From ametzler at downhill.at.eu.org Sun Nov 1 13:34:36 2009 From: ametzler at downhill.at.eu.org (Andreas Metzler) Date: Sun, 1 Nov 2009 13:34:36 +0100 Subject: Timebombs in testsuite In-Reply-To: <87hbtik4px.fsf@mocca.josefsson.org> References: <20091026132616.GF3347@downhill.g.la> <87hbtik4px.fsf@mocca.josefsson.org> Message-ID: <20091101123436.GB3320@downhill.g.la> On 2009-10-29 Simon Josefsson wrote: > Andreas Metzler writes: [cert expiry timebomb] > ... > > Can these be handled proactively before they actually break? > Good point. I'm thinking of using something like the patch below. > Thoughts? > /Simon > diff --git a/tests/chainverify.c b/tests/chainverify.c > index 19b27eb..13d4710 100644 > --- a/tests/chainverify.c > +++ b/tests/chainverify.c > @@ -32,6 +32,21 @@ > #include > #include > +/* GnuTLS internally calls time() to find out the current time when > + verifying certificates. To avoid a time bomb, we hard code the > + current time. This should work fine on systems where the library > + call to time is resolved at run-time. */ > +time_t > +time (time_t *t) > +{ > + time_t then = 1256803113; > + > + if (t) > + *t = then; > + > + return then; > +} > + > /* *INDENT-OFF* */ > /* Triggers incorrect verification success on older versions */ Works for me. Applied and uploaded to Debian. thanks, cu andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure' From david.kirkby at onetel.net Sun Nov 1 16:14:58 2009 From: david.kirkby at onetel.net (Dr. David Kirkby) Date: Sun, 01 Nov 2009 15:14:58 +0000 Subject: Build + test problems on OpenSolaris (aka Solaris 11) Message-ID: <4AEDA5F2.5000502@onetel.net> I'm trying to build gnutls-2.8.4 on a Sun Ultra 27 running OpenSolaris (aka Solaris 11). The Ultra 27 has 3.333 GHz Quad core Intel Xeon processor, so is *not* one of Sun's SPARC processors. I'm using gcc 3.4.3. First gnutils-2.8.4 would not build at all, but would give this error message: Undefined first referenced symbol in file inet_ntop ex-serv1.o (symbol belongs to implicit dependency /lib/libnsl.so.1) ld: fatal: symbol referencing errors. No output written to ex-serv1 A web search found someone else having the exact same problem on Solaris 10 (not 11). http://mail-index.netbsd.org/pkgsrc-bugs/2009/06/17/msg032744.html A look in the man page for inet_ntop showed: SYNOPSIS cc [ flag... ] file... -lsocket -lnsl [ library... ] so I tried to configure again, this time adding the 'nsl' library. $ ./configure 'LIBS=-lnsl' That worked, and the code built ok. But it fails one test. ... |<2>| ASSERT: mpi.c:620 |<2>| ASSERT: dn.c:1210 Verifying...sh: line 10: 18564: Memory fault(coredump) FAIL: chainverify ... =================================== 1 of 35 tests failed Please report to bug-gnutls at gnu.org =================================== I noticed someone else had a problem on Solaris with a test failure, which was resolved by changing HUGE_VAL to HUGE, but this was thought to be a compiler bug. http://old.nabble.com/On-dropping--D_REENTRANT--D_THREAD_SAFE-td14620552.html I do not want to waste your time on this test failures until I have verified it with a recent version of gcc. But the requirement to add the library does seem to be necessary with Solaris on x86 platforms. I think it is x86, rather than Solaris 10 vs 11, as the post above shows problems with Solaris 10 on x86, but I know Solaris 10 on SPARC has presented no such issue. Dave -------------- next part -------------- A non-text attachment was scrubbed... Name: typescript.gz Type: application/x-gzip Size: 19050 bytes Desc: not available URL: From simon at josefsson.org Mon Nov 2 11:40:49 2009 From: simon at josefsson.org (Simon Josefsson) Date: Mon, 02 Nov 2009 11:40:49 +0100 Subject: Build + test problems on OpenSolaris (aka Solaris 11) In-Reply-To: <4AEDA5F2.5000502@onetel.net> (David Kirkby's message of "Sun, 01 Nov 2009 15:14:58 +0000") References: <4AEDA5F2.5000502@onetel.net> Message-ID: <87bpjlnr9q.fsf@mocca.josefsson.org> "Dr. David Kirkby" writes: > I'm trying to build gnutls-2.8.4 on a Sun Ultra 27 running OpenSolaris > (aka Solaris 11). The Ultra 27 has 3.333 GHz Quad core Intel Xeon > processor, so is *not* one of Sun's SPARC processors. > > I'm using gcc 3.4.3. > > First gnutils-2.8.4 would not build at all, but would give this error message: > > Undefined first referenced > symbol in file > inet_ntop ex-serv1.o (symbol belongs to > implicit dependency /lib/libnsl.so.1) > ld: fatal: symbol referencing errors. No output written to ex-serv1 > > A web search found someone else having the exact same problem on > Solaris 10 (not 11). > > http://mail-index.netbsd.org/pkgsrc-bugs/2009/06/17/msg032744.html > > A look in the man page for inet_ntop showed: > > SYNOPSIS > cc [ flag... ] file... -lsocket -lnsl [ library... ] > > so I tried to configure again, this time adding the 'nsl' library. > > $ ./configure 'LIBS=-lnsl' > > > That worked, and the code built ok. When you don't use the workaround, what is the value of LIBSOCKET in doc/examples/Makefile? I think it should contain -lnsl, and should be used when linking ex-serv1. Can you show the build output? > But it fails one test. > > > ... > FAIL: chainverify Yep -- known problem, but you could ignore it. It will be fixed in soon to be released 2.8.5. > I noticed someone else had a problem on Solaris with a test failure, > which was resolved by changing HUGE_VAL to HUGE, but this was thought > to be a compiler bug. > > http://old.nabble.com/On-dropping--D_REENTRANT--D_THREAD_SAFE-td14620552.html > > I do not want to waste your time on this test failures until I have > verified it with a recent version of gcc. That was a different problem. But trying with a more recent gcc version may be useful anyway, for the -lnsl issue. > But the requirement to add the library does seem to be necessary with > Solaris on x86 platforms. I think it is x86, rather than Solaris 10 vs > 11, as the post above shows problems with Solaris 10 on x86, but I > know Solaris 10 on SPARC has presented no such issue. Gnulib modules should take care of the -lnsl issue, but it may be that for some reason it is not working properly. /Simon From simon at josefsson.org Mon Nov 2 12:55:43 2009 From: simon at josefsson.org (Simon Josefsson) Date: Mon, 02 Nov 2009 12:55:43 +0100 Subject: GnuTLS 2.8.5 Message-ID: <87eiohm98g.fsf@mocca.josefsson.org> We are proud to announce a new stable GnuTLS release: Version 2.8.5. GnuTLS is a modern C library that implements the standard network security protocol Transport Layer Security (TLS), for use by network applications. GnuTLS is developed for GNU/Linux, but works on many Unix-like systems and comes with a binary installer for Windows. The GnuTLS library is distributed under the terms of the GNU Lesser General Public License version 2.1 (or later). The "extra" GnuTLS library (which contains TLS/IA support, LZO compression and Libgcrypt FIPS-mode handler), the OpenSSL compatibility library, the self tests and the command line tools are all distributed under the GNU General Public License version 3.0 (or later). The manual is distributed under the GNU Free Documentation License version 1.3 (or later). The project page of the library is available at: http://www.gnu.org/software/gnutls/ What's New ========== ** libgnutls: In server side when resuming a session do not overwrite the ** initial session data with the resumed session data. ** libgnutls: Fix PKCS#12 encoding. The error you would get was "The OID is not supported.". Problem introduced for the v2.8.x branch in 2.7.6. ** guile: Compatibility with guile 2.x. By Ludovic Courtes . ** tests: Fix expired cert in chainverify self-test. ** tests: Fix time bomb in chainverify self-test. Reported by Andreas Metzler in . ** API and ABI modifications: No changes since last version. Getting the Software ==================== GnuTLS may be downloaded from one of the mirror sites or direct from . The list of mirrors can be found at . Here are the BZIP2 compressed sources (6.0MB): ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.8.5.tar.bz2 http://ftp.gnu.org/gnu/gnutls/gnutls-2.8.5.tar.bz2 Here are OpenPGP detached signatures signed using key 0xB565716F: ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.8.5.tar.bz2.sig http://ftp.gnu.org/gnu/gnutls/gnutls-2.8.5.tar.bz2.sig Note, that we don't distribute gzip compressed tarballs. In order to check that the version of GnuTLS which you are going to install is an original and unmodified one, you should verify the OpenPGP signature. You can use the command gpg --verify gnutls-2.8.5.tar.bz2.sig This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by that signing key. Make sure that you have the right key, either by checking the fingerprint of that key with other sources or by checking that the key has been signed by a trustworthy other key. The signing key can be identified with the following information: pub 1280R/B565716F 2002-05-05 [expires: 2010-04-21] Key fingerprint = 0424 D4EE 81A0 E3D1 19C6 F835 EDA2 1E94 B565 716F uid Simon Josefsson uid Simon Josefsson sub 1280R/4D5D40AE 2002-05-05 [expires: 2010-04-21] The key is available from: http://josefsson.org/key.txt dns:b565716f.josefsson.org?TYPE=CERT Alternatively, after successfully verifying the OpenPGP signature of this announcement, you could verify that the files match the following checksum values. The values are for SHA-1 and SHA-224 respectively: 5121c52efd4718ad3d8b641d28343b0c6abaa571 gnutls-2.8.5.tar.bz2 9d6f1906e380cc7366e2427493c33b72a137e438cdc9080fba3d84f6 gnutls-2.8.5.tar.bz2 Documentation ============= The manual is available online at: http://www.gnu.org/software/gnutls/documentation.html In particular the following formats are available: HTML: http://www.gnu.org/software/gnutls/manual/html_node/index.html PDF: http://www.gnu.org/software/gnutls/manual/gnutls.pdf For developers there is a GnuTLS API reference manual formatted using the GTK-DOC tools: http://www.gnu.org/software/gnutls/reference/gnutls-gnutls.html For developers interested in improving code quality, we publish Cyclomatic code complexity charts that help you find code that may need review and improvements: http://www.gnu.org/software/gnutls/cyclo/ Also useful are code coverage charts which indicate parts of the source code that needs to be tested better by the included self-tests: http://www.gnu.org/software/gnutls/coverage/ Community ========= If you need help to use GnuTLS, or want to help others, you are invited to join our help-gnutls mailing list, see: http://lists.gnu.org/mailman/listinfo/help-gnutls If you wish to participate in the development of GnuTLS, you are invited to join our gnutls-dev mailing list, see: http://lists.gnu.org/mailman/listinfo/gnutls-devel Windows installer ================= GnuTLS has been ported to the Windows operating system, and a binary installer is available. The installer contains DLLs for application development, manuals, examples, and source code. The installer includes libgpg-error v1.7, libgcrypt v1.4.4, libtasn1 v2.3, and GnuTLS v2.8.5. For more information about GnuTLS for Windows: http://josefsson.org/gnutls4win/ The Windows binary installer and PGP signature: http://josefsson.org/gnutls4win/gnutls-2.8.5.exe (15MB) http://josefsson.org/gnutls4win/gnutls-2.8.5.exe.sig The checksum values for SHA-1 and SHA-224 are: 5dadd78a630f30d3b4b3a34261068e74cba28d80 gnutls-2.8.5.exe 53af38a54ff2f971d9eecfb44f4ab39cc6dbad371ad6425d312eaccd gnutls-2.8.5.exe A ZIP archive containing the Windows binaries: http://josefsson.org/gnutls4win/gnutls-2.8.5.zip (5.3MB) http://josefsson.org/gnutls4win/gnutls-2.8.5.zip.sig The checksum values for SHA-1 and SHA-224 are: b41c0ac3088620bf78996d719b335317cb90405a gnutls-2.8.5.zip 73ca7da90ebac569948114735d6899a08431ebbe15be3d619bec05a3 gnutls-2.8.5.zip A Debian mingw32 package is also available: http://josefsson.org/gnutls4win/mingw32-gnutls_2.8.5-1_all.deb (4.8MB) The checksum values for SHA-1 and SHA-224 are: 4ecb2e7617d8722d090ec96138ce595647c06a82 mingw32-gnutls_2.8.5-1_all.deb cbdd418aea622dfaf9876f563ebc1e192ec0ab90bca8748277501e76 mingw32-gnutls_2.8.5-1_all.deb Internationalization ==================== The GnuTLS library messages have been translated into Czech, Dutch, French, German, Malay, Polish, Swedish, and Vietnamese. We welcome the addition of more translations. Support ======= Improving GnuTLS is costly, but you can help! We are looking for organizations that find GnuTLS useful and wish to contribute back. You can contribute by reporting bugs, improve the software, or donate money or equipment. Commercial support contracts for GnuTLS are available, and they help finance continued maintenance. Simon Josefsson Datakonsult AB, a Stockholm based privately held company, is currently funding GnuTLS maintenance. We are always looking for interesting development projects. See http://josefsson.org/ for more details. The GnuTLS service directory is available at: http://www.gnu.org/software/gnutls/commercial.html Happy Hacking, Simon -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 420 bytes Desc: not available URL: From bkasarov at gmail.com Mon Nov 2 13:13:15 2009 From: bkasarov at gmail.com (Boyan Kasarov) Date: Mon, 02 Nov 2009 14:13:15 +0200 Subject: Build + test problems on OpenSolaris (aka Solaris 11) In-Reply-To: <87bpjlnr9q.fsf@mocca.josefsson.org> References: <4AEDA5F2.5000502@onetel.net> <87bpjlnr9q.fsf@mocca.josefsson.org> Message-ID: <1257163995.3375.200.camel@175-58.evo.bg> Hello, This is the build output for the example gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I../.. -I../../lib/includes -I../../lib/includes -I../../libextra/includes -I../../gl -I../../gl -g -O2 -MT ex-serv-export.o -MD -MP -MF .deps/ex-serv-export.Tpo -c -o ex-serv-export.o ex-serv-export.c mv -f .deps/ex-serv-export.Tpo .deps/ex-serv-export.Po /bin/sh ../../libtool --tag=CC --mode=link gcc -std=gnu99 -g -O2 -no-install -o ex-serv-export ex-serv-export.o libexamples.la ../../lib/libgnutls.la ../../libextra/libgnutls-extra.la ../../gl/libgnu.la -lsocket libtool: link: gcc -std=gnu99 -g -O2 -o ex-serv-export ex-serv-export.o ./.libs/libexamples.a ../../lib/.libs/libgnutls.so ../../libextra/.libs/libgnutls-extra.so /export/home/derex/workspace/gnutls-2.9.8/lib/.libs/libgnutls.so -ltasn1 -lz -lgcrypt ../../gl/.libs/libgnu.a -lsocket -R/export/home/derex/workspace/gnutls-2.9.8/lib/.libs -R/export/home/derex/workspace/gnutls-2.9.8/libextra/.libs -R/tmp/gnutls/lib ld: warning: file /export/home/derex/workspace/gnutls-2.9.8/lib/.libs/libgnutls.so: linked to ../../lib/.libs/libgnutls.so: attempted multiple inclusion of file Undefined first referenced symbol in file inet_ntop ex-serv-export.o (symbol belongs to implicit dependency /lib/libnsl.so.1) ld: fatal: symbol referencing errors. No output written to ex-serv-export On Mon, 2009-11-02 at 11:40 +0100, Simon Josefsson wrote: > When you don't use the workaround, what is the value of LIBSOCKET in > doc/examples/Makefile? I think it should contain -lnsl, and should be > used when linking ex-serv1. Can you show the build output? LIBSOCKET = -lsocket Boyan From david.kirkby at onetel.net Mon Nov 2 13:58:53 2009 From: david.kirkby at onetel.net (Dr. David Kirkby) Date: Mon, 02 Nov 2009 12:58:53 +0000 Subject: Build + test problems on OpenSolaris (aka Solaris 11) In-Reply-To: <87iqdtcd9l.fsf@mocca.josefsson.org> References: <4AEDA5F2.5000502@onetel.net> <87bpjlnr9q.fsf@mocca.josefsson.org> <1257163995.3375.200.camel@175-58.evo.bg> <87iqdtcd9l.fsf@mocca.josefsson.org> Message-ID: <4AEED78D.5090206@onetel.net> Simon Josefsson wrote: > The GnuTLS team received the bug report below, but it appears to be a > gnulib issue. > How about this patch? Not tested on Solaris systems, but posted for > review of my general idea. > > /Simon I'll check that later. I would add, if any developer wants access to a Solaris system, I can arrange that on a permanent basis. Sun donated a Sun T5240 (16 cores) to the Sage project. http://www.sagemath.org/ Anyone writing code used in Sage