From rmbeer2 at gmail.com  Wed Jan  2 23:30:14 2019
From: rmbeer2 at gmail.com (Rm Beer)
Date: Wed, 2 Jan 2019 19:30:14 -0300
Subject: [gnutls-help] Service Desk (from rmbeer2@gmail.com): Fail
 Handsake (#649)
In-Reply-To: <CAA0fXPsFcuq5HZp9DipRiqYwjgqNw=ZaWvTOueSE6qwE7CY-=A@mail.gmail.com>
References: <reply-0633e2249496c95cc56db7af932b28e2@gitlab.com>
 <issue_16689635@gitlab.com> <74c73d9a881c21a82ab37a124f76fe73@gitlab.com>
 <CAA0fXPuMJvefkam47pC0zk4maf-CEQnwAW3gruSPFfRLmLZR1w@mail.gmail.com>
 <CAA0fXPsD9BQL_qt0n1uQ7AZL6oYKZBCXMpUpm=_ZfCj38aW3zQ@mail.gmail.com>
 <CAA0fXPs8iuapQ9vYMArjcWUuY4j7kzYxnEbCQzJatDtY0H3S_A@mail.gmail.com>
 <CAA0fXPsFcuq5HZp9DipRiqYwjgqNw=ZaWvTOueSE6qwE7CY-=A@mail.gmail.com>
Message-ID: <CAA0fXPv_sLTbA6u_pCB0a1drt=hXXAWf2+=LDsLFL9xC4aRghQ@mail.gmail.com>

Why do you never respond to my request for help?? Do not you see that
this is very important to me?? I need it!!!
need help with this!!!
https://stackoverflow.com/questions/53926500/i-need-to-run-gnutls-with-x509-in-server-client-doubts-and-needs-fixing

2019-01-02 19:26 GMT-03:00, Rm Beer <rmbeer2 at gmail.com>:
> 2019-01-02 19:26 GMT-03:00, Rm Beer <rmbeer2 at gmail.com>:
>> need help with this!!
>> https://stackoverflow.com/questions/53926500/i-need-to-run-gnutls-with-x509-in-server-client-doubts-and-needs-fixing
>>
>> 2019-01-02 19:25 GMT-03:00, Rm Beer <rmbeer2 at gmail.com>:
>>> Why do you never respond to my request for help?? Do not you see that
>>> this is very important to me?? I need it!!!
>>>
>>> 2019-01-01 14:33 GMT-03:00, Rm Beer <rmbeer2 at gmail.com>:
>>>> This is the code that give the problem:
>>>> https://stackoverflow.com/questions/53926500/i-need-to-run-gnutls-with-x509-in-server-client-doubts-and-needs-fixing
>>>>
>>>>
>>>> 2018-12-16 4:57 GMT-03:00, Nikos Mavrogiannopoulos
>>>> <gitlab at mg.gitlab.com>:
>>>>> New response for issue #649:
>>>>>
>>>>> Author: Nikos Mavrogiannopoulos
>>>>>
>>>>> Unfortunately that is insufficient information for a bug report. Given
>>>>> that
>>>>> this is a SIGPIPE, most likely it is best to report it to the
>>>>> application
>>>>> using gnutls.
>>>>>
>>>>
>>>
>>
>


From buytenh at wantstofly.org  Fri Jan  4 14:07:52 2019
From: buytenh at wantstofly.org (Lennert Buytenhek)
Date: Fri, 4 Jan 2019 15:07:52 +0200
Subject: [gnutls-help] gnutls 3.6.4 clients unable to talk to gnutls 3.6.5
 servers due to record-size-limit extension in ServerHello
Message-ID: <20190104130752.GB11285@wantstofly.org>

Hello!

I'm using a TLS application which broke after upgrading the server to
GnuTLS 3.6.5, because the GnuTLS 3.6.5 server now sends a record-size-limit
extension (28) in its ServerHello, which the 3.6.4-using client doesn't
grok, and the handshake dies on the client side with:

	gnutls_handshake: An illegal TLS extension was received.

