From django at nausch.org Tue Nov 3 17:48:39 2015
From: django at nausch.org (Django)
Date: Tue, 3 Nov 2015 17:48:39 +0100
Subject: [mod_gnutls-devel] mod_gnutls and multiple TLS-vHosts
Message-ID: <5638E567.9070809@nausch.org>

Hi,

Apologies for my dumb question, but I'm not sure I'm doing the right thing right!

I always thought that mod_gnutls enables multiple TLS virtual name-based hosts. Is this right?

I tried to set up two name-based vhosts, but if I try to check both hosts via https://www.ssllabs.com/ssltest/ the default host is marked as "without SNI" and the second host is marked "only usable with SNI-supported browsers".

What's the difference between mod_gnutls (0.7.1) and mod_ssl (2.4.6)? How does mod_gnutls realize multiple TLS vhosts, with SNI or in a different way?

Thanks for explaining and helping me! ;)

Have a nice day
Django

From thomas2.klute at uni-dortmund.de Mon Nov 9 18:30:29 2015
From: thomas2.klute at uni-dortmund.de (Thomas Klute)
Date: Mon, 9 Nov 2015 18:30:29 +0100
Subject: [mod_gnutls-devel] mod_gnutls and multiple TLS-vHosts
In-Reply-To: <5638E567.9070809@nausch.org>
References:
<5638E567.9070809@nausch.org>
Message-ID: <5640D835.8070200@uni-dortmund.de>

On 03.11.2015 at 17:48, Django wrote:
> I always thought that mod_gnutls enables multiple TLS virtual name-based
> hosts. Is this right?

Yes, it does. If you want to look at the code in gnutls_hooks.c: mgs_select_virtual_server_cb is set as "post client hello function" (see gnutls_handshake_set_post_client_hello_function [1]) to load credentials matching the vhost config. mgs_select_virtual_server_cb calls mgs_find_sni_server to try and find a vhost matching SNI information provided by the client (if any).

> I tried to set up two name-based vhosts, but if I try to check both
> hosts via https://www.ssllabs.com/ssltest/ the default host is marked
> as "without SNI" and the second host is marked "only usable with
> SNI-supported browsers".

I'm afraid I can't comment on your configuration without seeing it. The default host is what you'll get if the client does not send the SNI extension, but if ServerName is set properly it should be reachable with SNI, too. If it isn't, that'd be a bug that should be fixed, but I'd need more information to reproduce.

Regards,
Thomas

[1] http://gnutls.org/manual/html_node/Core-TLS-API.html#gnutls_005fhandshake_005fset_005fpost_005fclient_005fhello_005ffunction

From thomas2.klute at uni-dortmund.de Sat Nov 21 20:24:01 2015
From: thomas2.klute at uni-dortmund.de (Thomas Klute)
Date: Sat, 21 Nov 2015 20:24:01 +0100
Subject: [mod_gnutls-devel] New Release: mod_gnutls 0.7.2
Message-ID: <5650C4D1.6030905@uni-dortmund.de>

Hello everyone,

I have just uploaded the source archive for mod_gnutls 0.7.2. This is a bugfix & maintenance release.
Changelog since mod_gnutls 0.7.1:

* Bugfix: Non-blocking reads in the input filter could lead to a busy wait in the gnutls_io_input_read function, causing high load on Keep-Alive connections waiting for data, until either more data could be received or the connection was closed. The fix is to pass EAGAIN/EINTR results up to the input filter so they can be handled properly. Please see commit f5a36eedea93851af6fa340951bf609f750eb4ca [1] for details.

* Close the TLS session if the input filter receives EOF (mostly relevant for proper termination of proxy connections).

* Remove the dependency on APR Memcache, which is replaced by the newer version included in the APR Utility Library (libaprutil).

* Remove the dependency on bc. It was used for floating point arithmetic in the test suite; the calculations have been changed to use integers and pure bash code.

You can download the release archive and detached PGP signature from https://mod.gnutls.org/downloads/ or check out the signed tag "mod_gnutls/0.7.2" from my repository on Github [2].

Kind regards,
Thomas Klute

[1] https://github.com/airtower-luna/mod_gnutls/commit/f5a36eedea93851af6fa340951bf609f750eb4ca
[2] https://github.com/airtower-luna/mod_gnutls
From webmaster at mod.gnutls.org Sat Nov 21 20:00:33 2015
From: webmaster at mod.gnutls.org (mod_gnutls)
Date: Sat, 21 Nov 2015 19:00:33 -0000
Subject: [mod_gnutls-devel] [mod_gnutls] #23: enable pkcs11 for server secret key material
In-Reply-To: <039.091be886fd42ea800dd3a682f729296f@mod.gnutls.org>
References: <039.091be886fd42ea800dd3a682f729296f@mod.gnutls.org>
Message-ID: <054.cf2979db3d28143279d9b4afbb0f74cd@mod.gnutls.org>

#23: enable pkcs11 for server secret key material
-------------------------------------+-------------------------------------
  Reporter: https://id.mayfirst.org/dkg | Owner: https://id.mayfirst.org/dkg
      Type: enhancement               | Status: closed
  Priority: major                     | Component: code
   Version:                           | Resolution: fixed
  Keywords: pkcs11                    |
-------------------------------------+-------------------------------------
Changes (by thomas klute):

 * status: new => closed
 * resolution: => fixed

Comment:

 Implemented in version 0.7, thanks to Nikos for the patch!

--
Ticket URL:
mod_gnutls
The apache httpd module for HTTPS using GnuTLS

From django at nausch.org Sun Nov 22 22:34:31 2015
From: django at nausch.org (Django)
Date: Sun, 22 Nov 2015 22:34:31 +0100
Subject: [mod_gnutls-devel] New Release: mod_gnutls 0.7.2
In-Reply-To: <5650C4D1.6030905@uni-dortmund.de>
References: <5650C4D1.6030905@uni-dortmund.de>
Message-ID: <565234E7.6090002@nausch.org>

Hi!

On 21.11.2015 at 20:24, Thomas Klute wrote:
> I have just uploaded the source archive for mod_gnutls 0.7.2. This
> is a bugfix & maintenance release.

RPMs for CentOS 7 are located here: http://repo.mailserver.guru/7/os/x86_64/repoview/mod_gnutls.html

n8!
Django

From dkg at fifthhorseman.net Mon Nov 23 20:09:34 2015
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Mon, 23 Nov 2015 14:09:34 -0500
Subject: [mod_gnutls-devel] New Release: mod_gnutls 0.7.2
In-Reply-To: <5650C4D1.6030905@uni-dortmund.de>
References: <5650C4D1.6030905@uni-dortmund.de>
Message-ID: <87ziy4wn0x.fsf@alice.fifthhorseman.net>

On Sat 2015-11-21 14:24:01 -0500, Thomas Klute wrote:
> I have just uploaded the source archive for mod_gnutls 0.7.2. This is a
> bugfix & maintenance release.

Thanks for this, Thomas!

0.7.2-2 is now available in debian unstable, and appears to have built and tested cleanly on all the main GNU/Linux platforms in Debian. The kfreebsd and ppc64 builds appear to have failed because of some problem with the monkeysphere validation agent:

https://buildd.debian.org/status/logs.php?arch=&pkg=mod-gnutls

but it looks in much better shape than previous releases.

Thanks for your improvements!
--dkg

From webmaster at mod.gnutls.org Mon Nov 23 23:14:58 2015
From: webmaster at mod.gnutls.org (mod_gnutls)
Date: Mon, 23 Nov 2015 22:14:58 -0000
Subject: [mod_gnutls-devel] [mod_gnutls] #29: Disabling SSL3 and TLS1.0 don't work
In-Reply-To: <027.ad31e2f31d181ef6f004c84b9bd75dc5@mod.gnutls.org>
References: <027.ad31e2f31d181ef6f004c84b9bd75dc5@mod.gnutls.org>
Message-ID: <042.267fc14812fbfc8e39fa5565bb37603e@mod.gnutls.org>

#29: Disabling SSL3 and TLS1.0 don't work
----------------------------+------------------------------------------
  Reporter: frederic massot | Owner: https://id.mayfirst.org/dkg
      Type: defect          | Status: closed
  Priority: major           | Component: code
   Version: 5.10            | Resolution: fixed
  Keywords:                 |
----------------------------+------------------------------------------
Changes (by thomas klute):

 * status: new => closed
 * resolution: => fixed

Comment:

 This bug is no longer present as of version 0.7.2 (I assume this was actually fixed in 0.6 but didn't check explicitly). Note that in recent GnuTLS versions SSLv3 is not included in the NORMAL priorities.

 With two vhosts configured with GnuTLSPriorities NORMAL:-VERS-TLS1.0 and GnuTLSPriorities NORMAL respectively, the first one is not reachable with a client configured to use TLS 1.0 only, while the second one is. Switching the priority strings has the expected effect of reversing the reachability by TLS 1.0.

--
Ticket URL:
mod_gnutls
The apache httpd module for HTTPS using GnuTLS
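An added configuration example (not from the ticket, the list or the mod_gnutls documentation) that puts the two priority strings from #29 on two name-based TLS vhosts of the kind discussed in the first thread above, with the first vhost acting as the default for clients that send no SNI. The hostnames, certificate paths and the Listen line are placeholders, and the gnutls-cli check assumes a 2015-era GnuTLS whose NORMAL set is TLS 1.0 to 1.2 (no TLS 1.3).

```apache
# Two name-based TLS vhosts on the same address and port. The first
# <VirtualHost> for *:443 is the default: a client that sends no SNI
# lands here; a client that sends SNI is matched against ServerName.
# Drop the Listen line if ssl.conf or another file already has it.
Listen 443

<VirtualHost *:443>
    # Must equal the SNI host_name the client sends (placeholder name).
    ServerName www.example.org
    GnuTLSEnable on
    GnuTLSCertificateFile /etc/pki/tls/certs/www.example.org.crt
    GnuTLSKeyFile /etc/pki/tls/private/www.example.org.key
    # Setting from #29: NORMAL minus TLS 1.0. A client that offers only
    # TLS 1.0 gets a handshake failure on this vhost.
    GnuTLSPriorities NORMAL:-VERS-TLS1.0
</VirtualHost>

<VirtualHost *:443>
    ServerName mail.example.org
    GnuTLSEnable on
    GnuTLSCertificateFile /etc/pki/tls/certs/mail.example.org.crt
    GnuTLSKeyFile /etc/pki/tls/private/mail.example.org.key
    # Plain NORMAL still admits TLS 1.0; as the ticket notes, recent
    # GnuTLS already leaves SSLv3 out of NORMAL.
    GnuTLSPriorities NORMAL
</VirtualHost>

# Check from a shell: a TLS-1.0-only client (NORMAL with 1.1 and 1.2
# removed) should fail against www and succeed against mail. gnutls-cli
# sends SNI for the hostname given, so each vhost is selected by name.
#   gnutls-cli --priority "NORMAL:-VERS-TLS1.1:-VERS-TLS1.2" www.example.org
#   gnutls-cli --priority "NORMAL:-VERS-TLS1.1:-VERS-TLS1.2" mail.example.org
```

Swapping the two GnuTLSPriorities lines should reverse which hostname the TLS-1.0-only check reaches, which is the behaviour the ticket comment reports.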