From mjones at softwarefreedom.org Thu Jun 12 00:05:00 2014 From: mjones at softwarefreedom.org (Marc Jones) Date: Wed, 11 Jun 2014 18:05:00 -0400 Subject: [mod_gnutls-devel] populating REMOTE_USER Message-ID: <5398D28C.4050904@softwarefreedom.org> DKG, A few months ago on the freedombox mailing list clint asked about having modgnutls populating REMOTE USER. (http://lists.alioth.debian.org/pipermail/freedombox-discuss/2014-March/006262.html) I was wondering if any progress on this was made. I was hoping to do group authorization based on the modgnutls's verified client certificates, but that requires an alternative AuthType since apache will not process group authorization modules unless a AuthType is specified and a user has been authenticated. Perhaps there is need for a mod_auth_gnutls or extending mod_gnutls to support AuthType GnuTLS? -- Marc Jones Counsel Software Freedom Law Center 1995 Broadway, 17th Floor New York, NY 10023 Tel: 212-461-1919 Fax: 212-580-0898 Email: mjones at softwarefreedom.org www.softwarefreedom.org -------------- next part -------------- A non-text attachment was scrubbed... Name: 0xAC9364C7.asc Type: application/pgp-keys Size: 6452 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 897 bytes Desc: OpenPGP digital signature URL: From n.mavrogiannopoulos at gmail.com Tue Jun 24 18:57:22 2014 From: n.mavrogiannopoulos at gmail.com (Nikos Mavrogiannopoulos) Date: Tue, 24 Jun 2014 18:57:22 +0200 Subject: [mod_gnutls-devel] make check Message-ID: Hello, I'm trying to use the "make check" operation on a Fedora system, and I get the following error: $ make GNUPGHOME=server/ gpg --armor --export "$(GNUPGHOME=server/ gpg --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f 10 -d :)" > server/minimal.pgp gpg: key "" not found: malformed user id gpg: WARNING: nothing exported make: *** [server/minimal.pgp] Error 2 rm server/minimal.pgp To be honest I don't understand the syntax used in GNUPGHOME and what is the intention. Is there some particular version of make or bash assumed? regards, Nikos From dkg at fifthhorseman.net Tue Jun 24 19:54:14 2014 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Tue, 24 Jun 2014 13:54:14 -0400 Subject: [mod_gnutls-devel] make check In-Reply-To: References: Message-ID: <53A9BB46.90208@fifthhorseman.net> Hi Nikos-- On 06/24/2014 12:57 PM, Nikos Mavrogiannopoulos wrote: > I'm trying to use the "make check" operation on a Fedora system, and > I get the following error: > $ make > GNUPGHOME=server/ gpg --armor --export "$(GNUPGHOME=server/ gpg > --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f > 10 -d :)" > server/minimal.pgp > gpg: key "" not found: malformed user id > gpg: WARNING: nothing exported > make: *** [server/minimal.pgp] Error 2 > rm server/minimal.pgp do you have the monkeysphere package installed? I think this line is failing because the initial key creation (a line or two above?) failed. it's possible that "make check" won't work without monkeysphere installed, in particular, it needs at least the pem2openpgp translator. Some of the later tests (the ones that test the MSVA validation setup) will of course also need the monkeysphere validation agent running. can you show the output of: ls -l t/server it should look something like this: 0 dkg at alice:~/src/mod_gnutls/mod_gnutls$ ls -l t/server total 36 -rw-r--r-- 1 dkg dkg 1503 Jun 24 13:53 cert.pgp -rw------- 1 dkg dkg 705 Jun 24 13:53 pubring.gpg -rw------- 1 dkg dkg 705 Jun 24 13:53 pubring.gpg~ -rw-r--r-- 1 dkg dkg 6796 Jun 24 13:53 secret.key -rw-r--r-- 1 dkg dkg 2094 Jun 24 13:53 secret.pgp -rw------- 1 dkg dkg 1476 Jun 24 13:53 secring.gpg -rw------- 1 dkg dkg 1280 Jun 24 13:53 trustdb.gpg -rw-r--r-- 1 dkg dkg 1314 Jun 24 13:53 x509.pem 0 dkg at alice:~/src/mod_gnutls/mod_gnutls$ > To be honest I don't understand the syntax used in GNUPGHOME and what > is the intention. Is there some particular version of make or bash > assumed? it shouldn't depend on the version of make or bash, no. --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 1010 bytes Desc: OpenPGP digital signature URL: From n.mavrogiannopoulos at gmail.com Wed Jun 25 16:01:27 2014 From: n.mavrogiannopoulos at gmail.com (Nikos Mavrogiannopoulos) Date: Wed, 25 Jun 2014 16:01:27 +0200 Subject: [mod_gnutls-devel] make check In-Reply-To: <53A9BB46.90208@fifthhorseman.net> References: <53A9BB46.90208@fifthhorseman.net> Message-ID: On Tue, Jun 24, 2014 at 7:54 PM, Daniel Kahn Gillmor wrote: >> I'm trying to use the "make check" operation on a Fedora system, and >> I get the following error: >> $ make >> GNUPGHOME=server/ gpg --armor --export "$(GNUPGHOME=server/ gpg >> --with-colons --list-secret-keys --fingerprint | grep ^fpr: | cut -f >> 10 -d :)" > server/minimal.pgp >> gpg: key "" not found: malformed user id >> gpg: WARNING: nothing exported >> make: *** [server/minimal.pgp] Error 2 >> rm server/minimal.pgp > do you have the monkeysphere package installed? I think this line is > failing because the initial key creation (a line or two above?) failed. Ok that seems to be the case. I had the package installed, but the first run of make check was done before it was installed, and the failure persisted until I run make clean on t. It's now ok. > it's possible that "make check" won't work