This appears to mean that GnuTLS <= 3.6.4 clients will not be able to
talk to GnuTLS 3.6.5 servers at all?

I understand that GnuTLS <= 3.6.4 are buggy in the sense that they do
not accept a record-size-limit extension received in a ServerHello even
though it is legal to send this extension in a ServerHello, but is there
at least a way to turn off sending this extension on the server side, so
that it can continue to interoperate with older clients until those can
be upgraded?  (I didn't see any such way.)


Thanks,
Lennert


From catonano at gmail.com  Mon Jan  7 12:35:45 2019
From: catonano at gmail.com (Catonano)
Date: Mon, 7 Jan 2019 12:35:45 +0100
Subject: [gnutls-help] building Gnutls on Ubuntu 18.04.1
Message-ID: <CAJ98PDyL7jbSWf3KPF65g0jS3rOgbBTLtTGTqp-=isTYTx-6PQ@mail.gmail.com>

Hello,

with Gnutls checed out from master, this is qhat I get

checking for getentropy... no
checking for NETTLE... no
configure: error:
  ***
  *** Libnettle 3.4.1 was not found.

I also built Nettle 3.4.1 and installed it in my $HOME/opt

But I don't know how to instruct Gnutls to hook with my version instead of
the system provided one

Thanks in advance
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-help/attachments/20190107/00a12de7/attachment.html>

From alice at librelamp.com  Mon Jan  7 12:52:19 2019
From: alice at librelamp.com (Alice Wonder)
Date: Mon, 7 Jan 2019 03:52:19 -0800
Subject: [gnutls-help] building Gnutls on Ubuntu 18.04.1
In-Reply-To: <CAJ98PDyL7jbSWf3KPF65g0jS3rOgbBTLtTGTqp-=isTYTx-6PQ@mail.gmail.com>
References: <CAJ98PDyL7jbSWf3KPF65g0jS3rOgbBTLtTGTqp-=isTYTx-6PQ@mail.gmail.com>
Message-ID: <526e74e7-9fcb-8ec8-bd95-b0efc784b999@librelamp.com>

On 1/7/19 3:35 AM, Catonano wrote:
> Hello,
> 
> with Gnutls checed out from master, this is qhat I get
> 
> checking for getentropy... no
> checking for NETTLE... no
> configure: error:
>  ? ***
>  ? *** Libnettle 3.4.1 was not found.
> 
> I also built Nettle 3.4.1 and installed it in my $HOME/opt
> 
> But I don't know how to instruct Gnutls to hook with my version instead 
> of the system provided one
> 
> Thanks in advance

export PKG_CONFIG_PATH="$HOME/opt"
./configure

That should tell pkgconfig to look in $HOME/opt/lib/pkgconfig first for 
the pkgconfig file.


From alice at librelamp.com  Mon Jan  7 12:55:11 2019
From: alice at librelamp.com (Alice Wonder)
Date: Mon, 7 Jan 2019 03:55:11 -0800
Subject: [gnutls-help] building Gnutls on Ubuntu 18.04.1
In-Reply-To: <526e74e7-9fcb-8ec8-bd95-b0efc784b999@librelamp.com>
References: <CAJ98PDyL7jbSWf3KPF65g0jS3rOgbBTLtTGTqp-=isTYTx-6PQ@mail.gmail.com>
 <526e74e7-9fcb-8ec8-bd95-b0efc784b999@librelamp.com>
Message-ID: <94349282-f208-2c58-d43c-de317dcbe471@librelamp.com>

On 1/7/19 3:52 AM, Alice Wonder wrote:
> On 1/7/19 3:35 AM, Catonano wrote:
>> Hello,
>>
>> with Gnutls checed out from master, this is qhat I get
>>
>> checking for getentropy... no
>> checking for NETTLE... no
>> configure: error:
>> ?? ***
>> ?? *** Libnettle 3.4.1 was not found.
>>
>> I also built Nettle 3.4.1 and installed it in my $HOME/opt
>>
>> But I don't know how to instruct Gnutls to hook with my version 
>> instead of the system provided one
>>
>> Thanks in advance
> 
> export PKG_CONFIG_PATH="$HOME/opt"
> ./configure
> 
> That should tell pkgconfig to look in $HOME/opt/lib/pkgconfig first for 
> the pkgconfig file.