in any way, would be welcome to an account on that SPARC machine. Just drop me a private email with your preferred username and I'll set you an account up on that at the University of Washington. This particular issue is only seen on Solaris 11 to my knowledge, despite the fact that the library function has not changed between Solaris 10 and 11. I will need to sort out the best way to get you an account on a Solaris 11 (OpenSolaris x86) system, but doing it will be no problem. It would take me a bit longer. (As a short term solution, I do not mind doing do on my own personal machine, but a better longer term solution would be at the university.) BTW, if you want to install OpenSolaris on a linux box, you can use VirtualBox. Both VirtualBox and Solaris are free. Just run Solaris as a virtual machine. PS, for what it is worth, this builds fine on HP C3600 workstation with a PA-RISC processor running HP-UX 11.11. At some point over the next few months, I might try it on IBM's AIX. Dave From nmav at gnutls.org Mon Nov 2 20:13:39 2009 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Mon, 02 Nov 2009 21:13:39 +0200 Subject: TLS 1.2 server In-Reply-To: <873a56cxty.fsf@mocca.josefsson.org> References: <87iqf1p592.fsf@broken.deisui.org> <87r5tp56c4.fsf@mocca.josefsson.org> <87ske44pfy.fsf@mocca.josefsson.org> <87pr98eha4.fsf@broken.deisui.org> <87eipo4jgc.fsf@mocca.josefsson.org> <87ljjwdv8c.fsf@broken.deisui.org> <87zl8buyc2.fsf@mocca.josefsson.org> <4AE26E73.4070907@gnutls.org> <873a56cxty.fsf@mocca.josefsson.org> Message-ID: <4AEF2F63.4080103@gnutls.org> Simon Josefsson wrote: > That's missing, right. Client-authentication with TLS 1.2 and > certificate signing callbacks doesn't seem to be working right either, > the sign callback receives a string of size 36 (SHA1+MD5) but it should > be a PKCS#1 SHA1/SHA2 structure. Hi, I think I fixed this part during the weekend, however I don't know if the value received by the callback is what it is expected. > Yeah, I know. :-( > > My plan was to create some helper functions to do the hashing, and set > up separate hashing for all of MD5, SHA-1, SHA-2 and let the later code > figure out which hash to actually use. This is wasteful, but that is > the TLS 1.2 design. I now use only SHA-1 and SHA-256 and wait for a fix in TLS 1.3 :) (MD5 is no use for a signature anyway, and the rest... just allow SHA-256 :) regards, Nikos From simon at josefsson.org Tue Nov 3 07:35:54 2009 From: simon at josefsson.org (Simon Josefsson) Date: Tue, 03 Nov 2009 07:35:54 +0100 Subject: TLS 1.2 server In-Reply-To: <4AEF2F63.4080103@gnutls.org> (Nikos Mavrogiannopoulos's message of "Mon, 02 Nov 2009 21:13:39 +0200") References: <87iqf1p592.fsf@broken.deisui.org> <87r5tp56c4.fsf@mocca.josefsson.org> <87ske44pfy.fsf@mocca.josefsson.org> <87pr98eha4.fsf@broken.deisui.org> <87eipo4jgc.fsf@mocca.josefsson.org> <87ljjwdv8c.fsf@broken.deisui.org> <87zl8buyc2.fsf@mocca.josefsson.org> <4AE26E73.4070907@gnutls.org> <873a56cxty.fsf@mocca.josefsson.org> <4AEF2F63.4080103@gnutls.org> Message-ID: <87k4y89ktx.fsf@mocca.josefsson.org> Nikos Mavrogiannopoulos writes: > Simon Josefsson wrote: > >> That's missing, right. Client-authentication with TLS 1.2 and >> certificate signing callbacks doesn't seem to be working right either, >> the sign callback receives a string of size 36 (SHA1+MD5) but it should >> be a PKCS#1 SHA1/SHA2 structure. > > Hi, > I think I fixed this part during the weekend, however I don't know if > the value received by the callback is what it is expected. Great, I'll check it. Btw, I backed out some patch from the gnutls-2.8 branch because it was added after I made the release candidate and I didn't want to delay the release. The patch looked quite large though, is it really appropriate for 2.8.x? TLS 1.2 isn't enabled by default in 2.8 because it never worked well, so I don't think TLS 1.2 related fixes are suitable for that branch. >> Yeah, I know. :-( >> >> My plan was to create some helper functions to do the hashing, and set >> up separate hashing for all of MD5, SHA-1, SHA-2 and let the later code >> figure out which hash to actually use. This is wasteful, but that is >> the TLS 1.2 design. > > I now use only SHA-1 and SHA-256 and wait for a fix in TLS 1.3 :) > (MD5 is no use for a signature anyway, and the rest... just allow SHA-256 :) Let's see if it gets fixed... I'm not holding my breath. /Simon From nmav at gnutls.org Tue Nov 3 19:20:14 2009 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Tue, 03 Nov 2009 20:20:14 +0200 Subject: TLS 1.2 server In-Reply-To: <87k4y89ktx.fsf@mocca.josefsson.org> References: <87iqf1p592.fsf@broken.deisui.org> <87r5tp56c4.fsf@mocca.josefsson.org> <87ske44pfy.fsf@mocca.josefsson.org> <87pr98eha4.fsf@broken.deisui.org> <87eipo4jgc.fsf@mocca.josefsson.org> <87ljjwdv8c.fsf@broken.deisui.org> <87zl8buyc2.fsf@mocca.josefsson.org> <4AE26E73.4070907@gnutls.org> <873a56cxty.fsf@mocca.josefsson.org> <4AEF2F63.4080103@gnutls.org> <87k4y89ktx.fsf@mocca.josefsson.org> Message-ID: <4AF0745E.4030702@gnutls.org> Simon Josefsson wrote: > Btw, I backed out some patch from the gnutls-2.8 branch because it was > added after I made the release candidate and I didn't want to delay the > release. The patch looked quite large though, is it really appropriate > for 2.8.x? TLS 1.2 isn't enabled by default in 2.8 because it never > worked well, so I don't think TLS 1.2 related fixes are suitable for > that branch. I was also worrying about it since it was many fixes in one. The only reason I committed it, was because it fixed the memory leak issue in interrupted handshake. regards, Nikos From simon at josefsson.org Wed Nov 4 12:31:26 2009 From: simon at josefsson.org (Simon Josefsson) Date: Wed, 04 Nov 2009 12:31:26 +0100 Subject: TLS 1.2 server In-Reply-To: <4AF0745E.4030702@gnutls.org> (Nikos Mavrogiannopoulos's message of "Tue, 03 Nov 2009 20:20:14 +0200") References: <87iqf1p592.fsf@broken.deisui.org> <87r5tp56c4.fsf@mocca.josefsson.org> <87ske44pfy.fsf@mocca.josefsson.org> <87pr98eha4.fsf@broken.deisui.org> <87eipo4jgc.fsf@mocca.josefsson.org> <87ljjwdv8c.fsf@broken.deisui.org> <87zl8buyc2.fsf@mocca.josefsson.org> <4AE26E73.4070907@gnutls.org> <873a56cxty.fsf@mocca.josefsson.org> <4AEF2F63.4080103@gnutls.org> <87k4y89ktx.fsf@mocca.josefsson.org> <4AF0745E.4030702@gnutls.org> Message-ID: <87bpjijzld.fsf@mocca.josefsson.org> Nikos Mavrogiannopoulos writes: > Simon Josefsson wrote: > >> Btw, I backed out some patch from the gnutls-2.8 branch because it was >> added after I made the release candidate and I didn't want to delay the >> release. The patch looked quite large though, is it really appropriate >> for 2.8.x? TLS 1.2 isn't enabled by default in 2.8 because it never >> worked well, so I don't think TLS 1.2 related fixes are suitable for >> that branch. > > I was also worrying about it since it was many fixes in one. The only > reason I committed it, was because it fixed the memory leak issue in > interrupted handshake. Is it possible to fix only that leak without the other stuff? /Simon From bradh at frogmouth.net Thu Nov 5 02:32:26 2009 From: bradh at frogmouth.net (Brad Hards) Date: Thu, 5 Nov 2009 12:32:26 +1100 Subject: building recent git Message-ID: <200911051232.26679.bradh@frogmouth.net> Hi, I'm having a problem with building a recent git checkout. "make bootstrap" results in configure: summary of build options: version: 2.9.8 shared 42:3:16 Host type: i686-pc-linux-gnu Install prefix: /usr/local Compiler: gcc -std=gnu99 Warning flags: errors: -Werror warnings: -Wall -W -Wformat-security -Winit-self -Wmissing-include-dirs -Wunused -Wunknown- pragmas -Wstrict-aliasing -Wfloat-equal -Wdeclaration-after-statement -Wpointer-arith -Wbad-function-cast -Wcast-align -Wwrite- strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wmissing-noreturn -Wmissing-format-attribute - Wpacked -Wredundant-decls -Wnested-externs -Winline -Winvalid-pch -Wlong-long -Wvla -Wvolatile-register-var -Wdisabled- optimization -Wstack-protector -Woverlength-strings -Wbuiltin-macro-redefined -Wmudflap -Wpacked-bitfield-compat -Wsync-nand - Wattributes -Wcoverage-mismatch -Wmultichar -Wunused-macros -Wno-missing-field-initializers -Wno-sign-compare -Wno-pointer- sign -Wno-unused-parameter -Wno-unused-parameter -Wno-stack-protector -fdiagnostics-show-option Library types: Shared=yes, Static=yes Valgrind: valgrind Guile wrappers: yes C++ library: yes OpenSSL library: yes makeobj[0]: Leaving directory `/home/bradh-dev/gnutls-git' I then make, and it dies with: libtool: compile: gcc -DHAVE_CONFIG_H -I. -DLOCALEDIR=\"/usr/local/share/locale\" -I./gl -I./gl -I./includes -I./includes -I./x509 - I./opencdk -Werror -Wframe-larger-than=2100 -Wall -W -Wformat-security -Winit-self -Wmissing-include-dirs -Wunused -Wunknown- pragmas -Wstrict-aliasing -Wfloat-equal -Wdeclaration-after-statement -Wpointer-arith -Wbad-function-cast -Wcast-align -Wwrite- strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wmissing-noreturn -Wmissing-format-attribute - Wpacked -Wredundant-decls -Wnested-externs -Winline -Winvalid-pch -Wlong-long -Wvla -Wvolatile-register-var -Wdisabled- optimization -Wstack-protector -Woverlength-strings -Wbuiltin-macro-redefined -Wmudflap -Wpacked-bitfield-compat -Wsync-nand - Wattributes -Wcoverage-mismatch -Wmultichar -Wunused-macros -Wno-missing-field-initializers -Wno-sign-compare -Wno-pointer- sign -Wno-unused-parameter -Wno-unused-parameter -Wno-stack-protector -fdiagnostics-show-option -g -O2 -MT auth_cert.lo -MD - MP -MF .deps/auth_cert.Tpo -c auth_cert.c -fPIC -DPIC -o .libs/auth_cert.o cc1: warnings being treated as errors auth_cert.c: In function '_gnutls_proc_x509_server_certificate': auth_cert.c:1030: error: implicit declaration of function '_gnutls_session_sign_algo_enabled' [-Wimplicit-function-declaration] auth_cert.c:1030: error: nested extern declaration of '_gnutls_session_sign_algo_enabled' [-Wnested-externs] auth_cert.c: In function '_gnutls_proc_cert_cert_req': auth_cert.c:1371: error: implicit declaration of function '_gnutls_sign_algorithm_parse_data' [-Wimplicit-function-declaration] auth_cert.c:1371: error: nested extern declaration of '_gnutls_sign_algorithm_parse_data' [-Wnested-externs] auth_cert.c: In function '_gnutls_gen_cert_server_cert_req': auth_cert.c:1617: error: implicit declaration of function '_gnutls_sign_algorithm_write_params' [-Wimplicit-function-declaration] auth_cert.c:1617: error: nested extern declaration of '_gnutls_sign_algorithm_write_params' [-Wnested-externs] auth_cert.c: In function '_gnutls_server_select_cert': auth_cert.c:1929: error: implicit declaration of function '_gnutls_session_sign_algo_requested' [-Wimplicit-function-declaration] auth_cert.c:1929: error: nested extern declaration of '_gnutls_session_sign_algo_requested' [-Wnested-externs] make[4]: *** [auth_cert.lo] Error 1 make[4]: Leaving directory `/home/bradh-dev/gnutls-git/lib' make[3]: *** [all-recursive] Error 1 make[3]: Leaving directory `/home/bradh-dev/gnutls-git/lib' make[2]: *** [all] Error 2 make[2]: Leaving directory `/home/bradh-dev/gnutls-git/lib' make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory `/home/bradh-dev/gnutls-git' make: *** [all] Error 2 makeobj[0]: Leaving directory `/home/bradh-dev/gnutls-git' Does that look familiar to anyone? Brad From bradh at frogmouth.net Thu Nov 5 03:14:21 2009 From: bradh at frogmouth.net (Brad Hards) Date: Thu, 5 Nov 2009 13:14:21 +1100 Subject: [patch] Re: building recent git In-Reply-To: <200911051232.26679.bradh@frogmouth.net> References: <200911051232.26679.bradh@frogmouth.net> Message-ID: <200911051314.21558.bradh@frogmouth.net> On Thursday 05 November 2009 12:32:26 Brad Hards wrote: [snip build problem] Just a missing header. See below for the fix. diff --git a/lib/auth_cert.c b/lib/auth_cert.c index d637316..2cd8b58 100644 --- a/lib/auth_cert.c +++ b/lib/auth_cert.c @@ -35,6 +35,7 @@ #include "gnutls_num.h" #include "libtasn1.h" #include "gnutls_datum.h" +#include "ext_signature.h" #include #include #include There are a couple more fixes required. Brad From bradh at frogmouth.net Thu Nov 5 03:17:56 2009 From: bradh at frogmouth.net (Brad Hards) Date: Thu, 5 Nov 2009 13:17:56 +1100 Subject: [patch] building recent git In-Reply-To: <200911051232.26679.bradh@frogmouth.net> References: <200911051232.26679.bradh@frogmouth.net> Message-ID: <200911051317.56581.bradh@frogmouth.net> On Thursday 05 November 2009 12:32:26 Brad Hards wrote: Next problem: libtool: compile: gcc -DHAVE_CONFIG_H -I. - DLOCALEDIR=\"/usr/local/share/locale\" -I./gl -I./gl -I./includes -I./includes -I./x509 -I./opencdk -Werror -Wframe-larger-than=2100 -Wall -W -Wformat- security -Winit-self -Wmissing-include-dirs -Wunused -Wunknown-pragmas - Wstrict-aliasing -Wfloat-equal -Wdeclaration-after-statement -Wpointer-arith - Wbad-function-cast -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing- prototypes -Wmissing-declarations -Wmissing-noreturn -Wmissing-format- attribute -Wpacked -Wredundant-decls -Wnested-externs -Winline -Winvalid-pch - Wlong-long -Wvla -Wvolatile-register-var -Wdisabled-optimization -Wstack- protector -Woverlength-strings -Wbuiltin-macro-redefined -Wmudflap -Wpacked- bitfield-compat -Wsync-nand -Wattributes -Wcoverage-mismatch -Wmultichar - Wunused-macros -Wno-missing-field-initializers -Wno-sign-compare -Wno-pointer- sign -Wno-unused-parameter -Wno-unused-parameter -Wno-stack-protector - fdiagnostics-show-option -g -O2 -MT ext_signature.lo -MD -MP -MF .deps/ext_signature.Tpo -c ext_signature.c -fPIC -DPIC -o .libs/ext_signature.o cc1: warnings being treated as errors ext_signature.c: In function '_gnutls_sign_algorithm_write_params': ext_signature.c:44: error: unused variable 'ret' [-Wunused-variable] Fix: diff --git a/lib/ext_signature.c b/lib/ext_signature.c index cd12fc7..93a0d08 100644 --- a/lib/ext_signature.c +++ b/lib/ext_signature.c @@ -41,7 +41,6 @@ int _gnutls_sign_algorithm_write_params(gnutls_session_t session, opaque *data, { opaque* p = data; int len, i ,j; -int ret; sign_algorithm_st aid; len = session->internals.priorities.sign_algo.algorithms * 2; From bradh at frogmouth.net Thu Nov 5 03:44:45 2009 From: bradh at frogmouth.net (Brad Hards) Date: Thu, 5 Nov 2009 13:44:45 +1100 Subject: [patch] update M4 for INET_NTOP and INET_PTON checks. In-Reply-To: <200911051232.26679.bradh@frogmouth.net> References: <200911051232.26679.bradh@frogmouth.net> Message-ID: <200911051344.45826.bradh@frogmouth.net> libtool: link: gcc -std=gnu99 -g -O2 -o ex-client2 ex-client2.o none required none required ./.libs/libexamples.a ../../lib/.libs/libgnutls.so - L/usr/local/lib ../../libextra/.libs/libgnutls-extra.so /home/bradh- dev/gnutls-git/lib/.libs/libgnutls.so -ltasn1 -lz /usr/local/lib/libgcrypt.so -lgpg-error ../../gl/.libs/libgnu.a -Wl,-rpath -Wl,/home/bradh-dev/gnutls- git/lib/.libs -Wl,-rpath -Wl,/home/bradh-dev/gnutls-git/libextra/.libs gcc: none: No such file or directory gcc: required: No such file or directory gcc: none: No such file or directory gcc: required: No such file or directory make[4]: *** [ex-client2] Error 1 make[4]: Leaving directory `/home/bradh-dev/gnutls-git/doc/examples' make[3]: *** [all-recursive] Error 1 make[3]: Leaving directory `/home/bradh-dev/gnutls-git/doc' make[2]: *** [all] Error 2 make[2]: Leaving directory `/home/bradh-dev/gnutls-git/doc' make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory `/home/bradh-dev/gnutls-git' make: *** [all] Error 2 makeobj[0]: Leaving directory `/home/bradh-dev/gnutls-git' Fix: diff --git a/gl/m4/inet_ntop.m4 b/gl/m4/inet_ntop.m4 index 85a6bb6..ea645f2 100644 --- a/gl/m4/inet_ntop.m4 +++ b/gl/m4/inet_ntop.m4 @@ -18,7 +18,8 @@ AC_DEFUN([gl_INET_NTOP], [AC_REPLACE_FUNCS([inet_ntop])]) LIBS=$gl_save_LIBS INET_NTOP_LIB= - if test "$ac_cv_search_inet_ntop" != "none needed"; then + if test "$ac_cv_search_inet_ntop" != "none needed" && + test "$ac_cv_search_inet_ntop" != "none required"; then INET_NTOP_LIB="$ac_cv_search_inet_ntop" fi AC_SUBST([INET_NTOP_LIB]) diff --git a/gl/m4/inet_pton.m4 b/gl/m4/inet_pton.m4 index f071801..068deee 100644 --- a/gl/m4/inet_pton.m4 +++ b/gl/m4/inet_pton.m4 @@ -18,7 +18,8 @@ AC_DEFUN([gl_INET_PTON], [AC_REPLACE_FUNCS([inet_pton])]) LIBS=$gl_save_LIBS INET_PTON_LIB= - if test "$ac_cv_search_inet_pton" != "none needed"; then + if test "$ac_cv_search_inet_pton" != "none needed" && + test "$ac_cv_search_inet_pton" != "none required"; then INET_PTON_LIB="$ac_cv_search_inet_pton" fi AC_SUBST([INET_PTON_LIB]) Brad From dispensa at phonefactor.com Thu Nov 5 04:53:38 2009 From: dispensa at phonefactor.com (Steve Dispensa) Date: Wed, 04 Nov 2009 21:53:38 -0600 Subject: TLS renegotiation MITM Message-ID: Hi, A colleague and I have released details of a new attack against TLS in the area of renegotiation. Information is here: http://extendedsubset.com/?p=8 During the process of running this bug (and its proposed solution) to ground, I implemented a patch to GNUTLS, attached. There are also two new files that implement the extension that solves the problem. There is lots of background in the above link, but the one missing part is the Internet Draft that has been tentatively agreed on by most of the major vendors (pending IETF action, of course). That draft is what I have implemented, and you should see it posted to the TLS IETF list tomorrow morning. I'd be happy to help in any way I can. Thanks. -Steve -------------- next part -------------- A non-text attachment was scrubbed... Name: ext_safe_renegotiation.c Type: application/octet-stream Size: 3381 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: ext_safe_renegotiation.h Type: application/octet-stream Size: 1283 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: gnutls-safe-renegotiation.patch Type: application/octet-stream Size: 6298 bytes Desc: not available URL: From simon at josefsson.org Thu Nov 5 08:50:36 2009 From: simon at josefsson.org (Simon Josefsson) Date: Thu, 05 Nov 2009 08:50:36 +0100 Subject: [patch] Re: building recent git In-Reply-To: <200911051314.21558.bradh@frogmouth.net> (Brad Hards's message of "Thu, 5 Nov 2009 13:14:21 +1100") References: <200911051232.26679.bradh@frogmouth.net> <200911051314.21558.bradh@frogmouth.net> Message-ID: <87eiodif5f.fsf@mocca.josefsson.org> Brad Hards writes: > +#include "ext_signature.h" Pushed, thanks! > -int ret; This too. > Fix: > diff --git a/gl/m4/inet_ntop.m4 b/gl/m4/inet_ntop.m4 > index 85a6bb6..ea645f2 100644 > --- a/gl/m4/inet_ntop.m4 > +++ b/gl/m4/inet_ntop.m4 > @@ -18,7 +18,8 @@ AC_DEFUN([gl_INET_NTOP], > [AC_REPLACE_FUNCS([inet_ntop])]) > LIBS=$gl_save_LIBS > INET_NTOP_LIB= > - if test "$ac_cv_search_inet_ntop" != "none needed"; then > + if test "$ac_cv_search_inet_ntop" != "none needed" && > + test "$ac_cv_search_inet_ntop" != "none required"; then > INET_NTOP_LIB="$ac_cv_search_inet_ntop" > fi > AC_SUBST([INET_NTOP_LIB]) > diff --git a/gl/m4/inet_pton.m4 b/gl/m4/inet_pton.m4 > index f071801..068deee 100644 > --- a/gl/m4/inet_pton.m4 > +++ b/gl/m4/inet_pton.m4 > @@ -18,7 +18,8 @@ AC_DEFUN([gl_INET_PTON], > [AC_REPLACE_FUNCS([inet_pton])]) > LIBS=$gl_save_LIBS > INET_PTON_LIB= > - if test "$ac_cv_search_inet_pton" != "none needed"; then > + if test "$ac_cv_search_inet_pton" != "none needed" && > + test "$ac_cv_search_inet_pton" != "none required"; then > INET_PTON_LIB="$ac_cv_search_inet_pton" > fi > AC_SUBST([INET_PTON_LIB]) Applied, but also forwarded to the gnulib list since this seems like a potential bigger issue. /Simon From bradh at frogmouth.net Thu Nov 5 11:10:05 2009 From: bradh at frogmouth.net (Brad Hards) Date: Thu, 5 Nov 2009 21:10:05 +1100 Subject: Running "make check" under valgrind Message-ID: <200911052110.06021.bradh@frogmouth.net> Hi, When I run "make check" with valgrind support, I'm seeing about 20 tests that are showing valgrind errors. Looks like a common backtrace: ==28786== Conditional jump or move depends on uninitialised value(s) ==28786== at 0x4130789: _gcry_mpi_print (mpicoder.c:583) ==28786== by 0x40E4A48: gcry_mpi_print (visibility.c:308) ==28786== by 0x40474B8: wrap_gcry_mpi_print (mpi-libgcrypt.c:76) ==28786== by 0x4044109: _gnutls_dh_common_print_server_kx (auth_dh_common.c:326) ==28786== by 0x404F3F3: gen_psk_server_kx (auth_dhe_psk.c:157) ==28786== by 0x4027C57: _gnutls_send_server_kx_message (gnutls_kx.c:200) ==28786== by 0x40245D7: _gnutls_handshake_server (gnutls_handshake.c:2762) ==28786== by 0x4024C89: gnutls_handshake (gnutls_handshake.c:2435) ==28786== by 0x8049717: doit (dhepskself.c:272) ==28786== by 0x80499EC: main (utils.c:148) ==28786== ==28786== Conditional jump or move depends on uninitialised value(s) ==28786== at 0x4130789: _gcry_mpi_print (mpicoder.c:583) ==28786== by 0x40E4A48: gcry_mpi_print (visibility.c:308) ==28786== by 0x40474B8: wrap_gcry_mpi_print (mpi-libgcrypt.c:76) ==28786== by 0x404412C: _gnutls_dh_common_print_server_kx (auth_dh_common.c:327) ==28786== by 0x404F3F3: gen_psk_server_kx (auth_dhe_psk.c:157) ==28786== by 0x4027C57: _gnutls_send_server_kx_message (gnutls_kx.c:200) ==28786== by 0x40245D7: _gnutls_handshake_server (gnutls_handshake.c:2762) ==28786== by 0x4024C89: gnutls_handshake (gnutls_handshake.c:2435) ==28786== by 0x8049717: doit (dhepskself.c:272) ==28786== by 0x80499EC: main (utils.c:148) ==28786== ==28786== Conditional jump or move depends on uninitialised value(s) ==28786== at 0x4130789: _gcry_mpi_print (mpicoder.c:583) ==28786== by 0x40E4A48: gcry_mpi_print (visibility.c:308) ==28786== by 0x40474B8: wrap_gcry_mpi_print (mpi-libgcrypt.c:76) ==28786== by 0x404414F: _gnutls_dh_common_print_server_kx (auth_dh_common.c:328) ==28786== by 0x404F3F3: gen_psk_server_kx (auth_dhe_psk.c:157) ==28786== by 0x4027C57: _gnutls_send_server_kx_message (gnutls_kx.c:200) ==28786== by 0x40245D7: _gnutls_handshake_server (gnutls_handshake.c:2762) ==28786== by 0x4024C89: gnutls_handshake (gnutls_handshake.c:2435) ==28786== by 0x8049717: doit (dhepskself.c:272) ==28786== by 0x80499EC: main (utils.c:148) ==28787== Conditional jump or move depends on uninitialised value(s) ==28787== at 0x4130789: _gcry_mpi_print (mpicoder.c:583) ==28787== by 0x40E4A48: gcry_mpi_print (visibility.c:308) ==28787== by 0x40474B8: wrap_gcry_mpi_print (mpi-libgcrypt.c:76) ==28787== by 0x40447A6: _gnutls_gen_dh_common_client_kx (auth_dh_common.c:142) ==28787== by 0x404F1D9: gen_psk_client_kx (auth_dhe_psk.c:89) ==28787== by 0x4027A1F: _gnutls_send_client_kx_message (gnutls_kx.c:295) ==28787== by 0x4023F5F: _gnutls_handshake_client (gnutls_handshake.c:2576) ==28787== by 0x4024D07: gnutls_handshake (gnutls_handshake.c:2431) ==28787== by 0x8049304: client (dhepskself.c:93) ==28787== by 0x8049566: doit (dhepskself.c:351) ==28787== by 0x80499EC: main (utils.c:148) Is anyone else seeing this? Brad From dam at opencsw.org Thu Nov 5 12:32:38 2009 From: dam at opencsw.org (Dagobert Michelsen) Date: Thu, 5 Nov 2009 12:32:38 +0100 Subject: GNUTLS 2.8.5: Assertion failed on Solaris 8 Sparc Message-ID: Hi, I have a failed test in 2.8.5 on Solaris 8 Sparc with Sun Studio 11: > gmake check-TESTS > gmake[9]: Entering directory `/home/dam/mgar/pkg/gnutls/trunk/work/ > solaris8-sparc/build-isa-sparcv8/gnutls-2.8.5/lib/gl/tests' > PASS: test-alloca-opt > PASS: test-byteswap > PASS: test-c-ctype > PASS: test-errno > PASS: test-fseeko.sh > PASS: test-fseeko2.sh > test-func.c:40: assertion failed > FAIL: test-func > PASS: test-netdb > PASS: test-read-file > PASS: test-snprintf I adjust the code to show what exactly is failing: > int > main () > { > printf( "%d %d\n", strlen (__func__), sizeof __func__ ); > ASSERT (strlen (__func__) + 1 == sizeof __func__); > return 0; > } > build8s% ./test-func > 4 0 > test-func.c:41: assertion failed > zsh: IOT instruction (core dumped) ./test-func I guess __func__ is kindof empty... Should this concern me? Best regards -- Dago From dam at opencsw.org Thu Nov 5 13:27:35 2009 From: dam at opencsw.org (Dagobert Michelsen) Date: Thu, 5 Nov 2009 13:27:35 +0100 Subject: Problem with linking when compiling GNUTLS Message-ID: <6CE33B59-7483-4304-9F9F-14D5D35DFAB0@opencsw.org> Hi, when I try to compile GNUTLS 2.8.5 on Solaris 8 Sparc with Sun Studio 11 against libgcrypt the configure-script has problems linking to it: > configure:7443: /opt/studio/SOS11/SUNWspro/bin/cc -o conftest -xO3 - > xarch=v8 -I/opt/csw/include -I/opt/csw/include -xarch=v8 -L/opt/csw/ > lib conftest.c /opt/csw/lib/libgcrypt.so -R/opt/csw/lib >&5 > Undefined first referenced > symbol in file > gpg_err_code_from_errno conftest.o (symbol belongs to > implicit dependency /opt/csw/lib/libgpg-error.so.0) > gpg_err_code_from_syserror conftest.o (symbol belongs to > implicit dependency /opt/csw/lib/libgpg-error.so.0) > ld: fatal: Symbol referencing errors. No output written to conftest The problem is that configure links directly to libgcrypt.so instead of what is correctly reported: > build8s% /opt/csw/bin/libgcrypt-config --libs > -L/opt/csw/lib -lgcrypt -lgpg-error Adding "-L/opt/csw/lib -lgpg-error" manually solves the problem. Additionally, there is an issue with missing networks libs on Solaris: > DEPDIR=.deps depmode=none /bin/bash ../../build-aux/depcomp \ > /opt/studio/SOS11/SUNWspro/bin/cc -DHAVE_CONFIG_H -I. - > I../.. -I../../lib/includes -I../../lib/includes -I../../libextra/ > includes -I../../gl -I../../gl -I/opt/csw/include -xO3 -xarch=v8 - > I/opt/csw/include -c ex-serv1.c > "ex-serv1.c", line 195: warning: statement not reached > /bin/bash ../../libtool --tag=CC --mode=link /opt/studio/SOS11/ > SUNWspro/bin/cc -xO3 -xarch=v8 -I/opt/csw/include -no-install - > xarch=v8 -L/opt/csw/lib -lgpg-error -L/opt/csw/lib -o ex-serv1 ex- > serv1.o libexamples.la ../../lib/libgnutls.la ../../libextra/ > libgnutls-extra.la ../../gl/libgnu.la -lsocket > libtool: link: /opt/studio/SOS11/SUNWspro/bin/cc -xO3 -xarch=v8 -I/ > opt/csw/include -xarch=v8 -o ex-serv1 ex-serv1.o -L/opt/csw/ > lib ./.libs/libexamples.a ../../lib/.libs/libgnutls.so ../../ > libextra/.libs/libgnutls-extra.so /home/dam/mgar/pkg/gnutls/trunk/ > work/solaris8-sparc/build-isa-sparcv8/gnutls-2.8.5/lib/.libs/ > libgnutls.so -ltasn1 -lz -lgcrypt -lintl ../../gl/.libs/libgnu.a - > lgpg-error -lsocket -R/home/dam/mgar/pkg/gnutls/trunk/work/solaris8- > sparc/build-isa-sparcv8/gnutls-2.8.5/lib/.libs -R/home/dam/mgar/pkg/ > gnutls/trunk/work/solaris8-sparc/build-isa-sparcv8/gnutls-2.8.5/ > libextra/.libs -R/opt/csw/lib > ld: warning: file /home/dam/mgar/pkg/gnutls/trunk/work/solaris8- > sparc/build-isa-sparcv8/gnutls-2.8.5/lib/.libs/libgnutls.so: linked > to ../../lib/.libs/libgnutls.so: attempted multiple inclusion of file > Undefined first referenced > symbol in file > inet_ntop ex-serv1.o (symbol belongs to > implicit dependency /lib/libnsl.so.1) > ld: fatal: Symbol referencing errors. No output written to ex-serv1 > gmake[6]: *** [ex-serv1] Error 1 > gmake[6]: Leaving directory `/home/dam/mgar/pkg/gnutls/trunk/work/ > solaris8-sparc/build-isa-sparcv8/gnutls-2.8.5/doc/examples' > gmake[5]: *** [all-recursive] Error 1 > gmake[5]: Leaving directory `/home/dam/mgar/pkg/gnutls/trunk/work/ > solaris8-sparc/build-isa-sparcv8/gnutls-2.8.5/doc' This can be solved by adding -lsocket -lnsl which shoud be autodetected during configure. Best regards -- Dago From simon at josefsson.org Thu Nov 5 13:58:18 2009 From: simon at josefsson.org (Simon Josefsson) Date: Thu, 05 Nov 2009 13:58:18 +0100 Subject: Running "make check" under valgrind In-Reply-To: <200911052110.06021.bradh@frogmouth.net> (Brad Hards's message of "Thu, 5 Nov 2009 21:10:05 +1100") References: <200911052110.06021.bradh@frogmouth.net> Message-ID: <87hbt9f7rp.fsf@mocca.josefsson.org> Brad Hards writes: > Hi, > > When I run "make check" with valgrind support, I'm seeing about 20 tests that > are showing valgrind errors. Looks like a common backtrace: > > ==28786== Conditional jump or move depends on uninitialised value(s) > ==28786== at 0x4130789: _gcry_mpi_print (mpicoder.c:583) ... > Is anyone else seeing this? Nope. Which libgcrypt version are you using? /Simon From simon at josefsson.org Thu Nov 5 14:02:50 2009 From: simon at josefsson.org (Simon Josefsson) Date: Thu, 05 Nov 2009 14:02:50 +0100 Subject: GNUTLS 2.8.5: Assertion failed on Solaris 8 Sparc In-Reply-To: (Dagobert Michelsen's message of "Thu, 5 Nov 2009 12:32:38 +0100") References: Message-ID: <87d43xf7k5.fsf@mocca.josefsson.org> Dagobert Michelsen writes: > Hi, > > I have a failed test in 2.8.5 on Solaris 8 Sparc with Sun Studio 11: > >> gmake check-TESTS >> gmake[9]: Entering directory `/home/dam/mgar/pkg/gnutls/trunk/work/ >> solaris8-sparc/build-isa-sparcv8/gnutls-2.8.5/lib/gl/tests' >> PASS: test-alloca-opt >> PASS: test-byteswap >> PASS: test-c-ctype >> PASS: test-errno >> PASS: test-fseeko.sh >> PASS: test-fseeko2.sh >> test-func.c:40: assertion failed >> FAIL: test-func >> PASS: test-netdb >> PASS: test-read-file >> PASS: test-snprintf > > > I adjust the code to show what exactly is failing: > >> int >> main () >> { >> printf( "%d %d\n", strlen (__func__), sizeof __func__ ); >> ASSERT (strlen (__func__) + 1 == sizeof __func__); >> return 0; >> } >> build8s% ./test-func >> 4 0 >> test-func.c:41: assertion failed >> zsh: IOT instruction (core dumped) ./test-func > > I guess __func__ is kindof empty... Should this concern me? __func__ is only used in the guile wrapper: guile/src/utils.c: scm_gnutls_error (GNUTLS_E_UNIMPLEMENTED_FEATURE, __func__); If you don't build the guile libraries, you could ignore it. A sizeof(__func__) == 0 seems odd. What is __func__ on Solaris? Is there some other variable that contains the current function name on Solaris? I think this is a bug in gnulib's func module, so let's continue discussion on the gnulib list. /Simon From simon at josefsson.org Thu Nov 5 14:09:33 2009 From: simon at josefsson.org (Simon Josefsson) Date: Thu, 05 Nov 2009 14:09:33 +0100 Subject: Problem with linking when compiling GNUTLS In-Reply-To: <6CE33B59-7483-4304-9F9F-14D5D35DFAB0@opencsw.org> (Dagobert Michelsen's message of "Thu, 5 Nov 2009 13:27:35 +0100") References: <6CE33B59-7483-4304-9F9F-14D5D35DFAB0@opencsw.org> Message-ID: <87639pf78y.fsf@mocca.josefsson.org> Dagobert Michelsen writes: > Additionally, there is an issue with missing networks libs on Solaris: > >> DEPDIR=.deps depmode=none /bin/bash ../../build-aux/depcomp \ >> /opt/studio/SOS11/SUNWspro/bin/cc -DHAVE_CONFIG_H -I. - >> I../.. -I../../lib/includes -I../../lib/includes -I../../libextra/ >> includes -I../../gl -I../../gl -I/opt/csw/include -xO3 -xarch=v8 - >> I/opt/csw/include -c ex-serv1.c >> "ex-serv1.c", line 195: warning: statement not reached >> /bin/bash ../../libtool --tag=CC --mode=link /opt/studio/SOS11/ >> SUNWspro/bin/cc -xO3 -xarch=v8 -I/opt/csw/include -no-install - >> xarch=v8 -L/opt/csw/lib -lgpg-error -L/opt/csw/lib -o ex-serv1 ex- >> serv1.o libexamples.la ../../lib/libgnutls.la ../../libextra/ >> libgnutls-extra.la ../../gl/libgnu.la -lsocket >> libtool: link: /opt/studio/SOS11/SUNWspro/bin/cc -xO3 -xarch=v8 -I/ >> opt/csw/include -xarch=v8 -o ex-serv1 ex-serv1.o -L/opt/csw/ >> lib ./.libs/libexamples.a ../../lib/.libs/libgnutls.so ../../ >> libextra/.libs/libgnutls-extra.so /home/dam/mgar/pkg/gnutls/trunk/ >> work/solaris8-sparc/build-isa-sparcv8/gnutls-2.8.5/lib/.libs/ >> libgnutls.so -ltasn1 -lz -lgcrypt -lintl ../../gl/.libs/libgnu.a - >> lgpg-error -lsocket -R/home/dam/mgar/pkg/gnutls/trunk/work/solaris8- >> sparc/build-isa-sparcv8/gnutls-2.8.5/lib/.libs -R/home/dam/mgar/pkg/ >> gnutls/trunk/work/solaris8-sparc/build-isa-sparcv8/gnutls-2.8.5/ >> libextra/.libs -R/opt/csw/lib >> ld: warning: file /home/dam/mgar/pkg/gnutls/trunk/work/solaris8- >> sparc/build-isa-sparcv8/gnutls-2.8.5/lib/.libs/libgnutls.so: linked >> to ../../lib/.libs/libgnutls.so: attempted multiple inclusion of >> file >> Undefined first referenced >> symbol in file >> inet_ntop ex-serv1.o (symbol belongs to >> implicit dependency /lib/libnsl.so.1) >> ld: fatal: Symbol referencing errors. No output written to ex-serv1 >> gmake[6]: *** [ex-serv1] Error 1 >> gmake[6]: Leaving