for a string-based configuration > system. ?Take the priority strings and extend them further, since almost > everything in GnuTLS can be configured that way. ?You'll need a decent > parser and it may end up as a multi-line format, but please consider > that it's useful. I can see its usefulness in your use-case, but not in a generic case for a typical C program or library that will not be able to utilized them anyway. I still believe that something like that should be built on top of gnutls. regards, Nikos From nmav at gnutls.org Thu Jun 9 11:57:04 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Thu, 9 Jun 2011 11:57:04 +0200 Subject: roadmap for 3.0.0 In-Reply-To: <201106091938.47894.bradh@frogmouth.net> References: <201106090646.33482.bradh@frogmouth.net> <4DEFFBBC.3000701@gnutls.org> <201106091938.47894.bradh@frogmouth.net> Message-ID: On Thu, Jun 9, 2011 at 11:38 AM, Brad Hards wrote: >> We thought about that, but it wouldn't be adequate. That is because gmp >> that now gnutls is linked to, is LGPLv3. Even if we allow dual >> license gmp doesn't. Note however that the problem is not in LGPLv3 >> which allows linking with everything, even proprietary programs. It is >> GPLv2-only that causes the issue. It can be easily solved by the >> authors of GPLv2-only programs by allowing linking with an >> LGPLv3 library (see [0]). > Unfortunately the poppler code is based on xpdf code, for which the original > author does not appear willing to relicense. A re-license to GPLv3 is not really necessary. An exception to the license to allow linking to LGPLv3 libraries would be. This is a very sad situation, as the problem GnuTLS was solving (the need for openssl library exceptions) is now introduced by GnuTLS itself on GPLv2-only projects. > The poppler additions are GPLv2+. > Is there any scope for asking gmp to do GPLv2/LGPLv3+? Is that the only issue? We have already asked gmp and they didn't seem to be willing for the relicense. I'd suggest to contact licensing at fsf.org, not so to get a solution, but mostly to make them know this is a real problem they need to work on. I don't know how I can help here. For us dual-licensing to GPLv2/LGPLv3+ would be possible, if all the libraries in the chain (now only gmp) do the same. This is not an easy choice from the library makers also, since such a dual-license would prohibit them from copying code from plain LGPLv3+ projects. regards, Nikos From sebastiankolbe at gmail.com Sat Jun 11 00:15:29 2011 From: sebastiankolbe at gmail.com (Sebastian Kolbe) Date: Sat, 11 Jun 2011 00:15:29 +0200 Subject: Support for PKCS12 client certificate files Message-ID: Hello I'm having trouble reading / importing a p12 certificate file (with public/private key for client authentication). I used the function "gnutls_pkcs12_import" for this, but without success. Error message was "base64 decode error" (or similar). Changing some of the other parameters (crt format, flags) only brought different error messages. At last the comand line tool (certtool) produced the same error message. Version of library was 2.8.6 (standard in ubuntu) and 2.12.6.1 (latest available for download). I tried on command line with: certtool --p12-info --infile cert.p12 (The certificate itself is ok, the tools "pk12util" from NSS and openSSL were able to open the file and presenting all stored certificates.) Is there something I can do here? Is there a error in syntax or is some more initialization needed in prior? Or are PKCS12 files not fully supported? BTW: the documentation is very "skinny" at this point... Thank you in advance Sebastian -------------- next part -------------- An HTML attachment was scrubbed... URL: From nmav at gnutls.org Sat Jun 11 09:08:53 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Sat, 11 Jun 2011 09:08:53 +0200 Subject: Support for PKCS12 client certificate files In-Reply-To: References: Message-ID: <4DF31485.3040608@gnutls.org> On 06/11/2011 12:15 AM, Sebastian Kolbe wrote: > Hello > I'm having trouble reading / importing a p12 certificate file (with > public/private key for > client authentication). I used the function "gnutls_pkcs12_import" for this, > but without > success. Error message was "base64 decode error" (or