GAH - typo

should be

export PKG_CONFIG_PATH="$HOME/opt/lib/pkgconfig"


From catonano at gmail.com  Mon Jan  7 13:10:48 2019
From: catonano at gmail.com (Catonano)
Date: Mon, 7 Jan 2019 13:10:48 +0100
Subject: [gnutls-help] building Gnutls on Ubuntu 18.04.1
In-Reply-To: <94349282-f208-2c58-d43c-de317dcbe471@librelamp.com>
References: <CAJ98PDyL7jbSWf3KPF65g0jS3rOgbBTLtTGTqp-=isTYTx-6PQ@mail.gmail.com>
 <526e74e7-9fcb-8ec8-bd95-b0efc784b999@librelamp.com>
 <94349282-f208-2c58-d43c-de317dcbe471@librelamp.com>
Message-ID: <CAJ98PDyz=moDs5ZcyacVHrzLJsn5JvU7Jejv2cPEsmPbi27Ghw@mail.gmail.com>

Il giorno lun 7 gen 2019 alle ore 12:55 Alice Wonder <alice at librelamp.com>
ha scritto:

> On 1/7/19 3:52 AM, Alice Wonder wrote:
> > On 1/7/19 3:35 AM, Catonano wrote:
> >> Hello,
> >>
> >> with Gnutls checed out from master, this is qhat I get
> >>
> >> checking for getentropy... no
> >> checking for NETTLE... no
> >> configure: error:
> >>    ***
> >>    *** Libnettle 3.4.1 was not found.
> >>
> >> I also built Nettle 3.4.1 and installed it in my $HOME/opt
> >>
> >> But I don't know how to instruct Gnutls to hook with my version
> >> instead of the system provided one
> >>
> >> Thanks in advance
> >
> > export PKG_CONFIG_PATH="$HOME/opt"
> > ./configure
> >
> > That should tell pkgconfig to look in $HOME/opt/lib/pkgconfig first for
> > the pkgconfig file.
>
> GAH - typo
>
> should be
>
> export PKG_CONFIG_PATH="$HOME/opt/lib/pkgconfig"
>

Thank you !

I could run configure successfully !! ?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-help/attachments/20190107/b871def6/attachment.html>

From catonano at gmail.com  Mon Jan  7 19:28:15 2019
From: catonano at gmail.com (Catonano)
Date: Mon, 7 Jan 2019 19:28:15 +0100
Subject: [gnutls-help] make check
Message-ID: <CAJ98PDy_vGxKfKE3yXr6fd5Ve91sSNvcu3UJZsaZCgVbsOyWiQ@mail.gmail.com>

Hello,

running make check, I get this

...
  CCLD     cipher-test
  CC       cipher-api-test.o
  CCLD     cipher-api-test
  CC       cipher_override-cipher-override.o
  CCLD     cipher-override
/usr/bin/ld: cipher_override-cipher-override.o: undefined reference to
symbol 'nettle_aes_encrypt@@NETTLE_6'
/home/catonano/opt/lib/libnettle.so.6: error adding symbols: DSO missing
from command line
collect2: error: ld returned 1 exit status
Makefile:1756: recipe for target 'cipher-override' failed
make[3]: *** [cipher-override] Error 1
make[3]: Leaving directory
'/home/catonano/projects/gnutls/gnutls/tests/slow'
Makefile:2173: recipe for target 'check-am' failed
make[2]: *** [check-am] Error 2
make[2]: Leaving directory
'/home/catonano/projects/gnutls/gnutls/tests/slow'
Makefile:7384: recipe for target 'check-recursive' failed
make[1]: *** [check-recursive] Error 1
make[1]: Leaving directory '/home/catonano/projects/gnutls/gnutls/tests'
Makefile:1540: recipe for target 'check-recursive' failed
make: *** [check-recursive] Error 1