directory `/home/dam/mgar/pkg/gnutls/trunk/work/ >> solaris8-sparc/build-isa-sparcv8/gnutls-2.8.5/doc/examples' >> gmake[5]: *** [all-recursive] Error 1 >> gmake[5]: Leaving directory `/home/dam/mgar/pkg/gnutls/trunk/work/ >> solaris8-sparc/build-isa-sparcv8/gnutls-2.8.5/doc' > > This can be solved by adding -lsocket -lnsl which shoud be > autodetected during configure. This should be fixed by the latest changes made to gnulib right now. I'm going to release 2.9.7 shortly, you could test that so that 2.10.x will work OK. /Simon From simon at josefsson.org Thu Nov 5 14:13:34 2009 From: simon at josefsson.org (Simon Josefsson) Date: Thu, 05 Nov 2009 14:13:34 +0100 Subject: Problem with linking when compiling GNUTLS In-Reply-To: <6CE33B59-7483-4304-9F9F-14D5D35DFAB0@opencsw.org> (Dagobert Michelsen's message of "Thu, 5 Nov 2009 13:27:35 +0100") References: <6CE33B59-7483-4304-9F9F-14D5D35DFAB0@opencsw.org> Message-ID: <871vkdf729.fsf@mocca.josefsson.org> Dagobert Michelsen writes: > Hi, > > when I try to compile GNUTLS 2.8.5 on Solaris 8 Sparc with Sun Studio 11 > against libgcrypt the configure-script has problems linking to it: > >> configure:7443: /opt/studio/SOS11/SUNWspro/bin/cc -o conftest -xO3 - >> xarch=v8 -I/opt/csw/include -I/opt/csw/include -xarch=v8 -L/opt/csw/ >> lib conftest.c /opt/csw/lib/libgcrypt.so -R/opt/csw/lib >&5 >> Undefined first referenced >> symbol in file >> gpg_err_code_from_errno conftest.o (symbol belongs to >> implicit dependency /opt/csw/lib/libgpg-error.so.0) >> gpg_err_code_from_syserror conftest.o (symbol belongs to >> implicit dependency /opt/csw/lib/libgpg-error.so.0) >> ld: fatal: Symbol referencing errors. No output written to conftest > > The problem is that configure links directly to libgcrypt.so instead > of what is correctly reported: > >> build8s% /opt/csw/bin/libgcrypt-config --libs >> -L/opt/csw/lib -lgcrypt -lgpg-error > > Adding "-L/opt/csw/lib -lgpg-error" manually solves the problem. Hi. GnuTLS isn't using libgcrypt-config to detect the libgrypt libraries, but the following patch hopefully fixes it. Will be part of upcoming 2.9.8, so please test that. /Simon >From 65e184ffdcf0441b51cd447f519d929376f7e06b Mon Sep 17 00:00:00 2001 From: Simon Josefsson Date: Thu, 5 Nov 2009 14:12:16 +0100 Subject: [PATCH] Make sure libgcrypt's dependency on libgpg-error is known. --- lib/m4/hooks.m4 | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/lib/m4/hooks.m4 b/lib/m4/hooks.m4 index 2973d6d..8e3ec92 100644 --- a/lib/m4/hooks.m4 +++ b/lib/m4/hooks.m4 @@ -34,7 +34,7 @@ AC_DEFUN([LIBGNUTLS_HOOKS], DLL_VERSION=`expr ${LT_CURRENT} - ${LT_AGE}` AC_SUBST(DLL_VERSION) - AC_LIB_HAVE_LINKFLAGS(gcrypt,, [#include ], + AC_LIB_HAVE_LINKFLAGS([gcrypt], [gpg-error], [#include ], [enum gcry_cipher_algos i = GCRY_CIPHER_CAMELLIA128]) if test "$ac_cv_libgcrypt" != yes; then AC_MSG_ERROR([[ -- 1.6.5.2 From simon at josefsson.org Thu Nov 5 14:23:32 2009 From: simon at josefsson.org (Simon Josefsson) Date: Thu, 05 Nov 2009 14:23:32 +0100 Subject: GNUTLS 2.8.5: Assertion failed on Solaris 8 Sparc In-Reply-To: <4AF2D0A3.8040904@byu.net> (Eric Blake's message of "Thu, 05 Nov 2009 06:18:27 -0700") References: <87d43xf7k5.fsf@mocca.josefsson.org> <4AF2D0A3.8040904@byu.net> Message-ID: <87k4y5ds17.fsf@mocca.josefsson.org> Eric Blake writes: > According to Simon Josefsson on 11/5/2009 6:02 AM: >> A sizeof(__func__) == 0 seems odd. What is __func__ on Solaris? Is >> there some other variable that contains the current function name on >> Solaris? > > This is a known bug in the Solaris compiler, and gnulib just ignores the > error. This line from test-func.c is telling: > >> /* On SunPRO C 5.9, sizeof __func__ evaluates to 0. The compiler warns: >> "warning: null dimension: sizeof()". */ >> #if !defined __SUNPRO_C >> ASSERT (strlen (__func__) + 1 == sizeof __func__); >> #endif Ah, thanks. But does __func__ work on Solaris? Would it make sense to improve the self-test like this? /Simon diff --git a/tests/test-func.c b/tests/test-func.c index 8a3c465..3c2de3c 100644 --- a/tests/test-func.c +++ b/tests/test-func.c @@ -45,5 +45,8 @@ main () ASSERT (strlen (__func__) + 1 == sizeof __func__); #endif + assert (strcmp (__func__, "main") == 0 + || strcmp (__func__, "") == 0); + return 0; } From dam at opencsw.org Thu Nov 5 15:50:47 2009 From: dam at opencsw.org (Dagobert Michelsen) Date: Thu, 5 Nov 2009 15:50:47 +0100 Subject: Problem with linking when compiling GNUTLS In-Reply-To: <871vkdf729.fsf@mocca.josefsson.org> References: <6CE33B59-7483-4304-9F9F-14D5D35DFAB0@opencsw.org> <871vkdf729.fsf@mocca.josefsson.org> Message-ID: <95DD2EC9-E013-4894-929B-4A3074D3DE43@opencsw.org> Hi Simon, Am 05.11.2009 um 14:13 schrieb Simon Josefsson: > Dagobert Michelsen writes: >> when I try to compile GNUTLS 2.8.5 on Solaris 8 Sparc with Sun >> Studio 11 >> against libgcrypt the configure-script has problems linking to it: >> >>> configure:7443: /opt/studio/SOS11/SUNWspro/bin/cc -o conftest -xO3 - >>> xarch=v8 -I/opt/csw/include -I/opt/csw/include -xarch=v8 -L/opt/csw/ >>> lib conftest.c /opt/csw/lib/libgcrypt.so -R/opt/csw/lib >&5 >>> Undefined first referenced >>> symbol in file >>> gpg_err_code_from_errno conftest.o (symbol belongs to >>> implicit dependency /opt/csw/lib/libgpg-error.so.0) >>> gpg_err_code_from_syserror conftest.o (symbol belongs to >>> implicit dependency /opt/csw/lib/libgpg-error.so.0) >>> ld: fatal: Symbol referencing errors. No output written to conftest >> >> The problem is that configure links directly to libgcrypt.so instead >> of what is correctly reported: >> >>> build8s% /opt/csw/bin/libgcrypt-config --libs >>> -L/opt/csw/lib -lgcrypt -lgpg-error >> >> Adding "-L/opt/csw/lib -lgpg-error" manually solves the problem. > > Hi. GnuTLS isn't using libgcrypt-config to detect the libgrypt > libraries, but the following patch hopefully fixes it. Will be part > of > upcoming 2.9.8, so please test that. > > /Simon > > From 65e184ffdcf0441b51cd447f519d929376f7e06b Mon Sep 17 00:00:00 2001 > From: Simon Josefsson > Date: Thu, 5 Nov 2009 14:12:16 +0100 > Subject: [PATCH] Make sure libgcrypt's dependency on libgpg-error is > known. > > --- > lib/m4/hooks.m4 | 2 +- > 1 files changed, 1 insertions(+), 1 deletions(-) > > diff --git a/lib/m4/hooks.m4 b/lib/m4/hooks.m4 > index 2973d6d..8e3ec92 100644 > --- a/lib/m4/hooks.m4 > +++ b/lib/m4/hooks.m4 > @@ -34,7 +34,7 @@ AC_DEFUN([LIBGNUTLS_HOOKS], > DLL_VERSION=`expr ${LT_CURRENT} - ${LT_AGE}` > AC_SUBST(DLL_VERSION) > > - AC_LIB_HAVE_LINKFLAGS(gcrypt,, [#include ], > + AC_LIB_HAVE_LINKFLAGS([gcrypt], [gpg-error], [#include ], > [enum gcry_cipher_algos i = GCRY_CIPHER_CAMELLIA128]) > if test "$ac_cv_libgcrypt" != yes; then > AC_MSG_ERROR([[ > -- > 1.6.5.2 Yes, this solves the problem with the missing libgpg-error. Now only the -lsocket -lnsl issue needs to be resolved :-) Best regards -- Dago From simon at josefsson.org Thu Nov 5 16:17:16 2009 From: simon at josefsson.org (Simon Josefsson) Date: Thu, 05 Nov 2009 16:17:16 +0100 Subject: Problem with linking when compiling GNUTLS In-Reply-To: <95DD2EC9-E013-4894-929B-4A3074D3DE43@opencsw.org> (Dagobert Michelsen's message of "Thu, 5 Nov 2009 15:50:47 +0100") References: <6CE33B59-7483-4304-9F9F-14D5D35DFAB0@opencsw.org> <871vkdf729.fsf@mocca.josefsson.org> <95DD2EC9-E013-4894-929B-4A3074D3DE43@opencsw.org> Message-ID: <87hbt9atmr.fsf@mocca.josefsson.org> Dagobert Michelsen writes: >> - AC_LIB_HAVE_LINKFLAGS(gcrypt,, [#include ], >> + AC_LIB_HAVE_LINKFLAGS([gcrypt], [gpg-error], [#include ], >> [enum gcry_cipher_algos i = GCRY_CIPHER_CAMELLIA128]) >> if test "$ac_cv_libgcrypt" != yes; then >> AC_MSG_ERROR([[ >> -- >> 1.6.5.2 > > Yes, this solves the problem with the missing libgpg-error. Now only > the -lsocket -lnsl issue needs to be resolved :-) Great. The -lnsl issue could be fixed by using more recent gnulib here. /Simon From dam at opencsw.org Thu Nov 5 16:27:48 2009 From: dam at opencsw.org (Dagobert Michelsen) Date: Thu, 5 Nov 2009 16:27:48 +0100 Subject: Problem with linking when compiling GNUTLS In-Reply-To: <87hbt9atmr.fsf@mocca.josefsson.org> References: <6CE33B59-7483-4304-9F9F-14D5D35DFAB0@opencsw.org> <871vkdf729.fsf@mocca.josefsson.org> <95DD2EC9-E013-4894-929B-4A3074D3DE43@opencsw.org> <87hbt9atmr.fsf@mocca.josefsson.org> Message-ID: Hi Simon, Am 05.11.2009 um 16:17 schrieb Simon Josefsson: > Dagobert Michelsen writes: > >>> - AC_LIB_HAVE_LINKFLAGS(gcrypt,, [#include ], >>> + AC_LIB_HAVE_LINKFLAGS([gcrypt], [gpg-error], [#include >>> ], >>> [enum gcry_cipher_algos i = GCRY_CIPHER_CAMELLIA128]) >>> if test "$ac_cv_libgcrypt" != yes; then >>> AC_MSG_ERROR([[ >>> -- >>> 1.6.5.2 >> >> Yes, this solves the problem with the missing libgpg-error. Now only >> the -lsocket -lnsl issue needs to be resolved :-) > > Great. The -lnsl issue could be fixed by using more recent gnulib > here. It would be great if you had an updated tarball of the release-to-come will all known errors fixed so I can verify it. Best regards -- Dago From simon at josefsson.org Thu Nov 5 16:35:41 2009 From: simon at josefsson.org (Simon Josefsson) Date: Thu, 05 Nov 2009 16:35:41 +0100 Subject: Problem with linking when compiling GNUTLS In-Reply-To: (Dagobert Michelsen's message of "Thu, 5 Nov 2009 16:27:48 +0100") References: <6CE33B59-7483-4304-9F9F-14D5D35DFAB0@opencsw.org> <871vkdf729.fsf@mocca.josefsson.org> <95DD2EC9-E013-4894-929B-4A3074D3DE43@opencsw.org> <87hbt9atmr.fsf@mocca.josefsson.org> Message-ID: <878welass2.fsf@mocca.josefsson.org> Dagobert Michelsen writes: > Hi Simon, > > Am 05.11.2009 um 16:17 schrieb Simon Josefsson: >> Dagobert Michelsen writes: >> >>>> - AC_LIB_HAVE_LINKFLAGS(gcrypt,, [#include ], >>>> + AC_LIB_HAVE_LINKFLAGS([gcrypt], [gpg-error], [#include >>>> ], >>>> [enum gcry_cipher_algos i = GCRY_CIPHER_CAMELLIA128]) >>>> if test "$ac_cv_libgcrypt" != yes; then >>>> AC_MSG_ERROR([[ >>>> -- >>>> 1.6.5.2 >>> >>> Yes, this solves the problem with the missing libgpg-error. Now only >>> the -lsocket -lnsl issue needs to be resolved :-) >> >> Great. The -lnsl issue could be fixed by using more recent gnulib >> here. > > It would be great if you had an updated tarball of the release-to-come > will all known errors fixed so I can verify it. Of 2.8.x or 2.9.x? I'll see if I can push out a 2.9.x release today. /Simon From simon at josefsson.org Thu Nov 5 17:40:10 2009 From: simon at josefsson.org (Simon Josefsson) Date: Thu, 05 Nov 2009 17:40:10 +0100 Subject: GnuTLS 2.9.8 Message-ID: <87639p9b85.fsf@mocca.josefsson.org> The GnuTLS 2.9.x branch is NOT what you want for your stable system. It is intended for developers and experienced users. Here are the compressed sources (6.0MB): http://alpha.gnu.org/gnu/gnutls/gnutls-2.9.8.tar.bz2 ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.9.8.tar.bz2 Here is the OpenPGP signature: http://alpha.gnu.org/gnu/gnutls/gnutls-2.9.8.tar.bz2.sig ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.9.8.tar.bz2.sig Windows build: http://josefsson.org/gnutls4win/gnutls-2.9.8.exe http://josefsson.org/gnutls4win/gnutls-2.9.8.exe.sig http://josefsson.org/gnutls4win/gnutls-2.9.8.zip http://josefsson.org/gnutls4win/gnutls-2.9.8.zip.sig http://josefsson.org/gnutls4win/mingw32-gnutls_2.9.8-1_all.deb Improving GnuTLS is costly, but you can help! We are looking for organizations that find GnuTLS useful and wish to contribute back. You can contribute by reporting bugs, improve the software, or donate money or equipment. Commercial support contracts for GnuTLS are available, and they help finance continued maintenance. Simon Josefsson Datakonsult AB, a Stockholm based privately held company, is currently funding GnuTLS maintenance. We are always looking for interesting development projects. See http://josefsson.org/ for more details. /Simon * Version 2.9.8 (released 2009-11-05) ** libgnutls: Fix for memory leaks on interrupted handshake. Reported by Tang Tong. ** libgnutls: Addition of support for TLS 1.2 signature algorithms ** extension and certificate verify field. This requires changes for TLS 1.2 servers and clients that use callbacks for certificate retrieval. They are now required to check with gnutls_sign_algorithm_get_requested() whether the certificate they send complies with the peer's preferences in signature algorithms. ** libgnutls: In server side when resuming a session do not overwrite the ** initial session data with the resumed session data. ** libgnutls: Added support for AES-128, AES-192 and AES-256 in PKCS #8 ** encryption. This affects also PKCS #12 encoded files. This adds the following new enums: GNUTLS_CIPHER_AES_192_CBC, GNUTLS_PKCS_USE_PBES2_AES_128, GNUTLS_PKCS_USE_PBES2_AES_192, GNUTLS_PKCS_USE_PBES2_AES_256. ** libgnutls: Fix PKCS#12 encoding. The error you would get was "The OID is not supported.". Problem introduced for the v2.8.x branch in 2.7.6. ** certtool: Added the --pkcs-cipher option. To explicitely specify the encryption algorithm to use. ** tests: Added "pkcs12_encode" self-test to check PKCS#12 functions. ** tests: Fix time bomb in chainverify self-test. Reported by Andreas Metzler in . ** tests: Fix expired cert in chainverify self-test. ** i18n: Vietnamese translation updated. Thanks to Clytie Siddall. ** API and ABI modifications: GNUTLS_CIPHER_AES_192_CBC: ADDED to gnutls/gnutls.h. GNUTLS_PKCS_USE_PBES2_AES_128: ADDED to gnutls/x509.h. GNUTLS_PKCS_USE_PBES2_AES_192: ADDED to gnutls/x509.h. GNUTLS_PKCS_USE_PBES2_AES_256: ADDED to gnutls/x509.h. GNUTLS_BAG_SECRET: ADDED to gnutls/pkcs12.h. GNUTLS_DIG_UNKNOWN: ADDED to gnutls/gnutls.h. gnutls_sign_algorithm_get_requested: ADDED. I appear to have forgotten to announce 2.9.7, so I'm including the NEWS entries for it too: * Version 2.9.7 (released 2009-10-06) ** libgnutls: TLS 1.2 server mode fixes. Now interoperates against Opera. Contributed by Daiki Ueno. ** libgnutlsxx: Fix link problems. Tiny patch from Boyan Kasarov . ** guile: Compatibility with guile 2.x. By Ludovic Courtes . ** API and ABI modifications: No changes since last version. