[gnutls-help] Simple CA- and TLS-less secure connection possible with GnuTLS ?

Torsten Kühnel tdkuehnel at ncot.de
Tue Mar 10 12:59:37 CET 2020


i am working the ladder from the ground up to establish a secure point
to point connection over an untrusted network like the internet.

Please correct me if i am wrong on my way. Further, please let us
ignore the global CA hierarchy for this example.

DH key exchange is a way to negotiate some crypto secrets to use in a
symmetric block or stream cipher to actually transfer encrypted
packets/bytes. The negotiated crypto secrets can not be revealed by
sniffing the unencrypted negotiation traffic involved.

Up to this point we do not know who the peer actually is. Is it a man
in the middle or our intended peer ? So we need some kind of

We display the fingerprint of the peers private/public key pair, and
transmit it over an out of band connection for verification. Further
assume the OOB verfication succeeds.

Now we do have a secure point to point connection over an insecure
transport medium with a known peer.

How do i implement such an approach using GnuTLS? Is it at all
possible with this library, i.e. avoid TLS/CA and higher level
certificate stuff ?

I tried to reach the effect by using the following code:

	res = gnutls_priority_set_direct(
//		"NONE:+SHA256:+AES-256-CCM:+DHE-PSK",
	if (res != GNUTLS_E_SUCCESS) {
		error_exit2("gnutls_priority_set_direct() failed:", res);

but with all but the first priority string uncommented i get the following error:

GnuTLS [5]: REC[0x6c0de0]: Allocating epoch #0
GnuTLS [3]: ASSERT: priority.c[gnutls_priority_set]:576
GnuTLS [3]: ASSERT: priority.c[gnutls_priority_set_direct]:1503
ERROR: gnutls_priority_set_direct() failed:, No or insufficient priorities were set.

GnuTLS is 3.5.8 on a slackware linux.

tdkuehnel at ncot.de <tdkuehnel at ncot.de>

More information about the Gnutls-help mailing list