From info at yorhel.nl  Fri Mar  1 12:03:50 2013
From: info at yorhel.nl (Yoran Heling)
Date: Fri, 1 Mar 2013 12:03:50 +0100
Subject: [gnutls-help] Clean TLS shutdown
Message-ID: <20130301110350.GA22152@mahoro.ispfabriek.nl>

Hello,

I'm trying to figure out how to perform a clean shutdown of a TLS session,
and how the API communicates that back to the application.

From what I understand so far, if either end of the connection wishes to
close the session, it would call gnutls_bye() with GNUTLS_SHUT_RDWR.
Assuming the other end of the session is waiting for input with
gnutls_record_recv(), it will detect this shutdown request with _recv()
returning 0 (EOF).

What should the receiving end do in such a case? If it calls close() on the
underlying socket, will the gnutls_bye() fail with an error on the other
end? Should it call gnutls_bye() itself for that to succeed?

Related to the above, is my understanding correct that when either end
closes the underlying socket without initiating a gnutls_bye(), the
gnutls_record_recv() on the other end will fail with an error?

Any clarification on these subjects is appreciated.

Yoran.


From nmav at gnutls.org  Tue Mar  5 01:04:49 2013
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Tue, 05 Mar 2013 01:04:49 +0100
Subject: [gnutls-help] Clean TLS shutdown
In-Reply-To: <20130301110350.GA22152@mahoro.ispfabriek.nl>
References: <20130301110350.GA22152@mahoro.ispfabriek.nl>
Message-ID: <513536A1.3070507@gnutls.org>

On 03/01/2013 12:03 PM, Yoran Heling wrote:
> I'm trying to figure out how to perform a clean shutdown of a TLS
> session, and how the API communicates that back to the application.
> From what I understand so far, if either end of the connection wishes to
> close the session, it would call gnutls_bye() with GNUTLS_SHUT_RDWR.
> Assuming the other end of the session is waiting for input with
> gnutls_record_recv(), it will detect this shutdown request with _recv()
> returning 0 (EOF).
Hello Yoran,
 Indeed what you say is correct.

> What should the receiving end do in such a case? If it calls close() on
> the underlying socket, will the gnutls_bye() fail with an error on the
> other end? Should it call gnutls_bye() itself for that to succeed?

It doesn't really matter in general, but indeed if you want to be polite
and prevent an error in the peer's bye call you should also terminate the
connection using gnutls_bye(). That would matter, however, in a case where
the streams close in a non-symmetric way, i.e., one calls bye with _WR, and
then continues to read the remaining data until EOF.

regards,
Nikos


From wolfgangmuehlbauer at gmx.de  Thu Mar  7 12:01:07 2013
From: wolfgangmuehlbauer at gmx.de (Wolfgang Mühlbauer)
Date: Thu, 7 Mar 2013 11:01:07 +0000 (UTC)
Subject: [gnutls-help] Assertion failure and access violation error in gnutls
References: <20110105171205.929B340704A@mx1.bel.co.in>
	<511e0d225ff7dccbe32c202d948eb7c9.squirrel@mail.bel.co.in>
Message-ID: 

 bel.co.in> writes:

> 
> Hello,
> 
> I am writing a proxy code for Windows-based clients. The browser connects
...
> int main()
> {
> .
> .
> .
> .
> 
>   if(!g_thread_supported())
>     g_thread_init (NULL);
> 
>   gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_gthreads_cbs);
> 
>   gcry_control (GCRYCTL_SUSPEND_SECMEM_WARN);
>   gcry_control (GCRYCTL_INIT_SECMEM, 16384, 0);
>   gcry_control (GCRYCTL_RESUME_SECMEM_WARN);
>   gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
> 
>   gnutls_global_init ();
...
> 2. The second problem I am facing is "access violation reading location"
> in gnutls_handshake(). Sometimes during handshake the debugger stops and
> tells unhandled exception in clientproxy.exe; access violation reading
> location 0x..... I have no idea how to resolve this. So, please can
> someone help??
> 
> Thanks,
> Snigdha
> 
> Confidentiality Notice
> 
> The information contained in this electronic message and any
> attachments to this message are intended for the exclusive use of
> the addressee(s) and may contain confidential or privileged
> information. If you are not the intended recipient, please notify
> the sender at Bharat Electronics or support bel.co.in immediately
> and destroy all copies of this message and any attachments.
> 

Hello!