I think I'm going to install it anyway, in my $HOME/opt location

I'm going to use it as a dependency for some Guile based projects and the
Guile bindings are all I am interested in

I just wanted to let you know

Having the tests pass would be nice anyway

Thanks !
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-help/attachments/20190107/542821be/attachment.html>

From alice at librelamp.com  Tue Jan  8 01:03:04 2019
From: alice at librelamp.com (Alice Wonder)
Date: Mon, 7 Jan 2019 16:03:04 -0800
Subject: [gnutls-help] make check
In-Reply-To: <CAJ98PDy_vGxKfKE3yXr6fd5Ve91sSNvcu3UJZsaZCgVbsOyWiQ@mail.gmail.com>
References: <CAJ98PDy_vGxKfKE3yXr6fd5Ve91sSNvcu3UJZsaZCgVbsOyWiQ@mail.gmail.com>
Message-ID: <85dad4b8-62cc-6833-9953-04dd01c8b8c4@librelamp.com>

On 1/7/19 10:28 AM, Catonano wrote:
> Hello,
> 
> running make check, I get this
> 
> ...
>  ? CCLD???? cipher-test
>  ? CC?????? cipher-api-test.o
>  ? CCLD???? cipher-api-test
>  ? CC?????? cipher_override-cipher-override.o
>  ? CCLD???? cipher-override
> /usr/bin/ld: cipher_override-cipher-override.o: undefined reference to 
> symbol 'nettle_aes_encrypt@@NETTLE_6'
> /home/catonano/opt/lib/libnettle.so.6: error adding symbols: DSO missing 
> from command line
> collect2: error: ld returned 1 exit status
> Makefile:1756: recipe for target 'cipher-override' failed
> make[3]: *** [cipher-override] Error 1
> make[3]: Leaving directory 
> '/home/catonano/projects/gnutls/gnutls/tests/slow'
> Makefile:2173: recipe for target 'check-am' failed
> make[2]: *** [check-am] Error 2
> make[2]: Leaving directory 
> '/home/catonano/projects/gnutls/gnutls/tests/slow'
> Makefile:7384: recipe for target 'check-recursive' failed
> make[1]: *** [check-recursive] Error 1
> make[1]: Leaving directory '/home/catonano/projects/gnutls/gnutls/tests'
> Makefile:1540: recipe for target 'check-recursive' failed
> make: *** [check-recursive] Error 1
> 
> I think I'm going to install it anyway, in my $HOME/opt location
> 
> I'm going to use it as a dependency for some Guile based projects and 
> the Guile bindings are all I am interested in
> 
> I just wanted to let you know
> 
> Having the tests pass would be nice anyway
> 
> Thanks !

My guess (and just a guess) is that it is linking against shared libs 
not in the ld.so.conf path.

On my system (Linux) I have nettle istalled in /opt/gnutls as the prefix 
and I have a file /etc/ld.so.conf.d/gnutls.conf containing:

# For updated gnutls libraries
/opt/gnutls/lib64

(lib64 is a 64-bit redhat thing)

then ldconfig knows where they are and they can be dynamically loaded as 
needed.


