From nmav at gnutls.org Mon Dec 1 15:19:17 2003 From: nmav at gnutls.org (Nikos Mavroyanopoulos) Date: Mon, 1 Dec 2003 16:19:17 +0200 Subject: [gnutls-dev] gnutls 0.9.99 Message-ID: <20031201141917.GA22069@gnutls.org> I've reuploaded gnutls-0.9.99 to fix the compilation bug in common.c (gnutls-cli, gnutls-serv). Since this was just a trivial change (i removed the twofish cipher selection) I didn't update the version number. -- Nikos Mavroyanopoulos From ivo at o2w.nl Tue Dec 2 00:17:17 2003 From: ivo at o2w.nl (Ivo Timmermans) Date: Tue, 2 Dec 2003 00:17:17 +0100 Subject: [gnutls-dev] python-gnutls 0.2 Message-ID: <20031201231717.GB19113@juarez> Hi, I have just released version 0.2 of python-gnutls. Nothing really shocking has changed, except that there's now a server class, and that the TLS handshake has to be done explicitly now, possibly after changing some settings. http://home.o2w.net/~ivo/python-gnutls/ Ivo -- You know you've been Raytracing too long when... * You see a physically attractive person, and your first thought is, "Nice blobs!" - Jeff Lee, http://www.shipbrook.com/jeff/ykybrtlw.html From nmav at gnutls.org Thu Dec 4 12:16:30 2003 From: nmav at gnutls.org (Nikos Mavroyanopoulos) Date: Thu, 04 Dec 2003 13:16:30 +0200 Subject: [gnutls-dev] gnutls 1.0.0 Message-ID: <20031204111630.GA6791@gnutls.org> I've just released gnutls 1.0.0. This is finaly the first stable release of the 0.9.x branch. Please upgrade to this version because there will be no more support for the older 0.8.x branch. -- Nikos Mavroyanopoulos From ivo at o2w.nl Thu Dec 4 13:55:25 2003 From: ivo at o2w.nl (Ivo Timmermans) Date: Thu, 4 Dec 2003 13:55:25 +0100 Subject: [gnutls-dev] gnutls 1.0.0 In-Reply-To: <20031204111630.GA6791@gnutls.org> References: <20031204111630.GA6791@gnutls.org> Message-ID: <20031204125525.GA11351@juarez> Nikos Mavroyanopoulos wrote: > I've just released gnutls 1.0.0. This is finaly the first > stable release of the 0.9.x branch. Please upgrade to this > version because there will be no more support for the older > 0.8.x branch. Out of curiosity, why was the major soversion changed to 10 instead of 9? Ivo -- Bus error From nmav at gnutls.org Thu Dec 4 16:37:38 2003 From: nmav at gnutls.org (Nikos Mavroyanopoulos) Date: Thu, 04 Dec 2003 17:37:38 +0200 Subject: [gnutls-dev] gnutls 1.0.0 In-Reply-To: <20031204125525.GA11351@juarez> References: <20031204111630.GA6791@gnutls.org> <20031204125525.GA11351@juarez> Message-ID: <20031204153738.GA1180@gnutls.org> On Thu, Dec 04, 2003 at 01:55:25PM +0100, Ivo Timmermans wrote: > > I've just released gnutls 1.0.0. This is finaly the first > > stable release of the 0.9.x branch. Please upgrade to this > > version because there will be no more support for the older > > 0.8.x branch. > Out of curiosity, why was the major soversion changed to 10 instead of > 9? Because it is binary incompatible with some 0.9.x releases. If the soversion was not changed, it would make some applications linked against a development release to crash. > Ivo > -- > Bus error -- Nikos Mavroyanopoulos From ivo at o2w.nl Thu Dec 4 16:53:32 2003 From: ivo at o2w.nl (Ivo Timmermans) Date: Thu, 4 Dec 2003 16:53:32 +0100 Subject: [gnutls-dev] gnutls 1.0.0 In-Reply-To: <20031204153738.GA1180@gnutls.org> References: <20031204111630.GA6791@gnutls.org> <20031204125525.GA11351@juarez> <20031204153738.GA1180@gnutls.org> Message-ID: <20031204155332.GA12491@juarez> Nikos Mavroyanopoulos wrote: > On Thu, Dec 04, 2003 at 01:55:25PM +0100, Ivo Timmermans wrote: > > > > I've just released gnutls 1.0.0. This is finaly the first > > > stable release of the 0.9.x branch. Please upgrade to this > > > version because there will be no more support for the older > > > 0.8.x branch. > > Out of curiosity, why was the major soversion changed to 10 instead of > > 9? > Because it is binary incompatible with some 0.9.x releases. > If the soversion was not changed, it would make some applications > linked against a development release to crash. The soversion for 0.9.99 was 8.1.99, so it could have been major version 9 instead of 10, or did I miss something? Ivo -- If the designers of X-Windows built cars, there would be no fewer than five steering wheels hidden about the cockpit, none of which followed the same principles -- but you'd be able to shift gears with your car stereo. Useful feature, that. - Marus J. Ranum, DEC From nmav at gnutls.org Thu Dec 4 19:20:27 2003 From: nmav at gnutls.org (Nikos Mavroyanopoulos) Date: Thu, 04 Dec 2003 20:20:27 +0200 Subject: [gnutls-dev] gnutls 1.0.0 In-Reply-To: <20031204155332.GA12491@juarez> References: <20031204111630.GA6791@gnutls.org> <20031204125525.GA11351@juarez> <20031204153738.GA1180@gnutls.org> <20031204155332.GA12491@juarez> Message-ID: <20031204182027.GA1290@gnutls.org> On Thu, Dec 04, 2003 at 04:53:32PM +0100, Ivo Timmermans wrote: > > > > I've just released gnutls 1.0.0. This is finaly the first > > > > stable release of the 0.9.x branch. Please upgrade to this > > > > version because there will be no more support for the older > > > > 0.8.x branch. > > > Out of curiosity, why was the major soversion changed to 10 instead of > > > 9? > > Because it is binary incompatible with some 0.9.x releases. > > If the soversion was not changed, it would make some applications > > linked against a development release to crash. > The soversion for 0.9.99 was 8.1.99, so it could have been major > version 9 instead of 10, or did I miss something? It seems you're right. I missed a so number :) > Ivo -- Nikos Mavroyanopoulos From papadopo at shfj.cea.fr Fri Dec 5 12:07:49 2003 From: papadopo at shfj.cea.fr (Dimitri Papadopoulos-Orfanos) Date: Fri, 05 Dec 2003 12:07:49 +0100 Subject: [gnutls-dev] Building opencdk-0.5.3 on Solaris Message-ID: <3FD06705.5000504@shfj.cea.fr> Hi, While building opencdk-0.5.3 using the Sun ONE Studio 7 compiler I get the attached warnings. A few of them look like they could be serious and should be fixed. I have ommited the usual signed/unsignd warnings. I understand you don't want to fix these minor warnings. Regards, -- Dimitri -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: opencdk-0.5.3.log URL: From papadopo at shfj.cea.fr Fri Dec 5 13:14:26 2003 From: papadopo at shfj.cea.fr (Dimitri Papadopoulos-Orfanos) Date: Fri, 05 Dec 2003 13:14:26 +0100 Subject: [gnutls-dev] gnutls-1.0.0 build errors Message-ID: <3FD076A2.5050107@shfj.cea.fr> Hi, I'm attempting to build gnutls-1.0.0 on Solaris. I already have libgcrypt-1.1.90 and opencdk-0.5.3: $ libgcrypt-config --prefix /usr/local/libgcrypt-1.1.90 $ $ libgcrypt-config --cflags -I/usr/local/libgcrypt-1.1.90/include \ -I/usr/local/libgpg-error-0.5/include $ libgcrypt-config --libs -L/usr/local/libgcrypt-1.1.90/lib -lgcrypt \ -L/usr/local/libgpg-error-0.5/lib -lgpg-error $ $ $ opencdk-config --prefix /usr/local/opencdk-0.5.3 $ $ opencdk-config --cflags -I/usr/local/libgcrypt-1.1.90/include \ -I/usr/local/libgpg-error-0.5/include \ -I/usr/local/opencdk-0.5.3/include $ opencdk-config --libs -lz -L/usr/local/opencdk-0.5.3/lib -lopencdk \ -L/usr/local/libgcrypt-1.1.90/lib -lgcrypt \ -L/usr/local/libgpg-error-0.5/lib -lgpg-error $ First note that -lz should appear last in this library list - for systems with a linker unable to reorder shared libraries itself, like old releases of IRIX or HP-UX. Second it seems that gnutls-1.0.0 needs an external opencdk-0.5.2 library. It won't build with an included opencdk library as it used to. This doesn't seem to be documented anywhere. Finally, it seems the configure script doesn't put the compiler flags needed to include opencdk headers into Makefiles: $ ./configure --prefix=/usr/local/gnutls-1.0.0 [...] checking for opencdk-config... /usr/local/bin/opencdk-config checking for libopencdk - version >= 0.5.2... yes [...] $ gmake [...] cc -DHAVE_CONFIG_H -I. -I. -I../.. -I../ -I../../includes/ -I../../lib -I../../lib/minitasn1 -O -I/usr/local/libgcrypt-1.1.90/include -I/usr/local/libgpg-error-0.5/include -c openpgp.c -KPIC -DPIC -o .libs/openpgp.o "openpgp.c", line 33: cannot find include file: "./openpgp.h", line 8: cannot find include file: "./openpgp.h", line 14: syntax error before or at: cdk_kbnode_t "./openpgp.h", line 14: cannot recover from previous errors cc: acomp failed for openpgp.c [...] $ I had to work around thsi problem by setting CPPFLAGS: setenv CPPFLAGS -I/usr/local/opencdk/include Regards, -- Dimitri From papadopo at shfj.cea.fr Fri Dec 5 13:30:51 2003 From: papadopo at shfj.cea.fr (Dimitri Papadopoulos-Orfanos) Date: Fri, 05 Dec 2003 13:30:51 +0100 Subject: [gnutls-dev] Building gnutls-1.0.0 on Solaris Message-ID: <3FD07A7B.7020502@shfj.cea.fr> Hi, While building gnutls-1.0.0 using the Sun ONE Studio 7 compiler I got a few warnings that could be fixed or worked around: "minilzo.c", line 1173: warning: integer overflow detected: op "<<" "minilzo.c", line 2190: warning: loop not entered at top "minilzo.c", line 2682: warning: loop not entered at top "serv.c", line 954: warning: statement not reached "cli.c", line 425: warning: implicit function declaration: bzero There are also the usual bunch of signed/unsigned errors, but I understand you don' want to fix them. See attached log. -- Dimitri -------------- next part -------------- A non-text attachment was scrubbed... Name: gnutls-1.0.0.log.gz Type: application/x-gzip Size: 14392 bytes Desc: not available URL: From nmav at gnutls.org Fri Dec 5 13:25:03 2003 From: nmav at gnutls.org (Nikos Mavroyanopoulos) Date: Fri, 05 Dec 2003 14:25:03 +0200 Subject: [gnutls-dev] gnutls-1.0.0 build errors In-Reply-To: <3FD076A2.5050107@shfj.cea.fr> References: <3FD076A2.5050107@shfj.cea.fr> Message-ID: <20031205122503.GA20371@gnutls.org> On Fri, Dec 05, 2003 at 01:14:26PM +0100, Dimitri Papadopoulos-Orfanos wrote: > Hi, > I'm attempting to build gnutls-1.0.0 on Solaris. > I already have libgcrypt-1.1.90 and opencdk-0.5.3: [...] > Second it seems that gnutls-1.0.0 needs an external opencdk-0.5.2 > library. It won't build with an included opencdk library as it used to. > This doesn't seem to be documented anywhere. Hello Dimitri, Opencdk was never included in gnutls. That openpgp functionality was being disabled if it was not found. For 1.0.0 I made it mandatory to have the openpgp functionality, so applications can depend on that api. Embedded systems that do not need that functionality can still use the --disable-openpgp-authentication as a configure parameter. > Finally, it seems the configure script doesn't put the compiler flags > needed to include opencdk headers into Makefiles: > $ ./configure --prefix=/usr/local/gnutls-1.0.0 > [...] > checking for opencdk-config... /usr/local/bin/opencdk-config > checking for libopencdk - version >= 0.5.2... yes > [...] You should use the --with-libopencdk-prefix parameter for the opencdk library. > Regards, > -- > Dimitri -- Nikos Mavroyanopoulos From papadopo at shfj.cea.fr Fri Dec 5 13:58:01 2003 From: papadopo at shfj.cea.fr (Dimitri Papadopoulos-Orfanos) Date: Fri, 05 Dec 2003 13:58:01 +0100 Subject: [gnutls-dev] gnutls-1.0.0 build errors In-Reply-To: <20031205122503.GA20371@gnutls.org> References: <3FD076A2.5050107@shfj.cea.fr> <20031205122503.GA20371@gnutls.org> Message-ID: <3FD080D9.80100@shfj.cea.fr> Hi, >>Finally, it seems the configure script doesn't put the compiler flags >>needed to include opencdk headers into Makefiles: >>$ ./configure --prefix=/usr/local/gnutls-1.0.0 >>[...] >>checking for opencdk-config... /usr/local/bin/opencdk-config >>checking for libopencdk - version >= 0.5.2... yes >>[...] > > > You should use the --with-libopencdk-prefix parameter for the > opencdk library. No, that's not the problem. The configure script did find the location of opencdk: checking for opencdk-config... /usr/local/bin/opencdk-config checking for libopencdk - version >= 0.5.2... yes I did try --with-libopencdk-prefix and it doesn't help. The problem is that the Makefile lacks a reference to the (known) location of the opencdk headers. it's probably just a question of adding a dependency on opencdk in libextra/Makefile.am or maybe libextra/openpgp/Makefile.am. I'd like to provide a patch, but I'm a bit lost in the usual automake/autoconf mess in these directories. -- Dimitri From nmav at gnutls.org Fri Dec 5 15:25:07 2003 From: nmav at gnutls.org (Nikos Mavroyanopoulos) Date: Fri, 05 Dec 2003 16:25:07 +0200 Subject: [gnutls-dev] gnutls-1.0.0 build errors In-Reply-To: <3FD080D9.80100@shfj.cea.fr> References: <3FD076A2.5050107@shfj.cea.fr> <20031205122503.GA20371@gnutls.org> <3FD080D9.80100@shfj.cea.fr> Message-ID: <20031205142507.GA27318@gnutls.org> On Fri, Dec 05, 2003 at 01:58:01PM +0100, Dimitri Papadopoulos-Orfanos wrote: > >>checking for opencdk-config... /usr/local/bin/opencdk-config > >>checking for libopencdk - version >= 0.5.2... yes > >You should use the --with-libopencdk-prefix parameter for the > >opencdk library. > No, that's not the problem. The configure script did find the location > of opencdk: > checking for opencdk-config... /usr/local/bin/opencdk-config > checking for libopencdk - version >= 0.5.2... yes > I did try --with-libopencdk-prefix and it doesn't help. Thanks, I've found the problem. Just fixed in the cvs. > -- > Dimitri -- Nikos Mavroyanopoulos From ivo at o2w.nl Fri Dec 5 19:00:22 2003 From: ivo at o2w.nl (Ivo Timmermans) Date: Fri, 5 Dec 2003 19:00:22 +0100 Subject: [gnutls-dev] gnutls-cli fallback to ssl3 Message-ID: <20031205180022.GA18347@juarez> Hi, It seems that gnutls-cli can't fall back on SSL3 if TLS1 is not available, is this an error in the program or in the library? For example: > gnutls-cli --protocols ssl3 -p 563 news.mozilla.org Resolving 'news.mozilla.org'... Connecting to '204.29.187.156:563'... - Certificate type: X.509 - Got a certificate list of 3 certificates. [...] 