From nmav at gnutls.org  Sat Nov  2 08:28:44 2013
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sat, 02 Nov 2013 08:28:44 +0100
Subject: [gnutls-help] certtool does not encrypt private keyfiles
In-Reply-To: <52726A06.8070402@gmail.com>
References: <52726A06.8070402@gmail.com>
Message-ID: <5274A9AC.80100@gnutls.org>

On 10/31/2013 03:32 PM, w94f8726ui wrote:
> Hi,
> 
> i generate a key with the following line:
> 
> /usr/local/bin/certtool -p -8 --pkcs-cipher=aes-256
> --disable-quick-random --sec-param=ultra --password=XXXXX --outfile
> XXXXX.key
> 
> Now i have a wonderful keyfile with a minor problem.
> The keyfile holds, pricate key, x and y in UNENCRYPTED values.
> After that the encrypted keypart starts.
> 
> So, is this a bug or do i have to manually remove the unencrypted parts?
> Cause i think a lot of folks generate encrypted keyfiles and think that
> all the important info would be encrypted.

Thanks. That's a nice observation. Indeed certtool shouldn't print the
parameters if an encrypted key is requested. I'll check it.

regards,
Nikos



From jonathan.roudiere at gmail.com  Mon Nov  4 15:32:32 2013
From: jonathan.roudiere at gmail.com (Jonathan Roudiere)
Date: Mon, 4 Nov 2013 15:32:32 +0100
Subject: [gnutls-help] gnutls_error_is_fatal() return value
In-Reply-To: <52650802.8060002@gnutls.org>
References: <CAD5bOtzk2Uf-pAQVDGnfAHG0K+M01LxJpWKhR89gQwoGk+nXoA@mail.gmail.com>
 <52650802.8060002@gnutls.org>
Message-ID: <CAD5bOtz15+L93QmyiHd+MnDpviGcLMQU9tP88mXuzQqiN+w=uQ@mail.gmail.com>

Hello Nikos,

Sorry for the long delay,

I don't know if it makes any sense to fix it but I doesn't need
this functionality. It's just for reporting.

If the documentation described this behavior for a long time
maybe people have followed it and -1 is an expected value
then the changes will not be so rough but maybe not :-) ...

Thank you anyway

Regards,
Joe


2013/10/21 Nikos Mavrogiannopoulos <nmav at gnutls.org>:
> On 10/14/2013 11:23 AM, Jonathan Roudiere wrote:
>> Hello,
>>
>> Help says that the gnutls_error_is_fatal() function returns -1 for
>> unknown error value but code doesn't seem to do that.
>>
>> Is the code shouldn't be modified like in the following patch ?
>
> Helo Jonathan,
>  I am wondering that since this issue exists for several years, does it
> make sense to fix it? Shouldn't we fix instead the documentation, or do
> you need that functionality?
>
> regards,
> Nikos
>
>


From night at nist.gov  Thu Nov  7 22:52:55 2013
From: night at nist.gov (Stephen Nightingale)
Date: Thu, 7 Nov 2013 16:52:55 -0500
Subject: [gnutls-help] Installing the Dependencies
Message-ID: <527C0BB7.8080603@nist.gov>

I'm trying to install GnuTLS 3.2.0 (because I want to use it with the 
python wrapper pygnutils).
It has dependencies of nettle and gmp.
Turns out that gmp is a dependency of nettle and nettle+gmp is a 
dependency of gnutils.
I ran gmp and installed the library in /usr/local/lib64/libgmp.la
So I need to configure nettle to pick up the libgmp library.
The gGnuTLS documentation says 'link with -lhogweed -lnettle -lgmp'
But of course I have to do this several layers of abstraction back in 
the nettle configure file.
I tried all kinds of combinations of command line arguments to 
./configure, but they all fail.
The standard ./configure for nettle creates it without gmp.

HOW can I call ./configure in nettle to pick up libgmp.la ?
Hint: ./configure LIBS=libgmp.la fails, cause it can't find the other 
libraries.
./configure LIBS='libgmp.la $LIBS' fails cause it doesnt like that syntax.

Any powerful insights powerfully appreciated.

Stephen.
'Google is no friend of mine'.




