From danut_12 at yahoo.com Wed Aug 1 14:44:05 2012
From: danut_12 at yahoo.com (slobozian daniel)
Date: Wed, 1 Aug 2012 13:44:05 +0100 (BST)
Subject: GNUTLS partial build
Message-ID: <1343825045.86185.YahooMailNeo@web29504.mail.ird.yahoo.com>
Hello,
I have a question concerning the GNUTLS build settings. I want to use only AES, RSA, SHA1 and MD5 algorithms for the project I am working on. Therefore I was searching if there is a way to compile GNUTLS with the needed algorithms in the output and nothing else.
Thank you in advance for your help
Daniel Slobozian
From r.korthaus at sirrix.com Fri Aug 3 14:39:29 2012
From: r.korthaus at sirrix.com (=?ISO-8859-15?Q?Ren=E9_Korthaus?=)
Date: Fri, 3 Aug 2012 14:39:29 +0200
Subject: Importing a PKCS#1 RSAPublicKey structure into a gnutls_pubkey_t
Message-ID: <501BC681.3010005@sirrix.com>
Hello list,
I have a smartcard that gives me a PKCS#1 RSAPublicKey structure of the
public key on the card and I need to generate a X.509
SubjectPublicKeyInfo structure from it. I already have a C++ wrapper
class that uses gnutls_pubkey_export to generate the
SubjectPublicKeyInfo structure. The question is how to import the
RSAPublicKey structure right.
As there seems to be no direct way to import from PKCS#1 I tried the
following approach, which failed:
1) Use gnutls_rsa_params_import_pkcs1 to import PKCS1 structure into
rsa_params structure
2) Use gnutls_rsa_params_export_raw to export modulus and exponent
3) Use gnutls_pubkey_import_rsa_raw to finally import modulus and
exponent into gnutls_pubkey_t
The call to gnutls_rsa_params_import_pkcs1 fails with a
GNUTLS_E_ASN1_DER_ERROR. The data can be viewed fine from within an ASN1
viewer.
Questions:
* Is there an obvious way to import PKCS#1 RSAPublicKey into a
gnutls_pubkey_t structure?
* From my short look into the code of gnutls_rsa_params_import_pkcs1, it
seems that it calls gnutls_x509_privkey_import which uses
_gnutls_privkey_decode_pkcs1_rsa_key to import a _private key_ from a
_RSAPrivateKey_ structure although, according to the doc, it "should contain a
PKCS1 RSAPublicKey structure PEM or DER encoded". Of course this fails
in my case, as what I hand over is a RSAPublicKey structure, not a
RSAPrivateKey. What's wrong here?
Please CC me when answering, as I am not on the list. Thx.
Best regards, René
--
Sirrix AG security technologies - http://www.sirrix.com
René Korthaus eMail: r.korthaus at sirrix.com
Tel +49(681) 959 86-163 Fax +49(681) 959 86-5163
PGP Key ID 0x688EF9C8 Fingerprint 1FB6 2405 51C4 79DB C008 D1D2 C2E0 1A14 688E F9C8
Executive Board: Ammar Alkassar (Chairman), Christian Stüble, Markus Bernhammer
Chairman of the Supervisory Board: Harald Stöber
Registered office: Homburg/Saar, HRB 3857, Saarbrücken Local Court
This message may contain confidential and/or privileged information. If you are not the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and
delete this message.
From nmav at gnutls.org Sat Aug 4 21:14:33 2012
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sat, 04 Aug 2012 21:14:33 +0200
Subject: gnutls 3.0.22
Message-ID: <501D7499.2020507@gnutls.org>
Hello,
I've just released gnutls 3.0.22. This is a bug-fix release on the
current stable branch.
* Version 3.0.22 (released 2012-08-04)
** libgnutls: gnutls_certificate_set_x509_system_trust()
is now supported on OpenBSD.
** libgnutls: When verifying a certificate chain make sure it is a chain.
If the chain is wrongly interrupted at some point then truncate it,
and only try to verify the correct part. Patch by David Woodhouse.
** libgnutls: Restored the behavior of gnutls_x509_privkey_import_pkcs8()
which now may (again) accept a NULL password.
** certtool: Allow the user to choose the hash algorithm
when signing certificate request or certificate revocation list.
** API and ABI modifications:
No changes since last version.
Getting the Software
====================
GnuTLS may be downloaded from one of the GNU mirror sites or directly
from . The list of GNU mirrors can be
found at and a list of GnuTLS mirrors
can be found at .
Here are the XZ compressed sources:
ftp://ftp.gnu.org/gnu/gnutls/gnutls-3.0.22.tar.xz
http://ftp.gnu.org/gnu/gnutls/gnutls-3.0.22.tar.xz
ftp://ftp.gnutls.org/pub/gnutls/gnutls-3.0.22.tar.xz
Here are the LZIP compressed sources:
ftp://ftp.gnu.org/gnu/gnutls/gnutls-3.0.22.tar.lz
http://ftp.gnu.org/gnu/gnutls/gnutls-3.0.22.tar.lz
ftp://ftp.gnutls.org/pub/gnutls/gnutls-3.0.22.tar.lz
Here are OpenPGP detached signatures signed using key 0x96865171:
ftp://ftp.gnu.org/gnu/gnutls/gnutls-3.0.22.tar.xz.sig
http://ftp.gnu.org/gnu/gnutls/gnutls-3.0.22.tar.xz.sig
ftp://ftp.gnutls.org/pub/gnutls/gnutls-3.0.22.tar.xz.sig
ftp://ftp.gnu.org/gnu/gnutls/gnutls-3.0.22.tar.lz.sig
http://ftp.gnu.org/gnu/gnutls/gnutls-3.0.22.tar.lz.sig
ftp://ftp.gnutls.org/pub/gnutls/gnutls-3.0.22.tar.lz.sig
Note that it has been signed with my openpgp key:
pub 3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid Nikos Mavrogiannopoulos gnutls.org>
uid Nikos Mavrogiannopoulos gmail.com>
sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02]
regards,
Nikos
From nmav at gnutls.org Sat Aug 4 22:31:40 2012
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sat, 04 Aug 2012 22:31:40 +0200
Subject: Importing a PKCS#1 RSAPublicKey structure into a gnutls_pubkey_t
In-Reply-To: <501BC681.3010005@sirrix.com>
References: <501BC681.3010005@sirrix.com>
Message-ID: <501D86AC.8030305@gnutls.org>
On 08/03/2012 02:39 PM, René Korthaus wrote:
> Hello list,
>
> I have a smartcard that gives me a PKCS#1 RSAPublicKey structure of the
> public key on the card and I need to generate a X.509
> SubjectPublicKeyInfo structure from it. I already have a C++ wrapper
> class that uses gnutls_pubkey_export to generate the
> SubjectPublicKeyInfo structure. The question is how to import the
> RSAPublicKey structure right.
There is no exported function in gnutls that can read the RSAPublicKey
structure. gnutls_rsa_params_t reads the private key not the public (the
documentation has a typo which I just fixed).
You can read this DER structure by using libtasn1. Check
lib/x509/key_decode.c, and the function _gnutls_x509_read_rsa_pubkey().
After extracting the values you can import them using
gnutls_pubkey_import_rsa_raw().
regards,
Nikos
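Added example (not part of the original message and not GnuTLS code): the reply above says to decode the RSAPublicKey DER and pass the raw values to gnutls_pubkey_import_rsa_raw(). The sketch below uses a small hand-written DER reader instead of libtasn1, extracts the modulus and exponent, and also shows the direct wrap into SubjectPublicKeyInfo; all function names and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { const uint8_t *p; size_t len; } der_span; /* view, no copy */

/* Read one TLV with the expected tag: *val gets the value, *in moves past it.
 * Rejects indefinite, over-long (>4 octets) and non-minimal lengths. */
static int der_read(der_span *in, uint8_t tag, der_span *val)
{
    const uint8_t *q;
    size_t rem, len, n, i;
    if (in->len < 2 || in->p[0] != tag) return -1;
    q = in->p + 2; rem = in->len - 2; len = in->p[1];
    if (len & 0x80) {
        n = len & 0x7f;
        if (n == 0 || n > 4 || n > rem || q[0] == 0) return -1;
        for (len = 0, i = 0; i < n; i++) len = (len << 8) | q[i];
        if (len < 0x80) return -1;            /* short form was required */
        q += n; rem -= n;
    }
    if (len > rem) return -1;                 /* value runs past the buffer */
    val->p = q; val->len = len;
    in->p = q + len; in->len = rem - len;
    return 0;
}

/* Accept only a positive, minimally encoded INTEGER; drop its sign octet. */
static int der_uint(der_span *v)
{
    if (v->len == 0 || (v->p[0] & 0x80)) return -1;      /* empty or negative */
    if (v->len > 1 && v->p[0] == 0) {
        if (!(v->p[1] & 0x80)) return -1;                /* needless padding */
        v->p++; v->len--;
    }
    return (v->len == 1 && v->p[0] == 0) ? -1 : 0;       /* zero is invalid */
}

/* RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }.
 * Exactly two INTEGERs and no trailing bytes, so an RSAPrivateKey (which
 * starts with a version INTEGER and carries more fields) is rejected.
 * On success n and e are big-endian spans, the form to hand to
 * gnutls_pubkey_import_rsa_raw() as datum values. */
int rsa_pkcs1_pub_parse(const uint8_t *der, size_t len, der_span *n, der_span *e)
{
    der_span in, seq;
    in.p = der; in.len = len;
    if (der_read(&in, 0x30, &seq) || in.len != 0) return -1;
    if (der_read(&seq, 0x02, n) || der_read(&seq, 0x02, e)) return -1;
    if (seq.len != 0) return -1;
    return (der_uint(n) || der_uint(e)) ? -1 : 0;
}

/* Write a DER length, return the number of octets used (at most 1 + 8). */
static size_t der_put_len(uint8_t *out, size_t len)
{
    size_t n = 0, t, i;
    if (len < 0x80) { out[0] = (uint8_t)len; return 1; }
    for (t = len; t; t >>= 8) n++;
    out[0] = (uint8_t)(0x80 | n);
    for (i = 0; i < n; i++) out[1 + i] = (uint8_t)(len >> (8 * (n - 1 - i)));
    return 1 + n;
}

/* SubjectPublicKeyInfo = SEQUENCE { AlgorithmIdentifier(rsaEncryption, NULL),
 * BIT STRING { 0 unused bits, RSAPublicKey } }.
 * Returns bytes written, or 0 on invalid input or a too-small buffer. */
size_t rsa_pkcs1_to_spki(const uint8_t *pk, size_t pk_len, uint8_t *out, size_t cap)
{
    static const uint8_t alg[] = { 0x30,0x0d, 0x06,0x09,0x2a,0x86,0x48,0x86,
                                   0xf7,0x0d,0x01,0x01,0x01, 0x05,0x00 };
    uint8_t bl[9], sl[9];
    der_span n, e;
    size_t bln, sln, body, o = 0;
    if (rsa_pkcs1_pub_parse(pk, pk_len, &n, &e)) return 0;
    bln = der_put_len(bl, pk_len + 1);        /* +1 for the unused-bits octet */
    body = sizeof alg + 1 + bln + 1 + pk_len;
    sln = der_put_len(sl, body);
    if (1 + sln + body > cap) return 0;
    out[o++] = 0x30; memcpy(out + o, sl, sln); o += sln;
    memcpy(out + o, alg, sizeof alg); o += sizeof alg;
    out[o++] = 0x03; memcpy(out + o, bl, bln); o += bln;
    out[o++] = 0x00;
    memcpy(out + o, pk, pk_len); o += pk_len;
    return o;
}

/* Constructed toy input (not a real key): RSAPublicKey { n = 0xC53B, e = 65537 } */
static const uint8_t SAMPLE_PUB[] = {
    0x30,0x0a, 0x02,0x03,0x00,0xc5,0x3b, 0x02,0x03,0x01,0x00,0x01 };
/* Constructed RSAPrivateKey-shaped input: leading version INTEGER, must fail */
static const uint8_t SAMPLE_PRIV_SHAPED[] = {
    0x30,0x0d, 0x02,0x01,0x00, 0x02,0x03,0x00,0xc5,0x3b, 0x02,0x03,0x01,0x00,0x01 };

int main(void)
{
    uint8_t spki[64];
    size_t i, n = rsa_pkcs1_to_spki(SAMPLE_PUB, sizeof SAMPLE_PUB, spki, sizeof spki);
    for (i = 0; i < n; i++) printf("%02x", spki[i]);
    printf("\n");
    return n ? 0 : 1;
}
```
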
From nmav at gnutls.org Sun Aug 5 12:38:40 2012
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sun, 05 Aug 2012 12:38:40 +0200
Subject: gnutls 3.1.0 pre-release
Message-ID: <501E4D30.6090901@gnutls.org>
Hello,
In one of the next few weeks I plan to release gnutls 3.1.0. This includes
quite some changes compared to 3.0.x, the most prominent being:
* Dependence on nettle for RSA PKCS #1 1.5 operations.
* Support for TPM keys (if trousers is available).
The former means that we save quite some code by not reimplementing this
stuff in gnutls. The TPM support means that you can use your TPM chip
to secure your private key similarly to a smart-card. Keys are referred
to by using a (for now custom) URL-like format that looks like:
tpmkey:uuid=58ad734b-bde6-45c7-89d8-756a55ad1891;storage=user
tpmkey:file=/path/to/tpmkey.pem
I've put some pre-release versions at alpha.gnu.org. Please try them and
feel free to report any issues you encounter or any other comments.
ftp://alpha.gnu.org/gnu/gnutls/gnutls-3.1.0pre0.tar.lz
ftp://alpha.gnu.org/gnu/gnutls/gnutls-3.1.0pre0.tar.xz
ftp://alpha.gnu.org/gnu/gnutls/gnutls-3.1.0pre0.tar.lz.sig
ftp://alpha.gnu.org/gnu/gnutls/gnutls-3.1.0pre0.tar.xz.sig
A more detailed changelog follows.
* Version 3.1.0pre0 (released 2012-08-05)
** libgnutls: Added direct support for TPM as a cryptographic module
in gnutls/tpm.h.
** libgnutls: requires libnettle 2.5.
** libgnutls: Use the PKCS #1 1.5 encoding provided by nettle (2.5)
for encryption and signatures.
** libgnutls: Added GNUTLS_CERT_SIGNATURE_FAILURE to differentiate between
generic errors and signature verification errors in the verification
functions.
** libgnutls: Added gnutls_pkcs12_simple_parse() as a helper function
to simplify parsing in most PKCS #12 use cases.
** libgnutls: gnutls_certificate_set_x509_simple_pkcs12_file() adds
the whole certificate chain (if any) to the credentials structure, instead
of only the end-user certificate.
** libgnutls: Key import functions such as gnutls_pkcs12_simple_parse()
and gnutls_x509_privkey_import_pkcs8(), return consistently
GNUTLS_E_DECRYPTION_FAILED if the input structure is encrypted but no
password was provided.
** libgnutlsxx: Added session::set_transport_vec_push_function. Patch
by Alexandre Bique.
** tpmtool: Added. It is a tool to generate private keys in the
TPM.
** gnutls-cli: --benchmark-tls was split to --benchmark-tls-kx
and --benchmark-tls-ciphers
** certtool: generated PKCS #12 structures may hold more than one
private key. Patch by Lucas Fisher.
** certtool: Added option --null-password to generate/decrypt keys
that use a NULL password (in schemas that distinguish between NULL
and empty passwords).
** minitasn1: Upgraded to libtasn1 version 2.13.
** API and ABI modifications:
GNUTLS_CERT_SIGNATURE_FAILURE: Added
GNUTLS_CAMELLIA_192_CBC: Added
GNUTLS_PKCS_NULL_PASSWORD: Added
gnutls_url_is_supported: Added
gnutls_pkcs11_obj_list_import_url2: Added
gnutls_pkcs11_obj_set_pin_function: Added
gnutls_pkcs11_privkey_set_pin_function: Added
gnutls_pkcs11_get_pin_function: Added
gnutls_privkey_import_tpm_raw: Added
gnutls_privkey_import_tpm_url: Added
gnutls_privkey_import_pkcs11_url: Added
gnutls_privkey_import_openpgp_raw: Added
gnutls_privkey_import_x509_raw: Added
gnutls_privkey_import_ext2: Added
gnutls_privkey_import_url: Added
gnutls_privkey_set_pin_function: Added
gnutls_tpm_privkey_generate: Added
gnutls_tpm_key_list_deinit: Added
gnutls_tpm_key_list_get_url: Added
gnutls_tpm_get_registered: Added
gnutls_tpm_privkey_delete: Added
gnutls_pubkey_import_tpm_raw: Added
gnutls_pubkey_import_tpm_url: Added
gnutls_pubkey_import_url: Added
gnutls_pubkey_verify_hash2: Added
gnutls_pubkey_set_pin_function: Added
gnutls_x509_privkey_import2: Added
gnutls_x509_privkey_import_openssl: Added
gnutls_x509_crt_set_pin_function: Added
gnutls_load_file: Added
gnutls_pkcs12_simple_parse: Added
gnutls_certificate_set_x509_system_trust: Added
gnutls_certificate_set_pin_function: Added
gnutls_x509_trust_list_add_system_trust: Added
gnutls_x509_trust_list_add_trust_file: Added
gnutls_x509_trust_list_add_trust_mem: Added
gnutls_pk_to_sign: Added
gnutls_pubkey_verify_hash: Deprecated (use gnutls_pubkey_verify_hash2)
gnutls_pubkey_verify_data: Deprecated (use gnutls_pubkey_verify_data2)
regards,
Nikos
From r.korthaus at sirrix.com Tue Aug 7 09:11:23 2012
From: r.korthaus at sirrix.com (=?ISO-8859-1?Q?Ren=E9_Korthaus?=)
Date: Tue, 7 Aug 2012 09:11:23 +0200
Subject: Importing a PKCS#1 RSAPublicKey structure into a gnutls_pubkey_t
In-Reply-To: <501D86AC.8030305@gnutls.org>
References: <501BC681.3010005@sirrix.com> <501D86AC.8030305@gnutls.org>
Message-ID: <5020BF9B.1010905@sirrix.com>
Thanks for the clarification. Then is there a reason that gnutls offers
no method to import a PKCS#1 RSAPublicKey structure - given that it is a
standard format and almost all smartcards speak it plus RSAPublicKey is
very similar to RSAPrivateKey and gnutls can already decode
RSAPrivateKey structures with _gnutls_privkey_decode_pkcs1_rsa_key. From
the code I've seen it should be fairly easy to implement and would make
us very happy. :)
Regards, René
On 04.08.2012 22:31, Nikos Mavrogiannopoulos wrote:
> On 08/03/2012 02:39 PM, René Korthaus wrote:
>
>> Hello list,
>>
>> I have a smartcard that gives me a PKCS#1 RSAPublicKey structure of the
>> public key on the card and I need to generate a X.509
>> SubjectPublicKeyInfo structure from it. I already have a C++ wrapper
>> class that uses gnutls_pubkey_export to generate the
>> SubjectPublicKeyInfo structure. The question is how to import the
>> RSAPublicKey structure right.
>
> There is no exported function in gnutls that can read the RSAPublicKey
> structure. gnutls_rsa_params_t reads the private key not the public (the
> documentation has a typo which I just fixed).
>
> You can read this DER structure by using libtasn1. Check
> lib/x509/key_decode.c, and the function _gnutls_x509_read_rsa_pubkey().
> After extracting the values you can import them using
> gnutls_pubkey_import_rsa_raw().
>
> regards,
> Nikos
From kristian.fiskerstrand at sumptuouscapital.com Wed Aug 8 02:24:38 2012
From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand)
Date: Wed, 08 Aug 2012 02:24:38 +0200
Subject: Error in handshake - Error: Could not negotiate a supported cipher
suite.
Message-ID: <5021B1C6.9030102@sumptuouscapital.com>
Hi,
I'm trying to set up mod_gnutls on apache to use OpenPGP key for a TLS
session but I'm having some trouble getting gnutls set up correctly for
a handshake. If I'm not too mistaken alert(21) indicates a decryption
error - any hints for how I should debug this?
What I have so far is - using gnutls-serv and gnutls-cli - the following;
Version information:
alpha ~ # gnutls-serv -v
gnutls-serv (GnuTLS) 2.12.20
Invocation of serv:
gnutls-serv \
-p 18000 \
-g \
--http \
--priority NORMAL:+ANON-DH \
--pgpcertfile /etc/apache2/conf/sks-keyservers.net.pub.asc \
--pgpkeyfile /etc/apache2/conf/ss/sks-keyservers.net.sec.asc \
--pgpsubkey 19EA3DAE12200409
Where the keyset is generated with the following properties, and the
secret key has no passphrase
---------------
pub 4096R/BD7B1BE43776D70C created: 2012-08-08 expires: 2014-08-08
usage: CA
trust: ultimate validity: ultimate
sub 4096R/19EA3DAE12200409 created: 2012-08-08 expires: 2014-08-08
usage: E
[ultimate] (1). sks-keyservers.net
And the files are exported using
gpg2 --homedir . -a --export 3776D70C
gpg2 --homedir . -a --export-secret-keys 3776D70C
and stored in ASCII armored format:
alpha ~ # head -1 /etc/apache2/conf/sks-keyservers.net.pub.asc
-----BEGIN PGP PUBLIC KEY BLOCK-----
alpha ~ # head -1 /etc/apache2/conf/ss/sks-keyservers.net.sec.asc
-----BEGIN PGP PRIVATE KEY BLOCK-----
This results in
alpha ss # gnutls-serv -p 18000 -g --http --priority
NORMAL:+ANON-DH --pgpcertfile
/etc/apache2/conf/sks-keyservers.net.pub.asc --pgpkeyfile
/etc/apache2/conf/ss/sks-keyservers.net.sec.asc --pgpsubkey
19EA3DAE12200409
Generating temporary RSA parameters. Please wait...
Generating Diffie-Hellman parameters [768]. Please wait...
HTTP Server listening on IPv4 0.0.0.0 port 18000...done
HTTP Server listening on IPv6 :: port 18000...bind() failed: Address
already in use
* Accepted connection from IPv4 127.0.0.1 port 35976 on Wed Aug 8
02:16:48 2012
Error in handshake
Error: Could not negotiate a supported cipher suite.
[ ... repeated for multiple attempts ...]
gnutls-cli-debug on its side reports
alpha ~ # gnutls-cli-debug -d 10 -p 18000 127.0.0.1
Resolving '127.0.0.1'...
Connecting to '127.0.0.1:18000'...
|<4>| REC[0x61d280]: Allocating epoch #0
|<2>| ASSERT: gnutls_constate.c:695
|<4>| REC[0x61d280]: Allocating epoch #1
|<3>| HSK[0x61d280]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x61d280]: Keeping ciphersuite: RSA_ARCFOUR_SHA1
|<3>| HSK[0x61d280]: Keeping ciphersuite: RSA_ARCFOUR_MD5
|<3>| HSK[0x61d280]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x61d280]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1
|<3>| HSK[0x61d280]: Removing ciphersuite: ANON_DH_3DES_EDE_CBC_SHA1
|<3>| HSK[0x61d280]: Removing ciphersuite: ANON_DH_ARCFOUR_MD5
|<3>| HSK[0x61d280]: Keeping ciphersuite: RSA_EXPORT_ARCFOUR_40_MD5
|<3>| HSK[0x61d280]: CLIENT HELLO was sent [57 bytes]
|<6>| BUF[HSK]: Inserted 57 bytes of Data
|<7>| HWRITE: enqueued 57. Total 57 bytes.
|<7>| HWRITE FLUSH: 57 bytes in buffer.
|<4>| REC[0x61d280]: Sending Packet[0] Handshake(22) with length: 57
|<7>| WRITE: enqueued 62 bytes for 0x4. Total 62 bytes.
|<4>| REC[0x61d280]: Sent Packet[1] Handshake(22) with length: 62
|<7>| HWRITE: wrote 57 bytes, 0 bytes left.
|<7>| WRITE FLUSH: 62 bytes in buffer.
|<7>| WRITE: wrote 62 bytes, 0 bytes left.
|<7>| READ: Got 5 bytes from 0x4
|<7>| READ: read 5 bytes from 0x4
|<7>| RB: Have 0 bytes into buffer. Adding 5 bytes.
|<7>| RB: Requested 5 bytes
|<4>| REC[0x61d280]: Expected Packet[0] Handshake(22) with length: 1
|<4>| REC[0x61d280]: Received Packet[0] Alert(21) with length: 2
|<7>| READ: Got 2 bytes from 0x4
|<7>| READ: read 2 bytes from 0x4
|<7>| RB: Have 5 bytes into buffer. Adding 2 bytes.
|<7>| RB: Requested 7 bytes
|<4>| REC[0x61d280]: Decrypted Packet[0] Alert(21) with length: 2
|<4>| REC[0x61d280]: Alert[2|40] - Handshake failed - was received
|<2>| ASSERT: gnutls_record.c:726
|<2>| ASSERT: gnutls_record.c:1122
|<2>| ASSERT: gnutls_handshake.c:2762
|<6>| BUF[HSK]: Cleared Data from buffer
Checking for SSL 3.0 support... no
|<6>| BUF[HSK]: Cleared Data from buffer
|<4>| REC[0x61d280]: Epoch #0 freed
|<4>| REC[0x61d280]: Epoch #1 freed
|<4>| REC[0x61d280]: Allocating epoch #0
|<2>| ASSERT: gnutls_constate.c:695
|<4>| REC[0x61d280]: Allocating epoch #1
|<3>| HSK[0x61d280]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x61d280]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1
|<3>| HSK[0x61d280]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x61d280]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1
|<3>| HSK[0x61d280]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1
|<3>| HSK[0x61d280]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1
|<3>| HSK[0x61d280]: Removing ciphersuite: ANON_DH_3DES_EDE_CBC_SHA1
|<3>| HSK[0x61d280]: Removing ciphersuite: ANON_DH_AES_128_CBC_SHA1
|<2>| EXT[0x61d280]: Sending extension SAFE RENEGOTIATION (1 bytes)
|<3>| HSK[0x61d280]: CLIENT HELLO was sent [62 bytes]
|<6>| BUF[HSK]: Inserted 62 bytes of Data
|<7>| HWRITE: enqueued 62. Total 62 bytes.
|<7>| HWRITE FLUSH: 62 bytes in buffer.
|<4>| REC[0x61d280]: Sending Packet[0] Handshake(22) with length: 62
|<7>| WRITE: enqueued 67 bytes for 0x4. Total 67 bytes.
|<4>| REC[0x61d280]: Sent Packet[1] Handshake(22) with length: 67
|<7>| HWRITE: wrote 62 bytes, 0 bytes left.
|<7>| WRITE FLUSH: 67 bytes in buffer.
|<7>| WRITE: wrote 67 bytes, 0 bytes left.
|<7>| READ: Got 5 bytes from 0x4
|<7>| READ: read 5 bytes from 0x4
|<7>| RB: Have 0 bytes into buffer. Adding 5 bytes.
|<7>| RB: Requested 5 bytes
|<4>| REC[0x61d280]: Expected Packet[0] Handshake(22) with length: 1
|<4>| REC[0x61d280]: Received Packet[0] Alert(21) with length: 2
|<7>| READ: Got 2 bytes from 0x4
|<7>| READ: read 2 bytes from 0x4
|<7>| RB: Have 5 bytes into buffer. Adding 2 bytes.
|<7>| RB: Requested 7 bytes
|<4>| REC[0x61d280]: Decrypted Packet[0] Alert(21) with length: 2
|<4>| REC[0x61d280]: Alert[2|40] - Handshake failed - was received
|<2>| ASSERT: gnutls_record.c:726
|<2>| ASSERT: gnutls_record.c:1122
|<2>| ASSERT: gnutls_handshake.c:2762
|<6>| BUF[HSK]: Cleared Data from buffer
Checking whether %COMPAT is required... yes
|<6>| BUF[HSK]: Cleared Data from buffer
|<4>| REC[0x61d280]: Epoch #0 freed
|<4>| REC[0x61d280]: Epoch #1 freed
|<4>| REC[0x61d280]: Allocating epoch #0
|<2>| ASSERT: gnutls_constate.c:695
|<4>| REC[0x61d280]: Allocating epoch #1
|<3>| HSK[0x61d280]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x61d280]: Keeping ciphersuite: RSA_ARCFOUR_SHA1
|<3>| HSK[0x61d280]: Keeping ciphersuite: RSA_ARCFOUR_MD5
|<3>| HSK[0x61d280]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x61d280]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1
|<3>| HSK[0x61d280]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1
|<3>| HSK[0x61d280]: Removing ciphersuite: ANON_DH_3DES_EDE_CBC_SHA1
|<3>| HSK[0x61d280]: Removing ciphersuite: ANON_DH_ARCFOUR_MD5
|<3>| HSK[0x61d280]: Keeping ciphersuite: RSA_EXPORT_ARCFOUR_40_MD5
|<2>| EXT[0x61d280]: Sending extension SAFE RENEGOTIATION (1 bytes)
|<3>| HSK[0x61d280]: CLIENT HELLO was sent [64 bytes]
|<6>| BUF[HSK]: Inserted 64 bytes of Data
|<7>| HWRITE: enqueued 64. Total 64 bytes.
|<7>| HWRITE FLUSH: 64 bytes in buffer.
|<4>| REC[0x61d280]: Sending Packet[0] Handshake(22) with length: 64
|<7>| WRITE: enqueued 69 bytes for 0x4. Total 69 bytes.
|<4>| REC[0x61d280]: Sent Packet[1] Handshake(22) with length: 69
|<7>| HWRITE: wrote 64 bytes, 0 bytes left.
|<7>| WRITE FLUSH: 69 bytes in buffer.
|<7>| WRITE: wrote 69 bytes, 0 bytes left.
|<7>| READ: Got 5 bytes from 0x4
|<7>| READ: read 5 bytes from 0x4
|<7>| RB: Have 0 bytes into buffer. Adding 5 bytes.
|<7>| RB: Requested 5 bytes
|<4>| REC[0x61d280]: Expected Packet[0] Handshake(22) with length: 1
|<4>| REC[0x61d280]: Received Packet[0] Alert(21) with length: 2
|<7>| READ: Got 2 bytes from 0x4
|<7>| READ: read 2 bytes from 0x4
|<7>| RB: Have 5 bytes into buffer. Adding 2 bytes.
|<7>| RB: Requested 7 bytes
|<4>| REC[0x61d280]: Decrypted Packet[0] Alert(21) with length: 2
|<4>| REC[0x61d280]: Alert[2|40] - Handshake failed - was received
|<2>| ASSERT: gnutls_record.c:726
|<2>| ASSERT: gnutls_record.c:1122
|<2>| ASSERT: gnutls_handshake.c:2762
|<6>| BUF[HSK]: Cleared Data from buffer
Checking for TLS 1.0 support... no
|<6>| BUF[HSK]: Cleared Data from buffer
|<4>| REC[0x61d280]: Epoch #0 freed
|<4>| REC[0x61d280]: Epoch #1 freed
|<4>| REC[0x61d280]: Allocating epoch #0
|<2>| ASSERT: gnutls_constate.c:695
|<4>| REC[0x61d280]: Allocating epoch #1
|<3>| HSK[0x61d280]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x61d280]: Keeping ciphersuite: RSA_ARCFOUR_SHA1
|<3>| HSK[0x61d280]: Keeping ciphersuite: RSA_ARCFOUR_MD5
|<3>| HSK[0x61d280]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x61d280]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1
|<3>| HSK[0x61d280]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1
|<3>| HSK[0x61d280]: Removing ciphersuite: ANON_DH_3DES_EDE_CBC_SHA1
|<3>| HSK[0x61d280]: Removing ciphersuite: ANON_DH_ARCFOUR_MD5
|<2>| EXT[0x61d280]: Sending extension SAFE RENEGOTIATION (1 bytes)
|<3>| HSK[0x61d280]: CLIENT HELLO was sent [62 bytes]
|<6>| BUF[HSK]: Inserted 62 bytes of Data
|<7>| HWRITE: enqueued 62. Total 62 bytes.
|<7>| HWRITE FLUSH: 62 bytes in buffer.
|<4>| REC[0x61d280]: Sending Packet[0] Handshake(22) with length: 62
|<7>| WRITE: enqueued 67 bytes for 0x4. Total 67 bytes.
|<4>| REC[0x61d280]: Sent Packet[1] Handshake(22) with length: 67
|<7>| HWRITE: wrote 62 bytes, 0 bytes left.
|<7>| WRITE FLUSH: 67 bytes in buffer.
|<7>| WRITE: wrote 67 bytes, 0 bytes left.
|<7>| READ: Got 5 bytes from 0x4
|<7>| READ: read 5 bytes from 0x4
|<7>| RB: Have 0 bytes into buffer. Adding 5 bytes.
|<7>| RB: Requested 5 bytes
|<4>| REC[0x61d280]: Expected Packet[0] Handshake(22) with length: 1
|<4>| REC[0x61d280]: Received Packet[0] Alert(21) with length: 2
|<7>| READ: Got 2 bytes from 0x4
|<7>| READ: read 2 bytes from 0x4
|<7>| RB: Have 5 bytes into buffer. Adding 2 bytes.
|<7>| RB: Requested 7 bytes
|<4>| REC[0x61d280]: Decrypted Packet[0] Alert(21) with length: 2
|<4>| REC[0x61d280]: Alert[2|40] - Handshake failed - was received
|<2>| ASSERT: gnutls_record.c:726
|<2>| ASSERT: gnutls_record.c:1122
|<2>| ASSERT: gnutls_handshake.c:2762
|<6>| BUF[HSK]: Cleared Data from buffer
Checking for TLS 1.1 support... no
|<6>| BUF[HSK]: Cleared Data from buffer
|<4>| REC[0x61d280]: Epoch #0 freed
|<4>| REC[0x61d280]: Epoch #1 freed
|<4>| REC[0x61d280]: Allocating epoch #0
|<2>| ASSERT: gnutls_constate.c:695
|<4>| REC[0x61d280]: Allocating epoch #1
|<3>| HSK[0x61d280]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x61d280]: Keeping ciphersuite: RSA_ARCFOUR_SHA1
|<3>| HSK[0x61d280]: Keeping ciphersuite: RSA_ARCFOUR_MD5
|<3>| HSK[0x61d280]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x61d280]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1
|<3>| HSK[0x61d280]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1
|<3>| HSK[0x61d280]: Removing ciphersuite: ANON_DH_3DES_EDE_CBC_SHA1
|<3>| HSK[0x61d280]: Removing ciphersuite: ANON_DH_ARCFOUR_MD5
|<2>| EXT[0x61d280]: Sending extension SAFE RENEGOTIATION (1 bytes)
|<3>| HSK[0x61d280]: CLIENT HELLO was sent [62 bytes]
|<6>| BUF[HSK]: Inserted 62 bytes of Data
|<7>| HWRITE: enqueued 62. Total 62 bytes.
|<7>| HWRITE FLUSH: 62 bytes in buffer.
|<4>| REC[0x61d280]: Sending Packet[0] Handshake(22) with length: 62
|<7>| WRITE: enqueued 67 bytes for 0x4. Total 67 bytes.
|<4>| REC[0x61d280]: Sent Packet[1] Handshake(22) with length: 67
|<7>| HWRITE: wrote 62 bytes, 0 bytes left.
|<7>| WRITE FLUSH: 67 bytes in buffer.
|<7>| WRITE: wrote 67 bytes, 0 bytes left.
|<7>| READ: Got 5 bytes from 0x4
|<7>| READ: read 5 bytes from 0x4
|<7>| RB: Have 0 bytes into buffer. Adding 5 bytes.
|<7>| RB: Requested 5 bytes
|<4>| REC[0x61d280]: Expected Packet[0] Handshake(22) with length: 1
|<4>| REC[0x61d280]: Received Packet[0] Alert(21) with length: 2
|<7>| READ: Got 2 bytes from 0x4
|<7>| READ: read 2 bytes from 0x4
|<7>| RB: Have 5 bytes into buffer. Adding 2 bytes.
|<7>| RB: Requested 7 bytes
|<4>| REC[0x61d280]: Decrypted Packet[0] Alert(21) with length: 2
|<4>| REC[0x61d280]: Alert[2|40] - Handshake failed - was received
|<2>| ASSERT: gnutls_record.c:726
|<2>| ASSERT: gnutls_record.c:1122
|<2>| ASSERT: gnutls_handshake.c:2762
|<6>| BUF[HSK]: Cleared Data from buffer
Checking fallback from TLS 1.1 to... failed
|<6>| BUF[HSK]: Cleared Data from buffer
|<4>| REC[0x61d280]: Epoch #0 freed
|<4>| REC[0x61d280]: Epoch #1 freed
|<4>| REC[0x61d280]: Allocating epoch #0
|<2>| ASSERT: gnutls_constate.c:695
|<4>| REC[0x61d280]: Allocating epoch #1
|<3>| HSK[0x61d280]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x61d280]: Keeping ciphersuite: RSA_ARCFOUR_SHA1
|<3>| HSK[0x61d280]: Keeping ciphersuite: RSA_ARCFOUR_MD5
|<3>| HSK[0x61d280]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x61d280]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1
|<3>| HSK[0x61d280]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1
|<3>| HSK[0x61d280]: Removing ciphersuite: ANON_DH_3DES_EDE_CBC_SHA1
|<3>| HSK[0x61d280]: Removing ciphersuite: ANON_DH_ARCFOUR_MD5
|<2>| EXT[0x61d280]: Sending extension SAFE RENEGOTIATION (1 bytes)
|<3>| HSK[0x61d280]: CLIENT HELLO was sent [62 bytes]
|<6>| BUF[HSK]: Inserted 62 bytes of Data
|<7>| HWRITE: enqueued 62. Total 62 bytes.
|<7>| HWRITE FLUSH: 62 bytes in buffer.
|<4>| REC[0x61d280]: Sending Packet[0] Handshake(22) with length: 62
|<7>| WRITE: enqueued 67 bytes for 0x4. Total 67 bytes.
|<4>| REC[0x61d280]: Sent Packet[1] Handshake(22) with length: 67
|<7>| HWRITE: wrote 62 bytes, 0 bytes left.
|<7>| WRITE FLUSH: 67 bytes in buffer.
|<7>| WRITE: wrote 67 bytes, 0 bytes left.
|<7>| READ: Got 5 bytes from 0x4
|<7>| READ: read 5 bytes from 0x4
|<7>| RB: Have 0 bytes into buffer. Adding 5 bytes.
|<7>| RB: Requested 5 bytes
|<4>| REC[0x61d280]: Expected Packet[0] Handshake(22) with length: 1
|<4>| REC[0x61d280]: Received Packet[0] Alert(21) with length: 2
|<7>| READ: Got 2 bytes from 0x4
|<7>| READ: read 2 bytes from 0x4
|<7>| RB: Have 5 bytes into buffer. Adding 2 bytes.
|<7>| RB: Requested 7 bytes
|<4>| REC[0x61d280]: Decrypted Packet[0] Alert(21) with length: 2
|<4>| REC[0x61d280]: Alert[2|40] - Handshake failed - was received
|<2>| ASSERT: gnutls_record.c:726
|<2>| ASSERT: gnutls_record.c:1122
|<2>| ASSERT: gnutls_handshake.c:2762
|<6>| BUF[HSK]: Cleared Data from buffer
Checking for TLS 1.2 support... no
|<6>| BUF[HSK]: Cleared Data from buffer
|<4>| REC[0x61d280]: Epoch #0 freed
|<4>| REC[0x61d280]: Epoch #1 freed
|<4>| REC[0x61d280]: Allocating epoch #0
|<2>| ASSERT: gnutls_constate.c:695
|<4>| REC[0x61d280]: Allocating epoch #1
|<3>| HSK[0x61d280]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x61d280]: Keeping ciphersuite: RSA_ARCFOUR_SHA1
|<3>| HSK[0x61d280]: Keeping ciphersuite: RSA_ARCFOUR_MD5
|<3>| HSK[0x61d280]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x61d280]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1
|<3>| HSK[0x61d280]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1
|<3>| HSK[0x61d280]: Removing ciphersuite: ANON_DH_3DES_EDE_CBC_SHA1
|<3>| HSK[0x61d280]: Removing ciphersuite: ANON_DH_ARCFOUR_MD5
|<3>| HSK[0x61d280]: Keeping ciphersuite: RSA_EXPORT_ARCFOUR_40_MD5
|<2>| EXT[0x61d280]: Sending extension SAFE RENEGOTIATION (1 bytes)
|<3>| HSK[0x61d280]: CLIENT HELLO was sent [64 bytes]
|<6>| BUF[HSK]: Inserted 64 bytes of Data
|<7>| HWRITE: enqueued 64. Total 64 bytes.
|<7>| HWRITE FLUSH: 64 bytes in buffer.
|<4>| REC[0x61d280]: Sending Packet[0] Handshake(22) with length: 64
|<7>| WRITE: enqueued 69 bytes for 0x4. Total 69 bytes.
|<4>| REC[0x61d280]: Sent Packet[1] Handshake(22) with length: 69
|<7>| HWRITE: wrote 64 bytes, 0 bytes left.
|<7>| WRITE FLUSH: 69 bytes in buffer.
|<7>| WRITE: wrote 69 bytes, 0 bytes left.
|<7>| READ: Got 5 bytes from 0x4
|<7>| READ: read 5 bytes from 0x4
|<7>| RB: Have 0 bytes into buffer. Adding 5 bytes.
|<7>| RB: Requested 5 bytes
|<4>| REC[0x61d280]: Expected Packet[0] Handshake(22) with length: 1
|<4>| REC[0x61d280]: Received Packet[0] Alert(21) with length: 2
|<7>| READ: Got 2 bytes from 0x4
|<7>| READ: read 2 bytes from 0x4
|<7>| RB: Have 5 bytes into buffer. Adding 2 bytes.
|<7>| RB: Requested 7 bytes
|<4>| REC[0x61d280]: Decrypted Packet[0] Alert(21) with length: 2
|<4>| REC[0x61d280]: Alert[2|40] - Handshake failed - was received
|<2>| ASSERT: gnutls_record.c:726
|<2>| ASSERT: gnutls_record.c:1122
|<2>| ASSERT: gnutls_handshake.c:2762
|<6>| BUF[HSK]: Cleared Data from buffer
Checking whether we need to disable TLS 1.0... yes
|<6>| BUF[HSK]: Cleared Data from buffer
|<4>| REC[0x61d280]: Epoch #0 freed
|<4>| REC[0x61d280]: Epoch #1 freed
Server does not support any of SSL 3.0, TLS 1.0 and TLS 1.1
--
----------------------------
Kristian Fiskerstrand
http://www.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Docendo discimus
We learn by teaching
----------------------------
This email was digitally signed using the OpenPGP
standard. If you want to read more about this
The book: Sending Emails - The Safe Way: An
introduction to OpenPGP security is now
available in both Amazon Kindle and Paperback
format at
http://www.amazon.com/dp/B006RSG1S4/
----------------------------
Public PGP key 0xE3EDFAE3 at http://www.sumptuouscapital.com/pgp/
From nmav at gnutls.org Wed Aug 8 15:10:51 2012
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Wed, 8 Aug 2012 15:10:51 +0200
Subject: Error in handshake - Error: Could not negotiate a supported
cipher suite.
In-Reply-To: <5021B1C6.9030102@sumptuouscapital.com>
References: <5021B1C6.9030102@sumptuouscapital.com>
Message-ID:
On Wed, Aug 8, 2012 at 2:24 AM, Kristian Fiskerstrand
wrote:
> Hi,
> I'm trying to set up mod_gnutls on apache to use OpenPGP key for a TLS
> session but I'm having some trouble getting gnutls set up correctly for
> a handshake. If I'm not too mistaken alert(21) indicates a decryption
> error - any hints for how I should debug this?
> What I have so far is - using gnutls-serv and gnutls-cli - the following;
[...]
> --priority NORMAL:+ANON-DH \
Shouldn't you enable openpgp support as well? You can do that by adding
+CTYPE-OPENPGP.
regards,
Nikos
From daniel.otte at rub.de Wed Aug 8 18:51:11 2012
From: daniel.otte at rub.de (Daniel Otte)
Date: 8 Aug 2012 18:51:11 +0200
Subject: testing error cases of tls implementation
Message-ID: <502298FF.4050306@rub.de>
Hello,
I'm currently implementing a TLS1.2 server for embedded devices (which are too
small for gnutls or openssl and all the others).
For testing I'm using gnutls (especially gnutls-cli) to get the communication
working and this currently works.
My problem is that I would like to test all the error cases (those where the
other side does not follow rfc5246). Many things can go wrong there (wrong
behavior, security leaks, memory leaks, ...) and I want to find as many of my
programming errors by testing as possible.
You get this E-Mail from me since I hope you have experience and maybe also code
which could be used.
regards,
Daniel
From nmav at gnutls.org Thu Aug 9 12:28:54 2012
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Thu, 9 Aug 2012 12:28:54 +0200
Subject: testing error cases of tls implementation
In-Reply-To: <502298FF.4050306@rub.de>
References: <502298FF.4050306@rub.de>
Message-ID:
On Wed, Aug 8, 2012 at 6:51 PM, Daniel Otte wrote:
> Hello,
> I'm currently implementing a TLS1.2 server for embedded devices (which are too
> small for gnutls or openssl and all the others).
> For testing I'm using gnutls (especially gnutls-cli) to get the communication
> working and this currently works.
> My problem is that I would like to test all the error cases (those where the
> other side does not follow rfc5246). Many things can go wrong there (wrong
> behavior, security leaks, memory leaks, ...) and I want to find as many of my
> programming errors by testing as possible.
Have you checked gnutls-cli-debug?
regards,
Nikos
From nmav at gnutls.org Thu Aug 9 14:49:13 2012
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Thu, 9 Aug 2012 14:49:13 +0200
Subject: Importing a PKCS#1 RSAPublicKey structure into a gnutls_pubkey_t
In-Reply-To: <5020BF9B.1010905@sirrix.com>
References: <501BC681.3010005@sirrix.com> <501D86AC.8030305@gnutls.org>
<5020BF9B.1010905@sirrix.com>
Message-ID:
On Tue, Aug 7, 2012 at 9:11 AM, René Korthaus wrote:
> Thanks for the clarification. Then is there a reason that gnutls offers no
> method to import a PKCS#1 RSAPublicKey structure - given that it is a
> standard format and almost all smartcards speak it plus RSAPublicKey is very
> similar to RSAPrivateKey and gnutls can already decode RSAPrivateKey
> structures with _gnutls_privkey_decode_pkcs1_rsa_key. From the code I've
> seen it should be fairly easy to implement and would make us very happy. :)
The problem is that RSAPublicKey structure is RSA specific. GnuTLS
supports the generic SubjectPublicKeyInfo structure for public keys
which may contain RSA, DSA, or ECDSA keys. If however you provide a
simple patch that reads the structure for a gnutls_pubkey_t, I'll be
happy to include it in the 3.1 release.
regards,
Nikos
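The relationship between the two structures discussed in the message above, as an added example that is not part of the thread or of GnuTLS: a SubjectPublicKeyInfo for RSA is the PKCS#1 RSAPublicKey wrapped in a BIT STRING next to the rsaEncryption AlgorithmIdentifier, so the smartcard output can be re-wrapped with plain DER handling. The function names and the toy key are constructed for illustration.

```c
/* Added example: wrap a DER PKCS#1 RSAPublicKey into an X.509
 * SubjectPublicKeyInfo. All helper names here are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* AlgorithmIdentifier { rsaEncryption (1.2.840.113549.1.1.1), NULL } */
static const uint8_t RSA_ALG_ID[] = {
    0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86,
    0xF7, 0x0D, 0x01, 0x01, 0x01, 0x05, 0x00
};

/* Read one DER tag+length header at in[*pos]. On success stores the content
 * length, advances *pos to the first content byte and returns 0. */
static int der_read_header(const uint8_t *in, size_t in_len, size_t *pos,
                           uint8_t want_tag, size_t *content_len)
{
    size_t p = *pos, len;
    if (p > in_len || in_len - p < 2 || in[p] != want_tag) return -1;
    uint8_t b = in[p + 1];
    p += 2;
    if (b < 0x80) {
        len = b;
    } else {
        size_t n = b & 0x7F;
        if (n == 0 || n > 4 || in_len - p < n) return -1; /* no indefinite form */
        len = 0;
        for (size_t i = 0; i < n; i++) len = (len << 8) | in[p + i];
        if (len < 0x80 || (n > 1 && in[p] == 0)) return -1; /* not minimal: not DER */
        p += n;
    }
    if (in_len - p < len) return -1;                      /* truncated content */
    *pos = p;
    *content_len = len;
    return 0;
}

/* Return 0 if the buffer is exactly SEQUENCE { INTEGER n, INTEGER e }. */
int rsa_public_key_check(const uint8_t *in, size_t in_len)
{
    size_t pos = 0, seq_len, int_len;
    if (der_read_header(in, in_len, &pos, 0x30, &seq_len) != 0) return -1;
    if (pos + seq_len != in_len) return -1;               /* trailing bytes */
    for (int i = 0; i < 2; i++) {
        if (der_read_header(in, in_len, &pos, 0x02, &int_len) != 0) return -1;
        if (int_len == 0 || (in[pos] & 0x80)) return -1;  /* must be positive */
        pos += int_len;
    }
    return pos == in_len ? 0 : -1; /* extra fields, e.g. an RSAPrivateKey */
}

/* Write a DER header (tag + minimal length); returns bytes written (<= 10). */
static size_t der_write_header(uint8_t *out, uint8_t tag, size_t len)
{
    size_t n = 0, i = 0;
    out[i++] = tag;
    if (len < 0x80) { out[i++] = (uint8_t)len; return i; }
    for (size_t t = len; t; t >>= 8) n++;
    out[i++] = (uint8_t)(0x80 | n);
    while (n--) out[i++] = (uint8_t)(len >> (8 * n));
    return i;
}

/* Wrap pkcs1 (DER RSAPublicKey) into a SubjectPublicKeyInfo. Returns the
 * number of bytes written, or 0 on malformed input or a too-small buffer.
 * The result is the DER that a SubjectPublicKeyInfo importer such as
 * gnutls_pubkey_import(key, &datum, GNUTLS_X509_FMT_DER) expects. */
size_t rsa_pkcs1_to_spki(const uint8_t *pkcs1, size_t pkcs1_len,
                         uint8_t *out, size_t out_cap)
{
    uint8_t bit_hdr[10], seq_hdr[10];
    if (pkcs1_len > 0xFFFF || rsa_public_key_check(pkcs1, pkcs1_len) != 0)
        return 0;
    size_t bit_len = 1 + pkcs1_len;        /* unused-bits octet + key */
    size_t bit_hdr_len = der_write_header(bit_hdr, 0x03, bit_len);
    size_t body = sizeof RSA_ALG_ID + bit_hdr_len + bit_len;
    size_t seq_hdr_len = der_write_header(seq_hdr, 0x30, body);
    if (out_cap < seq_hdr_len + body) return 0;
    uint8_t *p = out;
    memcpy(p, seq_hdr, seq_hdr_len);          p += seq_hdr_len;
    memcpy(p, RSA_ALG_ID, sizeof RSA_ALG_ID); p += sizeof RSA_ALG_ID;
    memcpy(p, bit_hdr, bit_hdr_len);          p += bit_hdr_len;
    *p++ = 0x00;                              /* BIT STRING: no unused bits */
    memcpy(p, pkcs1, pkcs1_len);              p += pkcs1_len;
    return (size_t)(p - out);
}

int main(void)
{
    /* Constructed toy key (n = 3233, e = 17), for illustration only. */
    static const uint8_t toy[] = { 0x30, 0x07, 0x02, 0x02, 0x0C, 0xA1,
                                   0x02, 0x01, 0x11 };
    uint8_t spki[64];
    size_t n = rsa_pkcs1_to_spki(toy, sizeof toy, spki, sizeof spki);
    for (size_t i = 0; i < n; i++) printf("%02X", spki[i]);
    printf("\n");
    return n ? 0 : 1;
}
```

The structural check rejects anything that is not exactly two positive INTEGERs, so an RSAPrivateKey handed over by mistake is refused instead of being wrapped.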
From kristian.fiskerstrand at sumptuouscapital.com Thu Aug 9 21:24:03 2012
From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand)
Date: Thu, 09 Aug 2012 21:24:03 +0200
Subject: Error in handshake - Error: Could not negotiate a supported cipher
suite.
In-Reply-To:
References: <5021B1C6.9030102@sumptuouscapital.com>
Message-ID: <50240E53.3000501@sumptuouscapital.com>
On 08/08/2012 03:10 PM, Nikos Mavrogiannopoulos wrote:
> On Wed, Aug 8, 2012 at 2:24 AM, Kristian Fiskerstrand
> wrote:
>> Hi,
>> I'm trying to set up mod_gnutls on apache to use OpenPGP key for a TLS
>> session but I'm having some trouble getting gnutls set up correctly for
>> a handshake. If I'm not too mistaken alert(21) indicate a decryption
>> error - any hints for how I should debug this?
>> What I have so far is - using gnutls-serv and gnutls-cli - the following;
> [...]
>> --priority NORMAL:+ANON-DH \
>
> Shouldn't you enable openpgp support as well? You can do that by adding
> +CTYPE-OPENPGP.
>
> regards,
> Nikos
>
Hi Nikos,
Thank you for the response and sorry for my late reply, got a bit
pre-occupied for a while there.
I adjusted the command to
gnutls-serv \
-p 18000 \
-g \
--http \
--priority NORMAL:+CTYPE-OPENPGP:+ANON-DH \
--pgpcertfile /etc/apache2/conf/sks-keyservers.net.pub.asc \
--pgpkeyfile /etc/apache2/conf/ss/sks-keyservers.net.sec.asc \
--pgpsubkey 19EA3DAE12200409
but I still get the same error ..
I also tried to generate dh info by certtool --generate-dh-params
and putting the params in a dh file to run
gnutls-serv \
-p 18000 \
--dhparams /root/dh \
--http \
--priority NORMAL:+CTYPE-OPENPGP:+ANON-DH \
--pgpcertfile /etc/apache2/conf/sks-keyservers.net.pub.asc \
--pgpkeyfile /etc/apache2/conf/ss/sks-keyservers.net.sec.asc \
--pgpsubkey 19EA3DAE12200409
with the same result. Any other hints?
--
----------------------------
Kristian Fiskerstrand
http://www.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Nil desperandum
Never give up
----------------------------
From nmav at gnutls.org Fri Aug 10 09:45:50 2012
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Fri, 10 Aug 2012 09:45:50 +0200
Subject: Error in handshake - Error: Could not negotiate a supported cipher
suite.
In-Reply-To: <50240E53.3000501@sumptuouscapital.com>
References: <5021B1C6.9030102@sumptuouscapital.com>
<50240E53.3000501@sumptuouscapital.com>
Message-ID: <5024BC2E.7090402@gnutls.org>
On 08/09/2012 09:24 PM, Kristian Fiskerstrand wrote:
> On 08/08/2012 03:10 PM, Nikos Mavrogiannopoulos wrote:
>> On Wed, Aug 8, 2012 at 2:24 AM, Kristian Fiskerstrand
>> wrote:
>>> Hi,
>>> I'm trying to set up mod_gnutls on apache to use OpenPGP key for a TLS
>>> session but I'm having some trouble getting gnutls set up correctly for
>>> a handshake. If I'm not too mistaken alert(21) indicate a decryption
>>> error - any hints for how I should debug this?
>>> What I have so far is - using gnutls-serv and gnutls-cli - the following;
>> [...]
>>> --priority NORMAL:+ANON-DH \
>>
>> Shouldn't you enable openpgp support as well? You can do that by adding
>> +CTYPE-OPENPGP.
> Thank you for the response and sorry for my late reply, got a bit
> pre-occupied for a while there.
> I adjusted the command to
> gnutls-serv \
> -p 18000 \
> -g \
> --http \
> --priority NORMAL:+CTYPE-OPENPGP:+ANON-DH \
> --pgpcertfile /etc/apache2/conf/sks-keyservers.net.pub.asc \
> --pgpkeyfile /etc/apache2/conf/ss/sks-keyservers.net.sec.asc \
> --pgpsubkey 19EA3DAE12200409
> but I still get the same error ..
Did you add the same priority string to the client as well? If I try the
doc/credentials/gnutls-http-serv script with a client that has the
CTYPE-OPENPGP enabled it works.
regards,
Nikos
From kristian.fiskerstrand at sumptuouscapital.com Fri Aug 10 14:27:26 2012
From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand)
Date: Fri, 10 Aug 2012 14:27:26 +0200
Subject: [Solved] Re: Error in handshake - Error: Could not negotiate a
supported cipher suite.
In-Reply-To: <5024BC2E.7090402@gnutls.org>
References: <5021B1C6.9030102@sumptuouscapital.com>
<50240E53.3000501@sumptuouscapital.com>
<5024BC2E.7090402@gnutls.org>
Message-ID: <5024FE2E.5040206@sumptuouscapital.com>
On 08/10/2012 09:45 AM, Nikos Mavrogiannopoulos wrote:
> On 08/09/2012 09:24 PM, Kristian Fiskerstrand wrote:
>
...
> Did you add the same priority string to the client as well? If I try the
> doc/credentials/gnutls-http-serv script with a client that has the
> CTYPE-OPENPGP enabled it works.
Thank you for the help Nikos,
my problems were unrelated to gnutls
--
----------------------------
Kristian Fiskerstrand
http://www.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Primum ego, tum ego, deinde ego
First I, then I, thereafter I.
----------------------------
From latze at angry-red-pla.net Fri Aug 10 17:49:55 2012
From: latze at angry-red-pla.net (Carolin Latze)
Date: Fri, 10 Aug 2012 17:49:55 +0200
Subject: GnuTLS without nettle on Ubuntu 12.04
Message-ID: <50252DA3.2060202@angry-red-pla.net>
Hi all,
I moved to Ubuntu 12.04. which comes with libnettle 2.4.x. When I try to
install GnuTLS from GIT checkout, it asks for libnettle 2.5. Are the
changes that major or could I easily run it with 2.4.x too?
Regards
Carolin
From nmav at gnutls.org Fri Aug 10 18:02:22 2012
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Fri, 10 Aug 2012 18:02:22 +0200
Subject: GnuTLS without nettle on Ubuntu 12.04
In-Reply-To: <50252DA3.2060202@angry-red-pla.net>
References: <50252DA3.2060202@angry-red-pla.net>
Message-ID: <5025308E.7090201@gnutls.org>
On 08/10/2012 05:49 PM, Carolin Latze wrote:
> Hi all,
>
> I moved to Ubuntu 12.04. which comes with libnettle 2.4.x. When I try to
> install GnuTLS from GIT checkout, it asks for libnettle 2.5. Are the
> changes that major or could I easily run it with 2.4.x too?
Unfortunately no, the master branch (gnutls 3.1.0) requires nettle 2.5.
regards,
Nikos
From nmav at gnutls.org Wed Aug 15 22:50:47 2012
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Wed, 15 Aug 2012 22:50:47 +0200
Subject: gnutls 3.1.0
Message-ID: <502C0BA7.7090302@gnutls.org>
Hello,
I've just released gnutls 3.1.0. This release is a major feature
update on gnutls 3.0.x, but is fully binary and source compatible with
it. The main additions are support for the TPM module to store
cryptographic keys, and simplified functions to access encrypted structures.
* Version 3.1.0 (released 2012-08-15)
** libgnutls: Added direct support for TPM as a cryptographic module
in gnutls/tpm.h. TPM keys can be used in functions accepting files
using URLs of the following types:
tpmkey:file=/path/to/file
tpmkey:uuid=7f468c16-cb7f-11e1-824d-b3a4f4b20343;storage=user
** libgnutls: Priority string level keywords can be combined.
For example the string "SECURE256:+SUITEB128" is now allowed.
** libgnutls: requires libnettle 2.5.
** libgnutls: Use the PKCS #1 1.5 encoding provided by nettle (2.5)
for encryption and signatures.
** libgnutls: Added GNUTLS_CERT_SIGNATURE_FAILURE to differentiate
between generic errors and signature verification errors in the
verification functions.
** libgnutls: Added gnutls_pkcs12_simple_parse() as a helper function
to simplify parsing in most PKCS #12 use cases.
** libgnutls: gnutls_certificate_set_x509_simple_pkcs12_file() adds
the whole certificate chain (if any) to the credentials structure,
instead of only the end-user certificate.
** libgnutls: Key import functions such as gnutls_pkcs12_simple_parse()
and gnutls_x509_privkey_import_pkcs8(), return consistently
GNUTLS_E_DECRYPTION_FAILED if the input structure is encrypted but no
password was provided.
** libgnutls: Added gnutls_handshake_set_timeout() a function that
allows to set the maximum time spent in a handshake.
** libgnutlsxx: Added session::set_transport_vec_push_function. Patch
by Alexandre Bique.
** tpmtool: Added. It is a tool to generate private keys in the
TPM.
** gnutls-cli: --benchmark-tls was split to --benchmark-tls-kx
and --benchmark-tls-ciphers
** certtool: generated PKCS #12 structures may hold more than one
private key. Patch by Lucas Fisher.
** certtool: Added option --null-password to generate/decrypt keys
that use a NULL password (in schemas that distinguish between NULL
and empty passwords).
** minitasn1: Upgraded to libtasn1 version 2.13.
** API and ABI modifications:
GNUTLS_CERT_SIGNATURE_FAILURE: Added
GNUTLS_CAMELLIA_192_CBC: Added
GNUTLS_PKCS_NULL_PASSWORD: Added
gnutls_url_is_supported: Added
gnutls_pkcs11_obj_list_import_url2: Added
gnutls_pkcs11_obj_set_pin_function: Added
gnutls_pkcs11_privkey_set_pin_function: Added
gnutls_pkcs11_get_pin_function: Added
gnutls_privkey_import_tpm_raw: Added
gnutls_privkey_import_tpm_url: Added
gnutls_privkey_import_pkcs11_url: Added
gnutls_privkey_import_openpgp_raw: Added
gnutls_privkey_import_x509_raw: Added
gnutls_privkey_import_ext2: Added
gnutls_privkey_import_url: Added
gnutls_privkey_set_pin_function: Added
gnutls_tpm_privkey_generate: Added
gnutls_tpm_key_list_deinit: Added
gnutls_tpm_key_list_get_url: Added
gnutls_tpm_get_registered: Added
gnutls_tpm_privkey_delete: Added
gnutls_pubkey_import_tpm_raw: Added
gnutls_pubkey_import_tpm_url: Added
gnutls_pubkey_import_url: Added
gnutls_pubkey_verify_hash2: Added
gnutls_pubkey_set_pin_function: Added
gnutls_x509_privkey_import2: Added
gnutls_x509_privkey_import_openssl: Added
gnutls_x509_crt_set_pin_function: Added
gnutls_load_file: Added
gnutls_pkcs12_simple_parse: Added
gnutls_certificate_set_x509_system_trust: Added
gnutls_certificate_set_pin_function: Added
gnutls_x509_trust_list_add_system_trust: Added
gnutls_x509_trust_list_add_trust_file: Added
gnutls_x509_trust_list_add_trust_mem: Added
gnutls_pk_to_sign: Added
gnutls_handshake_set_timeout: Added
gnutls_pubkey_verify_hash: Deprecated (use gnutls_pubkey_verify_hash2)
gnutls_pubkey_verify_data: Deprecated (use gnutls_pubkey_verify_data2)
Getting the Software
====================
GnuTLS may be downloaded from one of the GNU mirror sites or directly
from . The list of GNU mirrors can be
found at and a list of GnuTLS mirrors
can be found at .
Here are the XZ compressed sources:
ftp://ftp.gnu.org/gnu/gnutls/gnutls-3.1.0.tar.xz
http://ftp.gnu.org/gnu/gnutls/gnutls-3.1.0.tar.xz
ftp://ftp.gnutls.org/pub/gnutls/gnutls-3.1.0.tar.xz
Here are the LZIP compressed sources:
ftp://ftp.gnu.org/gnu/gnutls/gnutls-3.1.0.tar.lz
http://ftp.gnu.org/gnu/gnutls/gnutls-3.1.0.tar.lz
ftp://ftp.gnutls.org/pub/gnutls/gnutls-3.1.0.tar.lz
Here are OpenPGP detached signatures signed using key 0x96865171:
ftp://ftp.gnu.org/gnu/gnutls/gnutls-3.1.0.tar.xz.sig
http://ftp.gnu.org/gnu/gnutls/gnutls-3.1.0.tar.xz.sig
ftp://ftp.gnutls.org/pub/gnutls/gnutls-3.1.0.tar.xz.sig
ftp://ftp.gnu.org/gnu/gnutls/gnutls-3.1.0.tar.lz.sig
http://ftp.gnu.org/gnu/gnutls/gnutls-3.1.0.tar.lz.sig
ftp://ftp.gnutls.org/pub/gnutls/gnutls-3.1.0.tar.lz.sig
Note that it has been signed with my openpgp key:
pub 3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid Nikos Mavrogiannopoulos gnutls.org>
uid Nikos Mavrogiannopoulos
gmail.com>
sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02]
regards,
Nikos
From r.korthaus at sirrix.com Thu Aug 16 14:11:10 2012
From: r.korthaus at sirrix.com (=?UTF-8?B?UmVuw6kgS29ydGhhdXM=?=)
Date: Thu, 16 Aug 2012 14:11:10 +0200
Subject: Importing a PKCS#1 RSAPublicKey structure into a gnutls_pubkey_t
In-Reply-To:
References: <501BC681.3010005@sirrix.com> <501D86AC.8030305@gnutls.org>
<5020BF9B.1010905@sirrix.com>
Message-ID: <502CE35E.1040903@sirrix.com>
Am 09.08.2012 14:49, schrieb Nikos Mavrogiannopoulos:
> On Tue, Aug 7, 2012 at 9:11 AM, René Korthaus wrote:
>> Thanks for the clarification. Then is there a reason that gnutls offers no
>> method to import a PKCS#1 RSAPublicKey structure - given that it is a
>> standard format and almost all smartcards speak it plus RSAPublicKey is very
>> similar to RSAPrivateKey and gnutls can already decode RSAPrivateKey
>> structures with _gnutls_privkey_decode_pkcs1_rsa_key. From the code I've
>> seen it should be fairly easy to implement and would make us very happy. :)
> The problem is that RSAPublicKey structure is RSA specific. GnuTLS
> supports the generic SubjectPublicKeyInfo structure for public keys
> which may contain RSA, DSA, or ECDSA keys. If however you provide a
> simple patch that reads the structure for a gnutls_pubkey_t, I'll be
> happy to include it in the 3.1 release.
Sorry for the delay, we are very busy ATM. I'll be happy to provide a
patch. Let me see what I can do in the next few days.
Best, René
>
> regards,
> Nikos
--
Sirrix AG security technologies - http://www.sirrix.com
René Korthaus eMail: r.korthaus at sirrix.com
Tel +49(681) 959 86-163 Fax +49(681) 959 86-5163
PGP Key ID 0x688EF9C8 Fingerprint 1FB6 2405 51C4 79DB C008 D1D2 C2E0 1A14 688E F9C8
From latze at angry-red-pla.net Fri Aug 17 15:10:58 2012
From: latze at angry-red-pla.net (Carolin Latze)
Date: Fri, 17 Aug 2012 15:10:58 +0200
Subject: GnuTLS without nettle on Ubuntu 12.04
In-Reply-To: <5025308E.7090201@gnutls.org>
References: <50252DA3.2060202@angry-red-pla.net> <5025308E.7090201@gnutls.org>
Message-ID: <502E42E2.1050905@angry-red-pla.net>
On 08/10/2012 06:02 PM, Nikos Mavrogiannopoulos wrote:
> On 08/10/2012 05:49 PM, Carolin Latze wrote:
>
>> Hi all,
>>
>> I moved to Ubuntu 12.04. which comes with libnettle 2.4.x. When I try to
>> install GnuTLS from GIT checkout, it asks for libnettle 2.5. Are the
>> changes that major or could I easily run it with 2.4.x too?
>
> Unfortunately no, the master branch (gnutls 3.1.0) requires nettle 2.5.
>
Since I have to set up a new system then anyways, which Linux do you use
in which version? I tried Debian wheezy and Ubuntu 12.04 for the moment
and both come with nettle 2.4.x.
Regards
Carolin
From latze at angry-red-pla.net Fri Aug 17 15:23:17 2012
From: latze at angry-red-pla.net (Carolin Latze)
Date: Fri, 17 Aug 2012 15:23:17 +0200
Subject: GnuTLS without nettle on Ubuntu 12.04
In-Reply-To: <0M8W004GGIA1T360@mailout2.samsung.com>
References: <0M8W004GGIA1T360@mailout2.samsung.com>
Message-ID: <502E45C5.9040802@angry-red-pla.net>
On 08/17/2012 03:17 PM, Sarat Chandra Addepalli wrote:
> Hi Carolin,
>
> On 08/10/2012 06:02 PM, Nikos Mavrogiannopoulos wrote:
> > On 08/10/2012 05:49 PM, Carolin Latze wrote:
> >
> >> Hi all,
> >>
> >> I moved to Ubuntu 12.04. which comes with libnettle 2.4.x. When I
> try to
> >> install GnuTLS from GIT checkout, it asks for libnettle 2.5. Are the
> >> changes that major or could I easily run it with 2.4.x too?
> >
> > Unfortunately no, the master branch (gnutls 3.1.0) requires nettle 2.5.
> >
>
> >Since I have to set up a new system then anyways, which Linux do you use
> >in which version? I tried Debian wheezy and Ubuntu 12.04 for the moment
> >and both come with nettle 2.4.x.
>
> shouldn't something like simply downloading nettle 2.5 (from git or
> whatever is its scm tool)
>
> and installing it suffice? I fail to see why you would have to revamp
> your OS...
>
Oh lol, it is Friday hm. You are right.
From superuser at gmail.com Fri Aug 17 21:06:05 2012
From: superuser at gmail.com (Murray S. Kucherawy)
Date: Fri, 17 Aug 2012 12:06:05 -0700
Subject: Question about gnutls_global_set_log_function()
Message-ID:
I'm writing a multithreaded application that could be doing RSA
signature generations and/or validations in parallel.
Right now gnutls_global_set_log_function() allows me to specify an
error reporting function, but in theory any thread could call it. It
would be helpful to receive something thread-specific in the function
I provide to gnutls_global_set_log_function() so that, for example, a
buffer could be assigned per thread to receive this information.
As it stands right now I have to do something like a pthread_key to
get thread-specific storage from the underlying threading
implementation. Not having that dependency would be desirable. Being
able to add gnutls_set_thread_specific() that stores a thread-specific
pointer would be helpful, and then that could be done inside my global
log function to take thread-specific action.
Thanks for any help here.
-MSK
From tk at giga.or.at Fri Aug 17 21:31:42 2012
From: tk at giga.or.at (Thomas Klausner)
Date: Fri, 17 Aug 2012 21:31:42 +0200
Subject: upgrading from 2 to 3: gnutls_certificate_get_x509_c{a,rl}s
Message-ID: <20120817193142.GF24913@danbala.tuwien.ac.at>
Hi!
First off: I know nothing about gnutls except what I can google
together. I'm looking at compiling freeDiameter-1.1.2 on my system,
which has gnutls-3.0.22 installed.
It doesn't compile because of
../libfdcore/libfdcore.so.1.1.2: undefined reference to `gnutls_certificate_get_x509_crls'
../libfdcore/libfdcore.so.1.1.2: undefined reference to `gnutls_certificate_get_x509_cas'
I found
http://www.gnu.org/software/gnutls/manual/html_node/Upgrading-from-previous-versions.html
which says:
gnutls_certificate_get_x509_crls, gnutls_certificate_get_x509_cas:
Removed to allow updating the internal structures. Replaced by
gnutls_certificate_get_issuer.
The code looks like this:
GNUTLS_TRACE( gnutls_certificate_get_x509_cas (fd_g_config->cnf_sec_data.credentials, &CA_list, (unsigned int *) &CA_list_length) );
GNUTLS_TRACE( gnutls_certificate_get_x509_crls (fd_g_config->cnf_sec_data.credentials, &CRL_list, (unsigned int *) &CRL_list_length) );
CHECK_GNUTLS_DO( gnutls_x509_crt_list_verify(certs, cert_max, CA_list, CA_list_length, CRL_list, CRL_list_length, 0, &verify),
{
TRACE_DEBUG(INFO, "Failed to verify the local certificate '%s' against local credentials. Please check your certificate is valid.", fd_g_config->cnf_sec_data.cert_file);
return EINVAL;
} );
I don't see how I can replace gnutls_certificate_get_x509_cas and
gnutls_certificate_get_x509_crls with gnutls_certificate_get_issuer
here because gnutls_x509_crt_list_verify needs CA_list and CRL_list
filled out by the two functions.
Please advise.
If we come up with a fix, the next question will be what you recommend
on keeping code backwards compatible with gnutls-2.
Thanks,
Thomas
From nmav at gnutls.org Sat Aug 18 09:03:32 2012
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sat, 18 Aug 2012 09:03:32 +0200
Subject: upgrading from 2 to 3: gnutls_certificate_get_x509_c{a,rl}s
In-Reply-To: <20120817193142.GF24913@danbala.tuwien.ac.at>
References: <20120817193142.GF24913@danbala.tuwien.ac.at>
Message-ID: <502F3E44.70602@gnutls.org>
On 08/17/2012 09:31 PM, Thomas Klausner wrote:
> Hi!
>
> First off: I know nothing about gnutls except what I can google
> together. I'm looking at compiling freeDiameter-1.1.2 on my system,
> which has gnutls-3.0.22 installed.
> It doesn't compile because of
> ../libfdcore/libfdcore.so.1.1.2: undefined reference to `gnutls_certificate_get_x509_crls'
> ../libfdcore/libfdcore.so.1.1.2: undefined reference to `gnutls_certificate_get_x509_cas'
> I found
> http://www.gnu.org/software/gnutls/manual/html_node/Upgrading-from-previous-versions.html
> which says:
> gnutls_certificate_get_x509_crls, gnutls_certificate_get_x509_cas:
> Removed to allow updating the internal structures. Replaced by
> gnutls_certificate_get_issuer.
Indeed. The above functions are no longer available.
> The code looks like this:
>
> GNUTLS_TRACE( gnutls_certificate_get_x509_cas (fd_g_config->cnf_sec_data.credentials, &CA_list, (unsigned int *) &CA_list_length) );
> GNUTLS_TRACE( gnutls_certificate_get_x509_crls (fd_g_config->cnf_sec_data.credentials, &CRL_list, (unsigned int *) &CRL_list_length) );
> CHECK_GNUTLS_DO( gnutls_x509_crt_list_verify(certs, cert_max, CA_list, CA_list_length, CRL_list, CRL_list_length, 0, &verify),
> {
> TRACE_DEBUG(INFO, "Failed to verify the local certificate '%s' against local credentials. Please check your certificate is valid.", fd_g_config->cnf_sec_data.cert_file);
> return EINVAL;
> } );
What the code you quote is doing is verifying certs of cert_max size
against the CA_list and CRL_list received from the previous calls.
You can do a similar thing using gnutls_certificate_get_issuer(). You
get the issuer of certs[cert_max-1] and verify against that. That would
be something similar to:
gnutls_x509_crt_t CA; /* issuer of the last certificate in certs */
CHECK_GNUTLS_DO(
gnutls_certificate_get_issuer(fd_g_config->cnf_sec_data.credentials,
certs[cert_max-1], &CA, 0), { /* cannot find issuer */ return EINVAL; } );
/* the CA list argument is a pointer to an array, here of one issuer */
CHECK_GNUTLS_DO( gnutls_x509_crt_list_verify(certs, cert_max, &CA, 1,
NULL, 0, 0, &verify), { /* failed to verify */ return EINVAL; } );
> I don't see how I can replace gnutls_certificate_get_x509_cas and
> gnutls_certificate_get_x509_crls with gnutls_certificate_get_issuer
> here because gnutls_x509_crt_list_verify needs CA_list and CRL_list
> filled out by the two functions.
The verification against the CRLs isn't available. If you want to do
elaborate verification you may use the functions at:
http://www.gnu.org/software/gnutls/manual/html_node/Verifying-X_002e509-certificate-paths.html#Verifying-X_002e509-certificate-paths
The certificate structure is supposed to be used by functions like
gnutls_certificate_verify_peers2().
> If we come up with a fix, the next question will be what you recommend
> on keeping code backwards compatible with gnutls-2.
In that case you'll have to use conditional code, or use
gnutls_certificate_verify_peers2() if possible (if in the actual snippet
above you're verifying the peer's certificate).
regards,
Nikos
From nmav at gnutls.org Sat Aug 18 09:21:34 2012
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sat, 18 Aug 2012 09:21:34 +0200
Subject: Question about gnutls_global_set_log_function()
In-Reply-To:
References:
Message-ID: <502F427E.3060809@gnutls.org>
On 08/17/2012 09:06 PM, Murray S. Kucherawy wrote:
> I'm writing a multithreaded application that could be doing RSA
> signature generations and/or validations in parallel.
>
> Right now gnutls_global_set_log_function() allows me to specify an
> error reporting function, but in theory any thread could call it. It
> would be helpful to receive something thread-specific in the function
> I provide to gnutls_global_set_log_function() so that, for example, a
> buffer could be assigned per thread to receive this information.
Indeed. However this is a debugging function, not one that is typically
expected to run. Which error conditions do you try to catch using those?
The only related function I can see is
gnutls_global_set_audit_log_function() which supplies the session argument.
> As it stands right now I have to do something like a pthread_key to
> get thread-specific storage from the underlying threading
> implementation. Not having that dependency would be desirable. Being
> able to add gnutls_set_thread_specific() that stores a thread-specific
> pointer would be helpful, and then that could be done inside my global
> log function to take thread-specific action.
What do you mean? Where would the thread-specific pointer be stored?
regards,
Nikos
From superuser at gmail.com Sun Aug 19 06:23:39 2012
From: superuser at gmail.com (Murray S. Kucherawy)
Date: Sat, 18 Aug 2012 21:23:39 -0700
Subject: Question about gnutls_global_set_log_function()
In-Reply-To: <502F427E.3060809@gnutls.org>
References:
<502F427E.3060809@gnutls.org>
Message-ID:
I suppose I'm comparing this to the openssl method where there's a
per-thread queue of error codes which can then be translated to
strings. You might get 0 or 1 back from RSA_verify(), for example,
but if you want detail you have to go into the per-thread error stack,
extract codes, and translate them to strings.
It may be the case that the GNUTLS equivalent functions are more
descriptive. If that's the case, then I probably don't need this
capability after all.
-MSK
From nmav at gnutls.org Sun Aug 19 09:17:25 2012
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sun, 19 Aug 2012 09:17:25 +0200
Subject: Question about gnutls_global_set_log_function()
In-Reply-To:
References:
<502F427E.3060809@gnutls.org>
Message-ID: <50309305.6080201@gnutls.org>
On 08/19/2012 06:23 AM, Murray S. Kucherawy wrote:
> I suppose I'm comparing this to the openssl method where there's a
> per-thread queue of error codes which can then be translated to
> strings. You might get 0 or 1 back from RSA_verify(), for example,
> but if you want detail you have to go into the per-thread error stack,
> extract codes, and translate them to strings.
>
> It may be the case that the GNUTLS equivalent functions are more
> descriptive. If that's the case, then I probably don't need this
> capability after all.
Indeed. There is nothing like an errno style of error codes in gnutls.
Each function returns a proper error code.
regards,
Nikos
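The pthread_key approach mentioned at the start of this thread, as an added example that is not code from any poster or from GnuTLS: one global callback with the gnutls_log_func signature appends each line to a buffer owned by the calling thread. It relies on the callback running on the thread that made the library call; the struct, the helper names and the log lines are constructed, and the worker threads call the callback directly in place of GnuTLS.

```c
/* Added example: per-thread capture of debug-log lines through a single
 * global callback. Names other than the callback signature are hypothetical. */
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LOG_CAP 512

struct thread_log { char text[LOG_CAP]; size_t used; };

static pthread_key_t log_key;
static pthread_once_t log_once = PTHREAD_ONCE_INIT;

/* free() runs as the key destructor when a thread exits. */
static void log_key_init(void) { pthread_key_create(&log_key, free); }

/* Return the calling thread's buffer, allocating it on first use. */
struct thread_log *thread_log_get(void)
{
    pthread_once(&log_once, log_key_init);
    struct thread_log *tl = pthread_getspecific(log_key);
    if (tl == NULL) {
        tl = calloc(1, sizeof *tl);
        if (tl != NULL && pthread_setspecific(log_key, tl) != 0) {
            free(tl);
            tl = NULL;
        }
    }
    return tl;
}

/* Same signature as gnutls_log_func: void (*)(int level, const char *msg).
 * With GnuTLS it would be registered once, before any thread starts:
 *     gnutls_global_set_log_function(per_thread_log);
 *     gnutls_global_set_log_level(2);
 */
void per_thread_log(int level, const char *msg)
{
    struct thread_log *tl = thread_log_get();
    if (tl == NULL) return;
    int n = snprintf(tl->text + tl->used, LOG_CAP - tl->used,
                     "|<%d>| %s", level, msg);
    if (n > 0) {
        size_t room = LOG_CAP - tl->used - 1;
        tl->used += (size_t)n < room ? (size_t)n : room; /* truncate when full */
    }
}

struct worker { int id; char captured[LOG_CAP]; };

/* Stand-in for a thread doing GnuTLS work: the callback is invoked here with
 * constructed messages, as the library would do on the calling thread. */
static void *worker_main(void *arg)
{
    struct worker *w = arg;
    char msg[64];
    for (int i = 0; i < 3; i++) {
        snprintf(msg, sizeof msg, "ASSERT: worker%d step %d\n", w->id, i);
        per_thread_log(2, msg);
    }
    struct thread_log *tl = thread_log_get();
    if (tl != NULL) memcpy(w->captured, tl->text, LOG_CAP);
    return NULL;
}

/* Run up to 8 workers; return how many captured exactly their own lines. */
int run_workers(int nthreads)
{
    enum { MAX = 8 };
    pthread_t tid[MAX];
    struct worker w[MAX];
    int ok = 0;
    if (nthreads > MAX) nthreads = MAX;
    for (int i = 0; i < nthreads; i++) {
        w[i].id = i;
        w[i].captured[0] = '\0';
        if (pthread_create(&tid[i], NULL, worker_main, &w[i]) != 0) {
            nthreads = i;   /* join only the threads that started */
            break;
        }
    }
    for (int i = 0; i < nthreads; i++) {
        char expect[LOG_CAP] = "", line[80];
        pthread_join(tid[i], NULL);
        for (int s = 0; s < 3; s++) {
            snprintf(line, sizeof line, "|<2>| ASSERT: worker%d step %d\n", i, s);
            strcat(expect, line);
        }
        ok += strcmp(w[i].captured, expect) == 0;
    }
    return ok;
}

int main(void)
{
    printf("%d of 4 workers saw only their own log lines\n", run_workers(4));
    return 0;
}
```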
From ognen.duzlevski at gmail.com Tue Aug 21 01:05:45 2012
From: ognen.duzlevski at gmail.com (Ognen Duzlevski)
Date: Mon, 20 Aug 2012 18:05:45 -0500
Subject: Problem with GnuTLS/openssl
Message-ID:
Hello,
I have a Debian 6.0.5 server running OpenLDAP which appears to be linked
against GnuTLS. I have generated a self-signed certificate using certtool
and have successfully used it to authenticate Debian client machines
against the OpenLDAP ldaps:// server in question.
However, when I try to do the same on a CentOS 6 client, I am unable to do
so.
On the CentOS client, if I try to run ldapsearch against the server, I get
the following:
ldap_start_tls: Can't contact LDAP server (-1)
additional info: TLS error -8101:Certificate type not approved for
application.
On the CentOS client, if I try to run gnutls-cli-debug, I get the following:
gnutls-cli-debug -p 636 ldap.blahblah.com
Resolving 'ldap.blahblah.com'...
Connecting to '10.6.0.11:636'...
Error in %INITIAL_SAFE_RENEGOTIATION
Checking for Safe renegotiation support...
And then it just dies.
I am getting the feeling this has something to do with GnuTLS and openssl?
Any ideas?
Thanks!
OD
From nmav at gnutls.org Tue Aug 21 10:36:45 2012
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Tue, 21 Aug 2012 10:36:45 +0200
Subject: Problem with GnuTLS/openssl
In-Reply-To:
References:
Message-ID:
On Tue, Aug 21, 2012 at 1:05 AM, Ognen Duzlevski
wrote:
> Hello,
> I have a Debian 6.0.5 server running OpenLDAP which appears to be linked
> against GnuTLS. I have generated a self-signed certificate using certtool
> and have successfully used it to authenticate Debian client machines against
> the OpenLDAP ldaps:// server in question.
> However, when I try to do the same on a CentOS 6 client, I am unable to do
> so.
> On the CentOS client, if I try to run ldapsearch against the server, I get
> the following:
> ldap_start_tls: Can't contact LDAP server (-1)
> additional info: TLS error -8101:Certificate type not approved for
> application.
This is an error I cannot help with. You should check with an
openldap mailing list.
> On the CentOS client, if I try to run gnutls-cli-debug, I get the following:
> gnutls-cli-debug -p 636 ldap.blahblah.com
> Resolving 'ldap.blahblah.com'...
> Connecting to '10.6.0.11:636'...
> Error in %INITIAL_SAFE_RENEGOTIATION
> Checking for Safe renegotiation support...
Which version of libgnutls and gnutls-bin is installed in that system?
It seems like they have an old library but new binaries.
regards,
Nikos
From simon at josefsson.org Tue Aug 21 12:19:26 2012
From: simon at josefsson.org (Simon Josefsson)
Date: Tue, 21 Aug 2012 12:19:26 +0200
Subject: Problem with GnuTLS/openssl
In-Reply-To:
(Ognen Duzlevski's message of "Mon, 20 Aug 2012 18:05:45 -0500")
References:
Message-ID: <87628ck0nl.fsf@latte.josefsson.org>
Ognen Duzlevski writes:
> Hello,
>
> I have a Debian 6.0.5 server running OpenLDAP which appears to be linked
> against GnuTLS. I have generated a self-signed certificate using certtool
> and have successfully used it to authenticate Debian client machines
> against the OpenLDAP ldaps:// server in question.
>
> However, when I try to do the same on a CentOS 6 client, I am unable to do
> so.
>
> On the CentOS client, if I try to run ldapsearch against the server, I get
> the following:
>
> ldap_start_tls: Can't contact LDAP server (-1)
> additional info: TLS error -8101:Certificate type not approved for
> application.
Maybe you need to answer one of these with 'y' when you generate the
cert:
Is this also a TLS web server certificate? (y/N):
Will the certificate be used for signing (required for TLS)? (y/N):
Will the certificate be used for encryption (not required for TLS)? (y/N):
/Simon
From ognen.duzlevski at gmail.com Tue Aug 21 18:10:49 2012
From: ognen.duzlevski at gmail.com (Ognen Duzlevski)
Date: Tue, 21 Aug 2012 11:10:49 -0500
Subject: Problem with GnuTLS/openssl
In-Reply-To:
References:
Message-ID:
Nikos,
On Tue, Aug 21, 2012 at 3:36 AM, Nikos Mavrogiannopoulos wrote:
> Which version of libgnutls and gnutls-bin is installed in that system?
> It seems like they have an old library but new binaries.
>
>
Thanks for answering.
Here is the output of ldd /usr/bin/gnutls-cli-debug
[root at dualamd ~]# ldd /usr/bin/gnutls-cli-debug
linux-vdso.so.1 => (0x00007fff58fff000)
libgnutls.so.26 => /usr/lib64/libgnutls.so.26 (0x0000003d4f000000)
libc.so.6 => /lib64/libc.so.6 (0x0000003dec800000)
libtasn1.so.3 => /usr/lib64/libtasn1.so.3 (0x0000003e01000000)
libz.so.1 => /lib64/libz.so.1 (0x0000003dee000000)
libgcrypt.so.11 => /usr/local/lib/libgcrypt.so.11
(0x00007f2d102f3000)
/lib64/ld-linux-x86-64.so.2 (0x0000003dec400000)
libgpg-error.so.0 => /usr/local/lib/libgpg-error.so.0
(0x00007f2d100ef000)
I compiled my own versions of libgnutls and latest gnutls-cli binaries and
it all worked, I was able to get gnutls-cli-debug to connect to my server
and give me the report I expected.
Now the question becomes what kind of surgery I need to do to this box to
get it to authenticate to ldap via tls.
Cheers,
Ognen
From nmav at gnutls.org Wed Aug 22 11:05:00 2012
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Wed, 22 Aug 2012 11:05:00 +0200
Subject: Problem with GnuTLS/openssl
In-Reply-To:
References:
Message-ID:
On Tue, Aug 21, 2012 at 6:10 PM, Ognen Duzlevski
wrote:
> Thanks for answering.
> Here is the output of ldd /usr/bin/gnutls-cli-debug
You'd better check the versions of the installed packages in the
distribution. It is not easy to find the actual version for the shared
library version.
> I compiled my own versions of libgnutls and latest gnutls-cli binaries and
> it all worked, I was able to get gnutls-cli-debug to connect to my server
> and give me the report I expected.
Try to report the issue in your distribution.
> Now the question becomes what kind of surgery I need to do to this box to
> get it to authenticate to ldap via tls.
Doesn't the ldap work with the new library you installed?
regards,
Nikos
From tomackermann at gmail.com Fri Aug 24 09:42:11 2012
From: tomackermann at gmail.com (Tom Ackermann)
Date: Fri, 24 Aug 2012 09:42:11 +0200
Subject: certtool never asks for CA-password when signing certificates
Message-ID:
Hi all
I have already posted this in several (ubuntu-) forums but haven't received
any hints so far, maybe somebody on this list can shed some light on this:
When creating a CA with a password, certtool never again asks for the
password when signing new certificates.
Steps to reproduce (on Ubuntu 12.04, amd64)
----
[root at host] certtool -v
certtool (GnuTLS) 2.12.14
(...)
----
1. Create a private key for the CA:
----
[root at host] certtool --generate-privkey --outfile ca_tls.key --password "secret"
(...)
----
2. Create a self-signed certificate for the CA
----
[root at host] certtool --generate-self-signed --load-privkey ca_tls.key --outfile ca_tls.cert --password "secret"
Generating a self signed certificate...
Please enter the details of the certificate's distinguished name. Just
press enter to ignore a field.
(...)
Does the certificate belong to an authority? (y/N): y
Path length constraint (decimal, -1 for no constraint): -1
Is this a TLS web client certificate? (y/N): n
Will the certificate be used for IPsec IKE operations? (y/N):
Is this also a TLS web server certificate? (y/N): n
Enter the e-mail of the subject of the certificate:
Will the certificate be used to sign other certificates? (y/N): y
Will the certificate be used to sign CRLs? (y/N): y
Will the certificate be used to sign code? (y/N): y
Will the certificate be used to sign OCSP requests? (y/N): y
(...)
----
3. Create a key for the server
----
[root at host] certtool --generate-privkey --outfile server_tls.key
----
4. Create a certificate for the server
----
[root at host] certtool --generate-certificate --load-privkey server_tls.key --load-ca-certificate ca_tls.cert --load-ca-privkey ca_tls.key --outfile server_tls.cert
Generating a signed certificate...
Please enter the details of the certificate's distinguished name. Just
press enter to ignore a field.
(...)
Does the certificate belong to an authority? (y/N):
Is this a TLS web client certificate? (y/N):
Will the certificate be used for IPsec IKE operations? (y/N):
Is this also a TLS web server certificate? (y/N): y
Enter a dnsName of the subject of the certificate: server
Enter a dnsName of the subject of the certificate: server.com
Enter a dnsName of the subject of the certificate: www.server.com
Enter a dnsName of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N):
Will the certificate be used for encryption (RSA ciphersuites)? (y/N): y
(...)
Is the above information ok? (y/N): y
Signing certificate...
----
The certificate for the server gets created and works fine (e.g. importing
the CA cert in firefox and configuring apache with the server cert).
However, I would expect to be asked for the CA password (created in step1)
when signing the certificate in step 4. This doesn't happen.
By the way: Why can I even define a password for the CA certificate in step
2? I would think a password for the CA key should be sufficient?
Thanks!
From nmav at gnutls.org Fri Aug 24 14:40:51 2012
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Fri, 24 Aug 2012 14:40:51 +0200
Subject: certtool never asks for CA-password when signing certificates
In-Reply-To:
References:
Message-ID:
On Fri, Aug 24, 2012 at 9:42 AM, Tom Ackermann wrote:
> Hi all
> I have already posted this in several (ubuntu-) forums but haven't received
> any hints so far, maybe somebody on this list can shed some light on this:
> When creating a CA with a password, certtool never again asks for the
> password when signing new certificates.
Thanks for reporting that. The default key format doesn't support any
passwords. You have to use the PKCS #8 format (with the --pkcs8
parameter). I'll put a check to do it automatically if a password has
been supplied.
regards,
Nikos
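
Added example (not part of the thread and not certtool's own code): a check of whether a PEM key file on disk is actually password-protected, which is the condition the report above turned on. It assumes the standard PEM armor labels; the function names and the sample files are constructed for illustration and contain no real key material.

```shell
#!/bin/sh
# Classify a PEM private key file by its armor lines. The whole file is
# searched, so text that precedes the PEM block does not matter.
classify_key() {
    f=$1
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f"; then
        echo pkcs8-encrypted            # PKCS #8, password-protected
    elif grep -q -e '-----BEGIN PRIVATE KEY-----' "$f"; then
        echo pkcs8-plain                # PKCS #8, no password
    elif grep -Eq -e '-----BEGIN (RSA|DSA|EC) PRIVATE KEY-----' "$f"; then
        # Traditional format: only encrypted if a Proc-Type header says so.
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
            echo legacy-encrypted
        else
            echo legacy-plain
        fi
    else
        echo unknown
    fi
}

# Report each file's class; return 1 if any file is not password-protected.
audit_keys() {
    rc=0
    for f in "$@"; do
        kind=$(classify_key "$f")
        case $kind in
            pkcs8-encrypted|legacy-encrypted) echo "ok          $f ($kind)" ;;
            *) echo "UNPROTECTED $f ($kind)"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed samples: a default-format key, a PKCS #8 encrypted key, and a
# traditional key carrying an encryption header. Bodies are placeholders.
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' 'Public Key Info:' '-----BEGIN RSA PRIVATE KEY-----' \
        'AAAA' '-----END RSA PRIVATE KEY-----' > "$d/ca_tls.key"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' \
        'AAAA' '-----END ENCRYPTED PRIVATE KEY-----' > "$d/ca_tls_pkcs8.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-128-CBC,00' '' 'AAAA' \
        '-----END RSA PRIVATE KEY-----' > "$d/legacy_enc.key"
    echo "$d"
}

d=$(make_samples)
audit_keys "$d"/*.key || echo "unprotected key found: regenerate with --pkcs8 and a password"
rm -rf "$d"
```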
From bortzmeyer at nic.fr Tue Aug 28 11:28:17 2012
From: bortzmeyer at nic.fr (Stephane Bortzmeyer)
Date: Tue, 28 Aug 2012 11:28:17 +0200
Subject: www.gnutls.org does not have TLS...
Message-ID: <20120828092816.GA26625@nic.fr>
% gnutls-cli www.gnutls.org
Processed 150 CA certificate(s).
Resolving 'www.gnutls.org'...
Connecting to '199.59.163.239:443'...
Cannot connect to www.gnutls.org:443: Connection refused
:-(
From bortzmeyer at nic.fr Tue Aug 28 11:30:08 2012
From: bortzmeyer at nic.fr (Stephane Bortzmeyer)
Date: Tue, 28 Aug 2012 11:30:08 +0200
Subject: Any TLS server with OpenPGP certificates?
Message-ID: <20120828093008.GA26733@nic.fr>
GnuTLS has handled OpenPGP certificates (RFC 6091) for a long time. Does
anyone know of a TLS server in the wild using these?
From mr_mol13 at hotmail.com Tue Aug 28 19:23:20 2012
From: mr_mol13 at hotmail.com (Minh Nguyen Huu)
Date: Tue, 28 Aug 2012 17:23:20 +0000
Subject: GNUTLS + MingGW help
Message-ID:
Hi,
I'm trying to compile the gnutls library using MinGW on Windows 7 (64bit). After some struggling, I've managed to compile Nettle (+GMP), however I cannot make GNUTLS. When I run ./configure in the GNUTLS everything seems ok, but when I try to make the library I keep getting the same error, which I have pasted below. Does anyone have experience making gnutls on Windows and can help me out?
Thanks in advance,
Minh
*** Warning: This system can not link to static lib archive D:/MinGW/lib/libgmp.la.
*** I have the capability to make that library automatically link in when
*** you link to this library. But I can only do this if you have a
*** shared version of the library, which you do not appear to have.
Creating library file: .libs/libgnutls.dll.a
nettle/.libs/libcrypto.a(mpi.o): In function `wrap_nettle_mpi_new':
D:\MinGW\msys\1.0\home\Minh\gnutls-3.0.22\lib\nettle/mpi.c:97: undefined reference to `___gmpz_init2'
nettle/.libs/libcrypto.a(mpi.o): In function `wrap_nettle_mpi_div':
D:\MinGW\msys\1.0\home\Minh\gnutls-3.0.22\lib\nettle/mpi.c:342: undefined reference to `___gmpz_cdiv_q'
nettle/.libs/libcrypto.a(ecc_make_key.o): In function `ecc_make_key':
D:\MinGW\msys\1.0\home\Minh\gnutls-3.0.22\lib\nettle/ecc_make_key.c:142: undefined reference to `___gmpz_set_str'
D:\MinGW\msys\1.0\home\Minh\gnutls-3.0.22\lib\nettle/ecc_make_key.c:143: undefined reference to `___gmpz_set_str'
D:\MinGW\msys\1.0\home\Minh\gnutls-3.0.22\lib\nettle/ecc_make_key.c:144: undefined reference to `___gmpz_set_str'
D:\MinGW\msys\1.0\home\Minh\gnutls-3.0.22\lib\nettle/ecc_make_key.c:145: undefined reference to `___gmpz_set_str'
D:\MinGW\msys\1.0\home\Minh\gnutls-3.0.22\lib\nettle/ecc_make_key.c:146: undefined reference to `___gmpz_set_str'
nettle/.libs/libcrypto.a(ecc_make_key.o):D:\MinGW\msys\1.0\home\Minh\gnutls-3.0.22\lib\nettle/ecc_make_key.c:147: more undefined references to `___gmpz_set_str' follow
nettle/.libs/libcrypto.a(ecc_projective_dbl_point_3.o): In function `ecc_projective_dbl_point':
D:\MinGW\msys\1.0\home\Minh\gnutls-3.0.22\lib\nettle/ecc_projective_dbl_point_3.c:113: undefined reference to `___gmpz_divexact_ui'
nettle/.libs/libcrypto.a(ecc_projective_add_point.o): In function `ecc_projective_add_point':
D:\MinGW\msys\1.0\home\Minh\gnutls-3.0.22\lib\nettle/ecc_projective_add_point.c:214: undefined reference to `___gmpz_divexact_ui'
collect2.exe: error: ld returned 1 exit status
make[3]: *** [libgnutls.la] Error 1
make[3]: Leaving directory `/home/Minh/gnutls-3.0.22/lib'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/home/Minh/gnutls-3.0.22/lib'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/Minh/gnutls-3.0.22'
make: *** [all] Error 2
From nmav at gnutls.org Wed Aug 29 10:54:58 2012
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Wed, 29 Aug 2012 10:54:58 +0200
Subject: www.gnutls.org does not have TLS...
In-Reply-To: <20120828092816.GA26625@nic.fr>
References: <20120828092816.GA26625@nic.fr>
Message-ID:
On Tue, Aug 28, 2012 at 11:28 AM, Stephane Bortzmeyer wrote:
> % gnutls-cli www.gnutls.org
> Processed 150 CA certificate(s).
> Resolving 'www.gnutls.org'...
> Connecting to '199.59.163.239:443'...
> Cannot connect to www.gnutls.org:443: Connection refused
Unfortunately we don't have the resources to sustain an https server.
regards,
Nikos
From nmav at gnutls.org Wed Aug 29 13:31:48 2012
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Wed, 29 Aug 2012 13:31:48 +0200
Subject: Any TLS server with OpenPGP certificates?
In-Reply-To: <20120828093008.GA26733@nic.fr>
References: <20120828093008.GA26733@nic.fr>
Message-ID:
On Tue, Aug 28, 2012 at 11:30 AM, Stephane Bortzmeyer wrote:
> GnuTLS has handled OpenPGP certificates (RFC 6091) for a long time. Does
> anyone know of a TLS server in the wild using these?
mod_gnutls [0] can be used with openpgp certificates. I don't know if
or which Internet servers use it.
regards,
Nikos
[0]. http://modgnutls.sourceforge.net/