From thomas2.klute at uni-dortmund.de  Fri Apr  3 01:04:30 2015
From: thomas2.klute at uni-dortmund.de (Thomas Klute)
Date: Fri, 03 Apr 2015 01:04:30 +0200
Subject: [mod_gnutls-devel] TLS proxy support for mod_gnutls
Message-ID: <551DCAFE.4080401@uni-dortmund.de>

Hi everyone,

this week I finally had time to implement some test cases for the TLS proxy support added a while ago [1]. I now consider TLS proxy functional, though there's still room for improvement: checking the validity of the server certificate using OCSP or CRLs would be good. However, neither of these is available for client authentication, so I suppose my additions are at least on par with preexisting code there. ;-)

While writing the proxy tests, I also improved the test suite and got rid of the foreground sleep calls (well, almost - if you compile with MSVA support, there'll be one) in favor of proper locking and background waits, which massively speeds up the test suite.

As usual, feedback and patches are welcome.

And by the way, my security patch for TLS client auth made it into Debian (and probably other distributions) a few weeks ago [2]. :-)

Regards,
Thomas

[1] https://github.com/airtower-luna/mod_gnutls/commits/tls-proxy
[2] https://www.debian.org/security/2015/dsa-3177


From thomas2.klute at uni-dortmund.de  Tue Apr 21 23:34:55 2015
From: thomas2.klute at uni-dortmund.de (Thomas Klute)
Date: Tue, 21 Apr 2015 23:34:55 +0200
Subject: [mod_gnutls-devel] New GnuTLS key handling API and TLS proxy support
Message-ID: <5536C27F.6070502@uni-dortmund.de>

Hi everyone!

I finally got around to merging Nikos Mavrogiannopoulos' patch [1] to use the newer GnuTLS key handling API with my TLS proxy support. You can find the result in the master branch of my Github repository:
https://github.com/airtower-luna/mod_gnutls

I had merged Nikos' patch with my bugfixes and test suite improvements a while ago (see [2]), but then didn't have time to merge with the TLS proxy support as well.

Some notes on the current status (at commit 4133f2dd7749879a231db4aa1fcea63d3a8dc3c1 [3]):

a) There were a few problems with OpenPGP key handling in GnuTLS, which required workarounds. Kudos to Nikos for very fast help with debugging (you can see our conversation in the comments to [1])! The bugs should be fixed in GnuTLS 3.3.12 and newer, so the workarounds use version guards. However, I haven't actually tested with a version newer than 3.3.8 yet, so it would be great if someone could do that.

b) Using the new key handling API should make it possible to use PKCS #11 URLs for X.509 keys and certificates, but I haven't tested that. I'd welcome reports, and it would be even better if anyone could write PKCS #11 test cases using a simulated HSM (maybe SoftHSM would work?).

c) At the moment, proxy TLS connections support only file based X.509 authentication.

Sadly, I can't make an upstream release, but I'd like to hear how this works for you.

Regards,
Thomas

[1] https://github.com/nmav/mod_gnutls/commit/031acac9c6541034777f8917633164b51f6bd10a
[2] https://github.com/airtower-luna/mod_gnutls/tree/new-gnutls-api
[3] https://github.com/airtower-luna/mod_gnutls/commit/4133f2dd7749879a231db4aa1fcea63d3a8dc3c1


From bortzmeyer at nic.fr  Fri Apr 24 17:00:40 2015
From: bortzmeyer at nic.fr (Stephane Bortzmeyer)
Date: Fri, 24 Apr 2015 17:00:40 +0200
Subject: [mod_gnutls-devel] Ticket tracker still in use?
Message-ID: <20150424150039.GA306@nic.fr>

It seems mostly filled with spam. Some very serious tickets like seems forgotten.


From thomas2.klute at uni-dortmund.de  Sun Apr 26 22:25:25 2015
From: thomas2.klute at uni-dortmund.de (Thomas Klute)
Date: Sun, 26 Apr 2015 22:25:25 +0200
Subject: [mod_gnutls-devel] New GnuTLS key handling API and TLS proxy support
In-Reply-To: 
References: <5536C27F.6070502@uni-dortmund.de>
Message-ID: <553D49B5.8030708@uni-dortmund.de>

On 22.04.2015 at 11:40, Nikos Mavrogiannopoulos wrote:
> On Tue, Apr 21, 2015 at 11:34 PM, Thomas Klute wrote:
>> b) Using the new key handling API should make it possible to use PKCS #11 URLs for X.509 keys and certificates, but I haven't tested that. I'd welcome reports, and it would be even better if anyone could write PKCS #11 test cases using a simulated HSM (maybe SoftHSM would work?).
>
> In gnutls I use an automated test suite with softhsm. It generates keys using softhsm and then runs gnutls-serv and gnutls-cli.
> https://gitlab.com/gnutls/gnutls/blob/master/tests/suite/testpkcs11
> https://gitlab.com/gnutls/gnutls/blob/master/tests/suite/testpkcs11.softhsm
> The test suite assumes that softhsm is configured with p11-kit.

Thank you for the hint! I've successfully tested a PKCS #11 configuration with SoftHSM, though I didn't get around to writing an automated test yet. :-)

By the way, is there any reason not to call gnutls_pkcs11_add_provider after gnutls_global_init (without a previous call to gnutls_pkcs11_init) as long as mixing the new provider with system defaults is not a problem? It doesn't seem to be the expected case in the PKCS #11 Initialization chapter [1] of the GnuTLS documentation, but the API documentation doesn't warn against it either.

> For deployment one would have to use softhsm over caml-crush (to ensure that the server has no access to keys):
> https://github.com/ANSSI-FR/caml-crush/wiki
>
>> Sadly, I can't make an upstream release, but I'd like to hear how this works for you.
>
> Would it make sense to fork the project?

I'm seriously considering that, though I'd really like to keep the name and some kind of continuity, in particular because I expect that would make it easier to get new releases into distributions. :-/

Your mail wasn't forwarded over the mailing list for some reason, but since you kept it on CC I've done the same.

Regards,
Thomas

[1] http://www.gnutls.org/manual/html_node/PKCS11-Initialization.html


From nmav at gnutls.org  Wed Apr 22 11:40:22 2015
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Wed, 22 Apr 2015 11:40:22 +0200
Subject: [mod_gnutls-devel] New GnuTLS key handling API and TLS proxy support
In-Reply-To: <5536C27F.6070502@uni-dortmund.de>
References: <5536C27F.6070502@uni-dortmund.de>
Message-ID: 

On Tue, Apr 21, 2015 at 11:34 PM, Thomas Klute wrote:
> Hi everyone!
> I finally got around to merging Nikos Mavrogiannopoulos' patch [1] to use the newer GnuTLS key handling API with my TLS proxy support. You can find the result in the master branch of my Github repository:
> https://github.com/airtower-luna/mod_gnutls
> I had merged Nikos' patch with my bugfixes and test suite improvements a while ago (see [2]), but then didn't have time to merge with the TLS proxy support as well. Some notes on the current status (at commit 4133f2dd7749879a231db4aa1fcea63d3a8dc3c1 [3]):

Very nice work.

> b) Using the new key handling API should make it possible to use PKCS #11 URLs for X.509 keys and certificates, but I haven't tested that. I'd welcome reports, and it would be even better if anyone could write PKCS #11 test cases using a simulated HSM (maybe SoftHSM would work?).

In gnutls I use an automated test suite with softhsm. It generates keys using softhsm and then runs gnutls-serv and gnutls-cli.
https://gitlab.com/gnutls/gnutls/blob/master/tests/suite/testpkcs11
https://gitlab.com/gnutls/gnutls/blob/master/tests/suite/testpkcs11.softhsm
The test suite assumes that softhsm is configured with p11-kit.

For deployment one would have to use softhsm over caml-crush (to ensure that the server has no access to keys):
https://github.com/ANSSI-FR/caml-crush/wiki

> Sadly, I can't make an upstream release, but I'd like to hear how this works for you.

Would it make sense to fork the project?

regards,
Nikos