From hfusa at web.de Mon Sep 16 11:32:09 2013
From: hfusa at web.de (Horst Freiburger)
Date: Mon, 16 Sep 2013 11:32:09 +0200
Subject: [gnutls-help] Using GnuTLS with an HSM - Implementation
Message-ID: <5236D019.9040905@web.de>

Hi Nikos, hi everyone,

now I am implementing the function hooks to use a TR03109 security module in GnuTLS described in "Using GnuTLS with an HSM" (July 2013).
(Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_123_CBC_SHA256)

I've already implemented the functions to set the function pointers in GnuTLS. After this I've added the automated function call for getting the random number of the security module for the "client hello"-message. So part one is implemented.

Now I will implement the function to get the EC-Key-Pair from the security module and to calculate the pre-master-secret in the security module. I have a few problems to find the right place in the source-code.

I've tracked the function calls to the right place:
_gnutls_handshake()
_gnutls_handshake_client()
_gnutls_send_client_kx_message()
_gnutls_generate_client_kx()

For the last function I cannot find the implementation... Where is this function implemented?

Is this the right function call sequence to solve my problem?

Thanks for your answer!

Horst

From nmav at gnutls.org Tue Sep 17 10:01:05 2013
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Tue, 17 Sep 2013 10:01:05 +0200
Subject: [gnutls-help] Using GnuTLS with an HSM - Implementation
In-Reply-To: <5236D019.9040905@web.de>
References: <5236D019.9040905@web.de>
Message-ID: <52380C41.20306@gnutls.org>

On 09/16/2013 11:32 AM, Horst Freiburger wrote:
> Hi Nikos, hi everyone,
>
> now I am implementing the function hooks to use a TR03109 security
> module in GnuTLS described in "Using GnuTLS with an HSM" (July 2013).
> (Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_123_CBC_SHA256)
>
> I've already implemented the functions to set the function pointers in
> GnuTLS.
> After this I've added the automated function call for getting
> the random number of the security module for the "client hello"-message.
> So part one is implemented.
>
> Now I will implement the function to get the EC-Key-Pair from the
> security module and to calculate the pre-master-secret in the security
> module. I have a few problems to find the right place in the source-code.
>
> I've tracked the function calls to the right place:
> _gnutls_handshake()
> _gnutls_handshake_client()
> _gnutls_send_client_kx_message()
> _gnutls_generate_client_kx()
>
> For the last function I cannot find the implementation... Where is this
> function implemented?

Hello Horst,
It depends on the key exchange method of the ciphersuite. Check gnutls_auth.h and the auth/ directory which has the implementation for the various supported methods.

regards,
Nikos

From hfusa at web.de Fri Sep 20 10:35:33 2013
From: hfusa at web.de (Horst Freiburger)
Date: Fri, 20 Sep 2013 10:35:33 +0200
Subject: [gnutls-help] Using GnuTLS with an HSM - Implementation
In-Reply-To: <52380C41.20306@gnutls.org>
References: <52380C41.20306@gnutls.org>
Message-ID: <523C08D5.7020208@web.de>

Hello Nikos,

thank you for the answer. I have to look in the ecdhe.c for my cipher suite TLS_ECDHE_ECDSA_WITH_AES_123_CBC_SHA256, right?

Another question:
The TR-03109 shows a handshake with a "CertificateVerify"-message sent by the SERVER. This is something new to me. Does GnuTLS support this message sent by the server?

regards,
Horst

From jonathan.roudiere at gmail.com Fri Sep 20 17:52:42 2013
From: jonathan.roudiere at gmail.com (Jonathan Roudiere)
Date: Fri, 20 Sep 2013 17:52:42 +0200
Subject: [gnutls-help] Couple of questions about gnutls lib usage
Message-ID:

Hello everyone,

I'm porting a software from OpenSSL to GnuTLS, after having read the (great!) gnutls documentation I still have a couple of questions.

- there is a way to retrieve certificates or pkey from a credential struct ?
(a bit like gnutls_certificate_get_ours but for a certificate_credentials structure).

- In case where I set a certificate and a key (through gnutls_certificate_set_x509_key*) in a credential structure there is a function/way to add certificates to provide them with the first certificate (to build chain) ?

- With dh is a new key is generated for every new ssl session ? or only once for the current cred and parameter pair ? In this latter case can I change/control this behavior ?

Thanks for your help.