From catonano at gmail.com  Tue Jan  8 12:53:28 2019
From: catonano at gmail.com (Catonano)
Date: Tue, 8 Jan 2019 12:53:28 +0100
Subject: [gnutls-help] make check
In-Reply-To: <85dad4b8-62cc-6833-9953-04dd01c8b8c4@librelamp.com>
References: <CAJ98PDy_vGxKfKE3yXr6fd5Ve91sSNvcu3UJZsaZCgVbsOyWiQ@mail.gmail.com>
 <85dad4b8-62cc-6833-9953-04dd01c8b8c4@librelamp.com>
Message-ID: <CAJ98PDzmKzRcZVxVtfhbnhLf4gQo1XocZnqfbez7m6KZNjr_fg@mail.gmail.com>

Il giorno mar 8 gen 2019 alle ore 01:03 Alice Wonder <alice at librelamp.com>
ha scritto:

>
> My guess (and just a guess) is that it is linking against shared libs
> not in the ld.so.conf path.
>

I thought so too

But then I added a /etc/ld.so.conf.d/nettle.conf file with

/home/catonano/opt/lib

in it

So then

$ sudo ldconfig -v | grep nettle
/sbin/ldconfig.real: Impossibile fare stat di
/usr/local/lib/x86_64-linux-gnu: File o directory non esistente
/sbin/ldconfig.real: Percorso "/lib/x86_64-linux-gnu" fornito pi? di una
volta
/sbin/ldconfig.real: Percorso "/usr/lib/x86_64-linux-gnu" fornito pi? di
una volta
/sbin/ldconfig.real: /lib/x86_64-linux-gnu/ld-2.27.so is the dynamic
linker, ignoring

    libnettle.so.6 -> libnettle.so.6.5
    libnettle.so.6 -> libnettle.so.6.4


The libnettle.so.6.5 is the one in my $HOME/opt/lib

And that error came up anyway

Shoud I reconfigure and rebuild with this new ldconfig configuration on ?

Thanks !
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-help/attachments/20190108/6c09c451/attachment.html>

From alice at librelamp.com  Tue Jan  8 14:16:33 2019
From: alice at librelamp.com (Alice Wonder)
Date: Tue, 8 Jan 2019 05:16:33 -0800
Subject: [gnutls-help] make check
In-Reply-To: <CAJ98PDzmKzRcZVxVtfhbnhLf4gQo1XocZnqfbez7m6KZNjr_fg@mail.gmail.com>
References: <CAJ98PDy_vGxKfKE3yXr6fd5Ve91sSNvcu3UJZsaZCgVbsOyWiQ@mail.gmail.com>
 <85dad4b8-62cc-6833-9953-04dd01c8b8c4@librelamp.com>
 <CAJ98PDzmKzRcZVxVtfhbnhLf4gQo1XocZnqfbez7m6KZNjr_fg@mail.gmail.com>
Message-ID: <89c0793b-779e-7b1c-aaef-0e3a2841f722@librelamp.com>

On 1/8/19 3:53 AM, Catonano wrote:
> Il giorno mar 8 gen 2019 alle ore 01:03 Alice Wonder 
> <alice at librelamp.com <mailto:alice at librelamp.com>> ha scritto:
> 
> 
>     My guess (and just a guess) is that it is linking against shared libs
>     not in the ld.so.conf path.
> 
> 
> I thought so too
> 
> But then I added a /etc/ld.so.conf.d/nettle.conf file with
> 
> /home/catonano/opt/lib
> in it
> 
> So then
> 
> $ sudo ldconfig -v | grep nettle
> /sbin/ldconfig.real: Impossibile fare stat di 
> /usr/local/lib/x86_64-linux-gnu: File o directory non esistente
> /sbin/ldconfig.real: Percorso "/lib/x86_64-linux-gnu" fornito pi? di una 
> volta
> /sbin/ldconfig.real: Percorso "/usr/lib/x86_64-linux-gnu" fornito pi? di 
> una volta
> /sbin/ldconfig.real: /lib/x86_64-linux-gnu/ld-2.27.so 
> <http://ld-2.27.so> is the dynamic linker, ignoring
> 
>  ??? libnettle.so.6 -> libnettle.so.6.5
>  ??? libnettle.so.6 -> libnettle.so.6.4
> 
> 
> The libnettle.so.6.5 is the one in my $HOME/opt/lib
> 
> And that error came up anyway
> 
> Shoud I reconfigure and rebuild with this new ldconfig configuration on ?
> 
> Thanks !