Make sure your first call to libgcrypt is gcry_control(GCRYCTL_SET_THREAD_CBS,...)

http://www.gnupg.org/documentation/manuals/gcrypt/Multi_002dThreading.html

"If your application is multi-threaded, you must set the thread support
callbacks with the GCRYCTL_SET_THREAD_CBS command before any other function
in the library."

Even before g_thread_supported() and gcry_check_version (GCRYPT_VERSION), or
gcry_control(GCRYCTL_SET_THREAD_CBS,...) will return an error and your
callbacks for mutex_lock/mutex_unlock won't be called.

After I added gcry_check_version() before gcry_control(GCRYCTL_SET_THREAD_CBS),
my callbacks for mutex locking / unlocking were no longer called...

GnuTLS 2.6 / libgcrypt 11

I'm handling the handshake procedure for one connection only in one thread,
no context switching. This is the thread the CSocket was created / attached in.

Wolfgang


From florian.klickermann at gmail.com  Thu Mar 14 12:22:13 2013
From: florian.klickermann at gmail.com (Florian Klickermann)
Date: Thu, 14 Mar 2013 12:22:13 +0100
Subject: [gnutls-help] Gnutls with TPM "Handshake failed"
Message-ID: 

Hi all, and first excuse me for being a total beginner with gnutls. I'm
trying to create certificates with the TPM and connect to a server.
I use a BeagleBoard-xM, TPM 1.2 with Debian, a 3.7 kernel and gnutls-3.1.1.
I've created the following keys and certificates (pubkey, ca-cert, ca-key, cert):

$ tpmtool --generate-rsa --bits 2048 --register --user "tpmkey:uuid=9f59a38c-771a-41b8-86c9-c4f3095c6859;storage=user"

$ tpmtool --pubkey "tpmkey:uuid=9f59a38c-771a-41b8-86c9-c4f3095c6859;storage=user" --outfile=pubkey.pem

$ certtool --generate-privkey --load-privkey "tpmkey:uuid=9f59a38c-771a-41b8-86c9-c4f3095c6859;storage=user" --outfile ca-key.pem

$ certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca-cert.pem

$ certtool --generate-certificate --outfile cert.pem --load-privkey "tpmkey:uuid=9f59a38c-771a-41b8-86c9-c4f3095c6859;storage=user" --load-pubkey pubkey.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem

For a first test I create a server on the BeagleBoard and connect with the
client to localhost and get the following client error:

Server:
$ gnutls-serv --x509cafile /etc/ssl/certs/ca-cert.pem --x509keyfile /etc/ssl/certs/ca-key.pem -p 443
Set static Diffie-Hellman parameters, consider --dhparams.
Processed 1 CA certificate(s).
HTTP Server listening on IPv4 0.0.0.0 port 443...done
HTTP Server listening on IPv6 :: port 443...done

Client:
$ gnutls-cli --x509keyfile "tpmkey:uuid=9f59a38c-771a-41b8-86c9-c4f3095c6859;storage=user" --x509certfile /etc/ssl/certs/cert.pem -p 443 localhost
Processed 141 CA certificate(s).
Token 'SRK' with URL 'TPM' requires user PIN
Enter PIN:
Processed 1 client X.509 certificates...
Resolving 'localhost'...
Connecting to '127.0.0.1:443'...
*** Fatal error: A TLS fatal alert has been received.
*** Received alert [40]: Handshake failed
No certificates found!
*** Handshake has failed
GnuTLS error: A TLS fatal alert has been received.

I don't know where my mistakes are.

Thanks for your time, and moreover for those great tools.