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 420 bytes Desc: not available URL: From nmav at gnutls.org Thu Nov 5 22:05:21 2009 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Thu, 05 Nov 2009 23:05:21 +0200 Subject: TLS renegotiation MITM In-Reply-To: References: Message-ID: <4AF33E11.6060304@gnutls.org> Steve Dispensa wrote: > Hi, > > A colleague and I have released details of a new attack against TLS in the > area of renegotiation. Information is here: > > http://extendedsubset.com/?p=8 > > During the process of running this bug (and its proposed solution) to > ground, I implemented a patch to GNUTLS, attached. There are also two new > files that implement the extension that solves the problem. > > There is lots of background in the above link, but the one missing part is > the Internet Draft that has been tentatively agreed on by most of the major > vendors (pending IETF action, of course). That draft is what I have > implemented, and you should see it posted to the TLS IETF list tomorrow > morning. Hi thank you for the patch and for identifying the issue as well. I like both your patch and the fix itself. Would you be interested in signing the copyright assignment papers for FSF? best regards, Nikos From nmav at gnutls.org Thu Nov 5 22:29:59 2009 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Thu, 05 Nov 2009 23:29:59 +0200 Subject: TLS 1.2 server In-Reply-To: <87bpjijzld.fsf@mocca.josefsson.org> References: <87iqf1p592.fsf@broken.deisui.org> <87r5tp56c4.fsf@mocca.josefsson.org> <87ske44pfy.fsf@mocca.josefsson.org> <87pr98eha4.fsf@broken.deisui.org> <87eipo4jgc.fsf@mocca.josefsson.org> <87ljjwdv8c.fsf@broken.deisui.org> <87zl8buyc2.fsf@mocca.josefsson.org> <4AE26E73.4070907@gnutls.org> <873a56cxty.fsf@mocca.josefsson.org> <4AEF2F63.4080103@gnutls.org> <87k4y89ktx.fsf@mocca.josefsson.org> <4AF0745E.4030702@gnutls.org> <87bpjijzld.fsf@mocca.josefsson.org> Message-ID: <4AF343D7.8060002@gnutls.org> Simon Josefsson wrote: > Is it possible to fix only that leak without the other stuff? Could be but currently I don't have the time. From bradh at frogmouth.net Fri Nov 6 01:23:14 2009 From: bradh at frogmouth.net (Brad Hards) Date: Fri, 6 Nov 2009 11:23:14 +1100 Subject: Running "make check" under valgrind In-Reply-To: <87hbt9f7rp.fsf@mocca.josefsson.org> References: <200911052110.06021.bradh@frogmouth.net> <87hbt9f7rp.fsf@mocca.josefsson.org> Message-ID: <200911061123.14795.bradh@frogmouth.net> On Thursday 05 November 2009 23:58:18 you wrote: > Nope. Which libgcrypt version are you using? As it turned out, it was some svn version that I had installed. However I've removed that, rebuilt everything, and I can repeat that with 1.4.4 packages from my distro (libgcrypt-1.4.4-6.fc11). I also tried a more up-to-date svn version of libgcrypt (At revision 1406.) but no difference. A svn version of libgpg-error also made no difference. Brad From dispensa at phonefactor.com Fri Nov 6 02:24:31 2009 From: dispensa at phonefactor.com (Steve Dispensa) Date: Thu, 5 Nov 2009 19:24:31 -0600 Subject: TLS renegotiation MITM In-Reply-To: <4AF33E11.6060304@gnutls.org> References: <4AF33E11.6060304@gnutls.org> Message-ID: <0ABAC5C4-2C41-4641-B07A-349C4A8DED64@phonefactor.com> Yes, I'd be glad to. It will take me a couple of days to get to a printer/scanner, but meanwhile, if an email can do this, take this as my official intent to assign copyright to fsf. -Steve On Nov 5, 2009, at 3:03 PM, "Nikos Mavrogiannopoulos" wrote: > Steve Dispensa wrote: >> Hi, >> >> A colleague and I have released details of a new attack against TLS >> in the >> area of renegotiation. Information is here: >> >> http://extendedsubset.com/?p=8 >> >> During the process of running this bug (and its proposed solution) to >> ground, I implemented a patch to GNUTLS, attached. There are also >> two new >> files that implement the extension that solves the problem. >> >> There is lots of background in the above link, but the one missing >> part is >> the Internet Draft that has been tentatively agreed on by most of >> the major >> vendors (pending IETF action, of course). That draft is what I have >> implemented, and you should see it posted to the TLS IETF list >> tomorrow >> morning. > > Hi thank you for the patch and for identifying the issue as well. I > like > both your patch and the fix itself. Would you be interested in signing > the copyright assignment papers for FSF? > > best regards, > Nikos From simon at josefsson.org Fri Nov 6 08:37:32 2009 From: simon at josefsson.org (Simon Josefsson) Date: Fri, 06 Nov 2009 08:37:32 +0100 Subject: Running "make check" under valgrind In-Reply-To: <200911061123.14795.bradh@frogmouth.net> (Brad Hards's message of "Fri, 6 Nov 2009 11:23:14 +1100") References: <200911052110.06021.bradh@frogmouth.net> <87hbt9f7rp.fsf@mocca.josefsson.org> <200911061123.14795.bradh@frogmouth.net> Message-ID: <87hbt885oj.fsf@mocca.josefsson.org> Brad Hards writes: > On Thursday 05 November 2009 23:58:18 you wrote: >> Nope. Which libgcrypt version are you using? > As it turned out, it was some svn version that I had installed. However I've > removed that, rebuilt everything, and I can repeat that with 1.4.4 packages > from my distro (libgcrypt-1.4.4-6.fc11). > > I also tried a more up-to-date svn version of libgcrypt (At revision 1406.) > but no difference. A svn version of libgpg-error also made no difference. Strange, I'm using libgcrypt from debian and don't see this. Could you try to debug it further to see if there is a genuine memory leak? Hm, I realized I have a ~/.valgrind: --memcheck:leak-check=full --memcheck:leak-resolution=high --memcheck:show-reachable=yes --memcheck:num-callers=50 --suppressions=/home/jas/src/gnutls/tests/libgcrypt.supp The libgcrypt.supp file in GnuTLS lists some known memory leaks in libgcrypt. However, your leaks doesn't look like any of them, but maybe you could check that file to make sure. /Simon From simon at josefsson.org Fri Nov 6 12:38:24 2009 From: simon at josefsson.org (Simon Josefsson) Date: Fri, 06 Nov 2009 12:38:24 +0100 Subject: TLS renegotiation MITM In-Reply-To: (Steve Dispensa's message of "Wed, 04 Nov 2009 21:53:38 -0600") References: Message-ID: <87tyx7zxvz.fsf@mocca.josefsson.org> Steve Dispensa writes: > Hi, > > A colleague and I have released details of a new attack against TLS in the > area of renegotiation. Information is here: > > http://extendedsubset.com/?p=8 > > During the process of running this bug (and its proposed solution) to > ground, I implemented a patch to GNUTLS, attached. There are also two new > files that implement the extension that solves the problem. > > There is lots of background in the above link, but the one missing part is > the Internet Draft that has been tentatively agreed on by most of the major > vendors (pending IETF action, of course). That draft is what I have > implemented, and you should see it posted to the TLS IETF list tomorrow > morning. > > I'd be happy to help in any way I can. What GnuTLS version is your patch for? We haven't used a configure.in file in a long time. Would you mind reworking it for GnuTLS 2.8.x and/or 2.9.x? Those are the latest stable and experimental branches. Once the copyright paper issue has been resolved, we could integrate it. /Simon From dispensa at phonefactor.com Fri Nov 6 16:30:44 2009 From: dispensa at phonefactor.com (Steve Dispensa) Date: Fri, 6 Nov 2009 09:30:44 -0600 Subject: TLS renegotiation MITM In-Reply-To: <87tyx7zxvz.fsf@mocca.josefsson.org> References: <87tyx7zxvz.fsf@mocca.josefsson.org> Message-ID: <815C1CE2-C182-4A78-8279-EC23D4C0F5F4@phonefactor.com> Glad to. What's the best git tree? I thought I had the right one based on the site. Thanks. -Steve On Nov 6, 2009, at 5:36 AM, "Simon Josefsson" wrote: > Steve Dispensa writes: > >> Hi, >> >> A colleague and I have released details of a new attack against TLS >> in the >> area of renegotiation. Information is here: >> >> http://extendedsubset.com/?p=8 >> >> During the process of running this bug (and its proposed solution) to >> ground, I implemented a patch to GNUTLS, attached. There are also >> two new >> files that implement the extension that solves the problem. >> >> There is lots of background in the above link, but the one missing >> part is >> the Internet Draft that has been tentatively agreed on by most of >> the major >> vendors (pending IETF action, of course). That draft is what I have >> implemented, and you should see it posted to the TLS IETF list >> tomorrow >> morning. >> >> I'd be happy to help in any way I can. > > What GnuTLS version is your patch for? We haven't used a configure.in > file in a long time. Would you mind reworking it for GnuTLS 2.8.x > and/or 2.9.x? Those are the latest stable and experimental branches. > > Once the copyright paper issue has been resolved, we could integrate > it. > > /Simon From simon at josefsson.org Fri Nov 6 16:50:17 2009 From: simon at josefsson.org (Simon Josefsson) Date: Fri, 06 Nov 2009 16:50:17 +0100 Subject: TLS renegotiation MITM In-Reply-To: <815C1CE2-C182-4A78-8279-EC23D4C0F5F4@phonefactor.com> (Steve Dispensa's message of "Fri, 6 Nov 2009 09:30:44 -0600") References: <87tyx7zxvz.fsf@mocca.josefsson.org> <815C1CE2-C182-4A78-8279-EC23D4C0F5F4@phonefactor.com> Message-ID: <87d43vps92.fsf@mocca.josefsson.org> "Steve Dispensa" writes: > Glad to. What's the best git tree? I thought I had the right one based > on the site. What link did you find on our site? I created a new page at http://www.gnu.org/software/gnutls/devel.html with some information. /Simon > Thanks. > > -Steve > > On Nov 6, 2009, at 5:36 AM, "Simon Josefsson" > wrote: > >> Steve Dispensa writes: >> >>> Hi, >>> >>> A colleague and I have released details of a new attack against TLS >>> in the >>> area of renegotiation. Information is here: >>> >>> http://extendedsubset.com/?p=8 >>> >>> During the process of running this bug (and its proposed solution) to >>> ground, I implemented a patch to GNUTLS, attached. There are also >>> two new >>> files that implement the extension that solves the problem. >>> >>> There is lots of background in the above link, but the one missing >>> part is >>> the Internet Draft that has been tentatively agreed on by most of >>> the major >>> vendors (pending IETF action, of course). That draft is what I have >>> implemented, and you should see it posted to the TLS IETF list >>> tomorrow >>> morning. >>> >>> I'd be happy to help in any way I can. >> >> What GnuTLS version is your patch for? We haven't used a configure.in >> file in a long time. Would you mind reworking it for GnuTLS 2.8.x >> and/or 2.9.x? Those are the latest stable and experimental branches. >> >> Once the copyright paper issue has been resolved, we could integrate >> it. >> >> /Simon From ludo at gnu.org Sat Nov 7 00:02:07 2009 From: ludo at gnu.org (Ludovic =?iso-8859-1?Q?Court=E8s?=) Date: Sat, 07 Nov 2009 00:02:07 +0100 Subject: =?utf-8?b?4oCYZ251dGxzLWNsaeKAmQ==?= should be linked against libgcrypt Message-ID: <87ljijfea8.fsf@gnu.org> Hello! I just compiled GnuTLS 2.8.5 for NixOS [0]. Unless I?m mistaken, ?gnutls-cli? must now explicitly be linked against libgcrypt since it?s a direct dependency: -gnutls_cli_LDADD = ../lib/libgnutls.la ../libextra/libgnutls-extra.la +gnutls_cli_LDADD = ../lib/libgnutls.la ../libextra/libgnutls-extra.la -lgcrypt Thanks, Ludo?. [0] http://hydra.nixos.org/job/nixpkgs/trunk/gnutls/all From ebb9 at byu.net Thu Nov 5 14:18:27 2009 From: ebb9 at byu.net (Eric Blake) Date: Thu, 05 Nov 2009 06:18:27 -0700 Subject: GNUTLS 2.8.5: Assertion failed on Solaris 8 Sparc In-Reply-To: <87d43xf7k5.fsf@mocca.josefsson.org> References: <87d43xf7k5.fsf@mocca.josefsson.org> Message-ID: <4AF2D0A3.8040904@byu.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 According to Simon Josefsson on 11/5/2009 6:02 AM: > A sizeof(__func__) == 0 seems odd. What is __func__ on Solaris? Is > there some other variable that contains the current function name on > Solaris? This is a known bug in the Solaris compiler, and gnulib just ignores the error. This line from test-func.c is telling: > /* On SunPRO C 5.9, sizeof __func__ evaluates to 0. The compiler warns: > "warning: null dimension: sizeof()". */ > #if !defined __SUNPRO_C > ASSERT (strlen (__func__) + 1 == sizeof __func__); > #endif - -- Don't work too hard, make some time for fun as well! Eric Blake ebb9 at byu.net -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (Cygwin) Comment: Public key at home.comcast.net/~ericblake/eblake.gpg Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkry0KMACgkQ84KuGfSFAYCPIgCeLJ0jmtbSKx/+UnvwX/IWEt1Q 5OYAn3oUOpCdSTukmrU4HZXP4dwZTIOk =lVxd -----END PGP SIGNATURE----- From simon at josefsson.org Mon Nov 9 15:46:43 2009 From: simon at josefsson.org (Simon Josefsson) Date: Mon, 09 Nov 2009 15:46:43 +0100 Subject: =?utf-8?b?4oCYZ251dGxzLWNsaeKAmQ==?= should be linked against libgcrypt In-Reply-To: <87ljijfea8.fsf@gnu.org> ("Ludovic =?iso-8859-1?Q?Court=E8s?= =?iso-8859-1?Q?=22's?= message of "Sat, 07 Nov 2009 00:02:07 +0100") References: <87ljijfea8.fsf@gnu.org> Message-ID: <87ws1zwyb0.fsf@mocca.josefsson.org> ludo at gnu.org (Ludovic Court?s) writes: > Hello! > > I just compiled GnuTLS 2.8.5 for NixOS [0]. Unless I?m mistaken, > ?gnutls-cli? must now explicitly be linked against libgcrypt since it?s > a direct dependency: > > -gnutls_cli_LDADD = ../lib/libgnutls.la ../libextra/libgnutls-extra.la > +gnutls_cli_LDADD = ../lib/libgnutls.la ../libextra/libgnutls-extra.la -lgcrypt Thanks, I happened to fix this recently on master but I backported it to 2.8.x now. /Simon From simon at josefsson.org Mon Nov 9 16:19:50 2009 From: simon at josefsson.org (Simon Josefsson) Date: Mon, 09 Nov 2009 16:19:50 +0100 Subject: TLS Renegotiation problem Message-ID: <87d43rwwrt.fsf@mocca.josefsson.org> As you may have heard, people how found out how to attack TLS as used in many application protocols. For more info see: http://www.ietf.org/id/draft-rescorla-tls-renegotiation-00.txt http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html http://extendedsubset.com/ http://www.imperialviolet.org/2009/11/05/tls-reneg.html It is important to understand that you are not vulnerable unless you use renegotiation, which is not typical. If you use renegotiation, perhaps to request client certificates in a web server, the simplest "fix" is to disable any use of renegotiation. You don't need to do this if your application protocol is robust -- for example XMPP/Jabber appears to be robust against the problem. HTTPS is not robust. There is work ongoing to specify a new extension to make TLS renegotiation safe against this attack, and hopefully GnuTLS will support it soon. Patches have been published in http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3944 but not yet tested or verified, and the IETF/IANA has not allocated a TLS extension number for it yet either. /Simon From dkg at fifthhorseman.net Mon Nov 9 19:01:23 2009 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Mon, 09 Nov 2009 13:01:23 -0500 Subject: TLS Renegotiation problem In-Reply-To: <87d43rwwrt.fsf@mocca.josefsson.org> References: <87d43rwwrt.fsf@mocca.josefsson.org> Message-ID: <4AF858F3.9000204@fifthhorseman.net> On 11/09/2009 10:19 AM, Simon Josefsson wrote: > It is important to understand that you are not vulnerable unless you use > renegotiation, which is not typical. If you use renegotiation, perhaps > to request client certificates in a web server, the simplest "fix" is to > disable any use of renegotiation. My understanding is that the published attacks are undetectable from the client-side without the use of the newly-proposed extension. So barring that extension, it seems that that the protective workaround you describe (disabling renegotiation) needs to be done on the server side. Is there a way that this can be done generically with GnuTLS (e.g. a priority string, which could conceivably be passed into gnutls by an administrator without needing a rebuild), or should the server simply avoid calling gnutls_handshake() more than once per session? Regards, --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 891 bytes Desc: OpenPGP digital signature URL: From simon at josefsson.org Tue Nov 10 08:02:48 2009 From: simon at josefsson.org (Simon Josefsson) Date: Tue, 10 Nov 2009 08:02:48 +0100 Subject: GnuTLS 2.9.9 Message-ID: <874op29813.fsf@mocca.josefsson.org> The GnuTLS 2.9.x branch is NOT what you want for your stable system. It is intended for developers and experienced users. Here are the compressed sources (6.1MB): http://alpha.gnu.org/gnu/gnutls/gnutls-2.9.9.tar.bz2 ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.9.9.tar.bz2 Here is the OpenPGP signature: http://alpha.gnu.org/gnu/gnutls/gnutls-2.9.9.tar.bz2.sig ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.9.9.tar.bz2.sig Windows build: http://josefsson.org/gnutls4win/gnutls-2.9.9.exe http://josefsson.org/gnutls4win/gnutls-2.9.9.exe.sig http://josefsson.org/gnutls4win/gnutls-2.9.9.zip http://josefsson.org/gnutls4win/gnutls-2.9.9.zip.sig http://josefsson.org/gnutls4win/mingw32-gnutls_2.9.9-1_all.deb Improving GnuTLS is costly, but you can help! We are looking for organizations that find GnuTLS useful and wish to contribute back. You can contribute by reporting bugs, improve the software, or donate money or equipment. Commercial support contracts for GnuTLS are available, and they help finance continued maintenance. Simon Josefsson Datakonsult AB, a Stockholm based privately held company, is currently funding GnuTLS maintenance. We are always looking for interesting development projects. See http://josefsson.org/ for more details. /Simon * Version 2.9.9 (released 2009-11-09) ** libgnutls: Cleanups and several bug fixes. Found by Steve Grubb and Tomas Mraz. ** Link libgcrypt explicitly to certtool, gnutls-cli, gnutls-serv. ** Fix --disable-valgrind-tests. Reported by Ingmar Vanhassel in . ** API and ABI modifications: No changes since last version. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 420 bytes Desc: not available URL: From simon at josefsson.org Tue Nov 10 08:08:49 2009 From: simon at josefsson.org (Simon Josefsson) Date: Tue, 10 Nov 2009 08:08:49 +0100 Subject: TLS Renegotiation problem In-Reply-To: <4AF858F3.9000204@fifthhorseman.net> (Daniel Kahn Gillmor's message of "Mon, 09 Nov 2009 13:01:23 -0500") References: <87d43rwwrt.fsf@mocca.josefsson.org> <4AF858F3.9000204@fifthhorseman.net> Message-ID: <87zl6u7t6m.fsf@mocca.josefsson.org> Daniel Kahn Gillmor writes: > On 11/09/2009 10:19 AM, Simon Josefsson wrote: >> It is important to understand that you are not vulnerable unless you use >> renegotiation, which is not typical. If you use renegotiation, perhaps >> to request client certificates in a web server, the simplest "fix" is to >> disable any use of renegotiation. > > My understanding is that the published attacks are undetectable from the > client-side without the use of the newly-proposed extension. Yes. > So barring that extension, it seems that that the protective > workaround you describe (disabling renegotiation) needs to be done on > the server side. > > Is there a way that this can be done generically with GnuTLS (e.g. a > priority string, which could conceivably be passed into gnutls by an > administrator without needing a rebuild), or should the server simply > avoid calling gnutls_handshake() more than once per session? In GnuTLS, rehandshaking needs to be done explicitly by servers when they get the GNUTLS_E_REHANDSHAKE error back from gnutls_record_recv. If servers don't call gnutls_handshake when that happens, there is no problem. So people can check their applications if they are vulnerable to this problem. For example, the mod_gnutls Apache plugin does not support renegotiation so there is no problem with it (this was the main case that I were concerned with): if (rc == GNUTLS_E_REHANDSHAKE) { /* A client has asked for a new Hankshake. Currently, we don't do it */ ap_log_error(APLOG_MARK, APLOG_INFO, ctxt->input_rc, ctxt->c->base_server, "GnuTLS: Error reading data. Client Requested a New Handshake." " (%d) '%s'", rc, gnutls_strerror(rc)); } Possibly we could indeed have a new mode where GnuTLS refuses to do renegotiation based on a priority string. /Simon From simon at josefsson.org Tue Nov 10 09:55:52 2009 From: simon at josefsson.org (Simon Josefsson) Date: Tue, 10 Nov 2009 09:55:52 +0100 Subject: TLS Renegotiation problem In-Reply-To: <87zl6u7t6m.fsf@mocca.josefsson.org> (Simon Josefsson's message of "Tue, 10 Nov 2009 08:08:49 +0100") References: <87d43rwwrt.fsf@mocca.josefsson.org> <4AF858F3.9000204@fifthhorseman.net> <87zl6u7t6m.fsf@mocca.josefsson.org> Message-ID: <87ws1y4v3b.fsf@mocca.josefsson.org> Simon Josefsson writes: > For example, the mod_gnutls Apache plugin does not support renegotiation > so there is no problem with it (this was the main case that I were > concerned with): Other servers that use GnuTLS is Exim4 and GNU Mailutils. I checked the sources and cannot find any place where they performs TLS renegotiation. So as far as I can tell, they are safe too. (Of course, this assume that it is even possible to exploit this problem with SMTP/IMAP/POP3 which I haven't seen explained yet.) What other popular servers use GnuTLS? Is there _any_ GnuTLS server that is vulnerable? Not even our gnutls-serv appears to support renegotiation as far as I can tell. /Simon From simon at josefsson.org Tue Nov 10 12:29:04 2009 From: simon at josefsson.org (Simon Josefsson) Date: Tue, 10 Nov 2009 12:29:04 +0100 Subject: TLS Renegotiation problem In-Reply-To: <20091110111754.GA14025@redhat.com> (Tomas Hoger's message of "Tue, 10 Nov 2009 12:17:54 +0100") References: <87d43rwwrt.fsf@mocca.josefsson.org> <4AF858F3.9000204@fifthhorseman.net> <87zl6u7t6m.fsf@mocca.josefsson.org> <87ws1y4v3b.fsf@mocca.josefsson.org> <20091110111754.GA14025@redhat.com> Message-ID: <87zl6u39fj.fsf@mocca.josefsson.org> Tomas Hoger writes: > On Tue, Nov 10, 2009 at 09:55:52AM +0100, Simon Josefsson wrote: >> What other popular servers use GnuTLS? > > CUPS and libvirt(d). No GNUTLS_E_REHANDSHAKE in their sources, client > requested renegotiations seem to fail. Thanks for checking. So to summarize, so far the following servers appears to not be affected by this problem when used with GnuTLS: gnutls-serv mod_gnutls exim4 mailutils CUPS libvirtd If the servers are linked with OpenSSL I don't know if they are vulnerable or not, it would depend on whether OpenSSL perform renegotiation without application interaction. So make sure they are linked to GnuTLS before declaring victory. I think we now have some evidence to suggest GnuTLS needn't do anything about this. It seems any use of rehandshake with GnuTLS is application-specific and then the answer is probably to fix that application instead of GnuTLS. Any more insight or thoughts on this is welcome. What GnuTLS needs to do, though, is to have a discussion of the issue in the manual where renegotiation is discussed, so application writers are aware of the problem. /Simon From thoger at redhat.com Tue Nov 10 14:22:16 2009 From: thoger at redhat.com (Tomas Hoger) Date: Tue, 10 Nov 2009 14:22:16 +0100 Subject: TLS Renegotiation problem In-Reply-To: <87zl6u39fj.fsf@mocca.josefsson.org> References: <87d43rwwrt.fsf@mocca.josefsson.org> <4AF858F3.9000204@fifthhorseman.net> <87zl6u7t6m.fsf@mocca.josefsson.org> <87ws1y4v3b.fsf@mocca.josefsson.org> <20091110111754.GA14025@redhat.com> <87zl6u39fj.fsf@mocca.josefsson.org> Message-ID: <20091110132216.GA15446@redhat.com> On Tue, Nov 10, 2009 at 12:29:04PM +0100, Simon Josefsson wrote: > If the servers are linked with OpenSSL I don't know if they are > vulnerable or not, it would depend on whether OpenSSL perform > renegotiation without application interaction. OpenSSL and NSS both do renegotiation transparently for application. > I think we now have some evidence to suggest GnuTLS needn't do anything > about this. It seems any use of rehandshake with GnuTLS is > application-specific and then the answer is probably to fix that > application instead of GnuTLS. Is that meant as meant as "no change needed" or "no urgent temporary hotfix needed"? Is the implementation of the proposed extension still the long-term plan, so that apps needing rehandshakes can do them safely? Thanks! th. From dispensa at phonefactor.com Tue Nov 10 15:08:00 2009 From: dispensa at phonefactor.com (Steve Dispensa) Date: Tue, 10 Nov 2009 08:08:00 -0600 Subject: TLS Renegotiation problem In-Reply-To: <20091110132216.GA15446@redhat.com> Message-ID: On 11/10/09 7:22 AM, "Tomas Hoger" wrote: >> I think we now have some evidence to suggest GnuTLS needn't do anything >> about this. It seems any use of rehandshake with GnuTLS is >> application-specific and then the answer is probably to fix that >> application instead of GnuTLS. > > Is that meant as meant as "no change needed" or "no urgent temporary hotfix > needed"? Is the implementation of the proposed extension still the > long-term plan, so that apps needing rehandshakes can do them safely? [sorry if I'm late to the game; we had a baby a few days ago and I'm sadly behind on e-mail and most other things.] I agree with Tomas. When I wrote up the patch, I noticed that there were a few impediments to doing renegotiation at all in the way things are currently implemented (unless I misunderstood, which I always quite possible). Still, at some point, someone is going to really need the feature (or decide that the implementation is incomplete without perfect support for it), and once that happens, the bug will magically appear unless the TLS extension I supported. There's also a good reason to support the extension from an interop standpoint - servers will want to detect patched clients in the (near?) future, so sending the extension along will be helpful. -Steve From simon at josefsson.org Tue Nov 10 17:43:55 2009 From: simon at josefsson.org (Simon Josefsson) Date: Tue, 10 Nov 2009 17:43:55 +0100 Subject: TLS Renegotiation problem In-Reply-To: <20091110132216.GA15446@redhat.com> (Tomas Hoger's message of "Tue, 10 Nov 2009 14:22:16 +0100") References: <87d43rwwrt.fsf@mocca.josefsson.org> <4AF858F3.9000204@fifthhorseman.net> <87zl6u7t6m.fsf@mocca.josefsson.org> <87ws1y4v3b.fsf@mocca.josefsson.org> <20091110111754.GA14025@redhat.com> <87zl6u39fj.fsf@mocca.josefsson.org> <20091110132216.GA15446@redhat.com> Message-ID: <87my2u2uus.fsf@mocca.josefsson.org> Tomas Hoger writes: >> I think we now have some evidence to suggest GnuTLS needn't do anything >> about this. It seems any use of rehandshake with GnuTLS is >> application-specific and then the answer is probably to fix that >> application instead of GnuTLS. > > Is that meant as meant as "no change needed" or "no urgent temporary hotfix > needed"? Both. ;-) The situation appears to be that 1) there is no patch against GnuTLS that we can use as a temporary hotfix, and 2) there appears (so far) to be no servers that use GnuTLS in a way that is vulnerable to this problem. There _could_ be servers that use GnuTLS which were vulnerable. For these applications, the simplest short-term solution appears to be to remove/disable the TLS renegotiation code. That would be an urgent problem that needs to be addressed quickly, if there actually are deployed instances of that situation. If a majority of servers that used GnuTLS were vulnerable to this problem, I think we'd have to consider patching GnuTLS instead of recommending patching application. Compare when we changed X.509 path validation in GnuTLS to check expiry/activation times: it was not a GnuTLS problem but it affected so many applications and it made more sense to fix it in GnuTLS than change all the applications. Our survey of servers using GnuTLS indicates that we are not close to being in this situation for this problem. Daniel suggested to add a priority string to allow admin's to disable TLS renegotiation unconditionally without having to recompile application/libraries. That seems like a good idea, but there are no instances where we known that it would improve anything. Priority strings is a quite new features, so the application would have to make use of priority strings AND do renegotiation AND implement a protocol that is vulnerable to this attack (e.g., HTTP) in order for things to work. That situation seems unlikely, but could happen, and then we'll certainly implement Daniel's suggestion. We could also release a GnuTLS that does not support TLS renegotiation at all. Right now, that is not known to fix anything, so I don't see what you would gain in doing so. But we could end up needing to do that too. So, in summary, given (my) current knowledge there is no need to either patch GnuTLS or any server application using GnuTLS. > Is the implementation of the proposed extension still the long-term > plan, so that apps needing rehandshakes can do them safely? Yes. /Simon From simon at josefsson.org Tue Nov 10 17:49:28 2009 From: simon at josefsson.org (Simon Josefsson) Date: Tue, 10 Nov 2009 17:49:28 +0100 Subject: TLS Renegotiation problem In-Reply-To: (Steve Dispensa's message of "Tue, 10 Nov 2009 08:08:00 -0600") References: <20091110132216.GA15446@redhat.com> Message-ID: <87iqdi2ulj.fsf@mocca.josefsson.org> Steve Dispensa writes: > On 11/10/09 7:22 AM, "Tomas Hoger" wrote: >>> I think we now have some evidence to suggest GnuTLS needn't do anything >>> about this. It seems any use of rehandshake with GnuTLS is >>> application-specific and then the answer is probably to fix that >>> application instead of GnuTLS. >> >> Is that meant as meant as "no change needed" or "no urgent temporary hotfix >> needed"? Is the implementation of the proposed extension still the >> long-term plan, so that apps needing rehandshakes can do them safely? > > [sorry if I'm late to the game; we had a baby a few days ago and I'm sadly > behind on e-mail and most other things.] Congratulations! Perfect timing.. ;) > I agree with Tomas. When I wrote up the patch, I noticed that there were a > few impediments to doing renegotiation at all in the way things are > currently implemented (unless I misunderstood, which I always quite > possible). Still, at some point, someone is going to really need the feature > (or decide that the implementation is incomplete without perfect support for > it), and once that happens, the bug will magically appear unless the TLS > extension I supported. > > There's also a good reason to support the extension from an interop > standpoint - servers will want to detect patched clients in the (near?) > future, so sending the extension along will be helpful. Definitely. Given a patch (and copyright assignment) for this, we could add it to the experimental branch today, and once the IANA has allocated a code point it could even be backported into the stable branch. But that would be completely unrelated to fixing any short-term security problem. /Simon From fw at deneb.enyo.de Tue Nov 10 19:13:27 2009 From: fw at deneb.enyo.de (Florian Weimer) Date: Tue, 10 Nov 2009 19:13:27 +0100 Subject: TLS Renegotiation problem In-Reply-To: <87my2u2uus.fsf@mocca.josefsson.org> (Simon Josefsson's message of "Tue, 10 Nov 2009 17:43:55 +0100") References: <87d43rwwrt.fsf@mocca.josefsson.org> <4AF858F3.9000204@fifthhorseman.net> <87zl6u7t6m.fsf@mocca.josefsson.org> <87ws1y4v3b.fsf@mocca.josefsson.org> <20091110111754.GA14025@redhat.com> <87zl6u39fj.fsf@mocca.josefsson.org> <20091110132216.GA15446@redhat.com> <87my2u2uus.fsf@mocca.josefsson.org> Message-ID: <87eio6b648.fsf@mid.deneb.enyo.de> * Simon Josefsson: > So, in summary, given (my) current knowledge there is no need to either > patch GnuTLS or any server application using GnuTLS. But GNUTLS would have to implement the extension to secure connections to servers which support renegotiation. From dispensa at phonefactor.com Tue Nov 10 20:27:00 2009 From: dispensa at phonefactor.com (Steve Dispensa) Date: Tue, 10 Nov 2009 13:27:00 -0600 Subject: TLS Renegotiation problem In-Reply-To: <87eio6b648.fsf@mid.deneb.enyo.de> Message-ID: On 11/10/09 12:13 PM, "Florian Weimer" wrote: > * Simon Josefsson: > >> So, in summary, given (my) current knowledge there is no need to either >> patch GnuTLS or any server application using GnuTLS. > > But GNUTLS would have to implement the extension to secure connections > to servers which support renegotiation. (...which support safe renegotiation using the extension - no such thing as safe renegotiation absent both client and server supporting the extension.) -Steve From fw at deneb.enyo.de Tue Nov 10 20:28:04 2009 From: fw at deneb.enyo.de (Florian Weimer) Date: Tue, 10 Nov 2009 20:28:04 +0100 Subject: TLS Renegotiation problem In-Reply-To: (Steve Dispensa's message of "Tue, 10 Nov 2009 13:27:00 -0600") References: Message-ID: <87y6me89iz.fsf@mid.deneb.enyo.de> * Steve Dispensa: > On 11/10/09 12:13 PM, "Florian Weimer" wrote: > >> * Simon Josefsson: >> >>> So, in summary, given (my) current knowledge there is no need to either >>> patch GnuTLS or any server application using GnuTLS. >> >> But GNUTLS would have to implement the extension to secure connections >> to servers which support renegotiation. > > (...which support safe renegotiation using the extension - no such thing as > safe renegotiation absent both client and server supporting the extension.) Eh, yes, this was sort-of implied. Thanks for the correction. From thoger at redhat.com Wed Nov 11 11:03:54 2009 From: thoger at redhat.com (Tomas Hoger) Date: Wed, 11 Nov 2009 11:03:54 +0100 Subject: TLS Renegotiation problem In-Reply-To: <87eio6b648.fsf@mid.deneb.enyo.de> References: <87d43rwwrt.fsf@mocca.josefsson.org> <4AF858F3.9000204@fifthhorseman.net> <87zl6u7t6m.fsf@mocca.josefsson.org> <87ws1y4v3b.fsf@mocca.josefsson.org> <20091110111754.GA14025@redhat.com> <87zl6u39fj.fsf@mocca.josefsson.org> <20091110132216.GA15446@redhat.com> <87my2u2uus.fsf@mocca.josefsson.org> <87eio6b648.fsf@mid.deneb.enyo.de> Message-ID: <20091111110354.5e39bc93@redhat.com> On Tue, 10 Nov 2009 19:13:27 +0100 