I would try that, though I don't see how it will make a difference but 
it could. It may be confused because both libnettle libraries are 
different versions of libnettle.so.6

Another thing you could try is compiling gnutls with rpath enabled. I'm 
not exactly sure what the switch for that is, may just be --enable-rpath ???


From catonano at gmail.com  Wed Jan  9 07:58:25 2019
From: catonano at gmail.com (Catonano)
Date: Wed, 9 Jan 2019 07:58:25 +0100
Subject: [gnutls-help] make check
In-Reply-To: <89c0793b-779e-7b1c-aaef-0e3a2841f722@librelamp.com>
References: <CAJ98PDy_vGxKfKE3yXr6fd5Ve91sSNvcu3UJZsaZCgVbsOyWiQ@mail.gmail.com>
 <85dad4b8-62cc-6833-9953-04dd01c8b8c4@librelamp.com>
 <CAJ98PDzmKzRcZVxVtfhbnhLf4gQo1XocZnqfbez7m6KZNjr_fg@mail.gmail.com>
 <89c0793b-779e-7b1c-aaef-0e3a2841f722@librelamp.com>
Message-ID: <CAJ98PDx21B1nNutPwZOiTUtZRheJGKnb8US+hszC2b=DWzUFdg@mail.gmail.com>

Il giorno mar 8 gen 2019 alle ore 14:16 Alice Wonder <alice at librelamp.com>
ha scritto:

> On 1/8/19 3:53 AM, Catonano wrote:
> > Il giorno mar 8 gen 2019 alle ore 01:03 Alice Wonder
> > <alice at librelamp.com <mailto:alice at librelamp.com>> ha scritto:
> >
> >
> >     My guess (and just a guess) is that it is linking against shared libs
> >     not in the ld.so.conf path.
> >
> >
> > I thought so too
> >
> > But then I added a /etc/ld.so.conf.d/nettle.conf file with
> >
> > /home/catonano/opt/lib
> > in it
> >
> > So then
> >
> > $ sudo ldconfig -v | grep nettle
> > /sbin/ldconfig.real: Impossibile fare stat di
> > /usr/local/lib/x86_64-linux-gnu: File o directory non esistente
> > /sbin/ldconfig.real: Percorso "/lib/x86_64-linux-gnu" fornito pi? di una
> > volta
> > /sbin/ldconfig.real: Percorso "/usr/lib/x86_64-linux-gnu" fornito pi? di
> > una volta
> > /sbin/ldconfig.real: /lib/x86_64-linux-gnu/ld-2.27.so
> > <http://ld-2.27.so> is the dynamic linker, ignoring
> >
> >      libnettle.so.6 -> libnettle.so.6.5
> >      libnettle.so.6 -> libnettle.so.6.4
> >
> >
> > The libnettle.so.6.5 is the one in my $HOME/opt/lib
> >
> > And that error came up anyway
> >
> > Shoud I reconfigure and rebuild with this new ldconfig configuration on ?
> >
> > Thanks !
>
> I would try that, though I don't see how it will make a difference but
> it could. It may be confused because both libnettle libraries are
> different versions of libnettle.so.6
>
> Another thing you could try is compiling gnutls with rpath enabled. I'm
> not exactly sure what the switch for that is, may just be --enable-rpath
> ???
>

Hi Alice !

I just wanted to let you now that I managed to run the tests on Gnunet
successfully !