similar). So you get a base64 decode error? Is your PKCS12 file base64 encoded? Did you try the GNUTLS_X509_FMT_DER flag? > Changing some of the other parameters (crt format, flags) only brought > different error messages. > At last the comand line tool (certtool) produced the same error message. > Version of library was 2.8.6 (standard in ubuntu) and 2.12.6.1 (latest > available > for download). > > I tried on command line with: > certtool --p12-info --infile cert.p12 Try adding --inder option if your pkcs12 file is not base64 encoded. > BTW: the documentation is very "skinny" at this point... Suggestions and patches are always welcome. regards, Nikos From mike at cchtml.com Mon Jun 13 18:22:17 2011 From: mike at cchtml.com (Michael Cronenworth) Date: Mon, 13 Jun 2011 11:22:17 -0500 Subject: random blocking under Windows XP Message-ID: <4DF63939.7060603@cchtml.com> Hello, I am using GnuTLS as a transport layer for an XMLRPC-like interface. The program is a cross-platform client that speaks to a Linux server. Using GnuTLS 2.8, I did not have any problems with communication. Upon recently upgrading to 2.10 I am seeing blocking under Windows XP 32-bit clients. I have tested thoroughly under Windows 7 64-bit and 32-bit and do not see blocking. My Linux clients do not see blocking either. The blocking happens randomly. Sometimes the client is never blocked the entire time the client is running. Other times the first write/read operation blocks. When the blocking occurs and I view the server, the server had already sent its data back and was waiting for the client's next move. The following is a backtrace taken with the client is blocked: (gdb) bt #0 0x7c90e514 in ntdll!LdrAccessResource () from C:\WINDOWS\system32\ntdll.dll #1 0x7c90df5a in ntdll!ZwWaitForSingleObject () from C:\WINDOWS\system32\ntdll.dll #2 0x71a5402b in ?? () from C:\WINDOWS\system32\mswsock.dll #3 0x71a557c9 in ?? () from C:\WINDOWS\system32\mswsock.dll #4 0x71ab67de in WSACancelAsyncRequest () from C:\WINDOWS\system32\ws2_32.dll #5 0x66784525 in ?? () from C:\Documents and Settings\mcronenworth\Desktop\2011-06-13-win32\bin\libgnutls-26.dll #6 0x66784d5e in ?? () from C:\Documents and Settings\mcronenworth\Desktop\2011-06-13-win32\bin\libgnutls-26.dll #7 0x667818a3 in ?? () from C:\Documents and Settings\mcronenworth\Desktop\2011-06-13-win32\bin\libgnutls-26.dll #8 0x6678293f in ?? () from C:\Documents and Settings\mcronenworth\Desktop\2011-06-13-win32\bin\libgnutls-26.dll (snipped to remove proprietary functions, but the 9th frame was a call to gnutls_record_recv()) Each time it blocks, it is in the WSACancelAsyncRequest() function. My compile environment is Fedora 15 x86_64 with mingw32-gnutls-2.10.5 installed. Any help would be appreciated. Thanks, Michael From nmav at gnutls.org Mon Jun 13 20:24:40 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Mon, 13 Jun 2011 20:24:40 +0200 Subject: random blocking under Windows XP In-Reply-To: <4DF63939.7060603@cchtml.com> References: <4DF63939.7060603@cchtml.com> Message-ID: On Mon, Jun 13, 2011 at 6:22 PM, Michael Cronenworth wrote: > Hello, > I am using GnuTLS as a transport layer for an XMLRPC-like interface. The > program is a cross-platform client that speaks to a Linux server. > Using GnuTLS 2.8, I did not have any problems with communication. Upon > recently upgrading to 2.10 I am seeing blocking under Windows XP 32-bit > clients. Does the issue exist in the latest released version (2.12.6.1)? regards, Nikos From mike at cchtml.com Mon Jun 13 21:45:34 2011 From: mike at cchtml.com (Michael Cronenworth) Date: Mon, 13 Jun 2011 14:45:34 -0500 Subject: random blocking under Windows XP In-Reply-To: References: <4DF63939.7060603@cchtml.com> Message-ID: <4DF668DE.6070909@cchtml.com> Nikos Mavrogiannopoulos on 06/13/2011 01:24 PM wrote: > Does the issue exist in the latest released version (2.12.6.1)? Yes, I see the same behavior under 2.12.6.1, compiled for Win32. Thanks. From mike at cchtml.com Mon Jun 13 22:12:19 2011 From: mike at cchtml.com (Michael Cronenworth) Date: Mon, 13 Jun 2011 15:12:19 -0500 Subject: output from gnutls 2.12.6.1 for Win32 Message-ID: <4DF66F23.30905@cchtml.com> Upon building the latest GnuTLS release for Win32 using