From gregs at sloop.net Thu Nov 2 20:09:28 2017 From: gregs at sloop.net (Gregory Sloop) Date: Thu, 2 Nov 2017 12:09:28 -0700 Subject: [gnutls-help] Generating DH params Message-ID: <1478161073.20171102120928@sloop.net> So, I use certtool to create CA/certs/keys for OpenVPN. OpenVPN wants a DH file too, and I used to use EasyRSA or OpenSSL to generate this. It looks like there's a deprecated option to generate DH in certtool - but it's deprecated. Should I use it anyway, or is there some way to do what I want with GNUTLS? TIA -Greg -------------- next part -------------- An HTML attachment was scrubbed... URL: From n.mavrogiannopoulos at gmail.com Sat Nov 4 17:17:27 2017 From: n.mavrogiannopoulos at gmail.com (Nikos Mavrogiannopoulos) Date: Sat, 04 Nov 2017 17:17:27 +0100 Subject: [gnutls-help] Generating DH params In-Reply-To: <1478161073.20171102120928@sloop.net> References: <1478161073.20171102120928@sloop.net> Message-ID: <1509812247.2171.1.camel@gmail.com> On Thu, 2017-11-02 at 12:09 -0700, Gregory Sloop wrote: > So, I use certtool to create CA/certs/keys for OpenVPN. > OpenVPN wants a DH file too, and I used to use EasyRSA or OpenSSL to > generate this. > > It looks like there's a deprecated option to generate DH in certtool > - but it's deprecated. > Should I use it anyway, or is there some way to do what I want with > GNUTLS? > We no longer recommend to use arbitrary random parameters, but to utilize the RFC7919 parameters. See more information in the documentation [0].? "In older applications which require to specify explicit DH parameters, we recommend using certtool (of GnuTLS 3.5.6 or later) with the --get- dh-params option to obtain the FFDHE parameters discussed above (i.e., RFC7919). The output parameters of the tool are in PKCS#3 format and can be imported by most existing applications.?" regards, Nikos [0]. https://www.gnutls.org/manual/html_node/Parameter-generation.html From jgh at wizmail.org Sun Nov 5 21:21:31 2017 From: jgh at wizmail.org (Jeremy Harris) Date: Sun, 5 Nov 2017 20:21:31 +0000 Subject: [gnutls-help] cipher priorities Message-ID: <249c8ce7-1c38-d666-2f7f-85a8a1844600@wizmail.org> GnuTLS 3.5.8 Server, having loaded two cert (one RSA, then one ECDSA) using gnutls_certificate_set_x509_key_file(). With a client hello having only one sig-hash algorithm, "0401 rsa-sha256" the handshake fails. The server debug log has "(gnutls_handshake): An unknown public key algorithm was encountered." If I only load the RSA cert, it's fine. What should I be doing different? -- Thanks, Jeremy From nmav at gnutls.org Mon Nov 6 16:10:07 2017 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Mon, 6 Nov 2017 16:10:07 +0100 Subject: [gnutls-help] cipher priorities In-Reply-To: <249c8ce7-1c38-d666-2f7f-85a8a1844600@wizmail.org> References: <249c8ce7-1c38-d666-2f7f-85a8a1844600@wizmail.org> Message-ID: On Sun, Nov 5, 2017 at 9:21 PM, Jeremy Harris wrote: > GnuTLS 3.5.8 > > Server, having loaded two cert (one RSA, then one ECDSA) using > gnutls_certificate_set_x509_key_file(). > > With a client hello having only one sig-hash algorithm, > "0401 rsa-sha256" the handshake fails. The server debug log > has > > "(gnutls_handshake): An unknown public key algorithm was encountered." > > > > If I only load the RSA cert, it's fine. > > What should I be doing different? Could you provide a reproducer? If you check the tests/ subdirectory there is set_x509_key_file_ocsp_multi2.c which pretty much does what you are describing. regards, Nikos From jgh at wizmail.org Tue Nov 7 11:03:10 2017 From: jgh at wizmail.org (Jeremy Harris) Date: Tue, 7 Nov 2017 10:03:10 +0000 Subject: [gnutls-help] cipher priorities In-Reply-To: References: <249c8ce7-1c38-d666-2f7f-85a8a1844600@wizmail.org> Message-ID: <772e8cb7-78f8-7c52-2ec2-a763bdd74eef@wizmail.org> On 06/11/17 15:10, Nikos Mavrogiannopoulos wrote: > Could you provide a reproducer? Responding privately. -- Jeremy