This is the configure command I used:

./configure \
--prefix=/home/catonano/opt \
GUILE="/usr/bin/guile" \
PKG_CONFIG_PATH="/home/catonano/opt/lib/pkgconfig/" \
LT_SYS_LIBRARY_PATH="/home/catonano/opt/lib" \
NETTLE_LIBS="-L/home/catonano/opt/lib -lnettle" \

I'm not sure about LT_SYS_LIBRARY_PATH

But what solved the situation finally was the NETTLE_LIBS switch

I searched on line informations about this error message
DSO missing from command line

and it turns out it's about a lib NOT being given on the command line (DSO
stands for dinamic shared objec)t

This happened with Nettle in the tests

I expected that a set of switches that makes the build succeed would also
have made running the tests succeed
But I was wrong

Well, All's well that ends well

Thanks
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-help/attachments/20190109/e9aa6228/attachment.html>

From jgh at wizmail.org  Tue Jan 15 17:31:50 2019
From: jgh at wizmail.org (Jeremy Harris)
Date: Tue, 15 Jan 2019 16:31:50 +0000
Subject: [gnutls-help] cipher names
Message-ID: <950dbf18-27de-9452-f707-77b034d45e5d@wizmail.org>

Hi,

RFC 8316 section 4.3 gives a need for cipher names per the
IANA registry https://www.iana.org/assignments/tls-parameters

These lead with a "TLS_" and have an embedded "WITH_", in contrast
with the strings returned by gnutls_cipher_suite_get_name().

Is there a supported way of getting the IANA-format name?
-- 
Thanks,
  Jeremy


From marcus.kool at urlfilterdb.com  Sat Jan 19 19:40:15 2019
From: marcus.kool at urlfilterdb.com (Marcus Kool)
Date: Sat, 19 Jan 2019 16:40:15 -0200
Subject: [gnutls-help] limits for a TLS server based on gnutls
Message-ID: <65e0517d-f174-3d60-01ba-187d5ba0e1bb@urlfilterdb.com>

I am designing a new application where a server needs 40,000+ open encrypted sockets to serve its clients and I am looking at various libraries capable to do TLS encryption.

Is gnutls capable and efficient in dealing with 40,000 - 100,000 concurrent TLS sessions ?

Do you know of any open source software that does something similar ?

Thanks,

Marcus



From nmav at gnutls.org  Fri Jan 25 09:02:50 2019
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Fri, 25 Jan 2019 09:02:50 +0100
Subject: [gnutls-help] gnutls 3.6.6
Message-ID: <fa49c1fd0843ad59c89e00cea6a5ba3565ce3c61.camel@gnutls.org>

Hello, 
 I've just released gnutls 3.6.6. This is a bug fix release on the
3.6.x branch. It introduces support for raw public keys, fixes several
small issues and issues related to TLS1.3 support.

I'd like to thank everyone who contributed in this release:
Tim R?hsen, Daiki Ueno, Dmitry Eremin-Solenikov, Hugo Beauz?e-Luyssen,
Peter Wu, Andreas Metzler, Fabrice Fontaine, Alon Bar-Lev,
Maks Naumov, Marga Manterola and Tom Vrancken.

The detailed list of changes follows; they can be seen in more detail
in our milestone tracker:
https://gitlab.com/gnutls/gnutls/milestones/18

Changes
=======

* Version 3.6.6 (released 2019-01-25)

** libgnutls: gnutls_pubkey_import_ecc_raw() was fixed to set the number bits
   on the public key (#640).

** libgnutls: Added support for raw public-key authentication as defined in RFC7250.
   Raw public-keys can be negotiated by enabling the corresponding certificate
   types via the priority strings. The raw public-key mechanism must be explicitly
   enabled via the GNUTLS_ENABLE_RAWPK init flag (#26, #280).

** libgnutls: When on server or client side we are sending no extensions we do
   not set an empty extensions field but we rather remove that field competely.
   This solves a regression since 3.5.x and improves compatibility of the server
   side with certain clients.