200 secnews.netscape.com Netscape-Collabra/3.52 03615 NNRP ready (posting ok). > gnutls-cli -p 563 news.mozilla.org Resolving 'news.mozilla.org'... Connecting to '204.29.187.156:563'... *** Fatal error: A TLS fatal alert has been received. *** Received alert [40]: Handshake failed *** Handshake has failed GNUTLS ERROR: A TLS fatal alert has been received. Ivo -- /* I can't stand it anymore! Please can't we just write the whole Unix system in lisp or something? */ - bash-2.02/unwind_prot.c From nmav at gnutls.org Fri Dec 5 21:56:05 2003 From: nmav at gnutls.org (Nikos Mavroyanopoulos) Date: Fri, 05 Dec 2003 22:56:05 +0200 Subject: [gnutls-dev] gnutls-cli fallback to ssl3 In-Reply-To: <20031205180022.GA18347@juarez> References: <20031205180022.GA18347@juarez> Message-ID: <20031205205605.GA884@gnutls.org> On Fri, Dec 05, 2003 at 07:00:22PM +0100, Ivo Timmermans wrote: > Hi, > It seems that gnutls-cli can't fall back on SSL3 if TLS1 is not > available, is this an error in the program or in the library? The error is in the "Netscape-Collabra/3.52" server. It should be a really ancient server. Try gnutls-cli on www.verisign.com (an ssl 3.0 server). It works fine there. The problem with the specific (netscape) server is that it cannot handle an SSL 3.0 with a TLS version number. That kind of servers only works fine if an SSL 2.0 hello is sent (that what openssl does). Since gnutls does not send an SSL 2.0 hello there is no way it can properly communicate with this server, unless TLS 1.0 is disabled. > For example: > > > gnutls-cli --protocols ssl3 -p 563 news.mozilla.org > Resolving 'news.mozilla.org'... > Connecting to '204.29.187.156:563'... > - Certificate type: X.509 > - Got a certificate list of 3 certificates. > [...] > 200 secnews.netscape.com Netscape-Collabra/3.52 03615 NNRP ready > (posting ok). > > gnutls-cli -p 563 news.mozilla.org > Resolving 'news.mozilla.org'... > Connecting to '204.29.187.156:563'... > *** Fatal error: A TLS fatal alert has been received. > *** Received alert [40]: Handshake failed > *** Handshake has failed > GNUTLS ERROR: A TLS fatal alert has been received. > Ivo > -- > /* I can't stand it anymore! Please can't we just write the > whole Unix system in lisp or something? */ > - bash-2.02/unwind_prot.c -- Nikos Mavroyanopoulos From nmav at gnutls.org Fri Dec 5 22:32:13 2003 From: nmav at gnutls.org (Nikos Mavroyanopoulos) Date: Fri, 05 Dec 2003 23:32:13 +0200 Subject: [gnutls-dev] gnutls-cli fallback to ssl3 In-Reply-To: <20031205205605.GA884@gnutls.org> References: <20031205180022.GA18347@juarez> <20031205205605.GA884@gnutls.org> Message-ID: <20031205213213.GA5222@gnutls.org> On Fri, Dec 05, 2003 at 10:56:05PM +0200, Nikos Mavroyanopoulos wrote: > The problem with the specific (netscape) server is that it > cannot handle an SSL 3.0 with a TLS version number. That kind That is: handle an SSL 3.0 client hello with a TLS version number. I shouldn't watch tv while replying :) -- Nikos Mavroyanopoulos From bjg at network-theory.co.uk Mon Dec 8 16:28:55 2003 From: bjg at network-theory.co.uk (Brian Gough) Date: Mon, 08 Dec 2003 15:28:55 +0000 Subject: [gnutls-dev] gnu-friends interview for gnutls-1.0 Message-ID: Hi, I saw that GNU TLS 1.0 has just been released (congratulations!) Would any of the developers be interested in doing an email interview (either one person or jointly) for the GNU-Friends website? (http://www.gnu-friends.org/) Please contact me directly if you are interested. Thanks. best regards -- Brian Gough p.s. Here are links for some recent GNU-Friends interviews, Sergey Poznyakoff - GNU Radius http://www.gnu-friends.org/story/2003/11/27/12333/589 Nicola Pero - GNUstep http://www.gnu-friends.org/story/2003/11/17/14479/003 Marius Vollmer - GNU Guile http://www.gnu-friends.org/story/2003/10/17/55512/019 From