without monkeysphere > installed, in particular, it needs at least the pem2openpgp translator. > Some of the later tests (the ones that test the MSVA validation setup) > will of course also need the monkeysphere validation agent running. These headers for msv don't seem to be available in the Fedora package so I cannot test the make check here. In any case, I'm in the process of modifying mod_gnutls to allow specifying pkcs11: URLs (or tpmkey) in the place of a file. The code is currently at https://github.com/nmav/mod_gnutls, and I'll try to submit a version once better tested. regards, Nikos From calderon.thomas at gmail.com Thu Jun 26 20:13:51 2014 From: calderon.thomas at gmail.com (Thomas Calderon) Date: Thu, 26 Jun 2014 20:13:51 +0200 Subject: [mod_gnutls-devel] mod_gnutls + pkcs11 = less data leaked (?) Message-ID: Hi there, I followed your discussion back in April towards supporting PKCS#11 in mod_gnutls. I would like to point out that I co-developed Caml Crush, a PKCS#11 filtering proxy. Our work address the various shortcomings of the PKCS#11 API. However, since it is a client/server approach it can be used as an elegant way to isolate the keying materials from the web server's memory. We have successfully tested this approach using mod_nss (since PKCS#11 tokens are natively supported within NSS databases). Caml Crush can be found at https://github.com/ANSSI-FR/caml-crush. It would be great if a patch adding PKCS#11 support could be contributed to mod_gnutls as it would offer an alternative, choice is always welcome ! Kind regards, Thomas Calderon -------------- next part -------------- An HTML attachment was scrubbed... URL: From nmav at gnutls.org Fri Jun 27 08:48:18 2014 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Fri, 27 Jun 2014 08:48:18 +0200 Subject: [mod_gnutls-devel] mod_gnutls + pkcs11 = less data leaked (?) In-Reply-To: References: Message-ID: <1403851698.4223.3.camel@nomad.lan> On Thu, 2014-06-26 at 20:13 +0200, Thomas Calderon wrote: > Hi there, > I followed your discussion back in April towards supporting PKCS#11 in > mod_gnutls. > I would like to point out that I co-developed Caml Crush, a PKCS#11 > filtering proxy. Our work address the various shortcomings of the > PKCS#11 API. > However, since it is a client/server approach it can be used as an > elegant way to isolate the keying materials from the web server's > memory. > We have successfully tested this approach using mod_nss (since PKCS#11 > tokens are natively supported within NSS databases). Hello Thomas, Actually that's pretty nice. Have you tried using the opendnssec softhsm module as backend? How much was the slowdown due to the usage of isolation? I didn't know about caml-crush so I'll certainly test it. regards, Nikos From calderon.thomas at gmail.com Fri Jun 27 09:23:41 2014 From: calderon.thomas at gmail.com (Thomas Calderon) Date: Fri, 27 Jun 2014 09:23:41 +0200 Subject: [mod_gnutls-devel] mod_gnutls + pkcs11 = less data leaked (?) In-Reply-To: <1403851698.4223.3.camel@nomad.lan> References: <1403851698.4223.3.camel@nomad.lan> Message-ID: Hi Nikos, During our development we used various cryptographic backends such as SoftHSM or openCryptoKi. I would recommend SoftHSM as it is much simpler and cleaner code (it has less features which are not relevant to TLS sessions establishment). We also used hardware backends (smarcards or HSMs) to test out our code. As for the slowdown, we have only preliminary results. In the case of mod_nss it is negligible when compared to local storage of certificates and keys. This is due to the fact that the crypto is done purely in software so it competes quite well. However, these results were obtained with our PKCS#11 filtering proxy on the same machine as the web server. Obviously if you further isolate the web server and Caml Crush on different computers, it should increase response time. We plan to release more performance results in the near future. There are significant shortcomings to the upstream mod_nss module (such as not supporting server-side DHE ciphersuites). Testing other TLS Apache modules is also in our roadmap (for instance mod_ssl requires patching). This is why it would be great to have alternatives. Do not hesitate to provide feedback on Caml Crush. Kind regards, Thomas Calderon On Fri, Jun 27, 2014 at 8:48 AM, Nikos Mavrogiannopoulos wrote: > On Thu, 2014-06-26 at 20:13 +0200, Thomas Calderon wrote: > > Hi there, > > > I followed your discussion back in April towards supporting PKCS#11 in > > mod_gnutls. > > I would like to point out that I co-developed Caml Crush, a PKCS#11 > > filtering proxy. Our work address the various shortcomings of the > > PKCS#11 API. > > However, since it is a client/server approach it can be used as an > > elegant way to isolate the keying materials from the web server's > > memory. > > We have successfully tested this approach using mod_nss (since PKCS#11 > > tokens are natively supported within NSS databases). > > Hello Thomas, > Actually that's pretty nice. Have you tried using the opendnssec > softhsm module as backend? How much was the slowdown due to the usage of > isolation? I didn't know about caml-crush so I'll certainly test it. > > regards, > Nikos > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: