From mpg at polarssl.org Wed Oct 1 00:11:36 2014
From: mpg at polarssl.org (Manuel Pégourié-Gonnard)
Date: Wed, 01 Oct 2014 00:11:36 +0200
Subject: [gnutls-help] DTLS retransmission issue with gnutls-cli
Message-ID: <542B2A98.9030107@polarssl.org>

Hi,

Using gnutls-cli version 3.3.8, I observed the following behaviour: if the handshake flight starting with (Client)Certificate and ending with (Client)Finished is lost (it is sent in a single UDP datagram), then gnutls-cli never retransmits it, and the handshake eventually times out after about 40 seconds.

The expected behaviour would be for the client to retransmit the lost flight.

The problem was observed using a UDP proxy that drops and delays packets pseudo-randomly. A capture of the failed handshake is available at:

    https://elzevir.fr/tmp/gnutls-cli-not-resending-gnutls-serv.pcapng.gz

The server (gnutls-serv in this case) is listening on port 4433, and the proxy on port 5556. So, the communication as seen by the client can be obtained by filtering on

    udp.dstport == 5556 || udp.srcport == 5556

in wireshark.

The client's output ends with:

    - Successfully sent 0 certificate(s) to server.
    |<1>| Discarded replayed handshake packet with sequence 1
    [...]
    |<1>| Discarded replayed handshake packet with sequence 5
    *** Fatal error: The operation timed out
    *** Handshake has failed
    GnuTLS error: The operation timed out

Please let me know if you need more information about the problem. It's probably possible to reproduce it using dtls-stress from the GnuTLS test utilities, but I didn't try.

I never observed a similar behaviour (not retransmitting when needed) with gnutls-serv so far.

Regards,
Manuel.

From dev at cor0.com Wed Oct 1 01:03:04 2014
From: dev at cor0.com (dev)
Date: Tue, 30 Sep 2014 19:03:04 -0400 (EDT)
Subject: [gnutls-help] Compiling gnutls on solaris
In-Reply-To: <1412113718.5174.2.camel@nomad.lan>
References: <1151451447.22883.1411651761672.JavaMail.vpopmail@webmail2.networksolutionsemail.com>
    <1454936507.25153.1411653912436.JavaMail.vpopmail@webmail2.networksolutionsemail.com>
    <1411664314.14218.2.camel@nomad.lan>
    <1565848195.35667.1411759785456.JavaMail.vpopmail@webmail2.networksolutionsemail.com>
    <1411801299.2484.0.camel@nomad.lan>
    <1033573853.10943.1411815391958.JavaMail.vpopmail@webmail2.networksolutionsemail.com>
    <1411833226.6999.3.camel@nomad.lan>
    <1388862836.36808.1412100271456.JavaMail.vpopmail@webmail2.networksolutionsemail.com>
    <1412104533.2908.8.camel@nomad.lan>
    <1412105107.2908.9.camel@nomad.lan>
    <376211371.48242.1412110409015.JavaMail.vpopmail@webmail2.networksolutionsemail.com>
    <1412113718.5174.2.camel@nomad.lan>
Message-ID: <780740981.54665.1412118184168.JavaMail.vpopmail@webmail2.networksolutionsemail.com>

On September 30, 2014 at 5:48 PM Nikos Mavrogiannopoulos wrote:
> On Tue, 2014-09-30 at 16:53 -0400, dev wrote:
>
> > configure.ac:45: installing 'build-aux/compile'
> > configure.ac:27: installing 'build-aux/config.guess'
> > configure.ac:27: installing 'build-aux/config.sub'
> > configure.ac:29: installing 'build-aux/install-sh'
> > configure.ac:29: installing 'build-aux/missing'
> > Makefile.am: installing './INSTALL'
> > Makefile.am: error: required file './ChangeLog' not found
> > doc/Makefile.am: installing 'build-aux/depcomp'
> > doc/Makefile.am:135: installing 'build-aux/mdate-sh'
> > doc/Makefile.am:135: installing 'build-aux/texinfo.tex'
> > guile/src/Makefile.am:113: warning: '%'-style pattern rules are a GNU
> > make extension
> > autoreconf: automake failed with exit status: 1
> > node000$
> > odd given that :
> > node000$ gmake --version
>
> The issue is the missing changelog :) Autotools are pretty weird in that
> aspect.
> Try running gmake autoreconf after a clone.

once more with feeling :

    $ cd $HOME/git
    $ git clone git://gitorious.org/gnutls/gnutls.git
    Cloning into 'gnutls'...
    remote: Counting objects: 150872, done.
    remote: Compressing objects: 100% (28191/28191), done.
    remote: Total 150872 (delta 127843), reused 145266 (delta 122296)
    Receiving objects: 100% (150872/150872), 61.01 MiB | 306.00 KiB/s, done.
    Resolving deltas: 100% (127843/127843), done.
    Checking connectivity... done.
    Checking out files: 100% (1977/1977), done.
    $ dt
    Tue_Sep_30_222149_GMT_2014
    $ mkdir /usr/local/build/gnutls-3.3.8_Tue_Sep_30_222149_GMT_2014_SunOS5.10_sparcv9.001
    $ star -copy -p -acl -sparse -dump -xdir -xdot -U \
    > -C `pwd`/gnutls . \
    > /usr/local/build/gnutls-3.3.8_Tue_Sep_30_222149_GMT_2014_SunOS5.10_sparcv9.001
    star: 0 blocks + 105584128 bytes (total of 105584128 bytes = 103109.50k).
    $ cd /usr/local/build/gnutls-3.3.8_Tue_Sep_30_222149_GMT_2014_SunOS5.10_sparcv9.001
    $ ls -Ap
    .clcopying      NEWS            doc/            maint.mk
    .git/           README          extra/          po/
    .gitignore      README-alpha    gl/             src/
    .gitmodules     THANKS          gtk-doc.make    symbols.last
    AUTHORS         build-aux/      guile/          tests/
    COPYING         cfg.mk          lib/            win32/
    COPYING.LESSER  configure.ac    libdane/
    GNUmakefile     cross.mk        ltmain.sh
    Makefile.am     devel/          m4/
    $ gmake autoreconf
    for f in po/*.po.in; do \
        cp $f `echo $f | sed 's/.in//'`; \
    done
    mv build-aux/config.rpath build-aux/config.rpath-
    autopoint
    Copying file ABOUT-NLS
    Copying file build-aux/config.rpath
    Copying file m4/codeset.m4
    Copying file m4/fcntl-o.m4
    Copying file m4/gettext.m4
    Copying file m4/glibc2.m4
    Copying file m4/glibc21.m4
    . . .
    Copying file po/boldquot.sed
    Copying file po/en@boldquot.header
    Copying file po/en@quot.header
    Copying file po/insert-header.sin
    Copying file po/quot.sed
    Copying file po/remove-potcdate.sin
    rm -f m4/codeset.m4 m4/gettext.m4 m4/glibc21.m4 m4/glibc2.m4 m4/iconv.m4 m4/intdiv0.m4 m4/intldir.m4 m4/intl.m4 m4/intlmacosx.m4 m4/intmax.m4 m4/inttypes_h.m4 m4/inttypes-pri.m4 m4/lcmessage.m4 m4/lib-ld.m4 m4/lib-link.m4 m4/lib-prefix.m4 m4/lock.m4 m4/longlong.m4 m4/nls.m4 m4/po.m4 m4/printf-posix.m4 m4/progtest.m4 m4/size_max.m4 m4/stdint_h.m4 m4/uintmax_t.m4 m4/wchar_t.m4 m4/wint_t.m4 m4/visibility.m4 m4/xsize.m4
    touch ChangeLog
    test -f ./configure || AUTOPOINT=true autoreconf --install
    . . .

I see the touch ChangeLog there. Good.

    . . .
    src/libopts/m4/libopts.m4:362: LIBOPTS_RUN_FOPEN_BINARY is expanded from...
    src/libopts/m4/libopts.m4:424: INVOKE_LIBOPTS_MACROS is expanded from...
    src/libopts/m4/libopts.m4:559: AM_COND_IF is expanded from...
    src/libopts/m4/libopts.m4:580: LIBOPTS_CHECK is expanded from...
    configure.ac:463: the top level
    configure.ac:463: warning: AC_LANG_CONFTEST: no AC_LANG_SOURCE call detected in body
    ../../lib/autoconf/lang.m4:193: AC_LANG_CONFTEST is expanded from...
    ../../lib/autoconf/general.m4:2729: _AC_RUN_IFELSE is expanded from...
    ../../lib/m4sugar/m4sh.m4:639: AS_IF is expanded from...
    ../../lib/autoconf/general.m4:2748: AC_RUN_IFELSE is expanded from...
    ../../lib/m4sugar/m4sh.m4:639: AS_IF is expanded from...
    ../../lib/autoconf/general.m4:2031: AC_CACHE_VAL is expanded from...
    src/libopts/m4/libopts.m4:385: LIBOPTS_RUN_FOPEN_TEXT is expanded from...
    src/libopts/m4/libopts.m4:424: INVOKE_LIBOPTS_MACROS is expanded from...
    src/libopts/m4/libopts.m4:559: AM_COND_IF is expanded from...
    src/libopts/m4/libopts.m4:580: LIBOPTS_CHECK is expanded from...
    configure.ac:463: the top level
    configure.ac:45: installing 'build-aux/compile'
    configure.ac:27: installing 'build-aux/config.guess'
    configure.ac:27: installing 'build-aux/config.sub'
    configure.ac:29: installing 'build-aux/install-sh'
    configure.ac:29: installing 'build-aux/missing'
    Makefile.am: installing './INSTALL'
    doc/Makefile.am: installing 'build-aux/depcomp'
    doc/Makefile.am:135: installing 'build-aux/mdate-sh'
    doc/Makefile.am:135: installing 'build-aux/texinfo.tex'
    guile/src/Makefile.am:113: warning: '%'-style pattern rules are a GNU make extension
    mv build-aux/config.rpath- build-aux/config.rpath
    $

Good stuff. Now let's try a simple configure :

    $
    $ LIBS=\-lsocket\ \-lnsl LD_LIBRARY_PATH=/usr/local/lib \
    > ./configure --enable-dependency-tracking \
    > --enable-shared --enable-static --disable-hardware-acceleration \
    > --with-libiconv-prefix=/usr/local --with-libintl-prefix=/usr/local \
    > --with-libz-prefix=/usr/local
    checking build system type... sparc-sun-solaris2.10
    checking host system type... sparc-sun-solaris2.10
    checking for a BSD-compatible install... build-aux/install-sh -c
    checking whether build environment is sane... yes
    checking for a thread-safe mkdir -p... build-aux/install-sh -c -d
    checking for gawk... gawk
    checking whether /usr/local/bin/gmake sets $(MAKE)... yes
    checking whether /usr/local/bin/gmake supports nested variables... yes
    checking whether /usr/local/bin/gmake supports nested variables... (cached) yes
    ***
    *** Checking for compilation programs...
    checking for pkg-config... /usr/local/bin/pkg-config
    checking pkg-config is at least version 0.9.0... yes
    checking for gcc... /opt/solarisstudio12.3/bin/c99
    checking whether the C compiler works... yes
    checking for C compiler default output file name... a.out
    checking for suffix of executables...
    checking whether we are cross compiling... no
    checking for suffix of object files... o
    checking whether we are using the GNU C compiler... no
    . . .
    checking for LIBIDN... yes
    checking whether to build libdane... yes
    checking for unbound library... no
    configure: WARNING:
    ***
    *** libunbound was not found. Libdane will not be built.
    ***
    checking for P11_KIT... no
    configure: error:
    ***
    *** p11-kit >= 0.20.7 was not found. To disable PKCS #11 support
    *** use --without-p11-kit, otherwise you may get p11-kit from
    *** http://p11-glue.freedesktop.org/p11-kit.html
    ***
    $

Abruptly fails.

    $
    $ tail config.log
    #define HAVE_RAW_DECL_WCSWIDTH 1
    #define HAVE_STDINT_H 1
    #define HAVE_DLFCN_H 1
    #define LT_OBJDIR ".libs/"
    #define HAVE_LIBIDN 1
    #define ENABLE_NON_SUITEB_CURVES 1
    #define UNBOUND_ROOT_KEY_FILE "/etc/unbound/root.key"
    #define SYSTEM_PRIORITY_FILE "/etc/gnutls/default-priorities"
    configure: exit 1
    $

Yep, that's not good :-\

dc

From nmav at gnutls.org Wed Oct 1 13:30:45 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Wed, 1 Oct 2014 13:30:45 +0200
Subject: [gnutls-help] DTLS retransmission issue with gnutls-cli
In-Reply-To: <542B2A98.9030107@polarssl.org>
References: <542B2A98.9030107@polarssl.org>
Message-ID:

On Wed, Oct 1, 2014 at 12:11 AM, Manuel Pégourié-Gonnard wrote:
> Hi,
>
> Using gnutls-cli version 3.3.8, I observed the following behaviour: if the
> handshake flight starting with (Client)Certificate and ending with
> (Client)Finished is lost (it is sent in a single UDP datagram), then gnutls-cli
> never retransmits it, and the handshake eventually times out after about 40 seconds.
>
> The expected behaviour would be for the client to retransmit the lost flight.
> The problem was observed using a UDP proxy that drops and delay packets
> pseudo-randomly. A capture of the failed handshake is available at:
> https://elzevir.fr/tmp/gnutls-cli-not-resending-gnutls-serv.pcapng.gz

Interesting. There is the dtls-stress tool to reproduce that scenario and I tried:

    ./dtls-stress -full -shello 01234 -sfinished 01 -cfinished 01234 CCertificate CKeyExchange CCertificateVerify CChangeCipherSpec CFinished -d 6

which filters the same packets as in your scenario, but everything goes well. The packets are filtered and retransmitted. Could you send me the full gnutls-cli log with -d 6 when the packets don't get sent?

regards,
Nikos

From nmav at gnutls.org Wed Oct 1 13:32:30 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Wed, 1 Oct 2014 13:32:30 +0200
Subject: [gnutls-help] Compiling gnutls on solaris
In-Reply-To: <780740981.54665.1412118184168.JavaMail.vpopmail@webmail2.networksolutionsemail.com>
References: <1151451447.22883.1411651761672.JavaMail.vpopmail@webmail2.networksolutionsemail.com>
    <1454936507.25153.1411653912436.JavaMail.vpopmail@webmail2.networksolutionsemail.com>
    <1411664314.14218.2.camel@nomad.lan>
    <1565848195.35667.1411759785456.JavaMail.vpopmail@webmail2.networksolutionsemail.com>
    <1411801299.2484.0.camel@nomad.lan>
    <1033573853.10943.1411815391958.JavaMail.vpopmail@webmail2.networksolutionsemail.com>
    <1411833226.6999.3.camel@nomad.lan>
    <1388862836.36808.1412100271456.JavaMail.vpopmail@webmail2.networksolutionsemail.com>
    <1412104533.2908.8.camel@nomad.lan>
    <1412105107.2908.9.camel@nomad.lan>
    <376211371.48242.1412110409015.JavaMail.vpopmail@webmail2.networksolutionsemail.com>
    <1412113718.5174.2.camel@nomad.lan>
    <780740981.54665.1412118184168.JavaMail.vpopmail@webmail2.networksolutionsemail.com>
Message-ID:

On Wed, Oct 1, 2014 at 1:03 AM, dev wrote:
> checking for P11_KIT... no
> configure: error:
> ***
> *** p11-kit >= 0.20.7 was not found. To disable PKCS #11 support
> *** use --without-p11-kit, otherwise you may get p11-kit from
> *** http://p11-glue.freedesktop.org/p11-kit.html
> ***
> $
> Abruptly fails.

But I think the message is pretty informative. If you don't want pkcs #11 support use --without-p11-kit, otherwise you'll have to install p11-kit.

regards,
Nikos

From mpg at polarssl.org Wed Oct 1 14:03:09 2014
From: mpg at polarssl.org (Manuel Pégourié-Gonnard)
Date: Wed, 01 Oct 2014 14:03:09 +0200
Subject: [gnutls-help] DTLS retransmission issue with gnutls-cli
In-Reply-To:
References: <542B2A98.9030107@polarssl.org>
Message-ID: <542BED7D.7070909@polarssl.org>

On 01/10/2014 13:30, Nikos Mavrogiannopoulos wrote:
> Interesting. There is the dtls-stress tool to reproduce that scenario
> and I tried:
> ./dtls-stress -full -shello 01234 -sfinished 01 -cfinished 01234
> CCertificate CKeyExchange CCertificateVerify CChangeCipherSpec
> CFinished -d 6
> which filters the same packets as in your scenario, but everything goes well.
>
Weird. I'm not sure if that's relevant, but from what I understand, the proxy I used does a bit more than that, eg when the server resends its ServerHello flight, messages are reordered, and some of them are even "lost".

> The packets are filtered and retransmitted. Could you send me the full
> gnutls-cli log with -d 6 when the packets don't get send?
>
Sure, here it is (I hope attachments are ok for the list, otherwise I'll resend). The client invocation was

    gnutls-cli -u --insecure -p 5556 127.0.0.1 -d 6 > cli-d6.log 2>&1

The testing platform is GNU/Linux.

Regards,
Manuel.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: cli-d6.log.gz
Type: application/gzip
Size: 3049 bytes
Desc: not available
URL:

From nmav at gnutls.org Thu Oct 2 14:23:13 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Thu, 2 Oct 2014 14:23:13 +0200
Subject: [gnutls-help] DTLS retransmission issue with gnutls-cli
In-Reply-To: <542BED7D.7070909@polarssl.org>
References: <542B2A98.9030107@polarssl.org> <542BED7D.7070909@polarssl.org>
Message-ID:

On Wed, Oct 1, 2014 at 2:03 PM, Manuel Pégourié-Gonnard wrote:
> On 01/10/2014 13:30, Nikos Mavrogiannopoulos wrote:
>> Interesting. There is the dtls-stress tool to reproduce that scenario
>> and I tried:
>> ./dtls-stress -full -shello 01234 -sfinished 01 -cfinished 01234
>> CCertificate CKeyExchange CCertificateVerify CChangeCipherSpec
>> CFinished -d 6
>> which filters the same packets as in your scenario, but everything goes well.
>>
> Weird. I'm not sure if that's relevant, but from what I understand, the proxy I
> used does a bit more than that, eg when the server resends its ServerHello
> flight, messages are reordered, and some of them are even "lost".

It seems the dtls-stress tests don't include support for session tickets, while your test does. Does this patch fix the issue you see?

regards,
Nikos

-------------- next part --------------
diff --git a/lib/ext/session_ticket.c b/lib/ext/session_ticket.c
index 33ad8d9..aeae5a8 100644
--- a/lib/ext/session_ticket.c
+++ b/lib/ext/session_ticket.c
@@ -33,6 +33,7 @@ #include #include #include +#include #ifdef ENABLE_SESSION_TICKETS
@@ -643,6 +644,17 @@ int _gnutls_recv_new_session_ticket(gnutls_session_t session) if (!priv->session_ticket_renew) return 0; + /* This is the last flight and peer cannot be sure + * we have received it unless we notify him. So we + * wait for a message and retransmit if needed. */ + if (IS_DTLS(session) && !_dtls_is_async(session) && + (gnutls_record_check_pending(session) + + record_check_unprocessed(session)) == 0) { + ret = _dtls_wait_and_retransmit(session); + if (ret < 0) + return gnutls_assert_val(ret); + } + ret = _gnutls_recv_handshake(session, GNUTLS_HANDSHAKE_NEW_SESSION_TICKET, 0, &buf);

From yi.tang.uni at gmail.com Tue Oct 7 16:23:10 2014
From: yi.tang.uni at gmail.com (唐毅 (Yi Tang))
Date: Tue, 07 Oct 2014 15:23:10 +0100
Subject: [gnutls-help] The TLS connection was non-properly terminated
Message-ID:

Hi,

I sent and received a plain text mail but the Message buffer shows

    gnutls.c: 0 fatal error: The TLS connection was non-properly terminated.

It's definitely not a fatal error, otherwise I wouldn't have received it... Is there any way to get rid of this message?

BTW: I was using mu4e.

Yi

--
唐毅 (Yi Tang)
Email: yi.tang.uni at gmail.com

From kalessin at kalessin.fr Wed Oct 8 11:13:40 2014
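Review bot: in the second hunk of the session_ticket.c patch above, the new comment ("peer cannot be sure we have received it unless we notify him") describes the wrong direction. The case Manuel's log shows is the client's own final flight (Certificate ... Finished) being lost, after which the server's retransmitted ServerHello flight is dropped as a replay while the client sits in the NewSessionTicket receive with no retransmit timer armed. Suggest rewording to say that our last flight may have been lost, that the peer keeps retransmitting its previous flight until it sees ours, and that _dtls_wait_and_retransmit() therefore waits for a message or a timeout and resends our flight. The comment should also say where that retransmission happens when _dtls_is_async(session) is true, since the new block skips the non-blocking case entirely and, as written, the original behaviour would remain there.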
From: kalessin at kalessin.fr (Louis Opter)
Date: Wed, 8 Oct 2014 02:13:40 -0700
Subject: [gnutls-help] x509 PKIs working with OpenSSL but not GnuTLS
Message-ID: <20141008091340.GA1422@kalessin.fr>

Hello,

I'm trying to setup taskd [1], a server using GnuTLS on top of a custom task synchronization protocol, and my experience so far has been miserable.

I have three different x509 PKIs; all of them work with openssl s_client and s_server. But two of them don't work with taskd and I can't find why.

Here are short descriptions of the three PKIs I'm using:

- pki-sans: generated using certtool, nothing fancy, and containing two subject alternative names: one for a fqdn and one for an ip address;
- pki-no-sans: same thing as pki-sans without any subject alternative name entry; I'd like to use this PKI since it's not affected by a bug in SANs handling fixed in 3.3.6;
- pki-openvpn: a pki generated with easyrsa3 [2] and used with OpenVPN.

As far as I can understand the certs in pki-no-sans and pki-openvpn are functionally equivalent. The only difference I can see is that my server cert for openvpn has two more values, DirName and serial, in the Authority Key Identifier field.

Here is what I have tried:

pki-no-sans:

             | taskd  | s_client |
    ---------+--------+----------+
    taskd    | KO-1   | OK       |
    s_server | KO-1   | OK       |

pki-sans:

             | taskd  | s_client |
    ---------+--------+----------+
    taskd    | OK     | OK       |
    s_server | OK     | OK       |

pki-openvpn:

             | taskd  | s_client |
    ---------+--------+----------+
    taskd    | KO-1   | OK-2     |
    s_server | KO-1   | OK       |

KO-1: the client says the certificate has an error.
KO-2: client says ok but the server says there is an error in the certificate.

What can explain such differences? Why are some PKIs not working with GnuTLS but working with openssl? Are there reference clients and servers for gnutls like s_client or s_server?

All tests have been done with GnuTLS 3.3.8 compiled straight from git on Linux, and the programs in src/tls/ in the taskd 1.1.0 branch from git.
Thanks

[1] http://taskwarrior.org/
[2] https://github.com/OpenVPN/easy-rsa

--
Louis Opter

From nmav at gnutls.org Thu Oct 9 14:56:11 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Thu, 9 Oct 2014 14:56:11 +0200
Subject: [gnutls-help] x509 PKIs working with OpenSSL but not GnuTLS
In-Reply-To: <20141008091340.GA1422@kalessin.fr>
References: <20141008091340.GA1422@kalessin.fr>
Message-ID:

On Wed, Oct 8, 2014 at 11:13 AM, Louis Opter wrote:
> Hello,
>
> I'm trying to setup taskd [1], a server using GnuTLS on top of a custom
> task synchronization protocol, and my experience so far has been
> miserable.
[...]
>          | taskd  | s_client |
> ---------+--------+----------+
> taskd    | KO-1   | OK       |
> s_server | KO-1   | OK       |
>
> pki-sans:
>
>          | taskd  | s_client |
> ---------+--------+----------+
> taskd    | OK     | OK       |
> s_server | OK     | OK       |
>
> pki-openvpn:
>
>          | taskd  | s_client |
> ---------+--------+----------+
> taskd    | KO-1   | OK-2     |
> s_server | KO-1   | OK       |
>
> KO-1: the client says the certificate has an error.
> KO-2: client says ok but the server says there is an error in the
> certificate.
>
> What can explain such differences?

Unfortunately without mentioning the reason of failure or seeing the certificate chains, no.

> Why some PKIs aren't working with
> GnuTLS but are working with openssl? Is there reference clients and
> servers for gnutls like s_client or s_server?

gnutls-cli and gnutls-serv.

regards,
Nikos

From mpg at polarssl.org Thu Oct 9 18:11:09 2014
From: mpg at polarssl.org (Manuel Pégourié-Gonnard)
Date: Thu, 09 Oct 2014 18:11:09 +0200
Subject: [gnutls-help] DTLS retransmission issue with gnutls-cli
In-Reply-To:
References: <542B2A98.9030107@polarssl.org> <542BED7D.7070909@polarssl.org>
Message-ID: <5436B39D.9050103@polarssl.org>

On 02/10/2014 14:23, Nikos Mavrogiannopoulos wrote:
> It seems the dtls-stress tests don't include support for session
> tickets, while your test does. Does this patch fix the issue you see?
>
It does :)

Regards,
Manuel.

From kalessin at kalessin.fr Sat Oct 11 08:32:19 2014
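For readers following the thread above, here is the retransmission behaviour that Nikos's patch restores, written out as a small simulation. It is an added example of mine, not GnuTLS code. The flight names are the ones from Manuel's report, the 40 s figure is the overall handshake timeout he observed, and the 1 s initial timer that doubles on every retransmission is the RFC 6347 section 4.2.4 rule; the loss pattern (`drop_plan`) is constructed. `fixed=False` models a client that, having sent its last flight, waits for NewSessionTicket with no retransmit timer and treats every retransmitted ServerHello flight from the server as a replay (the "Discarded replayed handshake packet" lines in the log); `fixed=True` arms the timer before that receive, which is what the patch does. The model simplifies one thing: the fixed client re-sends only when its own timer fires, whereas a real implementation may also re-send as soon as it sees the peer's retransmission.

```python
from dataclasses import dataclass, field
from typing import List, Set

# Constructed model of the flights from Manuel's report (full DTLS handshake, session ticket in use).
FLIGHT_CLIENT_LAST = ("Certificate", "ClientKeyExchange", "CertificateVerify",
                      "ChangeCipherSpec", "Finished")        # sent in one datagram
FLIGHT_SERVER_LAST = ("NewSessionTicket", "ChangeCipherSpec", "Finished")

HANDSHAKE_TIMEOUT = 40.0   # overall handshake timeout observed in the report (simulated seconds)
INITIAL_RTO = 1.0          # RFC 6347 s4.2.4.1: start the retransmit timer at 1 s ...
MAX_RTO = 60.0             # ... double it on every retransmission, cap at 60 s


@dataclass
class HandshakeResult:
    completed: bool
    retransmissions: int     # how many times the client re-sent its last flight
    elapsed: float           # simulated seconds until completion or failure
    log: List[str] = field(default_factory=list)


def run_handshake(drop_plan: Set[int], fixed: bool = True) -> HandshakeResult:
    """Simulate the tail of the handshake from the moment the client sends its last
    flight. drop_plan holds the 1-based transmission numbers of that flight which the
    (constructed) lossy proxy discards; every other datagram is delivered."""
    clock, rto, attempt, log = 0.0, INITIAL_RTO, 0, []
    while True:
        attempt += 1
        lost = attempt in drop_plan
        log.append("t=%5.1fs client -> server: %s%s"
                   % (clock, "/".join(FLIGHT_CLIENT_LAST), " (lost)" if lost else ""))
        if not lost:
            # The server now has the whole client flight and answers with its own last flight.
            log.append("t=%5.1fs server -> client: %s" % (clock, "/".join(FLIGHT_SERVER_LAST)))
            return HandshakeResult(True, attempt - 1, clock, log)
        if not fixed:
            # Buggy path: the client is blocked in a plain receive for NewSessionTicket.
            # The server, which never saw the client's flight, keeps retransmitting its
            # ServerHello flight on its own timer; each copy is discarded as a replay and
            # nothing is ever re-sent, so only the global timeout ends the handshake.
            t, srv_rto = clock, INITIAL_RTO
            while t + srv_rto < HANDSHAKE_TIMEOUT:
                t += srv_rto
                log.append("t=%5.1fs server -> client: ServerHello flight (retransmit); "
                           "client: Discarded replayed handshake packet" % t)
                srv_rto = min(srv_rto * 2, MAX_RTO)
            log.append("t=%5.1fs client: *** Fatal error: The operation timed out" % HANDSHAKE_TIMEOUT)
            return HandshakeResult(False, 0, HANDSHAKE_TIMEOUT, log)
        # Fixed path: a retransmit timer is armed before waiting for NewSessionTicket.
        # When it fires the client re-sends its whole last flight and doubles the timer.
        if clock + rto >= HANDSHAKE_TIMEOUT:
            log.append("t=%5.1fs client: *** Fatal error: The operation timed out" % HANDSHAKE_TIMEOUT)
            return HandshakeResult(False, attempt - 1, HANDSHAKE_TIMEOUT, log)
        clock += rto
        rto = min(rto * 2, MAX_RTO)


if __name__ == "__main__":
    for plan, fixed in (({1}, False), ({1, 2}, True)):
        print("drop plan %s, fixed=%s" % (sorted(plan), fixed))
        print("\n".join(run_handshake(plan, fixed).log))
        print()
```

With the first transmission dropped, the unfixed client produces five discarded retransmissions from the server and then the timeout, which is the shape of the log Manuel posted; the fixed client re-sends once after one second and completes.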
From: kalessin at kalessin.fr (Louis Opter)
Date: Fri, 10 Oct 2014 23:32:19 -0700
Subject: [gnutls-help] x509 PKIs working with OpenSSL but not GnuTLS
In-Reply-To:
References: <20141008091340.GA1422@kalessin.fr>
Message-ID: <20141010233219.36edc67e@wintermute.kalessin.fr>

On Thu, 9 Oct 2014 14:56:11 +0200 Nikos Mavrogiannopoulos wrote:

Thanks for the answers.

> Unfortunately without mentioning the reason of failure or seeing the
> certificate chains, no.

Using gnutls-cli and gnutls-serv I have been able to isolate the issue a little bit more:

pki-no-sans:

             | t_client | s_client | g_client |
    ---------+----------+----------+----------+
    t_server | KO-1     | OK       | OK       |
    s_server | KO-1     | OK       | OK       |
    g_server | KO-1     | OK       | OK       |

pki-sans:

             | t_client | s_client | g_client |
    ---------+----------+----------+----------+
    t_client | OK       | OK       | OK       |
    s_server | OK       | OK       | OK       |
    g_server | OK       | OK       | OK       |

pki-openvpn:

             | t_client | s_client | g_client |
    ---------+----------+----------+----------+
    t_client | KO-1     | KO-2     | KO-3     |
    s_server | KO-1     | OK       | KO-3     |
    g_server | KO-1     | OK       | KO-3     |

KO-1: the client says the certificate has an error.
KO-2: client says ok but the server says there is an error in the certificate.
KO-3: the client says: the name in the certificate doesn't match the expected.

t_{client,server} are taskwarrior (gnu)tls test client and server.
g_{client,server} are gnutls-{cli,serv}.

So, the tests with pki-no-sans point out that something seems to be amiss in the taskwarrior client implementation and I'll follow up with the taskwarrior devs.

However, are you guys interested in more details about my openvpn pki? (It shouldn't be anything fancy, I generated it using easyrsa3). Unfortunately, the error message from gnutls-cli isn't helpful to me.

Thanks

--
Louis Opter

From nmav at gnutls.org Sat Oct 11 12:27:22 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sat, 11 Oct 2014 12:27:22 +0200
Subject: [gnutls-help] x509 PKIs working with OpenSSL but not GnuTLS
In-Reply-To: <20141010233219.36edc67e@wintermute.kalessin.fr>
References: <20141008091340.GA1422@kalessin.fr> <20141010233219.36edc67e@wintermute.kalessin.fr>
Message-ID: <1413023242.11711.2.camel@nomad.lan>

On Fri, 2014-10-10 at 23:32 -0700, Louis Opter wrote:
> On Thu, 9 Oct 2014 14:56:11 +0200 Nikos Mavrogiannopoulos
> wrote:
>
> Thanks for the answers.
>
> > Unfortunately without mentioning the reason of failure or seeing the
> > certificate chains, no.
>
> Using gnutls-cli and gnutls-serv I have been able to isolate the issue a
> little bit more:
[...]
>          | t_client | s_client | g_client |
> ---------+----------+----------+----------+
> t_client | KO-1     | KO-2     | KO-3     |
> s_server | KO-1     | OK       | KO-3     |
> g_server | KO-1     | OK       | KO-3     |
>
> KO-1: the client says the certificate has an error.
> KO-2: client says ok but the server says there is an error in the
> certificate.
> KO-3: the client says: the name in the certificate doesn't match the
> expected.
> t_{client,server} are taskwarrior (gnu)tls test client and server.
> g_{client,server} are gnutls-{cli,serv}.

To be honest I am confused about what you are describing here and what the actual issue is that you are seeing. As far as I understand you have some certificate chain that gnutls-cli reports that "the name in the certificate doesn't match". In that case you should check the CN of the certificate and the subject alternative name.

regards,
Nikos

From nmav at gnutls.org Mon Oct 13 08:45:22 2014
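Nikos's pointer above (check the CN and the subject alternative names) is the whole of the KO-3 case, so here is that check written out in full. This is an added example of mine, not GnuTLS code; it follows the name-matching rules of RFC 2818 section 3.1 and RFC 6125 section 6.4 that TLS clients apply: dNSName SANs are authoritative when present and the CN is then ignored, the CN is only a fallback when there is no SAN at all, and an IP literal is matched only against iPAddress SANs. GnuTLS's own handling of an IP written into the CN with no SAN may be more lenient than the strict rule used here; this thread does not establish either way. The three `Cert` values at the bottom are hypothetical stand-ins for Louis's PKIs (the "openvpn style" one assumes an easy-rsa certificate whose CN is a plain name like `server` rather than the host name), not his actual certificates.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Cert:
    """Only the fields that matter for name checking (constructed; not a real X.509 parser)."""
    common_name: Optional[str]
    dns_sans: List[str] = field(default_factory=list)   # subjectAltName dNSName entries
    ip_sans: List[str] = field(default_factory=list)    # subjectAltName iPAddress entries


def match_dns(pattern: str, host: str) -> bool:
    """Case-insensitive DNS name match with RFC 6125 s6.4.3 wildcard rules: '*' may only be
    the entire left-most label, it matches exactly one label, and at least two labels must
    remain to its right (so '*.org' is rejected)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    first, _, rest = pattern.partition(".")
    if first != "*" or rest.count(".") < 1:
        return False
    host_first, _, host_rest = host.partition(".")
    return bool(host_first) and host_rest == rest


def check_hostname(cert: Cert, expected: str) -> Tuple[bool, str]:
    """Decide whether `cert` is for `expected` (a DNS name or an IP literal), and say why."""
    try:
        ip = ipaddress.ip_address(expected)
    except ValueError:
        ip = None
    if ip is not None:
        # RFC 2818 s3.1: an IP literal must appear as an iPAddress SAN; an IP string in the
        # CN does not count under the strict rule used here.
        if any(ipaddress.ip_address(s) == ip for s in cert.ip_sans):
            return True, "matched iPAddress SAN"
        return False, "no iPAddress SAN for %s (CN is not used for IP literals)" % expected
    if cert.dns_sans:
        # dNSName SANs are authoritative: the CN is ignored even if it would have matched.
        if any(match_dns(p, expected) for p in cert.dns_sans):
            return True, "matched dNSName SAN"
        return False, "dNSName SANs %s do not cover %s; CN ignored" % (cert.dns_sans, expected)
    # Legacy fallback: no SAN at all, so the CN is the only place a name can live.
    if cert.common_name and match_dns(cert.common_name, expected):
        return True, "no SAN; matched CN"
    return False, "no SAN and CN %r does not match %s" % (cert.common_name, expected)


# Hypothetical stand-ins for the three PKIs in the thread (constructed, not Louis's certificates).
PKI_SANS = Cert("task.example.org", dns_sans=["task.example.org"], ip_sans=["192.0.2.10"])
PKI_NO_SANS = Cert("task.example.org")
PKI_OPENVPN_STYLE = Cert("server")   # assumed easy-rsa default: CN is the name given at build time, no SAN

if __name__ == "__main__":
    for label, cert in (("pki-sans", PKI_SANS), ("pki-no-sans", PKI_NO_SANS),
                        ("pki-openvpn (assumed)", PKI_OPENVPN_STYLE)):
        for target in ("task.example.org", "192.0.2.10"):
            ok, why = check_hostname(cert, target)
            print("%-22s %-18s %s (%s)" % (label, target, "OK" if ok else "KO-3", why))
```

The "openvpn style" certificate fails for the host name and for the IP, which is what a KO-3 from gnutls-cli looks like; the no-SAN certificate passes for the host name but not for the IP literal, and the SAN certificate passes for both. Whether Louis's easy-rsa certificate really has a CN that is not the host name is an assumption of this example; `certtool -i` on the server certificate would show the CN and SAN values to compare against.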
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Mon, 13 Oct 2014 08:45:22 +0200
Subject: [gnutls-help] gnutls 3.1.27
Message-ID: <1413182722.18260.0.camel@nomad.lan>

Hello,
I've just released gnutls 3.1.27. This is a bug-fix release on the previous stable branch.

* Version 3.1.27 (released 2014-10-13)

** libgnutls: Fixed issue with unexpected non-fatal errors resetting the handshake's hash buffer, in applications using the heartbeat extension or DTLS. Reported by Joeri de Ruiter.

** libgnutls: Corrected gnutls_x509_crl_verify() which would always report a CRL signature as invalid. Reported by Armin Burgmeier.

** tools: updated libopts.

** API and ABI modifications:
No changes since last version.

Getting the Software
====================

GnuTLS may be downloaded directly from . A list of GnuTLS mirrors can be found at .

Here are the XZ and LZIP compressed sources:

    ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/gnutls-3.1.27.tar.xz
    ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/gnutls-3.1.27.tar.lz

Here are OpenPGP detached signatures signed using key 0x96865171:

    ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/gnutls-3.1.27.tar.xz.sig
    ftp://ftp.gnutls.org/gcrypt/gnutls/v3.1/gnutls-3.1.27.tar.lz.sig

Note that it has been signed with my openpgp key:

    pub   3104R/96865171 2008-05-04 [expires: 2028-04-29]
    uid                  Nikos Mavrogiannopoulos gnutls.org>
    uid                  Nikos Mavrogiannopoulos gmail.com>
    sub   2048R/9013B842 2008-05-04 [expires: 2018-05-02]
    sub   2048R/1404A91D 2008-05-04 [expires: 2018-05-02]

regards,
Nikos

From nmav at gnutls.org Mon Oct 13 08:46:33 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Mon, 13 Oct 2014 08:46:33 +0200
Subject: [gnutls-help] gnutls 3.2.19
Message-ID: <1413182793.18260.2.camel@nomad.lan>

Hello,
I've just released gnutls 3.2.19. This is a bugfix release on the previous stable branch.

* Version 3.2.19 (released 2014-10-13)

** libgnutls: Fixes in the transparent import of PKCS #11 certificates. Reported by Joseph Peruski.

** libgnutls: Fixed issue with unexpected non-fatal errors resetting the handshake's hash buffer, in applications using the heartbeat extension or DTLS. Reported by Joeri de Ruiter.

** libgnutls: fix issue in DTLS retransmission when session tickets were in use; reported by Manuel Pégourié-Gonnard.

** libgnutls: Prevent abort() in library if getrusage() fails. Try to detect instead which of RUSAGE_THREAD and RUSAGE_SELF would work.

** guile: new 'set-session-server-name!' procedure; see the manual for details.

** API and ABI modifications:
No changes since last version.

Getting the Software
====================

GnuTLS may be downloaded directly from . A list of GnuTLS mirrors can be found at .

Here are the XZ and LZIP compressed sources:

    ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.19.tar.xz
    ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.19.tar.lz

Here are OpenPGP detached signatures signed using key 0x96865171:

    ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.19.tar.xz.sig
    ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.19.tar.lz.sig

Note that it has been signed with my openpgp key:

    pub   3104R/96865171 2008-05-04 [expires: 2028-04-29]
    uid                  Nikos Mavrogiannopoulos gnutls.org>
    uid                  Nikos Mavrogiannopoulos gmail.com>
    sub   2048R/9013B842 2008-05-04 [expires: 2018-05-02]
    sub   2048R/1404A91D 2008-05-04 [expires: 2018-05-02]

regards,
Nikos

From nmav at gnutls.org Mon Oct 13 08:48:36 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Mon, 13 Oct 2014 08:48:36 +0200
Subject: [gnutls-help] gnutls 3.3.9
Message-ID: <1413182916.18260.4.camel@nomad.lan>

Hello,
I've just released gnutls 3.3.9. This is a bug-fix release on the stable branch. With this release the 3.3.x branch becomes the stable branch.

* Version 3.3.9 (released 2014-10-13)

** libgnutls: Fixes in the transparent import of PKCS #11 certificates. Reported by Joseph Peruski.

** libgnutls: Fixed issue with unexpected non-fatal errors resetting the handshake's hash buffer, in applications using the heartbeat extension or DTLS. Reported by Joeri de Ruiter.

** libgnutls: When both a trust module and additional CAs are present account the latter as well; reported by David Woodhouse.

** libgnutls: added GNUTLS_TL_GET_COPY flag for gnutls_x509_trust_list_get_issuer(). That allows the function to be used in a thread safe way when PKCS #11 trust modules are in use.

** libgnutls: fix issue in DTLS retransmission when session tickets were in use; reported by Manuel Pégourié-Gonnard.

** libgnutls-dane: Do not require the CA on a ca match to be direct CA.

** libgnutls: Prevent abort() in library if getrusage() fails. Try to detect instead which of RUSAGE_THREAD and RUSAGE_SELF would work.

** guile: new 'set-session-server-name!' procedure; see the manual for details.

** certtool: The authority key identifier will be set in a certificate only if the CA's subject key identifier is set.

** API and ABI modifications:
No changes since last version.

Getting the Software
====================

GnuTLS may be downloaded directly from . A list of GnuTLS mirrors can be found at .
Here are the XZ and LZIP compressed sources:

    ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.9.tar.xz
    ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.9.tar.lz

Here are OpenPGP detached signatures signed using key 0x96865171:

    ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.9.tar.xz.sig
    ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.9.tar.lz.sig

Note that it has been signed with my openpgp key:

    pub   3104R/96865171 2008-05-04 [expires: 2028-04-29]
    uid                  Nikos Mavrogiannopoulos gnutls.org>
    uid                  Nikos Mavrogiannopoulos gmail.com>
    sub   2048R/9013B842 2008-05-04 [expires: 2018-05-02]
    sub   2048R/1404A91D 2008-05-04 [expires: 2018-05-02]

regards,
Nikos

From mcatanzaro at gnome.org Fri Oct 17 01:09:46 2014
From: mcatanzaro at gnome.org (Michael Catanzaro)
Date: Thu, 16 Oct 2014 18:09:46 -0500
Subject: [gnutls-help] Advice for handling POODLE vulnerability
Message-ID: <1413500986.22954.9.camel@lumiose-city>

Hi,

I'm looking for some advice on how to plug the POODLE vulnerability in WebKitGTK+. We use GnuTLS indirectly through libsoup, which uses glib, which uses glib-networking, which uses GnuTLS. glib does not currently offer the ability to control the protocols or cipher suites in use.

Traditionally, glib-networking has not changed any GnuTLS defaults, on the assumption that your defaults will always be better and more secure than anything the glib developers could come up with. But since it looks like SSLv3 will not be disabled until GnuTLS 3.4, and we need to immediately disable SSLv3, this no longer seems like a reasonable option for glib. In order to avoid breaking applications that require SSLv3, the current consideration is to add new API in glib (and possibly also in libsoup) for controlling protocols in use... but this seems like a poor way to handle a security issue, and would cause glib to default to insecure. There's a short discussion in [1].

We'd really appreciate any advice this list has to offer on how to proceed.

Thanks,

Michael

[1] https://bugzilla.gnome.org/show_bug.cgi?id=738633

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: This is a digitally signed message part
URL:

From nmav at gnutls.org Fri Oct 17 06:17:17 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Fri, 17 Oct 2014 06:17:17 +0200
Subject: [gnutls-help] Advice for handling POODLE vulnerability
In-Reply-To: <1413500986.22954.9.camel@lumiose-city>
References: <1413500986.22954.9.camel@lumiose-city>
Message-ID: <1413519437.2461.8.camel@nomad.lan>

On Thu, 2014-10-16 at 18:09 -0500, Michael Catanzaro wrote:
> Hi,
>
> I'm looking for some advice on how to plug the POODLE vulnerability in
> WebKitGTK+. We use GnuTLS indirectly through libsoup, which uses glib,
> which uses glib-networking, which uses GnuTLS. glib does not currently
> offer the ability to control the protocols or cipher suites in use.
>
> Traditionally, glib-networking has not changed any GnuTLS defaults, on
> the assumption that your defaults will always be better and more secure
> than anything the glib developers could come up with. But since it looks
> like SSLv3 will not be disabled until GnuTLS 3.4, and we need to
> immediately disable SSLv3, this no longer seems like a reasonable option
> for glib. In order to avoid breaking applications that require SSLv3,
> the current consideration is to add new API in glib (and possibly also
> in libsoup) for controlling protocols in use... but this seems like a
> poor way to handle a security issue, and would cause glib to default to
> insecure.

Hi,
I've posted a security advisory on [0]. The short answer is that you don't need to do any changes, unless glib-networking does the browser-like insecure TLS negotiation. If you are not in that case SSL 3.0 will only be negotiated as fallback, if neither of the parties support anything better. If on the other hand glib-networking performs the insecure TLS negotiation, it should be modified not to try SSL 3.0 as part of it.

In any case, I think that offering an API to control the SSL 3.0 usage per application will cause more issues than it will solve. By the time you introduce it applications would use it to avoid compatibility issues, and SSL 3.0 will stay on indefinitely until someone notices.

[0]. http://www.gnutls.org/security.html#GNUTLS-SA-2014-4

regards,
Nikos

From dev at cor0.com Fri Oct 17 22:19:19 2014
From: dev at cor0.com (dev)
Date: Fri, 17 Oct 2014 16:19:19 -0400 (EDT)
Subject: [gnutls-help] gnutls 3.3.9
In-Reply-To: <1413182916.18260.4.camel@nomad.lan>
References: <1413182916.18260.4.camel@nomad.lan>
Message-ID: <1204426961.49599.1413577159550.JavaMail.vpopmail@webmail2.networksolutionsemail.com>

On October 13, 2014 at 2:48 AM Nikos Mavrogiannopoulos wrote:
> Hello,
> I've just released gnutls 3.3.9. This is a bug-fix release on
> the stable branch. With this release the 3.3.x branch becomes the
> stable branch.
>
> * Version 3.3.9 (released 2014-10-13)

Fails to build in the usual way and in the usual place on Solaris 10 :

$ tail -20 ../gnutls-3.3.9_SunOS5.10_sparcv9_001.build.log
  CC       tpm.lo
  CC       fips.lo
  CC       safe-memset.lo
  CC       inet_pton.lo
  CC       gnutls_srp.lo
  CC       gnutls_psk.lo
  CCLD     libgnutls.la
Undefined                       first referenced
 symbol                             in file
inet_aton                           x509/.libs/libgnutls_x509.a(rfc2818_hostname.o)  (symbol belongs to implicit dependency /lib/64/libnsl.so.1)
ld: fatal: symbol referencing errors. No output written to .libs/libgnutls.so.28.41.1
gmake[4]: *** [libgnutls.la] Error 2
gmake[4]: Leaving directory `/usr/local/build/gnutls-3.3.9_SunOS5.10_sparcv9_001/lib'
gmake[3]: *** [all-recursive] Error 1
gmake[3]: Leaving directory `/usr/local/build/gnutls-3.3.9_SunOS5.10_sparcv9_001/lib'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/usr/local/build/gnutls-3.3.9_SunOS5.10_sparcv9_001/lib'
gmake[1]: *** [all-recursive] Error 1
gmake[1]: Leaving directory `/usr/local/build/gnutls-3.3.9_SunOS5.10_sparcv9_001'
gmake: *** [all] Error 2
$

One of these days I will dig around and find whatever linkage options are
needed and perhaps get them sorted out in the mysterious Makefile down in
./lib

Dennis

From kalessin at kalessin.fr Sun Oct 19 07:33:21 2014
From: kalessin at kalessin.fr (Louis Opter)
Date: Sat, 18 Oct 2014 22:33:21 -0700
Subject: [gnutls-help] x509 PKIs working with OpenSSL but not GnuTLS
In-Reply-To: <1413023242.11711.2.camel@nomad.lan>
References: <20141008091340.GA1422@kalessin.fr> <20141010233219.36edc67e@wintermute.kalessin.fr> <1413023242.11711.2.camel@nomad.lan>
Message-ID: <20141019053321.GF1422@kalessin.fr>

On Sat, Oct 11, 2014 at 12:27:22PM +0200, Nikos Mavrogiannopoulos wrote:
> On Fri, 2014-10-10 at 23:32 -0700, Louis Opter wrote:
>
> To be honest I am confused on what are you describing here and what is
> the actual issue you are seeing. As far as I understand you have some
> certificate chain that gnutls-cli reports that the "the name in the
> certificate doesn't match". In that case you should check the CN of the
> certificate and the subject alternative name.

Thank you for your help Nikos, in the end my issues boiled down to CN
mismatches, which are being handled differently in OpenSSL and GnuTLS
(I'd be happy to hear more about that btw).

Everything ended up being difficult to investigate because x509 is a lot
of moving parts, because I fucked up some config in taskwarrior and I also
ran into the bug fixed by this commit at some point:

https://gitorious.org/gnutls/gnutls/commit/4a7f52373c6623d9e8775814bdb18129a26a0f81

I still have to say that everything would have been a lot easier and a
lot less confusing if the error reporting was better. Is there anything
like gnutls_strerror but for the status variable set by the
gnutls_certificate_verify_peers functions?

Thanks
--
Louis Opter

From ceving at gmail.com Sun Oct 19 12:16:53 2014
From: ceving at gmail.com (Sascha Ziemann)
Date: Sun, 19 Oct 2014 12:16:53 +0200
Subject: [gnutls-help] seek error in in config file
Message-ID: <54438F95.9080606@gmail.com>

Hi,

I tried to feed the config to certtool without writing it to disk:

function generate_ca_cert ()
{
    local CA_KEY="$1"
    local CA_CRT="$2"
    certtool --generate-self-signed \
        --template <(ca_config) \
        --load-privkey "$CA_HOME"/"$CA_KEY" \
        --outfile "$CA_HOME"/"$CA_CRT"
}

This throws the following error:

error parsing command line: /dev/fd/63: seek error in in config file

Why is it necessary to seek the config file?

Regards,
Sascha

From nmav at gnutls.org Sun Oct 19 22:27:14 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sun, 19 Oct 2014 22:27:14 +0200
Subject: [gnutls-help] x509 PKIs working with OpenSSL but not GnuTLS
In-Reply-To: <20141019053321.GF1422@kalessin.fr>
References: <20141008091340.GA1422@kalessin.fr> <20141010233219.36edc67e@wintermute.kalessin.fr> <1413023242.11711.2.camel@nomad.lan> <20141019053321.GF1422@kalessin.fr>
Message-ID: <1413750434.2741.5.camel@nomad.lan>

On Sat, 2014-10-18 at 22:33 -0700, Louis Opter wrote:
> https://gitorious.org/gnutls/gnutls/commit/4a7f52373c6623d9e8775814bdb18129a26a0f81
>
> I still have to say that everything would have been a lot easier and a
> lot less confusing if the error reporting was better. Is there anything
> like gnutls_strerror but for the status variable set by the
> gnutls_certificate_verify_peers functions?

Yes, there is gnutls_certificate_verification_status_print().

From nmav at gnutls.org Mon Oct 20 14:29:27 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Mon, 20 Oct 2014 14:29:27 +0200
Subject: [gnutls-help] seek error in in config file
In-Reply-To: <54438F95.9080606@gmail.com>
References: <54438F95.9080606@gmail.com>
Message-ID:

On Sun, Oct 19, 2014 at 12:16 PM, Sascha Ziemann wrote:
> Hi,
>
> I tried to feed the config to certtool without writing it to disk:
>
> function generate_ca_cert ()
> {
>     local CA_KEY="$1"
>     local CA_CRT="$2"
>     certtool --generate-self-signed \
>         --template <(ca_config) \
>         --load-privkey "$CA_HOME"/"$CA_KEY" \
>         --outfile "$CA_HOME"/"$CA_CRT"
> }
> This throws the following error:
> error parsing command line: /dev/fd/63: seek error in in config file
> Why is it necessary to seek the config file?

I don't know this syntax to specify a file on command line, but the
template file is read by autogen (libopts to be precise). I don't know
why it needs to seek though, but my guess would be that it needs to
support configuration files more complex than gnutls'.

regards,
Nikos

From ceving at gmail.com Mon Oct 20 16:50:51 2014
From: ceving at gmail.com (Sascha Ziemann)
Date: Mon, 20 Oct 2014 16:50:51 +0200
Subject: [gnutls-help] seek error in in config file
In-Reply-To:
References: <54438F95.9080606@gmail.com>
Message-ID:

2014-10-20 14:29 GMT+02:00 Nikos Mavrogiannopoulos :
> On Sun, Oct 19, 2014 at 12:16 PM, Sascha Ziemann wrote:
> > Hi,
> >
> > I tried to feed the config to certtool without writing it to disk:
> >
> > function generate_ca_cert ()
> > {
> >     local CA_KEY="$1"
> >     local CA_CRT="$2"
> >     certtool --generate-self-signed \
> >         --template <(ca_config) \
> >         --load-privkey "$CA_HOME"/"$CA_KEY" \
> >         --outfile "$CA_HOME"/"$CA_CRT"
> > }
> > This throws the following error:
> > error parsing command line: /dev/fd/63: seek error in in config file
> > Why is it necessary to seek the config file?
>
> I don't know this syntax to specify a file on command line, but the
> template file is read by autogen (libopts to be precise).

It is not a file. It is a process substitution, which is actually a pipe:

http://tldp.org/LDP/abs/html/process-sub.html

Using a pipe simplifies the cleanup, because no temporary files are
written to disk. But if it is not supported by libopts, I will have to do
the cleanup...

Regards,
Sascha

From mattroisang at gmail.com Wed Oct 22 04:36:51 2014
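An added example, not code from the thread: since libopts seeks the template, the process substitution has to be replaced by a temporary regular file, and the cleanup Sascha mentions is done on every exit path. The template contents of `ca_config` are a constructed sample, the wrapper name `with_template` is chosen here, and `mktemp` is assumed to be available.

```sh
#!/bin/sh
# Added example, not code from the thread. certtool's template is parsed by
# libopts, which seeks it, so a pipe such as <(ca_config) fails with
# "seek error in in config file". Write the template to a temporary regular
# file instead and remove it whatever the tool's exit status.

# Constructed sample template (stands in for the thread's ca_config).
ca_config() {
    cat <<'EOF'
organization = "Example CA"
cn = "Example Root CA"
ca
cert_signing_key
expiration_days = 3650
EOF
}

# with_template TOOL [ARGS...]
# Runs "TOOL ARGS... --template FILE", where FILE is a seekable temporary
# file holding the output of ca_config. The file is removed on success,
# on failure and on interruption; the tool's exit status is returned.
with_template() {
    tmpl=$(mktemp) || return 1
    # Remove the file if we are interrupted while the tool runs.
    trap 'rm -f "$tmpl"; exit 1' INT TERM HUP
    if ! ca_config > "$tmpl"; then
        rm -f "$tmpl"
        trap - INT TERM HUP
        return 1
    fi
    "$@" --template "$tmpl"
    rc=$?
    rm -f "$tmpl"
    trap - INT TERM HUP
    return $rc
}

# The original function with the process substitution replaced by the
# wrapper; CA_HOME, key and certificate names are the caller's as before.
generate_ca_cert() {
    CA_KEY="$1"
    CA_CRT="$2"
    with_template certtool --generate-self-signed \
        --load-privkey "$CA_HOME/$CA_KEY" \
        --outfile "$CA_HOME/$CA_CRT"
}
```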
From: mattroisang at gmail.com (Mat Troi)
Date: Tue, 21 Oct 2014 19:36:51 -0700
Subject: [gnutls-help] Compiling gnutls 3.3 with Solaris Studio 12.2
Message-ID:

Hi,

While compiling gnutls 3.3 with Solaris Studio 12.2, I got the error below:

Assembler:
"elf/cpuid-x86_64.s", line 59 : Syntax error
Near line: ".section .note.GNU-stack,"",%progbits"
cc: fbe failed for elf/cpuid-x86_64.s

I did a little research and found this has to do with hinting this object
file does *not* require an executable stack, but I could not find any hint
on fixing the error. Has anyone seen this and know how to fix it?

Thanks,
Mat

From nmav at gnutls.org Thu Oct 23 09:09:24 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Thu, 23 Oct 2014 09:09:24 +0200
Subject: [gnutls-help] Compiling gnutls 3.3 with Solaris Studio 12.2
In-Reply-To:
References:
Message-ID:

On Wed, Oct 22, 2014 at 4:36 AM, Mat Troi wrote:
> Hi,
>
> While compiling gnutls 3.3 with Solaris Studio 12.2, I got the error below:
>
> Assembler:
> "elf/cpuid-x86_64.s", line 59 : Syntax error
> Near line: ".section .note.GNU-stack,"",%progbits"
> cc: fbe failed for elf/cpuid-x86_64.s
>
> I did a little research and found this has to do with hinting this object
> file does not require an executable stack, but I could not find any hint
> on fixing the error. Has anyone seen this and know how to fix it?

Hi,

You can simply remove that line, or compile using gnu as. If you know
some way to express that portably for the solaris as it would be better.

regards,
Nikos

From nmav at gnutls.org Thu Oct 23 09:14:31 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Thu, 23 Oct 2014 09:14:31 +0200
Subject: [gnutls-help] Compiling gnutls 3.3 with Solaris Studio 12.2
In-Reply-To:
References:
Message-ID:

On Thu, Oct 23, 2014 at 9:09 AM, Nikos Mavrogiannopoulos wrote:
> On Wed, Oct 22, 2014 at 4:36 AM, Mat Troi wrote:
>> Hi,
>>
>> While compiling gnutls 3.3 with Solaris Studio 12.2, I got the error below:
>>
>> Assembler:
>> "elf/cpuid-x86_64.s", line 59 : Syntax error
>> Near line: ".section .note.GNU-stack,"",%progbits"
>> cc: fbe failed for elf/cpuid-x86_64.s
>>
>> I did a little research and found this has to do with hinting this object
>> file does not require an executable stack, but I could not find any hint
>> on fixing the error. Has anyone seen this and know how to fix it?
> Hi,
> You can simply remove that line, or compile using gnu as. If you know
> some way to express that portably for the solaris as it would be
> better.

btw. would putting that line in

#if defined(__linux__)

#endif

block work in solaris?

regards,
Nikos

From raphael.cohn at stormmq.com Thu Oct 23 19:18:28 2014
From: raphael.cohn at stormmq.com (Raphael Cohn)
Date: Thu, 23 Oct 2014 18:18:28 +0100
Subject: [gnutls-help] Quietening gnutls-cli
Message-ID:

Hi,

I'm trying to automate gnutls-cli. I'm running it as a background job from
bash, with stdin and stderr redirected to a pair of FIFOs.

However, I can't find a way to stop gnutls-cli from outputting connection
status information on stdout rather than stderr - things like "Processed
242 CA certificate(s).". This makes it really hard to use - especially as
the automation is actually plug-replaceable for several other programs
making plaintext connections, all of which send their noise to stderr and
reserve stdout for read/write.

Is there something I'm missing? A flag like '-q'?

Any help greatly appreciated,
Raph

From mattroisang at gmail.com Fri Oct 24 00:08:39 2014
From: mattroisang at gmail.com (Mat Troi)
Date: Thu, 23 Oct 2014 15:08:39 -0700
Subject: [gnutls-help] Compiling gnutls 3.3 with Solaris Studio 12.2
In-Reply-To:
References:
Message-ID:

Hi,

Adding the #if defined(__linux__) doesn't work. Removing the line works.
I tried switching to GNU compiler and got past that problem. I cannot find
equivalent syntax in Solaris Studio.

This is a totally unrelated problem, I have a bunch of missing symbol
references, but from the configure, nettle was found

checking for NETTLE... yes

The error for undefined symbol is:

Undefined                       first referenced
 symbol                             in file
nettle_gcm_aes_decrypt              nettle/.libs/libcrypto.a(cipher.o)
nettle_rsa_pkcs1_sign_tr            nettle/.libs/libcrypto.a(pk.o)
nettle_ecc_scalar_set               nettle/.libs/libcrypto.a(pk.o)
nettle_ecc_scalar_get               nettle/.libs/libcrypto.a(pk.o)
nettle_sha512_digest                nettle/.libs/libcrypto.a(mac.o)
nettle_sha512_update                nettle/.libs/libcrypto.a(mac.o)
....

I tried to do a find in the nettle directory and found

#define hmac_sha512_update nettle_hmac_sha512_update
#define hmac_sha384_update nettle_hmac_sha512_update
./hmac.h

But where is nettle_hmac_sha512_update defined?

Thanks,
Matt

On Thu, Oct 23, 2014 at 12:14 AM, Nikos Mavrogiannopoulos wrote:
> On Thu, Oct 23, 2014 at 9:09 AM, Nikos Mavrogiannopoulos wrote:
> > On Wed, Oct 22, 2014 at 4:36 AM, Mat Troi wrote:
> >> Hi,
> >>
> >> While compiling gnutls 3.3 with Solaris Studio 12.2, I got the error
> >> below:
> >>
> >> Assembler:
> >> "elf/cpuid-x86_64.s", line 59 : Syntax error
> >> Near line: ".section .note.GNU-stack,"",%progbits"
> >> cc: fbe failed for elf/cpuid-x86_64.s
> >>
> >> I did a little research and found this has to do with hinting this
> >> object file does not require an executable stack, but I could not find
> >> any hint on fixing the error. Has anyone seen this and know how to fix it?
> > Hi,
> > You can simply remove that line, or compile using gnu as. If you know
> > some way to express that portably for the solaris as it would be
> > better.
>
> btw. would putting that line in
> #if defined(__linux__)
>
> #endif
>
> block work in solaris?
>
> regards,
> Nikos

From nmav at gnutls.org Fri Oct 24 20:24:08 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Fri, 24 Oct 2014 20:24:08 +0200
Subject: [gnutls-help] Compiling gnutls 3.3 with Solaris Studio 12.2
In-Reply-To:
References:
Message-ID: <1414175048.14354.1.camel@nomad.lan>

On Thu, 2014-10-23 at 15:08 -0700, Mat Troi wrote:
> Hi,
>
> Adding the #if defined(__linux__) doesn't work. Removing the line
> works. I tried switching to GNU compiler and got past that problem.
> I cannot find equivalent syntax in Solaris Studio.

would using .ifdef __linux__ and .endif instead work?

> This is a totally unrelated problem, I have a bunch of missing symbol
> references, but from the configure, nettle was found
> checking for NETTLE... yes
> The error for undefined symbol is:
> Undefined                       first referenced
>  symbol                             in file
> nettle_gcm_aes_decrypt              nettle/.libs/libcrypto.a(cipher.o)
> nettle_rsa_pkcs1_sign_tr            nettle/.libs/libcrypto.a(pk.o)
> nettle_ecc_scalar_set               nettle/.libs/libcrypto.a(pk.o)
> nettle_ecc_scalar_get               nettle/.libs/libcrypto.a(pk.o)
> nettle_sha512_digest                nettle/.libs/libcrypto.a(mac.o)
> nettle_sha512_update                nettle/.libs/libcrypto.a(mac.o)
> ....

If you are using nettle 2.7.1, these symbols should be there. Could it
be that you have two different versions of nettle in your system that
conflict?

regards,
Nikos

From mattroisang at gmail.com Sat Oct 25 03:30:55 2014
From: mattroisang at gmail.com (Mat Troi)
Date: Fri, 24 Oct 2014 18:30:55 -0700
Subject: [gnutls-help] Compiling gnutls 3.3 with Solaris Studio 12.2
In-Reply-To: <1414175048.14354.1.camel@nomad.lan>
References: <1414175048.14354.1.camel@nomad.lan>
Message-ID:

On Fri, Oct 24, 2014 at 11:24 AM, Nikos Mavrogiannopoulos wrote:
> On Thu, 2014-10-23 at 15:08 -0700, Mat Troi wrote:
> > Hi,
> >
> > Adding the #if defined(__linux__) doesn't work. Removing the line
> > works. I tried switching to GNU compiler and got past that problem.
> > I cannot find equivalent syntax in Solaris Studio.
>
> would using .ifdef __linux__ and .endif instead work?

Doesn't work either.

> > This is a totally unrelated problem, I have a bunch of missing symbol
> > references, but from the configure, nettle was found
> > checking for NETTLE... yes
> > The error for undefined symbol is:
> > Undefined                       first referenced
> >  symbol                             in file
> > nettle_gcm_aes_decrypt              nettle/.libs/libcrypto.a(cipher.o)
> > nettle_rsa_pkcs1_sign_tr            nettle/.libs/libcrypto.a(pk.o)
> > nettle_ecc_scalar_set               nettle/.libs/libcrypto.a(pk.o)
> > nettle_ecc_scalar_get               nettle/.libs/libcrypto.a(pk.o)
> > nettle_sha512_digest                nettle/.libs/libcrypto.a(mac.o)
> > nettle_sha512_update                nettle/.libs/libcrypto.a(mac.o)
> > ....
>
> If you are using nettle 2.7.1, these symbols should be there. Could it
> be that you have two different versions of nettle in your system that
> conflict?

Yes I have nettle 2.7.1, I changed my configure line to have -L and -l for
pointing to libnettle and hogweed and that helps.

NETTLE_LIBS="-L/usr/local/lib -lnettle"
NETTLE_CFLAGS="-I/usr/local/include"
HOGWEED_LIBS="-L/usr/local/lib -lhogweed"
HOGWEED_CFLAGS="-I/usr/local/include"

Now I am missing this symbol, do you know what library I need to include
for this?

  CC       gnutls_openssl.lo
  CC       openssl_compat.lo
  CCLD     libgnutls-openssl.la
Undefined                       first referenced
 symbol                             in file
version_to_entry                    .libs/gnutls_openssl.o

Thanks,
Matt

> regards,
> Nikos

From ceving at gmail.com Sat Oct 25 09:19:26 2014
From: ceving at gmail.com (Sascha Ziemann)
Date: Sat, 25 Oct 2014 09:19:26 +0200
Subject: [gnutls-help] Quietening gnutls-cli
In-Reply-To:
References:
Message-ID:

2014-10-23 19:18 GMT+02:00 Raphael Cohn :
>
> I'm trying to automate gnutls-cli. I'm running it as a background job from
> bash, with stdin and stderr redirected to a pair of FIFOs.
>
> However, I can't find a way to stop gnutls-cli from outputting connection
> status information on stdout rather than stderr - things like "Processed
> 242 CA certificate(s).".

Untested:

while read -r LINE; do
    if [ "$LINE" = "Processed 242 CA certificate(s)." ]; then
        echo "$LINE" >&2
    else
        echo "$LINE"
    fi
done

From nmav at gnutls.org Sat Oct 25 10:34:36 2014
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sat, 25 Oct 2014 10:34:36 +0200
Subject: [gnutls-help] Compiling gnutls 3.3 with Solaris Studio 12.2
In-Reply-To:
References: <1414175048.14354.1.camel@nomad.lan>
Message-ID: <1414226076.2475.1.camel@nomad.lan>

On Fri, 2014-10-24 at 18:30 -0700, Mat Troi wrote:
> Yes I have nettle 2.7.1, I changed my configure line to have -L and -l
> for pointing to libnettle and hogweed and that helps.
> NETTLE_LIBS="-L/usr/local/lib -lnettle"
> NETTLE_CFLAGS="-I/usr/local/include" HOGWEED_LIBS="-L/usr/local/lib
> -lhogweed" HOGWEED_CFLAGS="-I/usr/local/include"
> Now I am missing this symbol, do you know what library I need to
> include for this?
>   CC       gnutls_openssl.lo
>   CC       openssl_compat.lo
>   CCLD     libgnutls-openssl.la
> Undefined                       first referenced
>  symbol                             in file
> version_to_entry                    .libs/gnutls_openssl.o

No idea, but you most probably don't need this library.
Try using --disable-openssl-compatibility to configure script.

regards,
Nikos

From jens.lechtenboerger at fsfe.org Sat Oct 25 15:31:23 2014
From: jens.lechtenboerger at fsfe.org (Jens Lechtenboerger)
Date: Sat, 25 Oct 2014 15:31:23 +0200
Subject: [gnutls-help] Quietening gnutls-cli
References:
Message-ID: <86oat0jmxg.fsf@informationelle-selbstbestimmung-im-internet.de>

On 2014-10-23, Raphael Cohn wrote:
> Hi,
>
> I'm trying to automate gnutls-cli. I'm running it as a background job from
> bash, with stdin and stderr redirected to a pair of FIFOs.
>
> However, I can't find a way to stop gnutls-cli from outputting connection
> status information on stdout rather than stderr - things like "Processed
> 242 CA certificate(s).".

I don't think that you can suppress that output. You need to read past
"- Simple Client Mode:\n\n"

Here is what I'm doing, with a link to my code:
https://blogs.fsfe.org/jens.lechtenboerger/?p=230

Best wishes
Jens

From mattroisang at gmail.com Sat Oct 25 18:29:30 2014
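An added example, not code from the thread, that combines the two answers to Raphael: instead of matching one known status line, the filter (named `quiet_cli` here) sends everything gnutls-cli prints up to and including the empty line after "- Simple Client Mode:" to stderr and passes the rest through on stdout. It is run here over a constructed transcript in `sample_output`, not a real gnutls-cli session.

```sh
#!/bin/sh
# Added example, not code from the thread. gnutls-cli writes its connection
# status on stdout; the application data starts after the line
# "- Simple Client Mode:" and the empty line that follows it. This filter
# sends that preamble to stderr and only the payload to stdout, so the reader
# on the other end of the FIFO sees a plain byte stream, like the other
# plaintext clients Raphael mentions.

# Constructed sample of what gnutls-cli prints (not a real capture).
sample_output() {
    cat <<'EOF'
Processed 242 CA certificate(s).
Resolving 'example.org'...
Connecting to '192.0.2.10:443'...
- Certificate type: X.509
- Simple Client Mode:

220 example.org ESMTP ready
250 OK
EOF
}

# quiet_cli: read gnutls-cli's stdout on stdin; status lines go to stderr,
# application data to stdout. An empty line only ends the preamble after
# the "- Simple Client Mode:" marker, so a blank status line earlier does
# not start passing status through as data.
quiet_cli() {
    seen_marker=0
    while IFS= read -r line; do
        printf '%s\n' "$line" >&2
        if [ "$seen_marker" -eq 1 ] && [ -z "$line" ]; then
            # Preamble over: hand the rest of stdin through untouched.
            cat
            return 0
        fi
        [ "$line" = "- Simple Client Mode:" ] && seen_marker=1
    done
    # gnutls-cli ended before reaching client mode (e.g. handshake failure):
    # everything was status, nothing was data.
    return 1
}
```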
From: mattroisang at gmail.com (Mat Troi)
Date: Sat, 25 Oct 2014 09:29:30 -0700
Subject: [gnutls-help] Compiling gnutls 3.3 with Solaris Studio 12.2
In-Reply-To: <1414226076.2475.1.camel@nomad.lan>
References: <1414175048.14354.1.camel@nomad.lan> <1414226076.2475.1.camel@nomad.lan>
Message-ID:

That is what I did and it worked but I am curious what library to include
for that symbol? What exactly does --disable-openssl-compatibility do? I
couldn't find details of it in the doc.

Thanks.

On Oct 25, 2014 1:34 AM, "Nikos Mavrogiannopoulos" wrote:
> On Fri, 2014-10-24 at 18:30 -0700, Mat Troi wrote:
> >
> > Yes I have nettle 2.7.1, I changed my configure line to have -L and -l
> > for pointing to libnettle and hogweed and that helps.
> > NETTLE_LIBS="-L/usr/local/lib -lnettle"
> > NETTLE_CFLAGS="-I/usr/local/include" HOGWEED_LIBS="-L/usr/local/lib
> > -lhogweed" HOGWEED_CFLAGS="-I/usr/local/include"
> > Now I am missing this symbol, do you know what library I need to
> > include for this?
> >   CC       gnutls_openssl.lo
> >   CC       openssl_compat.lo
> >   CCLD     libgnutls-openssl.la
> > Undefined                       first referenced
> >  symbol                             in file
> > version_to_entry                    .libs/gnutls_openssl.o
>
> No idea, but you most probably don't need this library.
> Try using --disable-openssl-compatibility to configure script.
>
> regards,
> Nikos