Florian
From nmav at gnutls.org  Thu Mar 14 15:28:07 2013
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Thu, 14 Mar 2013 15:28:07 +0100
Subject: [gnutls-help] Gnutls with TPM "Handshake failed"
In-Reply-To: 
References: 
Message-ID: <5141DE77.8020300@gnutls.org>

On 03/14/2013 12:22 PM, Florian Klickermann wrote:
> Hi all, and first excuse me to be totally beginner about gnutls .I'm trying
> to create certificates with the TPM and connect to a server.
> I use a BeagleboardxM, TPM 1.2 with a Debian, 3.7 Kernel and gnutls-3.1.1.
> I've create the following keys and certificates (pubkey, ca-cert, ca-key,
> cert):
> 
> $ tpmtool --generate-rsa --bits 2048 --register --user
> tpmkey:uuid=9f59a38c-771a-41b8-86c9-c4f3095c6859;storage=user
> 
> $ tpmtool --pubkey
> "tpmkey:uuid=9f59a38c-771a-41b8-86c9-c4f3095c6859;storage=user"
> --outfile=pubkey.pem

Up to this point you have a public and private key pair, and the private
key is stored in the TPM.

> $ certtool --generate-privkey --load-privkey
> "tpmkey:uuid=9f59a38c-771a-41b8-86c9-c4f3095c6859;storage=user" --outfile
> ca-key.pem

What are you actually trying to do here? That command doesn't make sense.
If you want to generate a private key, why do you load the TPM private key?

> $ certtool --generate-certificate --outfile cert.pem --load-privkey
> "tpmkey:uuid=9f59a38c-771a-41b8-86c9-c4f3095c6859;storage=user"
> --load-pubkey pubkey.pem --load-ca-certificate ca-cert.pem
> --load-ca-privkey ca-key.pem

That last command would generate a certificate in cert.pem that corresponds
to the TPM key.

> For a first test I create a server on the BeagleBoard and connect with the
> client to local host and get the following client error:
> Server:
> $ gnutls-serv --x509cafile /etc/ssl/certs/ca-cert.pem --x509keyfile
> /etc/ssl/certs/ca-key.pem -p 443

That looks like a bug on the server. It wouldn't have started with the
options that you issued.
A server requires --x509certfile and --x509keyfile, and on those you should
set the server's certificate and private key, not the CA's.

regards,
Nikos


From rrsuj at yahoo.com  Mon Mar 18 18:24:02 2013
From: rrsuj at yahoo.com (khan wahid)
Date: Mon, 18 Mar 2013 10:24:02 -0700 (PDT)
Subject: [gnutls-help] TLS-Extension-Handling
Message-ID: <1363627442.47516.YahooMailNeo@web164506.mail.gq1.yahoo.com>

Hi,

I have downloaded version 3.1.8 (from
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/gnutls-3.1.8.tar.xz), but did not
find any lib/m4/hooks.m4 file (actually there is no "m4" directory), but I
need the file to extend GnuTLS as explained in
http://gnutls.org/manual/html_node/TLS-Extension-Handling.html.

Please help.

Thanks
Rrsuj


From nmav at gnutls.org  Wed Mar 20 08:54:56 2013
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Wed, 20 Mar 2013 08:54:56 +0100
Subject: [gnutls-help] TLS-Extension-Handling
In-Reply-To: <1363627442.47516.YahooMailNeo@web164506.mail.gq1.yahoo.com>
References: <1363627442.47516.YahooMailNeo@web164506.mail.gq1.yahoo.com>
Message-ID: 

On Mon, Mar 18, 2013 at 6:24 PM, khan wahid wrote:
> Hi,
> I have downloaded the version 3.1.8 (from
> ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/gnutls-3.1.8.tar.xz), but did not
> find any lib/m4/hooks.m4 file (actually there is no "m4" directory), but I

Hello,
 The hooks file in 3.1.x is at the m4/ directory (not lib/m4).

regards,
Nikos


From joke at seiken.de  Wed Mar 20 10:22:49 2013
From: joke at seiken.de (Joke de Buhr)
Date: Wed, 20 Mar 2013 10:22:49 +0100
Subject: [gnutls-help] OpenPGP: handshake with fingerprint not working
Message-ID: <30308012.EYumOo31Yc@localhost.localdomain>

hi,

the handshake with openpgp fingerprint is not working. gnutls 3.1.9.

it seems the handshake procedure returns -9 (GNUTLS_E_UNEXPECTED_PACKET_LENGTH)
if clients are instructed to send fingerprints during an openpgp handshake.
clients are instructed to send fingerprints via:

  gnutls_openpgp_send_cert(session, GNUTLS_OPENPGP_CERT_FINGERPRINT);

a valid callback function has been set on the server side via:

  gnutls_openpgp_set_recv_key_function(...);

during the handshake the server never calls the callback function and the
handshake returns with an error.

