From timo.gerke at alice-dsl.net Fri Aug 1 19:52:31 2025
From: timo.gerke at alice-dsl.net (Timo Gerke)
Date: Fri, 1 Aug 2025 19:52:31 +0200
Subject: [gnutls-help] ECIES support in gnutls
Message-ID: <70f9bdd8-dd90-4c16-8dd2-807d34b3b772@alice-dsl.net>

Hi all,

is the Elliptic Curve Integrated Encryption Scheme supported by gnutls? If so, which certtool command (sequence) is correct to generate an ECIES-based CSR?

If not, I hereby request ECIES support as a feature. Other open cryptolibs like wolfssl [1], for example, already support ECIES.

Thanks and Regards,

Timo Gerke

[1] see https://www.wolfssl.com/ecies-sec-1-isoiec-18033

--
Timo Gerke
Lohkoppelweg 40
22529 Hamburg
Germany
Phone: +49-40-24433033
Fax: +49-40-22628453

If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.
Bruce Schneier, American cryptographer

From simon at josefsson.org Fri Aug 1 22:11:10 2025
From: simon at josefsson.org (Simon Josefsson)
Date: Fri, 01 Aug 2025 22:11:10 +0200
Subject: [gnutls-help] ECIES support in gnutls
In-Reply-To: <70f9bdd8-dd90-4c16-8dd2-807d34b3b772@alice-dsl.net> (Timo Gerke's message of "Fri, 1 Aug 2025 19:52:31 +0200")
References: <70f9bdd8-dd90-4c16-8dd2-807d34b3b772@alice-dsl.net>
Message-ID: <87o6syvm3l.fsf@josefsson.org>

Timo Gerke writes:

> Hi all,
>
> is the Elliptic Curve Integrated Encryption Scheme supported by gnutls?

Not to my knowledge.

> If so, which certtool command (sequence) is correct to generate an
> ECIES based CSR?
>
> If not I hereby request ECIES support as feature.

Do you have an openly available protocol specification as a reference? There seem to be several variants around, and it isn't clear to me which one (if any) will win.
/Simon

> Other open cryptolibs like wolfssl [1] for example already support ecies
>
> Thanks and Regards,
>
> Timo Gerke
>
> [1] see https://www.wolfssl.com/ecies-sec-1-isoiec-18033

From gnutls-help at aliases.systohc.net Sat Aug 9 17:50:05 2025
From: gnutls-help at aliases.systohc.net (Fabiano Sidler)
Date: Sat, 9 Aug 2025 17:50:05 +0200
Subject: [gnutls-help] Building GnuTLS with p11-kit

Hi folks!

I'm trying to build GnuTLS with p11-kit support. While building p11-kit itself with the following commands

    PREFIX=/tmp
    P11KIT_VERSION=0.25.5
    GNUTLS_VERSION=3.7.11
    wget https://github.com/p11-glue/p11-kit/releases/download/${P11KIT_VERSION}/p11-kit-${P11KIT_VERSION}.tar.xz
    tar xf p11-kit-${P11KIT_VERSION}.tar.xz
    cd p11-kit-${P11KIT_VERSION}
    ./configure --prefix=${PREFIX}/gnutls --disable-trust-module --enable-debug=yes --without-bash-completion
    make -j$(nproc)
    make install
    cd ..

worked perfectly, building GnuTLS with

    wget https://www.gnupg.org/ftp/gcrypt/gnutls/v3.7/gnutls-${GNUTLS_VERSION}.tar.xz
    tar xf gnutls-${GNUTLS_VERSION}.tar.xz
    cd gnutls-${GNUTLS_VERSION}
    ./configure --prefix=${PREFIX}/gnutls --with-included-unistring

terribly fails at finding p11-kit with

    [...]
    checking for p11-kit-1 >= 0.23.1... no
    configure: error:
    ***
    *** p11-kit >= 0.23.1 was not found. To disable PKCS #11 support
    *** use --without-p11-kit, otherwise you may get p11-kit from
    *** https://p11-glue.freedesktop.org/p11-kit.html
    ***

When I use this configure line

    P11_KIT_CFLAGS=-I${PREFIX}/gnutls/include/p11-kit-1 P11_KIT_LIBS=-L${PREFIX}/gnutls/lib:${PREFIX}/gnutls/lib/pkcs11 ./configure --prefix=${PREFIX}/gnutls --with-included-unistring

./configure passes without error, but the subsequent make fails with

    make[3]: *** [Makefile:2623: srptool] Error 1
    /usr/bin/ld: ../lib/.libs/libgnutls.so: undefined reference to `p11_kit_uri_get_pin_source'
    [...]
    /usr/bin/ld: ../lib/.libs/libgnutls.so: undefined reference to `p11_kit_uri_get_token_info'
    collect2: error: ld returned 1 exit status
    make[3]: *** [Makefile:2611: ocsptool] Error 1
    make[3]: Leaving directory '/home/user/Downloads/gnutls-3.7.11/src'
    make[2]: *** [Makefile:2446: all] Error 2
    make[2]: Leaving directory '/home/user/Downloads/gnutls-3.7.11/src'
    make[1]: *** [Makefile:2264: all-recursive] Error 1
    make[1]: Leaving directory '/home/user/Downloads/gnutls-3.7.11'
    make: *** [Makefile:2189: all] Error 2

How can I successfully build GnuTLS with p11-kit? I'm on Ubuntu 24.04 if that matters...

Greetings,
Fabiano

From ametzler at bebt.de Sun Aug 10 11:06:38 2025
From: ametzler at bebt.de (Andreas Metzler)
Date: Sun, 10 Aug 2025 11:06:38 +0200
Subject: [gnutls-help] Building GnuTLS with p11-kit

On 2025-08-09 Fabiano Sidler wrote:
> Hi folks!
> I'm trying to build GnuTLS with p11-kit support. While building p11-kit
> itself with the following commands
>     PREFIX=/tmp
>     P11KIT_VERSION=0.25.5
>     GNUTLS_VERSION=3.7.11
>     wget https://github.com/p11-glue/p11-kit/releases/download/${P11KIT_VERSION}/p11-kit-${P11KIT_VERSION}.tar.xz
>     tar xf p11-kit-${P11KIT_VERSION}.tar.xz
>     cd p11-kit-${P11KIT_VERSION}
>     ./configure --prefix=${PREFIX}/gnutls --disable-trust-module
> --enable-debug=yes --without-bash-completion
>     make -j$(nproc)
>     make install
>     cd ..
> worked perfectly, building GnuTLS with
[...]
Hello,

You have installed p11-kit into a set of directories which

* are not scanned by pkgconf by default (/usr/gnutls/lib/pkgconfig/),
* whose header subdir is not in the preprocessor's default search path (/usr/gnutls/include) and
* whose lib subdir is neither in the compiler/linker's search path
* nor in the runtime dynamic linker's search path (/usr/gnutls/lib/)

One can do strange stuff like this, but how to deal with this is completely unrelated to gnutls. (e.g. static linking, rpath, modifying the pc file, symlink farm, ...)

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'

From timo.gerke at alice-dsl.net Sat Aug 16 19:22:09 2025
From: timo.gerke at alice-dsl.net (Timo Gerke)
Date: Sat, 16 Aug 2025 19:22:09 +0200
Subject: [gnutls-help] Generating encryption only CRQ does not work

Hi all,

while I was trying to generate a request with encryption-only options, I enabled the following options in the template file:

- data_encipherment
- encryption_key
- key_encipherment
- non_repudiation

I used a 4096 bit RSA key. But the generated CRQ only had the key_encipherment flag enabled.

I tried a self-compiled version of gnutls 3.8.10 and the pre-compiled (debian) version 3.7.9 without success.

Any ideas?

Thanks,
Timo Gerke

From aneris at disroot.org Thu Aug 21 12:34:04 2025
From: aneris at disroot.org (aneris)
Date: Thu, 21 Aug 2025 12:34:04 +0200
Subject: [gnutls-help] No supported cipher suites have been found.
Message-ID: <75a948cbd23b9dd71fb7768bd96eef36@disroot.org>

Hi all,

I've been using the GnuTLS documentation to try and write my own TLS server. I (think) I've loaded all the certificates properly, but on trying to connect (with gnutls-cli) I get "No supported cipher suites have been found."
I tried to use gnutls-serv, which also gave the same error until I passed --x509certfile and --x509keyfile (which gave me errors due to my self-signed certificate, but that's unrelated). So I am wondering if my certificates aren't being loaded properly, but the code runs fine and it doesn't throw, so I have no idea why it's not working.

Here is the code; only gtls_raii.cpp, gtls_raii.hpp and main.cpp are important.
https://github.com/HikariNee/Geminus/blob/main/src/tls/

Thanks in advance for your time.

--
Hikari (Any/All)

> People always beat themselves up based on their idea of how someone is
> like.

From lars.nooden at gmx.com Sun Aug 31 18:57:13 2025
From: lars.nooden at gmx.com (Lars Noodén)
Date: Sun, 31 Aug 2025 19:57:13 +0300
Subject: [gnutls-help] Signing an x509 Certificate Signing Request (CSR) with a smart card
References: <7db7a075-c010-4bbe-859d-56502496382f@gmx.com>
Message-ID: <8e4273d5-e356-41c3-aa1e-9cfc68003c47@gmx.com>

On 7/25/25 13:45, Zoltan Fridrich wrote:
> Hello Lars,
>
> I think you can sign a CSR with certtool, the command might look something
> like this:
> *$ certtool --generate-certificate --load-request=
> --load-ca-privkey= --load-ca-certificate=
> --outfile=*
> but instead of providing file paths, you can provide PKCS#11 URIs which
> would look something like this
> "pkcs11:p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust".
> You can specify the concrete cert and keys by adding type, id and label to
> the uri, so maybe something
> like: "pkcs11:p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust;type=;object=
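The URIs quoted in the reply above are RFC 7512 pkcs11: URIs, and the part people most often get wrong by hand is the percent-encoding of labels ("PKCS#11 Kit" becomes PKCS%2311%20Kit, "System Trust" becomes System%20Trust). The following POSIX sh helper is an added example, not code from the thread, from Zoltan or Lars, or from GnuTLS: it encodes a token or object label the way RFC 7512 requires, assembles a token/object/type URI, and prints (without running) the certtool invocation from the quoted reply with the CA key and CA certificate named on the token instead of in files. The keep set is RFC 7512's unreserved characters plus its pk11-res-avail set, except that the apostrophe is encoded too, to keep the awk quoting simple (a percent-encoded form is always valid). type=private and type=cert are the RFC 7512 object types; the token and CA labels and the file names in the demonstration are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from GnuTLS: build RFC 7512
# pkcs11: URIs for certtool from human-readable token/object names.

# Percent-encode one URI path value (token label, object label, ...).
# Bytes that RFC 7512 lets stand unencoded are copied through; everything
# else (space, '#', ';', '%', '/', '?', '&', non-ASCII bytes, ...) becomes %XX.
# The apostrophe is allowed bare by the RFC but is encoded here to keep
# the awk program's quoting simple; the encoded form is still valid.
pkcs11_pct_encode() {
    printf '%s' "$1" | od -An -v -tu1 | awk '
        BEGIN {
            keep = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
            keep = keep "0123456789-._~:[]@!$()*+,="
        }
        {
            for (i = 1; i <= NF; i++) {
                b = $i + 0
                c = sprintf("%c", b)
                if (b > 0 && b < 128 && index(keep, c) > 0)
                    printf "%s", c
                else
                    printf "%%%02X", b
            }
        }
        END { printf "\n" }'
}

# Assemble a URI naming one object on one token.
# usage: pkcs11_uri TOKEN_LABEL OBJECT_LABEL TYPE   (TYPE: cert, private, public, ...)
pkcs11_uri() {
    printf 'pkcs11:token=%s;object=%s;type=%s\n' \
        "$(pkcs11_pct_encode "$1")" \
        "$(pkcs11_pct_encode "$2")" \
        "$(pkcs11_pct_encode "$3")"
}

# Print (do not run) the certtool command line from the quoted reply, with the
# CA private key and CA certificate taken from the token instead of from files.
# A key and its certificate on a token normally share one label (CKA_LABEL).
# usage: certtool_sign_cmdline TOKEN_LABEL CA_LABEL REQUEST_FILE OUT_FILE
certtool_sign_cmdline() {
    printf 'certtool --generate-certificate --load-request=%s --load-ca-privkey="%s" --load-ca-certificate="%s" --outfile=%s\n' \
        "$3" "$(pkcs11_uri "$1" "$2" private)" "$(pkcs11_uri "$1" "$2" cert)" "$4"
}

# Demonstration with constructed names; prints the command line only.
if [ "$#" -eq 0 ]; then
    certtool_sign_cmdline "Example Card" "Example CA" request.pem signed.pem
fi
```

Run with no arguments it prints a command line of the form `certtool --generate-certificate --load-request=request.pem --load-ca-privkey="pkcs11:token=Example%20Card;object=Example%20CA;type=private" ...`; paste the printed URIs into `p11tool --list-all "pkcs11:token=..."` first to confirm that the token and object labels resolve before asking certtool to sign anything with them.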
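Returning to the "Building GnuTLS with p11-kit" thread above: Andreas Metzler's reply lists three things a private prefix breaks (the pkgconfig directory is not scanned, the headers are not on the preprocessor path, and the library is on neither the link-time nor the run-time search path), and the thread's own `P11_KIT_LIBS=-L${PREFIX}/gnutls/lib:${PREFIX}/gnutls/lib/pkcs11` override adds a fourth problem: `-L` takes one directory, not a colon-separated list, and the override names no library, which is why libgnutls.so ends up with unresolved `p11_kit_*` references at link time. The following POSIX sh helper is an added example, not from the thread and not GnuTLS's or p11-kit's own tooling: it checks the three conditions against a prefix and prints the environment that lets GnuTLS's configure find p11-kit through pkg-config, with `-Wl,-rpath` covering the run-time case. It assumes the layout p11-kit's own `make install` produces under the chosen prefix (lib/pkgconfig/p11-kit-1.pc, include/p11-kit-1, lib/libp11-kit.so); with the thread's values the prefix is /tmp/gnutls.

```shell
#!/bin/sh
# Added example, not from the thread: check a private p11-kit prefix and
# print the environment GnuTLS's ./configure needs to find it.
# Assumed layout (what "make install" of p11-kit produces under PREFIX):
#   PREFIX/lib/pkgconfig/p11-kit-1.pc   -> what "checking for p11-kit-1" looks for
#   PREFIX/include/p11-kit-1/           -> headers
#   PREFIX/lib/libp11-kit.so            -> the library the link step needs

# Return 0 if all three pieces are present, 1 (with a reason on stderr) otherwise.
p11kit_check_install() {
    prefix=$1
    rc=0
    [ -f "$prefix/lib/pkgconfig/p11-kit-1.pc" ] ||
        { echo "no $prefix/lib/pkgconfig/p11-kit-1.pc: pkg-config will not see p11-kit" >&2; rc=1; }
    [ -d "$prefix/include/p11-kit-1" ] ||
        { echo "no $prefix/include/p11-kit-1: headers are not installed" >&2; rc=1; }
    [ -f "$prefix/lib/libp11-kit.so" ] ||
        { echo "no $prefix/lib/libp11-kit.so: the link step has nothing to link against" >&2; rc=1; }
    return $rc
}

# Print the variables to set before running GnuTLS's ./configure, one
# shell assignment per line, values single-quoted so they survive eval.
# PKG_CONFIG_PATH makes the .pc file visible, so configure derives the right
# -I/-L/-l flags itself; -Wl,-rpath records the directory in the built
# binaries so the runtime loader finds libp11-kit without LD_LIBRARY_PATH.
p11kit_build_env() {
    prefix=$1
    echo "PKG_CONFIG_PATH='$prefix/lib/pkgconfig'"
    echo "CPPFLAGS='-I$prefix/include/p11-kit-1'"
    echo "LDFLAGS='-L$prefix/lib -Wl,-rpath,$prefix/lib'"
}

# If the P11_KIT_* variables must be set by hand instead, the override has
# to name the library too, and "-L" takes exactly one directory:
#   P11_KIT_CFLAGS="-I$prefix/include/p11-kit-1" P11_KIT_LIBS="-L$prefix/lib -lp11-kit"

# usage: sh this.sh /tmp/gnutls
# then:  eval "$(sh this.sh /tmp/gnutls)"
#        export PKG_CONFIG_PATH CPPFLAGS LDFLAGS
#        ./configure --prefix=/tmp/gnutls --with-included-unistring
if [ "$#" -gt 0 ]; then
    if p11kit_check_install "$1"; then
        p11kit_build_env "$1"
    else
        exit 1
    fi
fi
```

After configure finishes, `grep 'p11-kit' config.log` should show the pkg-config probe succeeding, and `ldd src/.libs/certtool` on the built tree should resolve libp11-kit.so to the private prefix rather than to "not found"; if it still reports "not found", the rpath did not make it into LDFLAGS.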