From night at nist.gov  Thu Nov 14 22:39:44 2013
From: night at nist.gov (Stephen Nightingale)
Date: Thu, 14 Nov 2013 16:39:44 -0500
Subject: [gnutls-help] gnutls-cli 'cannot find shared library
	libgnutls.so.28'
Message-ID: <52854320.1060705@nist.gov>

So after finally getting it to configure, make and check, I installed 
gnutls with libraries in /usr/lib.
In running gnutls-cli I get the message:
"gnutls-cli: error while loading shared libraries: libgnutls.so.28: 
cannot open shared object file: No such file or directory"
libgnutls.so.28 is in /usr/lib.    There is e.g. libgnutls.so.26 in 
/usr/lib64.

Could it be looking in /usr/lib64 for libgnutls.so.28 ?

How do I arrange the arguments to ./configure to get it to install in 
the correct directory/ies?
Or how do I hack the complex tree of Makefiles to achieve the same 
objective?

Stephen.






From night at nist.gov  Fri Nov 15 15:30:41 2013
From: night at nist.gov (Stephen Nightingale)
Date: Fri, 15 Nov 2013 09:30:41 -0500
Subject: [gnutls-help] gnutls-cli 'cannot find shared library
	libgnutls.so.28'
In-Reply-To: <52854320.1060705@nist.gov>
References: <52854320.1060705@nist.gov>
Message-ID: <52863011.8060109@nist.gov>


Cancel that plea.  If I set LD_LIBRARY_PATH to include lib and lib64 I 
can get gnutls-cli to run.
Sn.


On 11/14/2013 4:39 PM, Stephen Nightingale wrote:
> So after finally getting it to configure, make and check, I installed 
> gnutls with libraries in /usr/lib.
> In running gnutls-cli I get the message:
> "gnutls-cli: error while loading shared libraries: libgnutls.so.28: 
> cannot open shared object file: No such file or directory"
> libgnutls.so.28 is in /usr/lib.    There is e.g. libgnutls.so.26 in 
> /usr/lib64.
>
> Could it be looking in /usr/lib64 for libgnutls.so.28 ?
>
> How do I arrange the arguments to ./configure to get it to install in 
> the correct directory/ies?
> Or how do I hack the complex tree of Makefiles to achieve the same 
> objective?
>
> Stephen.
>
>
>
>




From nmav at gnutls.org  Sat Nov 23 11:16:03 2013
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sat, 23 Nov 2013 11:16:03 +0100
Subject: [gnutls-help] gnutls 3.1.17
Message-ID: <1385201763.32052.2.camel@aspire.lan>

Hello,  I've just released gnutls 3.1.17. This release prioritizes the
GCM ciphersuites over CBC, enables TPM support and fixes few other bugs 
on the current stable branch.


* Version 3.1.17 (released 2013-11-23)

** libgnutls: Support for TPM via trousers is now enabled by default.

** libgnutls: GCM mode is prioritized over CBC in all of the default
priority strings.

** libgnutls: Added support for ISO OID for RSA-SHA1 signatures.

** libgnutls: When traversing PKCS #11 tokens looking for an object,
avoid looking in unrelated to the object tokens.

** libgnutls: Fixed bug in gnutls_x509_crt_set_dn() at DN parsing.

** libgnutls: gnutls_x509_crt_set_expiration_time() will set the no
well defined expiration date when (time_t)-1 is specified as date.

** libgnutls: Backported memory leak fix when a handshake is terminated
by an EOF.

** libgnutls: Forbid all compression methods in DTLS.

** gnutls-serv: Fixed issue with IPv6 address in UDP mode.

** certtool: When exporting an encrypted PEM private key do not output
the key parameters.

** certtool: Expiration days template option allows for a -1 value
which will set to the no well defined expiration date (RFC5280), and no
longer chokes on integer overflows. Suggested by Stefan Buehler.

** tools: The environment variable GNUTLS_PIN can be used to read any
PIN requested from tokens.

** tools: The installed version of libopts is used if the autogen tool
is present.

** API and ABI modifications: No changes since last version.


Getting the Software
====================

GnuTLS may be downloaded directly from
<ftp://ftp.gnutls.org/gcrypt/gnutls/>.  A list of GnuTLS mirrors can be
found at <http://www.gnutls.org/download.html>.