Florian Weimer wrote: > > So, in summary, given (my) current knowledge there is no need to > > either patch GnuTLS or any server application using GnuTLS. > > But GNUTLS would have to implement the extension to secure connections > to servers which support renegotiation. Simon confirmed that the implementation of the extension is planned. I apologize for not properly specifying that "no change needed" was actually meant as "no change needed, not even reneg extension implemented", which caused the confusion. th. From thoger at redhat.com Tue Nov 10 12:17:54 2009 From: thoger at redhat.com (Tomas Hoger) Date: Tue, 10 Nov 2009 12:17:54 +0100 Subject: TLS Renegotiation problem In-Reply-To: <87ws1y4v3b.fsf@mocca.josefsson.org> References: <87d43rwwrt.fsf@mocca.josefsson.org> <4AF858F3.9000204@fifthhorseman.net> <87zl6u7t6m.fsf@mocca.josefsson.org> <87ws1y4v3b.fsf@mocca.josefsson.org> Message-ID: <20091110111754.GA14025@redhat.com> On Tue, Nov 10, 2009 at 09:55:52AM +0100, Simon Josefsson wrote: > What other popular servers use GnuTLS? CUPS and libvirt(d). No GNUTLS_E_REHANDSHAKE in their sources, client requested renegotiations seem to fail. th. From trupti.wilankar at hp.com Tue Nov 17 08:14:19 2009 From: trupti.wilankar at hp.com (Wilankar, Trupti) Date: Tue, 17 Nov 2009 07:14:19 +0000 Subject: Help required for CSR validation Message-ID: <0ED4D36695851D49AEA7D226C726B41D39A60854D0@GVW0440EXB.americas.hpqcorp.net> Hello, I am from the iTP WebServer development team. The webserver runs on the HP NonStop Kernel. We are enhancing the webserver to comply with the TLS 1.1 standards and are using GnuTLS to extend this support. We are facing problems with regards to validation of the CSR generated using the GnuTLS APIs. Though the CSR seems valid (as verified in OpenSSL and other online CSR decoders), CAs like Verisign, Thawte etc give an error while parsing the CSR. We generated CSRs with same DN attributes with GnuTLS and OpenSSL. After ASN1 parsing both the CSRs in OpenSSL, we found that the CSR generated by GnuTLS misses NULL paddings separating the CertificationRequestInfo, signatureAlgorithm and Signature. The output from OpenSSL asn1parse for CSR generated by OpenSSL (with similar DN attributes): $ openssl asn1parse -in openssl.req 0:d=0 hl=4 l= 452 cons: SEQUENCE 4:d=1 hl=4 l= 301 cons: SEQUENCE 8:d=2 hl=2 l= 1 prim: INTEGER :00 11:d=2 hl=3 l= 131 cons: SEQUENCE 14:d=3 hl=2 l= 11 cons: SET 16:d=4 hl=2 l= 9 cons: SEQUENCE 18:d=5 hl=2 l= 3 prim: OBJECT :countryName 23:d=5 hl=2 l= 2 prim: PRINTABLESTRING :IN 27:d=3 hl=2 l= 20 cons: SET 29:d=4 hl=2 l= 18 cons: SEQUENCE 31:d=5 hl=2 l= 3 prim: OBJECT :stateOrProvinceName 36:d=5 hl=2 l= 11 prim: PRINTABLESTRING :Maharashtra 49:d=3 hl=2 l= 15 cons: SET 51:d=4 hl=2 l= 13 cons: SEQUENCE 53:d=5 hl=2 l= 3 prim: OBJECT :localityName 58:d=5 hl=2 l= 6 prim: PRINTABLESTRING :Mumbai 66:d=3 hl=2 l= 34 cons: SET 68:d=4 hl=2 l= 32 cons: SEQUENCE 70:d=5 hl=2 l= 3 prim: OBJECT :organizationName 75:d=5 hl=2 l= 25 prim: PRINTABLESTRING :Tata Consultancy Services 102:d=3 hl=2 l= 15 cons: SET 104:d=4 hl=2 l= 13 cons: SEQUENCE 106:d=5 hl=2 l= 3 prim: OBJECT :organizationalUnitName 111:d=5 hl=2 l= 6 prim: PRINTABLESTRING :HP NED 119:d=3 hl=2 l= 24 cons: SET 121:d=4 hl=2 l= 22 cons: SEQUENCE 123:d=5 hl=2 l= 3 prim: OBJECT :commonName 128:d=5 hl=2 l= 15 prim: PRINTABLESTRING :www.scarlet.com 145:d=2 hl=3 l= 159 cons: SEQUENCE 148:d=3 hl=2 l= 13 cons: SEQUENCE 150:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption 161:d=4 hl=2 l= 0 prim: NULL <========== 163:d=3 hl=3 l= 141 prim: BIT STRING 307:d=2 hl=2 l= 0 cons: cont [ 0 ] 309:d=1 hl=2 l= 13 cons: SEQUENCE 311:d=2 hl=2 l= 9 prim: OBJECT :md5WithRSAEncryption 322:d=2 hl=2 l= 0 prim: NULL <========== 324:d=1 hl=3 l= 129 prim: BIT STRING The output from OpenSSL asn1parse for CSR generated by GnuTLS: $ openssl asn1parse -in gnu.req 0:d=0 hl=4 l= 447 cons: SEQUENCE 4:d=1 hl=4 l= 298 cons: SEQUENCE 8:d=2 hl=2 l= 1 prim: INTEGER :00 11:d=2 hl=3 l= 131 cons: SEQUENCE 14:d=3 hl=2 l= 11 cons: SET 16:d=4 hl=2 l= 9 cons: SEQUENCE 18:d=5 hl=2 l= 3 prim: OBJECT :countryName 23:d=5 hl=2 l= 2 prim: PRINTABLESTRING :IN 27:d=3 hl=2 l= 15 cons: SET 29:d=4 hl=2 l= 13 cons: SEQUENCE 31:d=5 hl=2 l= 3 prim: OBJECT :localityName 36:d=5 hl=2 l= 6 prim: PRINTABLESTRING :Mumbai 44:d=3 hl=2 l= 20 cons: SET 46:d=4 hl=2 l= 18 cons: SEQUENCE 48:d=5 hl=2 l= 3 prim: OBJECT :stateOrProvinceName 53:d=5 hl=2 l= 11 prim: PRINTABLESTRING :Maharashtra 66:d=3 hl=2 l= 24 cons: SET 68:d=4 hl=2 l= 22 cons: SEQUENCE 70:d=5 hl=2 l= 3 prim: OBJECT :commonName 75:d=5 hl=2 l= 15 prim: PRINTABLESTRING :www.scarlet.com 92:d=3 hl=2 l= 15 cons: SET 94:d=4 hl=2 l= 13 cons: SEQUENCE 96:d=5 hl=2 l= 3 prim: OBJECT :organizationalUnitName 101:d=5 hl=2 l= 6 prim: PRINTABLESTRING :HP NED 109:d=3 hl=2 l= 34 cons: SET 111:d=4 hl=2 l= 32 cons: SEQUENCE 113:d=5 hl=2 l= 3 prim: OBJECT :organizationName 118:d=5 hl=2 l= 25 prim: PRINTABLESTRING :Tata Consultancy Services 145:d=2 hl=3 l= 156 cons: SEQUENCE 148:d=3 hl=2 l= 11 cons: SEQUENCE 150:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption --> NULL field missing 161:d=3 hl=3 l= 140 prim: BIT STRING 304:d=2 hl=2 l= 0 cons: cont [ 0 ] 306:d=1 hl=2 l= 11 cons: SEQUENCE 308:d=2 hl=2 l= 9 prim: OBJECT :sha1WithRSAEncryption --> NULL field missing 319:d=1 hl=3 l= 129 prim: BIT STRING The CSR generated using GnuTLS APIs: -----BEGIN NEW CERTIFICATE REQUEST----- MIIBvzCCASoCAQAwgYMxCzAJBgNVBAYTAklOMQ8wDQYDVQQHEwZNdW1iYWkxFDAS BgNVBAgTC01haGFyYXNodHJhMRgwFgYDVQQDEw93d3cuc2NhcmxldC5jb20xDzAN BgNVBAsTBkhQIE5FRDEiMCAGA1UEChMZVGF0YSBDb25zdWx0YW5jeSBTZXJ2aWNl czCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGAv/FlDNjp+Jer0dfnHpOMu06eaocT WWugFEZTIJHsq1h2cQAu3aox/aP047umkyvndEFB3lB3wDoIIeu42sC3rvanWXrN u5QYYxJbqSFjQNjncK5ZBuOkDpT+mr40THP5XasHJpDtyBi/eFLjkG5y8vncM9xM 7i9lwfWEsRHESmkCAwEAAaAAMAsGCSqGSIb3DQEBBQOBgQC8kcFxRVuPKaXZYxBT AH1uvH7kTr/yeC8L5A3ctdzMX0KR2JSN1eB5PhYXhMzZRfhLrFtx0IP0RJS7uc0/ 0mJ30lZpufbQSmJT+EIiamSm+zWvH3+SBn5VrP0gCyD0z5O3AK91YB9QXVFkCS/u 3WDjubwSoK4BmHY1W3z3xRSO1Q== -----END NEW CERTIFICATE REQUEST----- Is it possible that the CAs are unable to generate a valid certificate due to these NULL paddings or is there another reason why these CAs fail to parse the CSR. Thanks, Trupti -------------- next part -------------- An HTML attachment was scrubbed... URL: From simon at josefsson.org Tue Nov 17 11:32:46 2009 From: simon at josefsson.org (Simon Josefsson) Date: Tue, 17 Nov 2009 11:32:46 +0100 Subject: TLS Renegotiation problem In-Reply-To: <87zl6u7t6m.fsf@mocca.josefsson.org> (Simon Josefsson's message of "Tue, 10 Nov 2009 08:08:49 +0100") References: <87d43rwwrt.fsf@mocca.josefsson.org> <4AF858F3.9000204@fifthhorseman.net> <87zl6u7t6m.fsf@mocca.josefsson.org> Message-ID: <87bpj11lwx.fsf@mocca.josefsson.org> Simon Josefsson writes: > In GnuTLS, rehandshaking needs to be done explicitly by servers when > they get the GNUTLS_E_REHANDSHAKE error back from gnutls_record_recv. > If servers don't call gnutls_handshake when that happens, there is no > problem. So people can check their applications if they are vulnerable > to this problem. For everyone's information, searching for "GNUTLS_E_REHANDSHAKE" in code is not be sufficient: that only takes care of the situation where the local client reacts on a renegotiation request from the remote server. You also have to search for "gnutls_rehandshake" to take care of the situation where the local server initiates the renegotiation request. I believe one still has to look carefully at each example to understand whether a particular instance is vulnerable or not: not all instances of TLS reneg appears vulnerable. For example, a server could make sure that before calling gnutls_rehandshake it reads all data coming from the client and performs input sanitizing on it because there is no guarantee that data comes from the same identity who performs the TLS rehandshake and sends more data later on. /Simon From nmav at gnutls.org Wed Nov 18 19:14:48 2009 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Wed, 18 Nov 2009 20:14:48 +0200 Subject: Help required for CSR validation In-Reply-To: <0ED4D36695851D49AEA7D226C726B41D39A60854D0@GVW0440EXB.americas.hpqcorp.net> References: <0ED4D36695851D49AEA7D226C726B41D39A60854D0@GVW0440EXB.americas.hpqcorp.net> Message-ID: <4B043998.8050102@gnutls.org> Wilankar, Trupti wrote: > Hello, > > I am from the iTP WebServer development team. The webserver runs on the HP NonStop Kernel. We are enhancing the webserver to comply with the TLS 1.1 standards and are using GnuTLS to extend this support. > We are facing problems with regards to validation of the CSR generated using the GnuTLS APIs. > Though the CSR seems valid (as verified in OpenSSL and other online CSR decoders), CAs like Verisign, Thawte etc give an error while parsing the CSR. > > We generated CSRs with same DN attributes with GnuTLS and OpenSSL. After ASN1 parsing both the CSRs in OpenSSL, we found that the CSR generated by GnuTLS misses NULL paddings separating the CertificationRequestInfo, signatureAlgorithm and Signature. [...] > Is it possible that the CAs are unable to generate a valid certificate due to these NULL paddings or is there another reason why these CAs fail to parse the CSR. Hi, Thanks for bringing that up to me. Probably it might be some error in the parsing library of the CA. I attach you a quick fix and if it works for you I will add an option to encode using this format in certtool. regards, Nikos -------------- next part -------------- A non-text attachment was scrubbed... Name: null-encoding.patch Type: text/x-patch Size: 955 bytes Desc: not available URL: From thoger at redhat.com Wed Nov 18 19:28:52 2009 From: thoger at redhat.com (Tomas Hoger) Date: Wed, 18 Nov 2009 19:28:52 +0100 Subject: TLS Renegotiation problem In-Reply-To: <87bpj11lwx.fsf@mocca.josefsson.org> References: <87d43rwwrt.fsf@mocca.josefsson.org> <4AF858F3.9000204@fifthhorseman.net> <87zl6u7t6m.fsf@mocca.josefsson.org> <87bpj11lwx.fsf@mocca.josefsson.org> Message-ID: <20091118192852.15c4563c@redhat.com> On Tue, 17 Nov 2009 11:32:46 +0100 Simon Josefsson wrote: > > In GnuTLS, rehandshaking needs to be done explicitly by servers when > > they get the GNUTLS_E_REHANDSHAKE error back from > > gnutls_record_recv. If servers don't call gnutls_handshake when > > that happens, there is no problem. So people can check their > > applications if they are vulnerable to this problem. > > For everyone's information, searching for "GNUTLS_E_REHANDSHAKE" in > code is not be sufficient: that only takes care of the situation > where the local client reacts on a renegotiation request from the > remote server. > > You also have to search for "gnutls_rehandshake" to take care of the > situation where the local server initiates the renegotiation request. I did a search for that in Red Hat Enterprise Linux sources and I've not found anything using it. Google codesearch finds it in mod_gnutls though. From a 30sec look, it may be using it in similar cases as mod_ssl / mod_nss. th. From trupti.wilankar at hp.com Thu Nov 19 11:43:22 2009 From: trupti.wilankar at hp.com (Wilankar, Trupti) Date: Thu, 19 Nov 2009 10:43:22 +0000 Subject: Help required for CSR validation In-Reply-To: <4B043998.8050102@gnutls.org> References: <0ED4D36695851D49AEA7D226C726B41D39A60854D0@GVW0440EXB.americas.hpqcorp.net> <4B043998.8050102@gnutls.org> Message-ID: <0ED4D36695851D49AEA7D226C726B41D39A60F37F8@GVW0440EXB.americas.hpqcorp.net> Hi Nikos, Thanks for the patch. Although the NULL fields are now visible in the CSR (as verified in OpenSSL), the CSR is still not acceptable by the CAs like Verisign, Thawte, GeoTrust etc. Verisign continues to give the error 'CSR encoding error. Submit a valid CSR.' Any thoughts as to what could be causing this issue. We have tried changing various parameters of the CSR like version, signature algorithm etc.. but nothing works. Regards, Trupti -----Original Message----- From: Nikos Mavrogiannopoulos [mailto:n.mavrogiannopoulos at gmail.com] On Behalf Of Nikos Mavrogiannopoulos Sent: Wednesday, November 18, 2009 11:45 PM To: Wilankar, Trupti Cc: gnutls-devel at gnu.org; Konjarla, Pavan; Amburle, Rohan Subject: Re: Help required for CSR validation Wilankar, Trupti wrote: > Hello, > > I am from the iTP WebServer development team. The webserver runs on the HP NonStop Kernel. We are enhancing the webserver to comply with the TLS 1.1 standards and are using GnuTLS to extend this support. > We are facing problems with regards to validation of the CSR generated using the GnuTLS APIs. > Though the CSR seems valid (as verified in OpenSSL and other online CSR decoders), CAs like Verisign, Thawte etc give an error while parsing the CSR. > > We generated CSRs with same DN attributes with GnuTLS and OpenSSL. After ASN1 parsing both the CSRs in OpenSSL, we found that the CSR generated by GnuTLS misses NULL paddings separating the CertificationRequestInfo, signatureAlgorithm and Signature. [...] > Is it possible that the CAs are unable to generate a valid certificate due to these NULL paddings or is there another reason why these CAs fail to parse the CSR. Hi, Thanks for bringing that up to me. Probably it might be some error in the parsing library of the CA. I attach you a quick fix and if it works for you I will add an option to encode using this format in certtool. regards, Nikos From simon at josefsson.org Thu Nov 19 18:17:43 2009 From: simon at josefsson.org (Simon Josefsson) Date: Thu, 19 Nov 2009 18:17:43 +0100 Subject: Help required for CSR validation In-Reply-To: <0ED4D36695851D49AEA7D226C726B41D39A60F37F8@GVW0440EXB.americas.hpqcorp.net> (Trupti Wilankar's message of "Thu, 19 Nov 2009 10:43:22 +0000") References: <0ED4D36695851D49AEA7D226C726B41D39A60854D0@GVW0440EXB.americas.hpqcorp.net> <4B043998.8050102@gnutls.org> <0ED4D36695851D49AEA7D226C726B41D39A60F37F8@GVW0440EXB.americas.hpqcorp.net> Message-ID: <878we2303s.fsf@mocca.josefsson.org> "Wilankar, Trupti" writes: > Hi Nikos, > Thanks for the patch. Although the NULL fields are now visible in the CSR (as verified in OpenSSL), the CSR is still not acceptable by the CAs like Verisign, Thawte, GeoTrust etc. Verisign continues to give the error 'CSR encoding error. Submit a valid CSR.' > Any thoughts as to what could be causing this issue. We have tried changing various parameters of the CSR like version, signature algorithm etc.. but nothing works. One common problem is that you add too much or too little information in the DN -- try just adding a CN of the hostname, and skip everything else, OR try make sure that all normal fields like O, OU, L, etc are filled in. I've used GnuTLS to generate CSRs for against some commercial CAs and it did work but required quite some testing to see what they expect -- but I assume when you use OpenSSL. You may also need a recent GnuTLS to make sure you assert the right key usage bits. /Simon > Regards, > Trupti > > -----Original Message----- > From: Nikos Mavrogiannopoulos [mailto:n.mavrogiannopoulos at gmail.com] On Behalf Of Nikos Mavrogiannopoulos > Sent: Wednesday, November 18, 2009 11:45 PM > To: Wilankar, Trupti > Cc: gnutls-devel at gnu.org; Konjarla, Pavan; Amburle, Rohan > Subject: Re: Help required for CSR validation > > Wilankar, Trupti wrote: >> Hello, >> >> I am from the iTP WebServer development team. The webserver runs on the HP NonStop Kernel. We are enhancing the webserver to comply with the TLS 1.1 standards and are using GnuTLS to extend this support. >> We are facing problems with regards to validation of the CSR generated using the GnuTLS APIs. >> Though the CSR seems valid (as verified in OpenSSL and other online CSR decoders), CAs like Verisign, Thawte etc give an error while parsing the CSR. >> >> We generated CSRs with same DN attributes with GnuTLS and OpenSSL. After ASN1 parsing both the CSRs in OpenSSL, we found that the CSR generated by GnuTLS misses NULL paddings separating the CertificationRequestInfo, signatureAlgorithm and