Regards,
Joe

From jonathan.roudiere at gmail.com Fri Sep 20 17:35:02 2013
From: jonathan.roudiere at gmail.com (Jonathan Roudiere)
Date: Fri, 20 Sep 2013 17:35:02 +0200
Subject: [gnutls-help] Couple of questions about gnutls lib usage.
Message-ID:

Hello everyone,

I'm porting a software from OpenSSL to GnuTLS, after having read the (great!) gnutls documentation I still have a couple of questions.

- there is a way to retrieve certificates or pkey from a credential struct ? (a bit like gnutls_certificate_get_ours but for a certificate_credentials structure).

- In case where I set a certificate and a key (through gnutls_certificate_set_x509_key*) in a credential struct there is a function/way to add certificates to provide them with the first certificate (to build chain) ?

- With dh is a new key is generated for every new ssl session ? or only once for the current cred and parameter pair ? In this latter case can I change/control this behavior ?

Thanks for your help.

Regards,
Joe

From nmav at gnutls.org Sun Sep 22 23:14:10 2013
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sun, 22 Sep 2013 23:14:10 +0200
Subject: [gnutls-help] Using GnuTLS with an HSM - Implementation
In-Reply-To: <523C08D5.7020208@web.de>
References: <52380C41.20306@gnutls.org> <523C08D5.7020208@web.de>
Message-ID: <523F5DA2.5010003@gnutls.org>

On 09/20/2013 10:35 AM, Horst Freiburger wrote:
> Hello Nikos,
>
> thank you for the answer.
> I have to look in the ecdhe.c for my cipher
> suite TLS_ECDHE_ECDSA_WITH_AES_123_CBC_SHA256, right?
>
> Another question:
> The TR-03109 shows a handshake with a "CertificateVerify"-message sent
> by the SERVER. This is something new to me. Does GnuTLS support this
> message sent by the server?

Hello Horst,
No. Could that be a typo? The server sends the ServerKeyExchange message which is the equivalent of CertificateVerify of the client.

regards,
Nikos

From n.mavrogiannopoulos at gmail.com Sun Sep 22 23:35:27 2013
From: n.mavrogiannopoulos at gmail.com (Nikos Mavrogiannopoulos)
Date: Sun, 22 Sep 2013 23:35:27 +0200
Subject: [gnutls-help] Couple of questions about gnutls lib usage.
In-Reply-To:
References:
Message-ID: <523F629F.2080107@gmail.com>

On 09/20/2013 05:35 PM, Jonathan Roudiere wrote:
> Hello everyone,
>
> I'm porting a software from OpenSSL to GnuTLS, after having read the
> (great!) gnutls documentation I still have a couple of questions.
>
> - there is a way to retrieve certificates or pkey from a credential struct ?
> (a bit like gnutls_certificate_get_ours but for a
> certificate_credentials structure).

Unfortunately no. This was intentional to allow rewrites of the internals of the certificate credentials structure.

> - In case where I set a certificate and a key (through
> gnutls_certificate_set_x509_key*)
> in a credential struct there is a function/way to add certificates to
> provide them with the first
> certificate (to build chain) ?

I don't quite understand the question. You mean if you provide an incomplete chain whether you can fill it in later? If that is the question, that isn't possible.

> - With dh is a new key is generated for every new ssl session ? or
> only once for the
> current cred and parameter pair ? In this latter case can I
> change/control this behavior ?

A new key is generated on every session to maintain the perfect forward secrecy requirements. You cannot change that, but why would you want to do it differently?
If performance is an issue then you could use specially crafted groups (as generated by certtool) that use a prime of a certain type that allows for keys of smaller size (and thus much faster exponentiation).

regards,
Nikos

From jonathan.roudiere at gmail.com Mon Sep 23 10:17:49 2013
From: jonathan.roudiere at gmail.com (Jonathan Roudiere)
Date: Mon, 23 Sep 2013 10:17:49 +0200
Subject: [gnutls-help] Couple of questions about gnutls lib usage.
In-Reply-To: <523F629F.2080107@gmail.com>
References: <523F629F.2080107@gmail.com>
Message-ID:

Hi Nikos,

>> - In case where I set a certificate and a key (through
>> gnutls_certificate_set_x509_key*)
>> in a credential struct there is a function/way to add certificates to
>> provide them with the first
>> certificate (to build chain) ?
>
> I don't quite understand the question. You mean if you provide an
> incomplete chain whether you can fill it in later? If that is the
> question, that isn't possible.

