[gnutls-help] too few bits from gnutls_dh_params_generate2() ?

Pierre Ossman ossman at cendio.se
Tue Nov 11 07:58:03 CET 2014

On Mon, 10 Nov 2014 11:48:13 -1000
Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:

> Hi Pierre--
> On Mon 2014-11-10 08:25:56 -1000, Pierre Ossman wrote:
> > We're having some interoperability issues between Java's SSLEngine and
> > GnuTLS in TigerVNC.
> what version of Java and its SSLEngine are you using?

Fedora's IcedTea 1.7.0. 2.5.3, whatever that means. Some form of
OpenJDK 7 I guess?

> > One example set of parameters I've gotten:
> >
> >>  TLS:         DH prime:
> >>               691e93a4e2dcd04a785abd633b6c066c404809815b6983f140fa8e0cad702ffffd15e7b8361e9924858494df07a7cff50d1b971e4ce1ab396647183b4222aded580f7a079203980c952e8443e2dde055793307c407c686c34af4a5309077023f078e0443bb4b5662c20af6af6958a8d2a2c52a50267428dac8e15d7777b49d6b
> >>  TLS:         DH generator:
> >>               5783a44a1aae0e098a9474b191251397812fc201f4e38d58e9ea96f2a83793a2468f9bbc55c82b6e4c55e6674ef23db59de38f3446d1c6b84f5837f350d9b1598abe09c79a83c39402bcc53c9f4444b76bdb0f6b4c0a5ccbd3bf76a794f4e307912127bffcc81261ae4ae3bf36a20a02ec65251e4778a8e58e11f22e685bbf59
> >>  TLS:         DH bits: 158
> what is this output from?  I'm not sure how to reconcile the "DH bits:
> 158" with the other data.

It was generated like this:

  if (gnutls_dh_params_generate2(dh_params, DH_BITS) != GNUTLS_E_SUCCESS)
    throw AuthFailureException("gnutls_dh_params_generate2 failed");

  gnutls_datum_t p, g;
  unsigned int b;
  char buffer[4096];
  size_t sz;

  gnutls_dh_params_export_raw(dh_params, &p, &g, &b);

  sz = sizeof(buffer);
  gnutls_hex_encode(&p, buffer, &sz);
  vlog.debug("DH prime: %s", buffer);
  sz = sizeof(buffer);
  gnutls_hex_encode(&g, buffer, &sz);
  vlog.debug("DH generator: %s", buffer);
  vlog.debug("DH bits: %u", b);

> have you reported this bug to java?  it sounds like they should not be
> doing this.

No. I found it a bit difficult to submit a good bug report as can't say
I'm familiar with DH beyond stating that Java and GnuTLS don't like each
other. :)

(It's also far from obvious how you report bugs to them)

Pierre Ossman           Software Development
Cendio AB		http://cendio.com
Teknikringen 8		http://twitter.com/ThinLinc
583 30 Linköping	http://facebook.com/ThinLinc
Phone: +46-13-214600	http://plus.google.com/112509906846170010689

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 213 bytes
Desc: not available
URL: </pipermail/attachments/20141111/297a5009/attachment.sig>

More information about the Gnutls-help mailing list