[gnutls-help] Forcing IPv4 with gnutls-cli?

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Jul 11 08:09:27 CEST 2014


On 07/10/2014 08:33 PM, Manuel Pégourié-Gonnard wrote:
> Assume I want to connect to a DTLS server on localhost, that listens only in
> IPv4. On IPv6-capable systems, localhost also resolves as ::1 and this is the
> first address gnutls-cli tries. Unfortunately, with UDP it cannot detect that
> no-one is listening on the other side, so it keeps trying to resend its
> ClientHello to ::1 until it times out and exits with a failing status.
> 
> I can force the use of IPv4 by specifying the host as "127.0.0.1" instead of
> "localhost" but then certificate validation fails.
> 
> (Of course the use of localhost here is only an example, the same issue arises
> with any host whose name resolves to an IPv6 address too, but where the DTLS
> server only listens in IPv4.)
> 
> I looked in the man page for one of the following options which would solve my
> problem, but failed to find them.
> 
> 1. Ability to force IPv4 or IPv6.

brainstorming features here:

 * ability to use an arbitrary file descriptor for the transport instead
of opening a TCP connection directly would be nice, and ultimately more
flexible as a debugging tool

> 2. Ability to specify separately a name for certificate validation and an
> address for the actual connection.

I think we have at least six different possible places where the
hostname is possibly used:

 0) name for address lookup for TCP/UDP
 1) name for DANE TLSA lookup
 2) name to include in SNI
 3) name to verify against X.509 certificate
 4) name to verify against OpenPGP certificate
 5) name to look up/store in TOFU known_hosts file

For the sake of sanity of the interface, we probably want to conflate
several of these, but it might be worth thinking through the tradeoffs.

> Am I missing something obvious?
> 
> Thanks in advance,
> Manuel.
> 
> PS: now I'm looking into --tofu to work around the problem. Is there a way to
> specify an alternative "known_hosts" file?

based on lib/verify-tofu.c and lib/system.c, it looks like the file will
always be named "known_hosts" and it will be within $HOME/.gnutls/ on
unix-derived systems.  I suppose you could modify $HOME but that doesn't
sound very satisfying.

Nikos, i note that the functions around this all use snprintf and are
generally limited to PATH_MAX, without verifying that snprintf returns a
sensible value.  I worry that for very large values of $HOME, this might
produce some weird behavior, but i haven't been able to coax it into
anything concrete yet.  Maybe it's worth having a look and thinking
through what the consequences would be for a very long $HOME?

Regards,

	--dkg

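The snprintf concern raised above, as an added example that is not part of this message or of the gnutls sources: the two builders below assume the "$HOME/.gnutls/known_hosts" layout the message describes and a PATH_MAX-sized buffer. The unchecked variant ignores snprintf's return value, so an over-long HOME leaves a silently truncated path behind; the checked variant treats a return value of at least the buffer size (or a negative one) as an error and refuses to hand back a wrong path. The helper names and the synthetic HOME strings are constructed for the demonstration.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Path layout taken from the message: "$HOME/.gnutls/known_hosts". */
static const char KNOWN_HOSTS_TAIL[] = "/.gnutls/known_hosts";

/* Unchecked variant (the pattern the message worries about): the return
 * value of snprintf is ignored, so an over-long HOME silently leaves a
 * truncated path in `out`. */
static void build_path_unchecked(const char *home, char *out, size_t outlen)
{
    snprintf(out, outlen, "%s%s", home, KNOWN_HOSTS_TAIL);
}

/* Checked variant: snprintf returns the length the full string would have
 * had. A value >= outlen means the output was cut off; a negative value is
 * an encoding/format error. Either way, refuse to hand back a wrong path.
 * Returns 0 on success, -1 on failure (and empties `out`). */
static int build_path_checked(const char *home, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s%s", home, KNOWN_HOSTS_TAIL);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Constructed test input: a synthetic HOME of exactly `len` bytes
 * ("/aaaa..."), heap-allocated; the caller frees it. */
static char *make_home(size_t len)
{
    char *home = malloc(len + 1);
    if (home == NULL)
        abort();
    memset(home, 'a', len);
    if (len > 0)
        home[0] = '/';
    home[len] = '\0';
    return home;
}

/* 1 if the checked builder accepts a HOME of `len` bytes, 0 if it rejects it. */
int checked_path_ok_for_home_len(size_t len)
{
    char buf[PATH_MAX];
    char *home = make_home(len);
    int rc = build_path_checked(home, buf, sizeof buf);
    free(home);
    return rc == 0;
}

/* 1 if the unchecked builder still produced a path ending in the expected
 * tail for a HOME of `len` bytes, 0 if the tail was silently truncated away. */
int unchecked_path_intact_for_home_len(size_t len)
{
    char buf[PATH_MAX];
    char *home = make_home(len);
    build_path_unchecked(home, buf, sizeof buf);
    free(home);
    size_t blen = strlen(buf);
    size_t tlen = strlen(KNOWN_HOSTS_TAIL);
    return blen >= tlen && strcmp(buf + blen - tlen, KNOWN_HOSTS_TAIL) == 0;
}

int main(void)
{
    /* Just below the limit, exactly at it, and well past it. */
    size_t lens[] = { 10, PATH_MAX - 21, PATH_MAX - 20, PATH_MAX };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        printf("HOME length %zu: checked=%s unchecked-tail-intact=%s\n", lens[i],
               checked_path_ok_for_home_len(lens[i]) ? "ok" : "rejected",
               unchecked_path_intact_for_home_len(lens[i]) ? "yes" : "no");
    }
    return 0;
}
```

The boundary is the interesting case: with a 20-byte tail, a HOME of PATH_MAX - 21 bytes still fits (the terminating NUL takes the last slot), while one byte more makes snprintf report PATH_MAX, which the checked builder rejects and the unchecked one quietly turns into a path ending in "/.gnutls/known_host".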