Yes, that's the question. ok ...

>> - With dh is a new key is generated for every new ssl session ? or
>> only once for the
>> current cred and parameter pair ? In this latter case can I
>> change/control this behavior ?
>
> A new key is generated on every session to maintain the perfect forward
> secrecy requirements. You cannot change that, but why would you want to
> do it differently? If performance is an issue then you could use
> specially crafted groups (as generated by certtool) that use a prime of
> a certain type that allows for keys of smaller size (and thus much
> faster exponentiation).

Ok, that's exactly the behavior I want, it was just to be sure.
> regards,
> Nikos
>

Thank you,

Regards,
Joe

From micah at riseup.net Fri Sep 27 02:56:58 2013
From: micah at riseup.net (Micah Anderson)
Date: Thu, 26 Sep 2013 20:56:58 -0400
Subject: [gnutls-help] --bits should not arbitrarily prohibit me from creating small dh params
Message-ID: <87zjqzrsit.fsf@muck.riseup.net>

Hello,

I would prefer to use certtool over openssl in order to generate the DH parameter files that I need for my postfix MTA installations, unfortunately it seems as if certtool is not letting me create smaller bit sizes. Postfix currently accepts two possible settings:

http://www.postfix.org/postconf.5.html#smtpd_tls_dh512_param_file
http://www.postfix.org/postconf.5.html#smtpd_tls_dh1024_param_file

it seems I cannot generate the dh512 param file with certtool:

$ certtool --generate-dh-params --bits=512 --outfile=/tmp/dh_512.pem
** Note: Please use the --sec-param instead of --bits
Error generating parameters: The request is invalid.

I believe that this is a too small bit size, but in a MTA world, I need to be able to gracefully accept smaller bit sizes if a client only can do those. If I do not configure the 512bit file, that means is if someone connects to my MTA who is only offering 512bits of DH, then I would refuse to talk to them and we'd just do it in the clear... that is not a good situation. Postfix will use the better parameters when peers can accept them, but I need to still be able to work with peers that cannot accept the reasonable parameters.

I understand the goal of pushing people to use the --sec-param option to automatically make some crypto decisions for people, so they don't need to worry about them, but I would prefer that you do not disable the --bits functionality when the bits are considered too low and let me decide that.

thanks!
micah

From nmav at gnutls.org Sun Sep 29 21:32:23 2013
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sun, 29 Sep 2013 21:32:23 +0200
Subject: [gnutls-help] --bits should not arbitrarily prohibit me from creating small dh params
In-Reply-To: <87zjqzrsit.fsf@muck.riseup.net>
References: <87zjqzrsit.fsf@muck.riseup.net>
Message-ID: <52488047.1010405@gnutls.org>

On 09/27/2013 02:56 AM, Micah Anderson wrote:
> Hello, I would prefer to use certtool over openssl in order to
> generate the DH parameter files that I need for my postfix MTA
> installations, unfortunately it seems as if certtool is not letting
> me create smaller bit sizes. Postfix currently accepts two possible
> settings:
>
> http://www.postfix.org/postconf.5.html#smtpd_tls_dh512_param_file
> http://www.postfix.org/postconf.5.html#smtpd_tls_dh1024_param_file it
> seems I cannot generate the dh512 param file with certtool:

Hello Micah,
Indeed it doesn't work. It requires some changes in the DH generation code, but there is not much incentive to do that. A 512-bit DH group is pretty much toy encryption. There is a nice story about breaking RSA with 512-bits (while it is not the same problem as DH the security level/effort required is equivalent)
http://www.wired.com/threatlevel/2012/10/dkim-vulnerability-widespread/all/

Even 1024-bit DH is quite weak for today's standards. See keylength.com for acceptable sizes.

> I believe that this is a too small bit size, but in a MTA world, I
> need to be able to gracefully accept smaller bit sizes if a client
> only can do those. If I do not configure the 512bit file, that means
> is if someone connects to my MTA who is only offering 512bits of DH,
> then I would refuse to talk to them and we'd just do it in the
> clear... that is not a good situation. Postfix will use the better
> parameters when peers can accept them, but I need to still be able
> to work with peers that cannot accept the reasonable parameters.

Not really.
The server is the one who is proposing the DH parameters so you shouldn't have any issues. Would you mind to elaborate on the issues you had? I'm quite interested.

regards,
Nikos