nmav at gnutls.org Wed Dec 10 16:43:50 2003 From: nmav at gnutls.org (Nikos Mavroyanopoulos) Date: Wed, 10 Dec 2003 17:43:50 +0200 Subject: [gnutls-dev] gnutls 1.0.1 Message-ID: <20031210154350.GA24185@gnutls.org> I've just released gnutls 1.0.1. The changes since gnutls 1.0.0 are: - Some minor fixes in the makefiles. They now include CFLAGS from libgcrypt or opencdk if installed in a non standard directory. - Fixed the SRP detection test in gnutls-cli-debug. - Added gnutls_rsa_params_export_pkcs1() and gnutls_rsa_params_import_pkcs1(). - Documentation updates. -- Nikos Mavroyanopoulos From papadopo at shfj.cea.fr Mon Dec 15 12:19:49 2003 From: papadopo at shfj.cea.fr (Dimitri Papadopoulos-Orfanos) Date: Mon, 15 Dec 2003 12:19:49 +0100 Subject: [gnutls-dev] gnutls-1.0.1 build errors Message-ID: <3FDD98D5.5000903@shfj.cea.fr> Hi, I'm attempting to build gnutls-1.0.1 on Solaris. I already have libgcrypt-1.1.90 and opencdk-0.5.3 installed: $ libgcrypt-config --cflags -I/usr/local/libgcrypt-1.1.90/include -I/usr/local/libgpg-error-0.5/include $ $ opencdk-config --cflags -I/usr/local/libgcrypt-1.1.90/include -I/usr/local/libgpg-error-0.5/include -I/usr/local/opencdk-0.5.3/include $ The configure script still doesn't insert all necessary compiler flags into a Makefile. Specifically the opencdk inclusion path is missing from src/Makefile: $ ./configure --prefix=/usr/local/gnutls-1.0.1 \ --with-libgcrypt-prefix=/usr/local/libgcrypt-1.1.90 \ --with-libopencdk-prefix=/usr/local/opencdk-0.5.3 [...] $ gmake cc -DHAVE_CONFIG_H -I. -I. -I.. -I../lib -I../libtasn1/lib -I../includes -O -I/usr/local/libgcrypt-1.1.90/include -I/usr/local/libgpg-error-0.5/include -c `test -f 'serv.c' || echo './'`serv.c "serv.c", line 41: cannot find include file: [...] cc: acomp failed for serv.c gmake[3]: *** [serv.o] Error 2 gmake[3]: Leaving directory `/tmp/gnutls-1.0.1/src' [...] $ This issue was worked around by inserting manually into the Makefile: -I/usr/local/opencdk-0.5.3/include Then there were the ususal signed/unsigned warnings, see attached build log file. Regards, -- Dimitri -------------- next part -------------- A non-text attachment was scrubbed... Name: gnutls-1.0.1.log.gz Type: application/x-gzip Size: 14845 bytes Desc: not available URL: From nmav at gnutls.org Wed Dec 17 14:59:17 2003 From: nmav at gnutls.org (Nikos Mavroyanopoulos) Date: Wed, 17 Dec 2003 15:59:17 +0200 Subject: [gnutls-dev] gnutls-1.0.1 build errors In-Reply-To: <3FDD98D5.5000903@shfj.cea.fr> References: <3FDD98D5.5000903@shfj.cea.fr> Message-ID: <20031217135917.GA9094@gnutls.org> On Mon, Dec 15, 2003 at 12:19:49PM +0100, Dimitri Papadopoulos-Orfanos wrote: > Hi, > I'm attempting to build gnutls-1.0.1 on Solaris. > I already have libgcrypt-1.1.90 and opencdk-0.5.3 installed: [...] > The configure script still doesn't insert all necessary compiler flags > into a Makefile. Specifically the opencdk inclusion path is missing from > src/Makefile: This was a bug in opencdk.m4. I've corrected that in the cvs. > Regards, > -- > Dimitri -- Nikos Mavroyanopoulos From nmav at gnutls.org Thu Dec 18 15:26:00 2003 From: nmav at gnutls.org (Nikos Mavroyanopoulos) Date: Thu, 18 Dec 2003 16:26:00 +0200 Subject: [gnutls-dev] gnutls 1.0.2 Message-ID: <20031218142600.GA13581@gnutls.org> I've just released gnutls 1.0.2 which corrects an important bug in the RSA key generation. -- Nikos Mavroyanopoulos From jas at extundo.com Fri Dec 19 04:28:06 2003 From: jas at extundo.com (Simon Josefsson) Date: Fri, 19 Dec 2003 04:28:06 +0100 Subject: [gnutls-dev] gnutls_bye always return -50? Message-ID: In my client code I use: do ret = gnutls_bye(session, GNUTLS_SHUT_RDWR); while (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN); if (ret != GNUTLS_E_SUCCESS) shishi_error_printf (handle, "TLS Disconnected failed (%d): %s", ret, gnutls_strerror (ret)); and in my server code I use: do rc = gnutls_bye (ls->session, GNUTLS_SHUT_RDWR); while (rc == GNUTLS_E_AGAIN || rc == GNUTLS_E_INTERRUPTED); if (rc != GNUTLS_E_SUCCESS) syslog (LOG_ERR, "TLS terminate failed to %s on socket %d (%d): %s", ls->str, ls->sockfd, rc, gnutls_strerror (rc)); both of these return errors, from the client: TLS Disconnected failed (-50): The request is invalid. and the server: shishi: TLS terminate failed to *:4711/tcp peer 127.0.0.1 on socket 6 (-50): The request is invalid. Everything else works, but I wonder if the error code