greetings
joke


From nmav at gnutls.org  Thu Mar 21 09:52:33 2013
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Thu, 21 Mar 2013 09:52:33 +0100
Subject: [gnutls-help] OpenPGP: handshake with fingerprint not working
In-Reply-To: <30308012.EYumOo31Yc@localhost.localdomain>
References: <30308012.EYumOo31Yc@localhost.localdomain>
Message-ID: 

On Wed, Mar 20, 2013 at 10:22 AM, Joke de Buhr wrote:
> hi,
> 
> the handshake with openpgp fingerprint is not working. gnutls 3.1.9.
> 
> it seems the handshake procedures returns -9
> (GNUTLS_E_UNEXPECTED_PACKET_LENGTH) if clients are instructed sending
> fingerprints during an openpgp handshake.
> clients are instructed to send fingerprints via:
> gnutls_openpgp_send_cert(session, GNUTLS_OPENPGP_CERT_FINGERPRINT);
> a valid callback function has been set on the server side via:
> gnutls_openpgp_set_recv_key_function(...);
> during handshake the server never calls the callback function and the
> handshakes return with an error.

Hello Joke,
 Do you have some code that reproduces the issue? Was that working on some
other gnutls version?
regards,
Nikos


From nmav at gnutls.org  Thu Mar 21 17:53:28 2013
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Thu, 21 Mar 2013 17:53:28 +0100
Subject: [gnutls-help] OpenPGP: handshake with fingerprint not working
In-Reply-To: <30308012.EYumOo31Yc@localhost.localdomain>
References: <30308012.EYumOo31Yc@localhost.localdomain>
Message-ID: <514B3B08.5080301@gnutls.org>

On 03/20/2013 10:22 AM, Joke de Buhr wrote:
> hi,
> 
> the handshake with openpgp fingerprint is not working. gnutls 3.1.9.
> it seems the handshake procedures returns -9
> (GNUTLS_E_UNEXPECTED_PACKET_LENGTH) if clients are instructed sending
> fingerprints during an openpgp handshake.

Hello,
 I just verified that and it is a bug. I've committed a fix in the
repository, but as it is now you cannot use fingerprints in the
handshake with openpgp certificates.

regards,
Nikos


From joke at seiken.de  Thu Mar 21 19:08:42 2013
From: joke at seiken.de (Joke de Buhr)
Date: Thu, 21 Mar 2013 19:08:42 +0100
Subject: [gnutls-help] OpenPGP: handshake with fingerprint not working
In-Reply-To: <514B3B08.5080301@gnutls.org>
References: <30308012.EYumOo31Yc@localhost.localdomain>
	<514B3B08.5080301@gnutls.org>
Message-ID: <2713177.n8VH3aBsI8@localhost.localdomain>

hi,

thanks for verifying it. I haven't had the time to build an example program
yet.

I'm not entirely certain but I think a gnutls function to set the retrieved
certificate (gpgme, ...) based on the fingerprint supplied during
gnutls_openpgp_recv_key_func() seems to be missing as well.

regards
joke

On Thursday 21 March 2013 17:53:28 Nikos Mavrogiannopoulos wrote:
> On 03/20/2013 10:22 AM, Joke de Buhr wrote:
> > hi,
> > 
> > the handshake with openpgp fingerprint is not working. gnutls 3.1.9.
> > it seems the handshake procedures returns -9
> > (GNUTLS_E_UNEXPECTED_PACKET_LENGTH) if clients are instructed sending
> > fingerprints during an openpgp handshake.
> 
> Hello,
> I just verified that and it is a bug.
> I've committed a fix in the
> repository, but as it is now you cannot use fingerprints in the
> handshake with openpgp certificates.
> 
> regards,
> Nikos
> 
> _______________________________________________
> Gnutls-help mailing list
> Gnutls-help at lists.gnutls.org
> http://lists.gnupg.org/mailman/listinfo/gnutls-help


From nmav at gnutls.org  Thu Mar 21 20:02:24 2013
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Thu, 21 Mar 2013 20:02:24 +0100
Subject: [gnutls-help] OpenPGP: handshake with fingerprint not working
In-Reply-To: <2713177.n8VH3aBsI8@localhost.localdomain>
References: <30308012.EYumOo31Yc@localhost.localdomain>
	<514B3B08.5080301@gnutls.org>
	<2713177.n8VH3aBsI8@localhost.localdomain>
Message-ID: <514B5940.4060504@gnutls.org>

On 03/21/2013 07:08 PM, Joke de Buhr wrote:
> hi,
> 
> thanks for verifying it. I haven't had the time to build an example program
> yet.
> 
> i'm not entirely certain but i think a gnutls function to set the retrieved
> certificate (gpgme, ...) based on the fingerprint supplied during
> gnutls_openpgp_recv_key_func() seems to be missing as well.