MinGW, I had the following DLLS: libgnutls-26.def libgnutls-26.dll libgnutls-extra-26.def libgnutls-extra-26.dll libgnutls-openssl-26.def libgnutls-openssl-27.dll libgnutlsxx-27.dll Is it expected to have the -openssl lib to have a different versioned definition file? From mike at cchtml.com Tue Jun 14 00:16:40 2011 From: mike at cchtml.com (Michael Cronenworth) Date: Mon, 13 Jun 2011 17:16:40 -0500 Subject: random blocking under Windows XP In-Reply-To: References: <4DF63939.7060603@cchtml.com> Message-ID: <4DF68C48.3030308@cchtml.com> Nikos Mavrogiannopoulos on 06/13/2011 01:24 PM wrote: > Does the issue exist in the latest released version (2.12.6.1)? I have a better feeling that the problem is in my app and not the GnuTLS library after some more testing today. If I still believe it is GnuTLS I will try to provide more information. Thanks, Michael From nmav at gnutls.org Wed Jun 15 21:35:04 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Wed, 15 Jun 2011 21:35:04 +0200 Subject: output from gnutls 2.12.6.1 for Win32 In-Reply-To: <4DF66F23.30905@cchtml.com> References: <4DF66F23.30905@cchtml.com> Message-ID: <4DF90968.9030109@gnutls.org> On 06/13/2011 10:12 PM, Michael Cronenworth wrote: > Upon building the latest GnuTLS release for Win32 using MinGW, I had the > following DLLS: > > libgnutls-26.def > libgnutls-26.dll > libgnutls-extra-26.def > libgnutls-extra-26.dll > libgnutls-openssl-26.def > libgnutls-openssl-27.dll > libgnutlsxx-27.dll > Is it expected to have the -openssl lib to have a different versioned > definition file? Indeed they are not related. regards, Nikos From nmav at gnutls.org Sat Jun 18 21:30:16 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Sat, 18 Jun 2011 21:30:16 +0200 Subject: gnutls 2.99.3 Message-ID: <4DFCFCC8.1020707@gnutls.org> Hello, I've just released gnutls 2.99.3. Currently it depends on the cvs version of nettle (http://www.lysator.liu.se/~nisse/nettle/). The changes since last version are attached below. The GnuTLS 2.99.x branch is NOT what you want for your stable system. It is intended for developers and experienced users. The changes since the development release are: * Version 2.99.3 (released 2011-06-18) ** libgnutls: Added new PKCS #11 flags to force an object being private or not. (GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE and GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_PRIVATE) ** libgnutls: Added SUITEB128 and SUITEB192 priority strings to enable the NSA SuiteB cryptography ciphersuites. ** libgnutls: Added gnutls_pubkey_verify_data2() that will verify data provided the signature algorithm. ** libgnutls: Simplified the handling of handshake messages to be hashed. Instead of hashing during the handshake process we now keep the data until handshake is over and hash them on request. This uses more memory but eliminates issues with TLS 1.2 and simplifies code. ** libgnutls: Added AES-GCM optimizations using the PCLMULQDQ instruction. Uses Andy Polyakov's assembly code. ** libgnutls: Added gnutls_x509_trust_list_add_named_crt() and gnutls_x509_trust_list_verify_named_crt() that allow having a list of certificates in the trusted list that will be associated with a name (e.g. server name) and will not be used as CAs. ** libgnutls: PKCS #11 back-end rewritten to use p11-kit http://p11-glue.freedesktop.org/p11-kit.html. Rewrite by Stef Walter. ** libgnutls: Added ECDHE-PSK ciphersuites for TLS (RFC 5489). ** API and ABI modifications: gnutls_pubkey_verify_data2: ADDED gnutls_ecc_curve_get: ADDED gnutls_x509_trust_list_add_named_crt: ADDED gnutls_x509_trust_list_verify_named_crt: ADDED gnutls_x509_privkey_verify_data: REMOVED gnutls_crypto_bigint_register: REMOVED gnutls_crypto_cipher_register: REMOVED gnutls_crypto_digest_register: REMOVED gnutls_crypto_mac_register: REMOVED gnutls_crypto_pk_register: REMOVED gnutls_crypto_rnd_register: REMOVED gnutls_crypto_single_cipher_register: REMOVED gnutls_crypto_single_digest_register: REMOVED gnutls_crypto_single_mac_register: REMOVED GNUTLS_KX_ECDHE_PSK: New key exchange method GNUTLS_VERIFY_DISABLE_CRL_CHECKS: New certificate verification flag. GNUTLS_PKCS11_OBJ_FLAG_MARK_PRIVATE: New PKCS#11 object flag. GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_PRIVATE: New PKCS#11 object flag. Here are the compressed sources: ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.99.3.tar.xz ftp://ftp.gnutls.org/pub/gnutls/devel/gnutls-2.99.3.tar.xz Here is the OpenPGP signature: ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.99.3.tar.xz.sig ftp://ftp.gnutls.org/pub/gnutls/devel/gnutls-2.99.3.tar.xz.sig regards, Nikos From nmav at gnutls.org Sat Jun 18 21:35:01 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Sat, 18 Jun 2011 21:35:01 +0200 Subject: gnutls 2.12.7 Message-ID: <4DFCFDE5.3000505@gnutls.org> Hello, I've just released gnutls 2.12.7. * Version 2.12.7 (released 2011-06-18) ** p11tool: Require login as security officer if --trusted option is provided. Reported by Rickard Bellgrim. ** libgnutls: The CKA_SUBJECT field is specified when copying certificates in PKCS #11 smart-cards. Patch by Rickard Bellgrim. ** libgnutls: Write label when writing private keys in PKCS #11 tokens. Reported by Rickard Bellgrim. ** libgnutls: Accept CKR_USER_ALREADY_LOGGED_IN as a valid error code when logging in to PKCS #11 tokens. ** API and ABI modifications: No changes since last version. Getting the Software ==================== GnuTLS may be downloaded from one of the GNU mirror sites or directly >From and a list of GnuTLS mirrors can be found at . Here are the BZIP2 compressed sources: ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.12.7.tar.bz2 http://ftp.gnu.org/gnu/gnutls/gnutls-2.12.7.tar.bz2 Here are OpenPGP detached signatures signed using key 0x96865171: ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.12.7.tar.bz2.sig http://ftp.gnu.org/gnu/gnutls/gnutls-2.12.7.tar.bz2.sig Note that it has been signed with my openpgp key: pub 3104R/96865171 2008-05-04 [expires: 2028-04-29] uid Nikos Mavrogiannopoulos gnutls.org> uid Nikos Mavrogiannopoulos gmail.com> sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02] sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02] regards, Nikos From tobias-lists at 23.gs Sun Jun 19 20:38:04 2011 From: tobias-lists at 23.gs (Tobias Gruetzmacher) Date: Sun, 19 Jun 2011 20:38:04 +0200 Subject: roadmap for 3.0.0 In-Reply-To: References: Message-ID: <20110619183804.GA3838@23.gs> Hi, On Wed, Jun 08, 2011 at 01:36:10PM +0200, Nikos Mavrogiannopoulos wrote: > * Addition of hardware optimized AES and AES-GCM on CPU's that support it does this include VIA Padlock support or just AES-NI? Greetings, Tobi -- My blog: http://blog.23.gs/ GPG-Key 0xE2BEA341 - signed/encrypted mail preferred http://www.fli4l.de/ - ISDN- & DSL-Router on one disk! Registered FLI4L-User #00000003 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: Digital signature URL: From nmav at gnutls.org Sun Jun 19 23:40:43 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Sun, 19 Jun 2011 23:40:43 +0200 Subject: roadmap for 3.0.0 In-Reply-To: <20110619183804.GA3838@23.gs> References: <20110619183804.GA3838@23.gs> Message-ID: <4DFE6CDB.9040104@gnutls.org> On 06/19/2011 08:38 PM, Tobias Gruetzmacher wrote: > Hi, > > On Wed, Jun 08, 2011 at 01:36:10PM +0200, Nikos Mavrogiannopoulos wrote: >> * Addition of hardware optimized AES and AES-GCM on CPU's that support it > does this include VIA Padlock support or just AES-NI? Just AES-NI, unless someone contributes padlock code. regards, Nikos From nmav at gnutls.org Mon Jun 20 18:00:43 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Mon, 20 Jun 2011 18:00:43 +0200 Subject: gnutls 2.12.7 In-Reply-To: <1308555305.3370.423.camel@vespa.frost.loc> References: <4DFCFDE5.3000505@gnutls.org> <1308555305.3370.423.camel@vespa.frost.loc> Message-ID: <4DFF6EAB.2060004@gnutls.org> On 06/20/2011 09:35 AM, Tomas Mraz wrote: >> GnuTLS may be downloaded from one of the GNU mirror sites or directly >> From > found at and a list of GnuTLS mirrors >> can be found at . >> >> Here are the BZIP2 compressed sources: >> >> ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.12.7.tar.bz2 >> http://ftp.gnu.org/gnu/gnutls/gnutls-2.12.7.tar.bz2 > > It seems to be missing here. It is only in the > ftp://ftp.gnu.org/pub/gnutls/ Thanks, it seems I've uploaded it to alpha.gnu.org. It is now at the expected place. regards, Nikos From lucas.demarchi at profusion.mobi