indicate a real error (so I should abort everything) or just a bug somewhere (so I should fix it). The example applications in GNUTLS seem to ignore the return value. Any ideas? Thanks, Simon From nmav at gnutls.org Fri Dec 19 09:50:53 2003 From: nmav at gnutls.org (Nikos Mavroyanopoulos) Date: Fri, 19 Dec 2003 10:50:53 +0200 Subject: [gnutls-dev] gnutls_bye always return -50? In-Reply-To: References: Message-ID: <20031219085052.GA21337@gnutls.org> On Fri, Dec 19, 2003 at 04:28:06AM +0100, Simon Josefsson wrote: > In my client code I use: > do > ret = gnutls_bye(session, GNUTLS_SHUT_RDWR); > while (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN); > > if (ret != GNUTLS_E_SUCCESS) > shishi_error_printf (handle, "TLS Disconnected failed (%d): %s", > ret, gnutls_strerror (ret)); [...] > both of these return errors, from the client: > TLS Disconnected failed (-50): The request is invalid. This was a bug in the gnutls_bye(). I've fixed that in the cvs. > Thanks, > Simon -- Nikos Mavroyanopoulos From jas at extundo.com Sat Dec 20 14:21:03 2003 From: jas at extundo.com (Simon Josefsson) Date: Sat, 20 Dec 2003 14:21:03 +0100 Subject: [gnutls-dev] dh_param's required in client for anonymous kx in 1.1? Message-ID: I'm using the anonymous key exchange, and I generate dh_param's in the server, and it works fine with 1.0. With 1.1 (from CVS) however, I get an error in the server: shishi: TLS handshake failed (-32): Insufficient credentials for that request. Any ideas? Given the recent NEWS entry, I suspect gnutls might be removing the ANON kx from the list of valid kx's in the client, because the client hasn't any dh_param's. But as far as I understand, only the server is required to generate the dh_param's. Thanks. From nmav at gnutls.org Sat Dec 20 18:09:46 2003 From: nmav at gnutls.org (Nikos Mavroyanopoulos) Date: Sat, 20 Dec 2003 19:09:46 +0200 Subject: [gnutls-dev] dh_param's required in client for anonymous kx in 1.1? In-Reply-To: References: Message-ID: <20031220170946.GA2558@gnutls.org> On Sat, Dec 20, 2003 at 02:21:03PM +0100, Simon Josefsson wrote: > I'm using the anonymous key exchange, and I generate dh_param's in the > server, and it works fine with 1.0. With 1.1 (from CVS) however, I > get an error in the server: > shishi: TLS handshake failed (-32): Insufficient credentials for that request. gnutls-cli works fine in 1.1.0. Do you allocate and set the anon client credentials? If yes, please enable debugging(with level 2) and send me the output. > Given the recent NEWS entry, I suspect gnutls might be removing the > ANON kx from the list of valid kx's in the client, because the client > hasn't any dh_param's. But as far as I understand, only the server is > required to generate the dh_param's. Yes this is correct. > Thanks. -- Nikos Mavroyanopoulos From simon+gnutls-dev at josefsson.org Sat Dec 20 19:34:56 2003 From: simon+gnutls-dev at josefsson.org (Simon Josefsson) Date: Sat, 20 Dec 2003 19:34:56 +0100 Subject: [gnutls-dev] Re: dh_param's required in client for anonymous kx in 1.1? In-Reply-To: <20031220170946.GA2558@gnutls.org> (Nikos Mavroyanopoulos's message of "Sat, 20 Dec 2003 19:09:46 +0200") References: <20031220170946.GA2558@gnutls.org> Message-ID: Nikos Mavroyanopoulos writes: > On Sat, Dec 20, 2003 at 02:21:03PM +0100, Simon Josefsson wrote: > >> I'm using the anonymous key exchange, and I generate dh_param's in the >> server, and it works fine with 1.0. With 1.1 (from CVS) however, I >> get an error in the server: >> shishi: TLS handshake failed (-32): Insufficient credentials for that request. > > gnutls-cli works fine in 1.1.0. Do you allocate and set the anon > client credentials? Yes. err = gnutls_anon_allocate_server_credentials (&anoncred); if (err) error (EXIT_FAILURE, 0, "Cannot allocate GNUTLS credential: %s (%d)", gnutls_strerror (err), err); err = gnutls_dh_params_init (&dh_params); if (err) error (EXIT_FAILURE, 0, "Cannot initialize GNUTLS DH parameters: %s (%d)", gnutls_strerror (err), err); if (!arg.quiet_flag) printf ("Generating Diffie-Hellman parameters...