I don't understand what you mean here. The retrieved certificate is
returned as the last parameter in the callback.

regards,
Nikos


From joke at seiken.de  Thu Mar 21 20:07:44 2013
From: joke at seiken.de (Joke de Buhr)
Date: Thu, 21 Mar 2013 20:07:44 +0100
Subject: [gnutls-help] OpenPGP: handshake with fingerprint not working
In-Reply-To: <514B5940.4060504@gnutls.org>
References: <30308012.EYumOo31Yc@localhost.localdomain>
	<2713177.n8VH3aBsI8@localhost.localdomain>
	<514B5940.4060504@gnutls.org>
Message-ID: <7032043.aKB16kKuti@localhost.localdomain>

sorry, you're right. I simply didn't notice the "gnutls_datum_t * key"
parameter of gnutls_openpgp_recv_key_func().

regards
joke

On Thursday 21 March 2013 20:02:24 Nikos Mavrogiannopoulos wrote:
> On 03/21/2013 07:08 PM, Joke de Buhr wrote:
> > hi,
> > 
> > thanks for verifying it.
> > I haven't had the time to build an example
> > program
> > yet.
> > 
> > i'm not entirely certain but i think a gnutls function to set the
> > retrieved
> > certificate (gpgme, ...) based on the fingerprint supplied during
> > gnutls_openpgp_recv_key_func() seems to be missing as well.
> 
> I don't understand what you mean here. The retrieved certificate return
> returned as the last parameter in the callback.
> 
> regards,
> Nikos


From nmav at gnutls.org  Fri Mar 22 19:10:37 2013
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Fri, 22 Mar 2013 19:10:37 +0100
Subject: [gnutls-help] gnutls 3.0.29
Message-ID: <514C9E9D.5080807@gnutls.org>

Hello,
 I've just released gnutls 3.0.29. This is a bug-fix release on the
previous stable branch. That release also adds limited support for the
android environment.


* Version 3.0.29 (released 2013-03-22)

** certtool: When generating PKCS #12 files use by default the
ARCFOUR (RC4) cipher to be compatible with devices that don't
support AES with PKCS #12.

** libgnutls: Corrected issue in gnutls_pubkey_verify_data().

** libgnutls: gnutls_pkcs11_reinit() will reinitialize all PKCS #11
modules, and not only the ones loaded via p11-kit.

** libgnutls: Load CA certificates in android 4.x systems.

** libgnutls: Corrected issue in the (deprecated) external key
signing interface, when used with TLS 1.2. Reported by Bjorn H.
Christensen.

** libgnutls: PKCS #11 slots are scanned only when needed, not on
initialization. This speeds up gnutls initialization when smart cards
are present.

** libgnutls: Fixes in openpgp handshake with fingerprints. Reported by
Joke de Buhr.

** configure: Trust store file must be explicitly set or unset when
cross compiling.

** API and ABI modifications:
No changes since last version.
Getting the Software
====================

GnuTLS may be downloaded directly from .  A list of GnuTLS mirrors can
be found at .

Here are the XZ and LZIP compressed sources:

  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.0/gnutls-3.0.29.tar.xz
  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.0/gnutls-3.0.29.tar.lz

Here are OpenPGP detached signatures signed using key 0x96865171:

  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.0/gnutls-3.0.29.tar.xz.sig
  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.0/gnutls-3.0.29.tar.lz.sig

Note that it has been signed with my openpgp key:

pub   3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid                  Nikos Mavrogiannopoulos  gnutls.org>
uid                  Nikos Mavrogiannopoulos  gmail.com>
sub   2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub   2048R/1404A91D 2008-05-04 [expires: 2018-05-02]


regards,
Nikos


From nmav at gnutls.org  Fri Mar 22 19:47:15 2013
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Fri, 22 Mar 2013 19:47:15 +0100
Subject: [gnutls-help] gnutls 3.1.10
Message-ID: <514CA733.5080800@gnutls.org>

Hello,
 I've just released gnutls 3.1.10. This release adds new features and
fixed bugs on the current stable branch. It also adds support for the
Android system (i.e., loading the trust store, but in a more efficient
way than the 3.0.x branch).


