[gnutls-help] Simple CA- and TLS-less secure connection possible with GnuTLS ?
Michel Briand
michelbriand at free.fr
Mon Mar 30 08:24:48 CEST 2020
Torsten Kühnel <tdkuehnel at ncot.de> - Tue, 10 Mar 2020 12:59:37 +0100
>Hello,
>
>I am working the ladder from the ground up to establish a secure point
>to point connection over an untrusted network like the internet.
>
>Please correct me if I am wrong on my way. Further, please let us
>ignore the global CA hierarchy for this example.
>
>DH key exchange is a way to negotiate some crypto secrets to use in a
>symmetric block or stream cipher to actually transfer encrypted
>packets/bytes. The negotiated crypto secrets cannot be revealed by
>sniffing the unencrypted negotiation traffic involved.
>
>Up to this point we do not know who the peer actually is. Is it a man
>in the middle or our intended peer? So we need some kind of
>authentication.
>
>We display the fingerprint of the peer's private/public key pair, and
>transmit it over an out of band connection for verification. Further
>assume the OOB verification succeeds.
>
>Now we do have a secure point to point connection over an insecure
>transport medium with a known peer.
>
>How do I implement such an approach using GnuTLS? Is it at all
>possible with this library, i.e. avoid TLS/CA and higher level
>certificate stuff?
>
>I tried to reach the effect by using the following code:
>
>  res = gnutls_priority_set_direct(
>      session,
>//    "SECURE128:-VERS-SSL3.0:-VERS-TLS1.0:-ARCFOUR-128:+PSK:+DHE-PSK",
>//    "NONE:SECURE128:+PSK:+DHE-PSK",
>//    "NONE:+SHA256:+AES-256-CCM:+DHE-PSK",
>//    "NONE:+CIPHER-ALL:+KX-ALL:+MAC-ALL:+COMP-ALL:+SIGN-ALL:+CTYPE-ALL",
>      &error
>  );
>  if (res != GNUTLS_E_SUCCESS) {
>      error_exit2("gnutls_priority_set_direct() failed:", res);
>  }
>
>but with all but the first priority string uncommented I get the following error:
>
>GnuTLS [5]: REC[0x6c0de0]: Allocating epoch #0
>GnuTLS [3]: ASSERT: priority.c[gnutls_priority_set]:576
>GnuTLS [3]: ASSERT: priority.c[gnutls_priority_set_direct]:1503
>ERROR: gnutls_priority_set_direct() failed:, No or insufficient priorities were set.
>
>
>GnuTLS is 3.5.8 on a Slackware Linux.
>
Hello,
GnuTLS supported OpenPGP authentication some time ago.
I liked this feature very much.
The TLS protocol works the same, but authentication takes place with a
circle of trust, instead of a hierarchy of trust.
Cheers,
Michel
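
The out-of-band fingerprint check described in the quoted message, as an added example that is not part of the thread and is not GnuTLS code: it parses the fingerprint string received over the out-of-band channel and compares it, in constant time, with the digest of the key the peer presented. The names fp_parse and fp_accept are hypothetical, and the digest is assumed to be a SHA-256 value computed elsewhere (for instance with gnutls_fingerprint()).

```c
#include <stddef.h>

#define FP_LEN 32 /* SHA-256 digest size in bytes */

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hex_val(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse a fingerprint as read out over the out-of-band channel: 64 hex
 * digits, ':' or ' ' allowed between bytes. Returns 0, or -1 if malformed. */
int fp_parse(const char *text, unsigned char out[FP_LEN])
{
    size_t n = 0;
    while (*text != '\0') {
        if (*text == ':' || *text == ' ') { text++; continue; }
        int hi = hex_val(text[0]);
        int lo = (hi < 0) ? -1 : hex_val(text[1]);
        if (hi < 0 || lo < 0 || n == FP_LEN) return -1;
        out[n++] = (unsigned char)((hi << 4) | lo);
        text += 2;
    }
    return (n == FP_LEN) ? 0 : -1;
}

/* Return 1 only if digest equals the out-of-band value. The loop has no
 * early exit, so timing does not reveal where the first mismatch is.
 * Assumption: the caller runs this before sending any application data. */
int fp_accept(const unsigned char digest[FP_LEN], const char *oob_text)
{
    unsigned char pinned[FP_LEN], diff = 0;
    if (fp_parse(oob_text, pinned) != 0) return 0; /* fail closed */
    for (size_t i = 0; i < FP_LEN; i++)
        diff |= (unsigned char)(digest[i] ^ pinned[i]);
    return diff == 0;
}

int main(void)
{
    /* Constructed sample: SHA-256("abc") stands in for a real key digest. */
    const char *shown = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad";
    unsigned char digest[FP_LEN];
    if (fp_parse(shown, digest) != 0) return 1;
    digest[0] ^= 0x01; /* a different key presented in transit */
    return fp_accept(digest, shown) ? 1 : 0; /* exit 0: peer was rejected */
}
```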