\n"); err = gnutls_dh_params_generate2 (dh_params, DH_BITS); if (err) error (EXIT_FAILURE, 0, "Cannot generate GNUTLS DH parameters: %s (%d)", gnutls_strerror (err), err); gnutls_anon_set_server_dh_params (anoncred, dh_params); ... rc = gnutls_credentials_set (ls->session, GNUTLS_CRD_ANON, anoncred); if (rc != GNUTLS_E_SUCCESS) { syslog (LOG_ERR, "TLS failed, gnutls_cs %d: %s", rc, gnutls_strerror (rc)); return -1; } > If yes, please enable debugging(with level 2) > and send me the output. shishid: Trying STARTTLS tls 2: ASSERT: gnutls_db.c:217 tls 2: EXT[8079568]: Received extension 'SERVER_NAME' tls 2: ASSERT: auth_cert.c:1488 tls 2: ASSERT: gnutls_handshake.c:2440 tls 2: ASSERT: gnutls_handshake.c:550 tls 2: ASSERT: gnutls_handshake.c:351 tls 2: ASSERT: gnutls_handshake.c:1747 tls 2: ASSERT: gnutls_handshake.c:2184 shishid: TLS handshake failed (-32): Insufficient credentials for that request. The interesting thing is that if I also set a X.509 credential in the session: rc = gnutls_credentials_set (ls->session, GNUTLS_CRD_CERTIFICATE, x509cred); if (rc != GNUTLS_E_SUCCESS) { syslog (LOG_ERR, "TLS failed, gnutls_cs X.509 %d: %s", rc, gnutls_strerror (rc)); return -1; } The negotiation works, and negotiate anonymous TLS fine: shishid: Trying STARTTLS tls 2: ASSERT: gnutls_db.c:217 tls 2: EXT[8079608]: Received extension 'SERVER_NAME' tls 2: ASSERT: gnutls_x509.c:1019 shishid: TLS handshake negotiated protocol `TLS 1.0', key exchange `Anon DH', certficate type `X.509', cipher `AES 256 CBC', mac `SHA', compression `NULL' The KX's are: const int kx_prio[] = { GNUTLS_KX_ANON_DH, 0 }; So I don't understand how adding the x.509 credential help, although the gnutls_handshake code seem to have changed between 1.0.2 (which works) and CVS (which doesn't) so perhaps the trace above help you. Thanks. From nmav at gnutls.org Sat Dec 20 19:58:45 2003 From: nmav at gnutls.org (Nikos Mavroyanopoulos) Date: Sat, 20 Dec 2003 20:58:45 +0200 Subject: [gnutls-dev] Re: dh_param's required in client for anonymous kx in 1.1? In-Reply-To: References: <20031220170946.GA2558@gnutls.org> Message-ID: <20031220185845.GA23318@gnutls.org> On Sat, Dec 20, 2003 at 07:34:56PM +0100, Simon Josefsson wrote: > The interesting thing is that if I also set a X.509 credential in the > session: This was the problem. While changing the code for 1.1.0 I introduced that bug. This should be now fixed. > Thanks. -- Nikos Mavroyanopoulos From simon+gnutls-dev at josefsson.org Sat Dec 20 20:17:37 2003 From: simon+gnutls-dev at josefsson.org (Simon Josefsson) Date: Sat, 20 Dec 2003 20:17:37 +0100 Subject: [gnutls-dev] Re: dh_param's required in client for anonymous kx in 1.1? In-Reply-To: <20031220185845.GA23318@gnutls.org> (Nikos Mavroyanopoulos's message of "Sat, 20 Dec 2003 20:58:45 +0200") References: <20031220170946.GA2558@gnutls.org> <20031220185845.GA23318@gnutls.org> Message-ID: Nikos Mavroyanopoulos writes: > On Sat, Dec 20, 2003 at 07:34:56PM +0100, Simon Josefsson wrote: > >> The interesting thing is that if I also set a X.509 credential in the >> session: > This was the problem. While changing the code for 1.1.0 I introduced that bug. > This should be now fixed. I can't seem to be able to build CVS now (libextra/privkey.c?), but I'll revert to 1.0.2 for the time being. Thanks. From nmav at gnutls.org Sat Dec 20 21:27:05 2003 From: nmav at gnutls.org (Nikos Mavroyanopoulos) Date: Sat, 20 Dec 2003 22:27:05 +0200 Subject: [gnutls-dev] Re: dh_param's required in client for anonymous kx in 1.1? In-Reply-To: References: <20031220170946.GA2558@gnutls.org> <20031220185845.GA23318@gnutls.org> Message-ID: <20031220202705.GA24654@gnutls.org> On Sat, Dec 20, 2003 at 08:17:37PM +0100, Simon Josefsson wrote: > >> The interesting thing is that if I also set a X.509 credential in the > >> session: > > This was the problem. While changing the code for 1.1.0 I introduced that bug. > > This should be now fixed. > I can't seem to be able to build CVS now (libextra/privkey.c?), but > I'll revert to 1.0.2 for the time being. Thanks. It's under heavy development. I'll have a working development release in a few days. -- Nikos Mavroyanopoulos From simon+gnutls-dev at josefsson.org Sun Dec 21 09:49:08 2003 From: simon+gnutls-dev at josefsson.org (Simon Josefsson) Date: Sun, 21 Dec 2003 09:49:08 +0100 Subject: [gnutls-dev] Anonymity lost if same DH params re-used for ephemeral RSA/DSS too? Message-ID: This might not be exactly gnutls specific, but the question grow out of a usage question of your API: is it OK to use the same D-H parameters for both the ANON-DH and DHE-RSA/DSS key exchanges? It takes several seconds to generate the D-H params, so I'd rather not generate two sets if it can be avoided. The issue I'm