* Version 3.1.10 (released 2013-03-22)

** certtool: When generating PKCS #12 files use by default the
ARCFOUR (RC4) cipher to be compatible with devices that don't
support AES with PKCS #12.

** libgnutls: Load CA certificates in android 4.x systems.

** libgnutls: Optimized CA certificate loading.

** libgnutls: Private keys are overwritten on deinitialization.

** libgnutls: PKCS #11 slots are scanned only when needed, not on
initialization. This speeds up gnutls initialization when smart cards
are present.

** libgnutls: Corrected issue in the (deprecated) external key
signing interface, when used with TLS 1.2. Reported by Bjorn H.
Christensen.

** libgnutls: Fixes in openpgp handshake with fingerprints. Reported by
Joke de Buhr.
** libgnutls-dane: Updated DANE verification options.

** configure: Trust store file must be explicitly set or unset when
cross compiling.

** API and ABI modifications:
gnutls_x509_crt_get_issuer_dn2: Added
gnutls_x509_crt_get_dn2: Added
gnutls_x509_crl_get_issuer_dn2: Added
gnutls_x509_crq_get_dn2: Added
gnutls_x509_trust_list_remove_trust_mem: Added
gnutls_x509_trust_list_remove_trust_file: Added
gnutls_x509_trust_list_remove_cas: Added
gnutls_session_get_desc: Added
gnutls_privkey_sign_raw_data: Added
gnutls_privkey_status: Added


Getting the Software
====================

GnuTLS may be downloaded directly from .  A list of GnuTLS mirrors can
be found at .

Here are the XZ and LZIP compressed sources:

  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/gnutls-3.1.10.tar.xz
  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/gnutls-3.1.10.tar.lz

Here are OpenPGP detached signatures signed using key 0x96865171:

  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/gnutls-3.1.10.tar.xz.sig
  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/gnutls-3.1.10.tar.lz.sig

Note that it has been signed with my openpgp key:

pub   3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid                  Nikos Mavrogiannopoulos  gnutls.org>
uid                  Nikos Mavrogiannopoulos  gmail.com>
sub   2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub   2048R/1404A91D 2008-05-04 [expires: 2018-05-02]


regards,
Nikos


From nmav at gnutls.org  Fri Mar 22 19:57:52 2013
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Fri, 22 Mar 2013 19:57:52 +0100
Subject: [gnutls-help] gnutls 3.1.10
In-Reply-To: <514CA733.5080800@gnutls.org>
References: <514CA733.5080800@gnutls.org>
Message-ID: <514CA9B0.7050107@gnutls.org>

On 03/22/2013 07:47 PM, Nikos Mavrogiannopoulos wrote:
> I've just released gnutls 3.1.10. This release adds new features and
> fixed bugs on the current stable branch. It also adds support for the
> Android system (i.e., loading the trust store, but in a more efficient
> way than the 3.0.x branch).

btw. I forgot to mention that the license was changed to LGPLv2.1+.
regards,
Nikos


From joke at seiken.de  Tue Mar 26 10:25:04 2013
From: joke at seiken.de (Joke de Buhr)
Date: Tue, 26 Mar 2013 10:25:04 +0100
Subject: [gnutls-help] heartbeat procedure
Message-ID: <7933709.k2DEecuHSZ@localhost.localdomain>

hi,

I've got a question regarding the heartbeat procedure. I'm using gnutls 3.1.10
with heartbeat support enabled.