Wed Jun 22 02:45:29 2011 From: lucas.demarchi at profusion.mobi (Lucas De Marchi) Date: Tue, 21 Jun 2011 21:45:29 -0300 Subject: deprecating gnutls_transport_set_lowat() Message-ID: I'm a contributor of ConnMan project and we use gnutls. Recently gnutls deprecated the function gnutls_transport_set_lowat() and it seems there's no active developer in ConnMan to know what we have to do. Should we just remove that call or do we have to do something else? The code I'm talking about is this one: http://git.kernel.org/?p=network/connman/connman.git;a=blob;f=gweb/giognutls.c;h=6856a2abbaf2d63c1bbebc6ff4367a9d98cab8eb;hb=HEAD I appreciate if you could give a look in this file. Thanks Lucas De Marchi From nmav at gnutls.org Wed Jun 22 08:47:21 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Wed, 22 Jun 2011 08:47:21 +0200 Subject: deprecating gnutls_transport_set_lowat() In-Reply-To: References: Message-ID: On Wed, Jun 22, 2011 at 2:36 AM, Lucas De Marchi wrote: > Hi, > I'm a contributor of ConnMan project and we use gnutls. Recently > gnutls deprecated the function gnutls_transport_set_lowat() and it > seems there's no active developer in ConnMan to know what we have to > do. Should we just remove that call or do we have to do something > else? Hello, If you are using gnutls 2.12.0 or later removing it is the right option. That is because you disable the lowat functionality by calling it as: gnutls_transport_set_lowat(gnutls_channel->session, 0). I also see that you use the priority string "NORMAL:!VERS-TLS1.1:!VERS-TLS1.0", which disables everything except SSL 3.0. This is not the best balance between interoperability and security. I'd suggest you follow the guidelines at: http://www.gnu.org/software/gnutls/manual/html_node/Interoperability.html#Interoperability regards, Nikos From mike at cchtml.com Tue Jun 28 18:59:00 2011 From: mike at cchtml.com (Michael Cronenworth) Date: Tue, 28 Jun 2011 11:59:00 -0500 Subject: return value of gnutls_record_check_pending Message-ID: <4E0A0854.6010901@cchtml.com> Hi all, My understanding of the man page for the function gnutls_record_check_pending() says that it should return the number of bytes waiting to be read, or 0 bytes if nothing is to be read. I have run in to a case where the function is returning 0, but there really is data to be read (if I use gdb to jump past the gnutls call, data is read). Is there something I'm not understanding? example pseudo-code: while( 1 ) { ret = select( fd ); // ret == 1 ret = gnutls_record_check_pending( session ); // ret == 0 if ( ret == 0 ) continue; gnutls_record_recv( session ); } Thanks, Michael -------------- next part -------------- An HTML attachment was scrubbed... URL: From nmav at gnutls.org Tue Jun 28 22:35:08 2011 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Tue, 28 Jun 2011 23:35:08 +0300 Subject: return value of gnutls_record_check_pending In-Reply-To: <4E0A0854.6010901@cchtml.com> References: <4E0A0854.6010901@cchtml.com> Message-ID: On Tue, Jun 28, 2011 at 7:59 PM, Michael Cronenworth wrote: > Hi all, > > My understanding of the man page for the function > gnutls_record_check_pending() says that it should return the number of bytes > waiting to be read, or 0 bytes if nothing is to be read. The description of the function mentions "in the gnutls buffers". I believe this clarifies the discrepancy you see in the example below. select() checks the kernel buffers. regards, Nikos > example pseudo-code: > while( 1 ) { > ??? ret = select( fd ); > ??? // ret == 1 > ??? ret = gnutls_record_check_pending( session ); > ??? // ret == 0 > ??? if ( ret == 0 ) > ??? ??? continue; > ??? gnutls_record_recv( session ); > } > From mike at cchtml.com Wed Jun 29 00:04:38 2011 From: mike at cchtml.com (Michael Cronenworth) Date: Tue, 28 Jun 2011 17:04:38 -0500 Subject: return value of gnutls_record_check_pending In-Reply-To: References: <4E0A0854.6010901@cchtml.com> Message-ID: <4E0A4FF6.7000908@cchtml.com> Nikos Mavrogiannopoulos on 06/28/2011 03:35 PM wrote: > The description of the function mentions "in the gnutls buffers". I believe this > clarifies the discrepancy you see in the example below. select() > checks the kernel > buffers. OK. Thanks for confirming one of my theories.