[gnutls-help] Simple CA- and TLS-less secure connection possible with GnuTLS ?

[Torsten Kühnel]

Hello,

i am working the ladder from the ground up to establish a secure point
to point connection over an untrusted network like the internet.

Please correct me if i am wrong on my way. Further, please let us
ignore the global CA hierarchy for this example.

DH key exchange is a way to negotiate some crypto secrets to use in a
symmetric block or stream cipher to actually transfer encrypted
packets/bytes. The negotiated crypto secrets can not be revealed by
sniffing the unencrypted negotiation traffic involved.

Up to this point we do not know who the peer actually is. Is it a man
in the middle or our intended peer ? So we need some kind of
authentication.

We display the fingerprint of the peers private/public key pair, and
transmit it over an out of band connection for verification. Further
assume the OOB verfication succeeds.

Now we do have a secure point to point connection over an insecure
transport medium with a known peer.

How do i implement such an approach using GnuTLS? Is it at all
possible with this library, i.e. avoid TLS/CA and higher level
certificate stuff ?

I tried to reach the effect by using the following code:

	res = gnutls_priority_set_direct(
		session,
//		"SECURE128:-VERS-SSL3.0:-VERS-TLS1.0:-ARCFOUR-128:+PSK:+DHE-PSK",
//		"NONE:SECURE128:+PSK:+DHE-PSK",
//		"NONE:+SHA256:+AES-256-CCM:+DHE-PSK",
//		"NONE:+CIPHER-ALL:+KX-ALL:+MAC-ALL:+COMP-ALL:+SIGN-ALL:+CTYPE-ALL",
		&error
		);
	if (res != GNUTLS_E_SUCCESS) {
		error_exit2("gnutls_priority_set_direct() failed:", res);
	}

but with all but the first priority string uncommented i get the following error:

GnuTLS [5]: REC[0x6c0de0]: Allocating epoch #0
GnuTLS [3]: ASSERT: priority.c[gnutls_priority_set]:576
GnuTLS [3]: ASSERT: priority.c[gnutls_priority_set_direct]:1503
ERROR: gnutls_priority_set_direct() failed:, No or insufficient priorities were set.


GnuTLS is 3.5.8 on a slackware linux.

-- 
tdkuehnel at ncot.de <tdkuehnel at ncot.de>