I established a working dtls session. I activated the heartbeat on one side
(client) via

  gnutls_heartbeat_allowed(session, GNUTLS_HB_LOCAL_ALLOWED_TO_SEND);

and on the other side (server) I invoked

  gnutls_heartbeat_allowed(session, GNUTLS_HB_PEER_ALLOWED_TO_SEND);

but I'm not entirely sure if that's even necessary.

the client pings the server by doing

  gnutls_heartbeat_ping(session, 100, 0, 0);

because I need/want to handle timeouts myself.

the ping is sent to the server and the server recognizes the ping as the
loglevel messages indicate during

  ret = gnutls_record_recv(...);

but the value returned is -9 (GNUTLS_E_UNEXPECTED_PACKET_LENGTH) rather than
-293 (GNUTLS_E_HEARTBEAT_PING_RECEIVED).

I'm not sure if I'm using heartbeat the right way or if this is a bug.

by the way, the documentation of gnutls_heartbeat_set_timeouts() seems to be
copied from gnutls_dtls_set_timeouts(). the description hasn't been updated
yet.

regards
joke


From nmav at gnutls.org  Tue Mar 26 11:43:23 2013
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Tue, 26 Mar 2013 11:43:23 +0100
Subject: [gnutls-help] heartbeat procedure
In-Reply-To: <7933709.k2DEecuHSZ@localhost.localdomain>
References: <7933709.k2DEecuHSZ@localhost.localdomain>
Message-ID: 

On Tue, Mar 26, 2013 at 10:25 AM, Joke de Buhr wrote:
> hi,
> 
> if got a question regarding the heartbeat procedure. i'm using gnutls 3.1.10
> with heartbeat support enabled.
> i established a working dtls session. i activated the heartbeat on one side
> (client) via
> gnutls_heartbeat_allowed(session, GNUTLS_HB_LOCAL_ALLOWED_TO_SEND);

Hello,
 I think you need gnutls_heartbeat_enable().
Check tests/mini-dtls-heartbeat.c.

regards,
Nikos


From joke at seiken.de  Tue Mar 26 12:34:47 2013
From: joke at seiken.de (Joke de Buhr)
Date: Tue, 26 Mar 2013 12:34:47 +0100
Subject: [gnutls-help] heartbeat procedure
In-Reply-To: 
References: <7933709.k2DEecuHSZ@localhost.localdomain>
Message-ID: <1746417.X1BX7UEafN@localhost.localdomain>

sorry, while writing the email the function names got mixed up. I'm setting

  gnutls_heartbeat_enable(session, GNUTLS_HB_LOCAL_ALLOWED_TO_SEND);

on the client side and

  gnutls_heartbeat_enable(session, GNUTLS_HB_PEER_ALLOWED_TO_SEND);

on the server side. nevertheless -9 (GNUTLS_E_UNEXPECTED_PACKET_LENGTH) is
returned.

On Tuesday 26 March 2013 11:43:23 Nikos Mavrogiannopoulos wrote:
> On Tue, Mar 26, 2013 at 10:25 AM, Joke de Buhr wrote:
> > hi,
> > 
> > if got a question regarding the heartbeat procedure. i'm using gnutls
> > 3.1.10 with heartbeat support enabled.
> > i established a working dtls session. i activated the heartbeat on one
> > side
> > (client) via
> > 
> > gnutls_heartbeat_allowed(session,
> > GNUTLS_HB_LOCAL_ALLOWED_TO_SEND);
> 
> Hello,
> I think you need gnutls_heartbeat_enable(). Check
> tests/mini-dtls-heartbeat.c.
> 
> regards,
> Nikos


From nmav at gnutls.org  Tue Mar 26 13:09:43 2013
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Tue, 26 Mar 2013 13:09:43 +0100
Subject: [gnutls-help] heartbeat procedure
In-Reply-To: <1746417.X1BX7UEafN@localhost.localdomain>
References: <7933709.k2DEecuHSZ@localhost.localdomain>
	<1746417.X1BX7UEafN@localhost.localdomain>
Message-ID: 

On Tue, Mar 26, 2013 at 12:34 PM, Joke de Buhr wrote:
> sorry, during writing the email the function names got mixed up. i'm setting
> 
> gnutls_heartbeat_enable(session, GNUTLS_HB_LOCAL_ALLOWED_TO_SEND);
> and on the client side and
> gnutls_heartbeat_enable(session, GNUTLS_HB_PEER_ALLOWED_TO_SEND);

Then my advice would be to focus on the second part of the initial answer.

>> Check tests/mini-dtls-heartbeat.c.
Does this test run successfully? If yes, did you try to send heartbeats the
same way it does?

regards,
Nikos