worried about: can someone impersonate a server with DHE-RSA/DSS kx, by using the ANON-DH kx against the real server, if the real server is using the same D-H parameters for both ANON-DH and DHE-RSA/DSS? Any other problems using the same D-H parameters? I suppose the answer is no, but just wanted to be sure. I guess I need a good TLS textbook... (I know I can store the D-H parameters on disk in PKCS#3 format to speed up server startup.) Thanks. From nmav at gnutls.org Sun Dec 21 10:47:51 2003 From: nmav at gnutls.org (Nikos Mavroyanopoulos) Date: Sun, 21 Dec 2003 11:47:51 +0200 Subject: [gnutls-dev] Anonymity lost if same DH params re-used for ephemeral RSA/DSS too? In-Reply-To: References: Message-ID: <20031221094751.GA3654@gnutls.org> On Sun, Dec 21, 2003 at 09:49:08AM +0100, Simon Josefsson wrote: > This might not be exactly gnutls specific, but the question grow out > of a usage question of your API: is it OK to use the same D-H > parameters for both the ANON-DH and DHE-RSA/DSS key exchanges? It > takes several seconds to generate the D-H params, so I'd rather not > generate two sets if it can be avoided. Yes it's perfectly fine to use the same DH parameters. It does not weaken the protocol in any way. > The issue I'm worried about: > can someone impersonate a server with DHE-RSA/DSS kx, by using the > ANON-DH kx against the real server, if the real server is using the > same D-H parameters for both ANON-DH and DHE-RSA/DSS? Any other > problems using the same D-H parameters? No. In the certificate authenticated ciphersuites (such as DHE-RSA/DSS) the session parameters are signed with the certificate, so it is not possible to impersonate the server. > I suppose the answer is no, but just wanted to be sure. I guess I > need a good TLS textbook... A glimpse on rfc2246 should be sufficient. > Thanks. -- Nikos Mavroyanopoulos From nmav at gnutls.org Sun Dec 21 10:54:36 2003 From: nmav at gnutls.org (Nikos Mavroyanopoulos) Date: Sun, 21 Dec 2003 11:54:36 +0200 Subject: [gnutls-dev] gnutls 1.0.3 Message-ID: <20031221095436.GA31957@gnutls.org> Hello, gnutls 1.0.3 is out. The changes since 1.0.2 are: - Corrected bug in gnutls_bye() which made it return an error code of INVALID_REQUEST instead of success. - Corrected a bug in the GNUTLS_KEY key usage definitions. -- Nikos Mavroyanopoulos From simon+gnutls-dev at josefsson.org Sun Dec 21 12:24:34 2003 From: simon+gnutls-dev at josefsson.org (Simon Josefsson) Date: Sun, 21 Dec 2003 12:24:34 +0100 Subject: [gnutls-dev] Re: Anonymity lost if same DH params re-used for ephemeral RSA/DSS too? In-Reply-To: <20031221094751.GA3654@gnutls.org> (Nikos Mavroyanopoulos's message of "Sun, 21 Dec 2003 11:47:51 +0200") References: <20031221094751.GA3654@gnutls.org> Message-ID: Nikos Mavroyanopoulos writes: > On Sun, Dec 21, 2003 at 09:49:08AM +0100, Simon Josefsson wrote: > >> This might not be exactly gnutls specific, but the question grow out >> of a usage question of your API: is it OK to use the same D-H >> parameters for both the ANON-DH and DHE-RSA/DSS key exchanges? It >> takes several seconds to generate the D-H params, so I'd rather not >> generate two sets if it can be avoided. > Yes it's perfectly fine to use the same DH parameters. It does > not weaken the protocol in any way. Good, thanks for quick response. Btw, I have verified that 1.0.3 solved my gnutls_bye problem. Thanks, Simon From nmav at gnutls.org Sun Dec 21 15:56:07 2003 From: nmav at gnutls.org (Nikos Mavroyanopoulos) Date: Sun, 21 Dec 2003 16:56:07 +0200 Subject: [gnutls-dev] gnutls 1.1.0 Message-ID: <20031221145606.GA18032@gnutls.org> The first release of gnutls' development branch is out. The differences with the stable branch now are: - The error codes GNUTLS_E_NO_TEMPORARY_DH_PARAMS and GNUTLS_E_NO_TEMPORARY_RSA_PARAMS are no longer returned by the handshake function. Ciphersuites that require temporary parameters are removed when such parameters do not exist. - Added the callbacks gnutls_certificate_client_retrieve_function() and gnutls_certificate_server_retrieve_function(), to allow a client or a server to specify certificates for the handshake without storing them to the credentials structure. - Added support for generating and exporting DSA private keys. - Added gnutls_x509_crt_set_key_usage() and certtool can now set the certificate's key usage. - Added gnutls_openpgp_key_get_key_usage(). -- Nikos Mavroyanopoulos