Here are the XZ and LZIP compressed sources:

  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/gnutls-3.1.17.tar.xz
  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/gnutls-3.1.17.tar.lz

Here are OpenPGP detached signatures signed using key 0x96865171:

  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/gnutls-3.1.17.tar.xz.sig
  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/gnutls-3.1.17.tar.lz.sig

Note that it has been signed with my openpgp key:
pub   3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid                  Nikos Mavrogiannopoulos <nmav <at> gnutls.org>
uid                  Nikos Mavrogiannopoulos <n.mavrogiannopoulos <at>
gmail.com>
sub   2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub   2048R/1404A91D 2008-05-04 [expires: 2018-05-02]

regards,
Nikos




From nmav at gnutls.org  Sat Nov 23 16:23:32 2013
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sat, 23 Nov 2013 16:23:32 +0100
Subject: [gnutls-help] gnutls 3.2.7
Message-ID: <1385220212.14918.3.camel@aspire.lan>

Hello,
 I've just released gnutls 3.2.7. This release adds new features and
fixes bugs on the next stable branch. Note that this will be the last
release of 3.2.7 with (major) new features added. If there are no 
serious bugs reported on this branch for a while, it will be marked
as stable.


* Version 3.2.7 (released 2013-11-23)

** libgnutls: gnutls_cipher_get_iv_size() now returns the correct IV
size in GCM ciphers (previously it returned the implicit IV used in
TLS).

** libgnutls: gnutls_certificate_set_x509_key_file() et al when
provided with a PKCS #11 URL pointing to a certificate, will attempt to
load the whole chain.

** libgnutls: When traversing PKCS #11 tokens looking for an object,
avoid looking in unrelated to the object tokens.

** libgnutls: Added an experimental %DUMBFW option in priority strings.
This avoids a black hole behavior in some firewalls by sending a large
client hello. See
http://www.ietf.org/mail-archive/web/tls/current/msg10423.html

** libgnutls: The GNUTLS_DEBUG_LEVEL variable if set to a log level
number will force output of debug messages to stderr.

** libgnutls: Fixed the setting of the ciphersuite when
gnutls_premaster_set() is used with another protocol than the
GNUTLS_DTLS0_9 protocol.

** libgnutls: gnutls_x509_crt_set_expiration_time() will set the no
well defined expiration date when (time_t)-1 is specified as date.

** libgnutls: Session tickets are encrypted using AES-GCM.

** libgnutls: Corrected issue in record decompression. Issue pinpointed
by Frank Zschockel.

** libgnutls: Forbid all compression methods in DTLS.

** gnutls-serv: Fixed issue with IPv6 address in UDP mode.

** certtool: When exporting an encrypted PEM private key do not output
the key parameters.

** certtool: Expiration days template option allows for a -1 value
which will set to the no well defined expiration date (RFC5280), and no
longer chokes on integer overflows. Suggested by Stefan Buehler.

** certtool: Added new template options: 'activation_date', and
'expiration_date'.

** tools: The environment variable GNUTLS_PIN can be used to read any
PIN requested from tokens.

** tools: The installed version of libopts is used if the autogen tool
is present.

** API and ABI modifications:
gnutls_pkcs11_obj_export3: Added
gnutls_pkcs11_get_raw_issuer: Added
gnutls_est_record_overhead_size: Exported


Getting the Software
====================

GnuTLS may be downloaded directly from
<ftp://ftp.gnutls.org/gcrypt/gnutls/>.  A list of GnuTLS mirrors can be
found at <http://www.gnutls.org/download.html>.

Here are the XZ and LZIP compressed sources:

  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.7.tar.xz
  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.7.tar.lz

Here are OpenPGP detached signatures signed using key 0x96865171:

  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.7.tar.xz.sig
  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.7.tar.lz.sig

Note that it has been signed with my openpgp key:
pub   3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid                  Nikos Mavrogiannopoulos <nmav <at> gnutls.org>
uid                  Nikos Mavrogiannopoulos <n.mavrogiannopoulos <at>
gmail.com>
sub   2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub   2048R/1404A91D 2008-05-04 [expires: 2018-05-02]

regards,
Nikos