** libgnutls: We no longer mark RSA keys in PKCS#11 tokens as RSA-PSS capable if
   the CKA_SIGN is not set (#667).

** libgnutls: The priority string option %NO_EXTENSIONS was improved to completely
   disable extensions at all cases, while providing a functional session. This
   also implies that when specified, TLS1.3 is disabled.

** libgnutls: GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION was marked as deprecated.
   The previous definition was non-functional (#609).

** API and ABI modifications:
GNUTLS_ENABLE_RAWPK: Added
GNUTLS_ENABLE_CERT_TYPE_NEG: Removed (was no-op; replaced by GNUTLS_ENABLE_RAWPK) 
GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION: Deprecated
GNUTLS_PCERT_NO_CERT: Deprecated


Getting the Software
====================

GnuTLS may be downloaded directly from
<ftp://ftp.gnutls.org/gcrypt/gnutls/>.  A list of GnuTLS mirrors can
be found at <http://www.gnutls.org/download.html>.

Here are the XZ compressed sources:

  https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/gnutls-3.6.6.tar.xz

Here are OpenPGP detached signatures signed using key 0x96865171:

  https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/gnutls-3.6.6.tar.xz.sig

Note that it has been signed with my openpgp key:
pub   3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid                  Nikos Mavrogiannopoulos <nmav <at> gnutls.org>
uid                  Nikos Mavrogiannopoulos <n.mavrogiannopoulos <at>
gmail.com>
sub   2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub   2048R/1404A91D 2008-05-04 [expires: 2018-05-02]

regards,
Nikos




From jgh at wizmail.org  Fri Jan 25 10:38:26 2019
From: jgh at wizmail.org (Jeremy Harris)
Date: Fri, 25 Jan 2019 09:38:26 +0000
Subject: [gnutls-help] cipher names
In-Reply-To: <950dbf18-27de-9452-f707-77b034d45e5d@wizmail.org>
References: <950dbf18-27de-9452-f707-77b034d45e5d@wizmail.org>
Message-ID: <5729df68-6d94-52bf-7676-ee6669e4bf67@wizmail.org>

On 15/01/2019 16:31, Jeremy Harris wrote:
> RFC 8316 section 4.3 gives a need for cipher names per the
> IANA registry https://www.iana.org/assignments/tls-parameters
> 
> These lead with a "TLS_" and have an embedded "WITH_", in contrast
> with the strings returned by gnutls_cipher_suite_get_name().
> 
> Is there a supported way of getting the IANA-format name?

No answers yet.  Anybody?
-- 
Thanks,
  Jeremy



From jgh at wizmail.org  Tue Jan 29 22:33:58 2019
From: jgh at wizmail.org (Jeremy Harris)
Date: Tue, 29 Jan 2019 21:33:58 +0000
Subject: [gnutls-help] cipher names
In-Reply-To: <950dbf18-27de-9452-f707-77b034d45e5d@wizmail.org>
References: <950dbf18-27de-9452-f707-77b034d45e5d@wizmail.org>
Message-ID: <99a2e232-ef4c-93aa-2696-3b189b309bbd@wizmail.org>

On 15/01/2019 16:31, Jeremy Harris wrote:
> RFC 8316 section 4.3 gives a need for cipher names per the
> IANA registry https://www.iana.org/assignments/tls-parameters

It'd help if I gave the correct reference: RFC 8314.

> Is there a supported way of getting the IANA-format name?

... for recording in a mail Received: header.


Currently my choice seems to be between trying to
algorithmically munge the name returned by
   gnutls_cipher_suite_get_name()
[complex enough that I doubt I'd do it without errors]

or duplicating the IANA tables for lookup from the
"value" pair.  But there's no obvious way to get that
pair either.

Could the cs_algorithms[] table in lib/algorithms/ciphersuites.c
be extended with an IANA name field, and an API provided?
-- 
Cheers,
  Jeremy