Signature. > [...] >> Is it possible that the CAs are unable to generate a valid certificate due to these NULL paddings or is there another reason why these CAs fail to parse the CSR. > > Hi, > Thanks for bringing that up to me. Probably it might be some error in the parsing library of the CA. I attach you a quick fix and if it works for you I will add an option to encode using this format in certtool. > > regards, > Nikos From trupti.wilankar at hp.com Fri Nov 20 12:49:48 2009 From: trupti.wilankar at hp.com (Wilankar, Trupti) Date: Fri, 20 Nov 2009 11:49:48 +0000 Subject: Help required for CSR validation In-Reply-To: <878we2303s.fsf@mocca.josefsson.org> References: <0ED4D36695851D49AEA7D226C726B41D39A60854D0@GVW0440EXB.americas.hpqcorp.net> <4B043998.8050102@gnutls.org> <0ED4D36695851D49AEA7D226C726B41D39A60F37F8@GVW0440EXB.americas.hpqcorp.net> <878we2303s.fsf@mocca.josefsson.org> Message-ID: <0ED4D36695851D49AEA7D226C726B41D39A60F3D19@GVW0440EXB.americas.hpqcorp.net> Hello Simon, We have tried various combinations of DNs. But, we end up with the same error. We have ported GnuTLS 2.6.5 on our environment (HP NonStop Kernel). We have also downloaded Windows versions 2.8.5 and 2.9.9. CSRs generated by using certtool provided by the above 3 versions fail to get a valid certificate. We face the same problem when using GnuTLS APIs to generate a CSR. However, CSR generated by OpenSSL with the same DN fields and keys give us a valid trial certificate. We are kind of stuck and do not know how to proceed further. Any guidelines to generate a valid CSR (acceptable by CAs) would be of great help. Thanks, Trupti -----Original Message----- From: Simon Josefsson [mailto:simon at josefsson.org] Sent: Thursday, November 19, 2009 10:48 PM To: Wilankar, Trupti Cc: Nikos Mavrogiannopoulos; Konjarla, Pavan; gnutls-devel at gnu.org; Amburle, Rohan Subject: Re: Help required for CSR validation "Wilankar, Trupti" writes: > Hi Nikos, > Thanks for the patch. Although the NULL fields are now visible in the CSR (as verified in OpenSSL), the CSR is still not acceptable by the CAs like Verisign, Thawte, GeoTrust etc. Verisign continues to give the error 'CSR encoding error. Submit a valid CSR.' > Any thoughts as to what could be causing this issue. We have tried changing various parameters of the CSR like version, signature algorithm etc.. but nothing works. One common problem is that you add too much or too little information in the DN -- try just adding a CN of the hostname, and skip everything else, OR try make sure that all normal fields like O, OU, L, etc are filled in. I've used GnuTLS to generate CSRs for against some commercial CAs and it did work but required quite some testing to see what they expect -- but I assume when you use OpenSSL. You may also need a recent GnuTLS to make sure you assert the right key usage bits. /Simon > Regards, > Trupti > > -----Original Message----- > From: Nikos Mavrogiannopoulos [mailto:n.mavrogiannopoulos at gmail.com] On Behalf Of Nikos Mavrogiannopoulos > Sent: Wednesday, November 18, 2009 11:45 PM > To: Wilankar, Trupti > Cc: gnutls-devel at gnu.org; Konjarla, Pavan; Amburle, Rohan > Subject: Re: Help required for CSR validation > > Wilankar, Trupti wrote: >> Hello, >> >> I am from the iTP WebServer development team. The webserver runs on the HP NonStop Kernel. We are enhancing the webserver to comply with the TLS 1.1 standards and are using GnuTLS to extend this support. >> We are facing problems with regards to validation of the CSR generated using the GnuTLS APIs. >> Though the CSR seems valid (as verified in OpenSSL and other online CSR decoders), CAs like Verisign, Thawte etc give an error while parsing the CSR. >> >> We generated CSRs with same DN attributes with GnuTLS and OpenSSL. After ASN1 parsing both the CSRs in OpenSSL, we found that the CSR generated by GnuTLS misses NULL paddings separating the CertificationRequestInfo, signatureAlgorithm and Signature. > [...] >> Is it possible that the CAs are unable to generate a valid certificate due to these NULL paddings or is there another reason why these CAs fail to parse the CSR. > > Hi, > Thanks for bringing that up to me. Probably it might be some error in the parsing library of the CA. I attach you a quick fix and if it works for you I will add an option to encode using this format in certtool. > > regards, > Nikos From nmav at gnutls.org Sat Nov 21 20:10:05 2009 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Sat, 21 Nov 2009 21:10:05 +0200 Subject: Help required for CSR validation In-Reply-To: <0ED4D36695851D49AEA7D226C726B41D39A60F3D19@GVW0440EXB.americas.hpqcorp.net> References: <0ED4D36695851D49AEA7D226C726B41D39A60854D0@GVW0440EXB.americas.hpqcorp.net> <4B043998.8050102@gnutls.org> <0ED4D36695851D49AEA7D226C726B41D39A60F37F8@GVW0440EXB.americas.hpqcorp.net> <878we2303s.fsf@mocca.josefsson.org> <0ED4D36695851D49AEA7D226C726B41D39A60F3D19@GVW0440EXB.americas.hpqcorp.net> Message-ID: <4B083B0D.8070403@gnutls.org> Wilankar, Trupti wrote: > Hello Simon, > > We have tried various combinations of DNs. But, we end up with the same error. > We have ported GnuTLS 2.6.5 on our environment (HP NonStop Kernel). We have also downloaded Windows versions 2.8.5 and 2.9.9. > CSRs generated by using certtool provided by the above 3 versions fail to get a valid certificate. > We face the same problem when using GnuTLS APIs to generate a CSR. > > However, CSR generated by OpenSSL with the same DN fields and keys give us a valid trial certificate. > > We are kind of stuck and do not know how to proceed further. Any guidelines to generate a valid CSR (acceptable by CAs) would be of great help. Could you send me two identical CSRs one with openssl and the other with gnutls? From david.kirkby at onetel.net Sun Nov 22 03:38:06 2009 From: david.kirkby at onetel.net (Dr. David Kirkby) Date: Sun, 22 Nov 2009 02:38:06 +0000 Subject: GnuTLS 2.9.9 - uses non-portable option to grep. In-Reply-To: <874op29813.fsf@mocca.josefsson.org> References: <874op29813.fsf@mocca.josefsson.org> Message-ID: <4B08A40E.6000705@onetel.net> Simon Josefsson wrote: > The GnuTLS 2.9.x branch is NOT what you want for your stable system. It > is intended for developers and experienced users. > > Here are the compressed sources (6.1MB): > http://alpha.gnu.org/gnu/gnutls/gnutls-2.9.9.tar.bz2 Well, I'm neither, but I thought I'd give it a try for you on a Sun Ultra 27 running OpenSolaris. configure: summary of build options: version: 2.9.9 shared 42:4:16 Host type: i386-pc-solaris2.11 Install prefix: /usr/local Compiler: gcc -std=gnu99 Warning flags: errors: warnings: Library types: Shared=yes, Static=yes Valgrind: no Guile wrappers: no C++ library: yes OpenSSL library: yes PASS: openpgpself grep: illegal option -- q Usage: grep -hblcnsviw pattern file . . . RFC 2253 escaping not working? FAIL: rfc2253-escape-test =================================== 1 of 43 tests failed Please report to bug-gnutls at gnu.org =================================== -q which is an option to GNU grep is not supported by the standard grep in Solaris. (There is a POSIX compatible version at /usr/xpg4/bin/grep, but it is not the default grep in /usr/bin/grep.) It would be better to send the output of grep to /dev/null, as that will work on any grep. Dave From trupti.wilankar at hp.com Mon Nov 23 08:23:56 2009 From: trupti.wilankar at hp.com (Wilankar, Trupti) Date: Mon, 23 Nov 2009 07:23:56 +0000 Subject: Help required for CSR validation In-Reply-To: <4B083B0D.8070403@gnutls.org> References: <0ED4D36695851D49AEA7D226C726B41D39A60854D0@GVW0440EXB.americas.hpqcorp.net> <4B043998.8050102@gnutls.org> <0ED4D36695851D49AEA7D226C726B41D39A60F37F8@GVW0440EXB.americas.hpqcorp.net> <878we2303s.fsf@mocca.josefsson.org> <0ED4D36695851D49AEA7D226C726B41D39A60F3D19@GVW0440EXB.americas.hpqcorp.net> <4B083B0D.8070403@gnutls.org> Message-ID: <0ED4D36695851D49AEA7D226C726B41D39A6B17BC5@GVW0440EXB.americas.hpqcorp.net> Hi, I have used Certtool from GnuTLS Windows version 2.9.9. A 2048 bit private key was generated using Certtool (Command: certtool -p --outfile priv.key --bits 2048). This private key was used to create CSRs, both on OpenSSL and Certtool. The DN fields (C, CN, ST, L, O, OU) used in both CSRs are also same. CSR from OpenSSL: (Command: openssl req -new -nodes -key priv.key -out openssl.req) -----BEGIN CERTIFICATE REQUEST----- MIICtTCCAZ0CAQAwcDELMAkGA1UEBhMCSU4xFDASBgNVBAgTC01haGFyYXNodHJh MQ8wDQYDVQQHEwZNdW1iYWkxCzAJBgNVBAoTAkhQMQwwCgYDVQQLEwNORUQxHzAd BgNVBAMTFk5CVENTMDEudGNzaHAudGNwbi5jb20wggEiMA0GCSqGSIb3DQEBAQUA A4IBDwAwggEKAoIBAQCr466EI1r+P8ql3hSj9iTajyNF2D5hg4Q6+5F/V/3Kgcg7 TVpNp4Hoeq1UV7mHZ41ILCwydsy2zQTP9GGG4FiOsMfWUpBHutJmzsHDaiHrd+ZQ 4QrHS21iG6nOqhJ2R7d24H+aWlXqIniIJrZ7+qYUZyr06ViG75IZ9RLOzd9BLZeY TkIJEiHmApoh9oUcET31XJ1jbE+QsWD3pOFptEGBt3tq3uAGC4Fg91mQDMQdvsB4 coxUUJszoK6aPLQwhmKbXTmIE+9V83rp/4cyQGP7+xugt8xLzkuB/U0i2TqM0Io4 UUUUfuTXG0WTTB9w6DHjaa2udOhMRlAzZWVWQQZPAgMBAAGgADANBgkqhkiG9w0B AQQFAAOCAQEAMJR9MY1wzgAU6GqvQets13etdZwA/IxJhdBTWVtSRMWIydHFnOjB ZTEkB3vbW6YkenhKEd4Ok14DYD5UwB5p5KjdZZGzxSepYiE+orjLoz2A+RD0dNWj bXTH/3TIDZqHAXUVFnSjG3EpR0nIG/KctwYAJHRO7SLvi1qz1/VLc94k7ZjyV+ua vG+eSoqVVl4lSuEVxX2aHiIS4qETDZXGeGOqyj78ZlUpW3rqXT5H5SzzDVaSgi09 B/ElT1S5U2b7jFJGbtaw9JrYIaYyIxiHwsQyNYRR+SUhYfeqSCP0jPAu7Egf/ov6 Gp2XrVua/I+h281LN2TZZ1GVe7+VGxnYIg== -----END CERTIFICATE REQUEST----- CSR from Certtool: (Command: certtool --generate-request --load-privkey priv.key --outfile gnutls.req) -----BEGIN NEW CERTIFICATE REQUEST----- MIIC4DCCAcoCAQAwcDELMAkGA1UEBhMCSU4xCzAJBgNVBAoTAkhQMQwwCgYDVQQL EwNORUQxDzANBgNVBAcTBk11bWJhaTEUMBIGA1UECBMLTWFoYXJhc2h0cmExHzAd BgNVBAMTFk5CVENTMDEudGNzaHAudGNwbi5jb20wggEfMAsGCSqGSIb3DQEBAQOC AQ4AMIIBCQKCAQCr466EI1r+P8ql3hSj9iTajyNF2D5hg4Q6+5F/V/3Kgcg7TVpN p4Hoeq1UV7mHZ41ILCwydsy2zQTP9GGG4FiOsMfWUpBHutJmzsHDaiHrd+ZQ4QrH S21iG6nOqhJ2R7d24H+aWlXqIniIJrZ7+qYUZyr06ViG75IZ9RLOzd9BLZeYTkIJ EiHmApoh9oUcET31XJ1jbE+QsWD3pOFptEGBt3tq3uAGC4Fg91mQDMQdvsB4coxU UJszoK6aPLQwhmKbXTmIE+9V83rp/4cyQGP7+xugt8xLzkuB/U0i2TqM0Io4UUUU fuTXG0WTTB9w6DHjaa2udOhMRlAzZWVWQQZPAgMBAAGgMDAuBgkqhkiG9w0BCQ4x ITAfMAwGA1UdEwEB/wQCMAAwDwYDVR0PAQH/BAUDAweAADALBgkqhkiG9w0BAQUD ggEBAG4aCIve3sc/QjCctS7STGEp9WZ8t9OPLHlhX+hp07L4g9Nhi83Xk6Ses5pw z9dvn0+Bb34h+dnTjfsvsVwM2Kk5BII9gj1T12JsrbalJxlqAXkEu28w7/gJvR0q /a5wXS19/2pmmN9WpGVnSAeJ46tYG8nA2fPdACIG/QwYD1FW78NHn2NcFiYNKS9Q OR2ZXMYXYfiBaHUeudY4ve8Phlx5nmFF4mk30fC+I0pWGBXA04fbunSybnURjfh+ AdfL01LI6ShkfNLUywEq5/zmGA+HyGnBWjwlYBWlG6B0O4Yjtfye/qgqlBtXcQ7e f0HYlL3oOiHADwPtqJ9REuJb//s= -----END NEW CERTIFICATE REQUEST----- We were able to generate a trial certificate from VeriSign using the OpenSSL CSR but got the error ' CSR encoding error. Submit a valid CSR.' with Certtool CSR. Thanks, Trupti -----Original Message----- From: Nikos Mavrogiannopoulos [mailto:n.mavrogiannopoulos at gmail.com] On Behalf Of Nikos Mavrogiannopoulos Sent: Sunday, November 22, 2009 12:40 AM To: Wilankar, Trupti Cc: Simon Josefsson; Konjarla, Pavan; gnutls-devel at gnu.org; Amburle, Rohan Subject: Re: Help required for CSR validation Wilankar, Trupti wrote: > Hello Simon, > > We have tried various combinations of DNs. But, we end up with the same error. > We have ported GnuTLS 2.6.5 on our environment (HP NonStop Kernel). We have also downloaded Windows versions 2.8.5 and 2.9.9. > CSRs generated by using certtool provided by the above 3 versions fail to get a valid certificate. > We face the same problem when using GnuTLS APIs to generate a CSR. > > However, CSR generated by OpenSSL with the same DN fields and keys give us a valid trial certificate. > > We are kind of stuck and do not know how to proceed further. Any guidelines to generate a valid CSR (acceptable by CAs) would be of great help. Could you send me two identical CSRs one with openssl and the other with gnutls? From simon at josefsson.org Mon Nov 23 11:13:37 2009 From: simon at josefsson.org (Simon Josefsson) Date: Mon, 23 Nov 2009 11:13:37 +0100 Subject: GnuTLS 2.9.9 - uses non-portable option to grep. In-Reply-To: <4B08A40E.6000705@onetel.net> (David Kirkby's message of "Sun, 22 Nov 2009 02:38:06 +0000") References: <874op29813.fsf@mocca.josefsson.org> <4B08A40E.6000705@onetel.net> Message-ID: <876391v99q.fsf@mocca.josefsson.org> "Dr. David Kirkby" writes: > Simon Josefsson wrote: >> The GnuTLS 2.9.x branch is NOT what you want for your stable system. It >> is intended for developers and experienced users. >> >> Here are the compressed sources (6.1MB): >> http://alpha.gnu.org/gnu/gnutls/gnutls-2.9.9.tar.bz2 > > Well, I'm neither, but I thought I'd give it a try for you on a Sun > Ultra 27 running OpenSolaris. Thank you very much! > grep: illegal option -- q > Usage: grep -hblcnsviw pattern file . . . > RFC 2253 escaping not working? > FAIL: rfc2253-escape-test > =================================== > 1 of 43 tests failed > Please report to bug-gnutls at gnu.org > =================================== > > > -q which is an option to GNU grep is not supported by the standard > grep in Solaris. (There is a POSIX compatible version at > /usr/xpg4/bin/grep, but it is not the default grep in /usr/bin/grep.) > > It would be better to send the output of grep to /dev/null, as that > will work on any grep. I agree, and have fixed this now: http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=54e9b7ccb2bb724e7dffa4e2b6e7e7db2910ef16 Thanks, /Simon From dkg at fifthhorseman.net Mon Nov 23 19:58:57 2009 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Mon, 23 Nov 2009 13:58:57 -0500 Subject: Help required for CSR validation In-Reply-To: <0ED4D36695851D49AEA7D226C726B41D39A6B17BC5@GVW0440EXB.americas.hpqcorp.net> References: <0ED4D36695851D49AEA7D226C726B41D39A60854D0@GVW0440EXB.americas.hpqcorp.net> <4B043998.8050102@gnutls.org> <0ED4D36695851D49AEA7D226C726B41D39A60F37F8@GVW0440EXB.americas.hpqcorp.net> <878we2303s.fsf@mocca.josefsson.org> <0ED4D36695851D49AEA7D226C726B41D39A60F3D19@GVW0440EXB.americas.hpqcorp.net> <4B083B0D.8070403@gnutls.org> <0ED4D36695851D49AEA7D226C726B41D39A6B17BC5@GVW0440EXB.americas.hpqcorp.net> Message-ID: <4B0ADB71.4060107@fifthhorseman.net> On 11/23/2009 02:23 AM, Wilankar, Trupti wrote: > > CSR from OpenSSL: (Command: openssl req -new -nodes -key priv.key -out openssl.req) > > -----BEGIN CERTIFICATE REQUEST----- [...] > -----END CERTIFICATE REQUEST----- > > CSR from Certtool: (Command: certtool --generate-request --load-privkey priv.key --outfile gnutls.req) > > -----BEGIN NEW CERTIFICATE REQUEST----- [...] > -----END NEW CERTIFICATE REQUEST----- this is perhaps a long shot, but could it be the "NEW" that VeriSign doesn't like? can you try changing the header and footer lines and re-submitting? --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 891 bytes Desc: OpenPGP digital signature URL: From trupti.wilankar at hp.com Tue Nov 24 11:10:47 2009 From: trupti.wilankar at hp.com (Wilankar, Trupti) Date: Tue, 24 Nov 2009 10:10:47 +0000 Subject: Help required for CSR validation In-Reply-To: <4B0ADB71.4060107@fifthhorseman.net> References: <0ED4D36695851D49AEA7D226C726B41D39A60854D0@GVW0440EXB.americas.hpqcorp.net> <4B043998.8050102@gnutls.org> <0ED4D36695851D49AEA7D226C726B41D39A60F37F8@GVW0440EXB.americas.hpqcorp.net> <878we2303s.fsf@mocca.josefsson.org> <0ED4D36695851D49AEA7D226C726B41D39A60F3D19@GVW0440EXB.americas.hpqcorp.net> <4B083B0D.8070403@gnutls.org> <0ED4D36695851D49AEA7D226C726B41D39A6B17BC5@GVW0440EXB.americas.hpqcorp.net> <4B0ADB71.4060107@fifthhorseman.net> Message-ID: <0ED4D36695851D49AEA7D226C726B41D39A6B18185@GVW0440EXB.americas.hpqcorp.net> Hi Daniel, We had tried removing "NEW" from the header and footer in the Certtool CSR and then submitting the CSR. It still gives the same error. We even tried adding "NEW" in the header and footer lines in OpenSSL CSR and that works. So, apparently VeriSign does not have a problem with the "NEW" Regards, Trupti -----Original Message----- From: Daniel Kahn Gillmor [mailto:dkg at fifthhorseman.net] Sent: Tuesday, November 24, 2009 12:29 AM To: Wilankar, Trupti Cc: Nikos Mavrogiannopoulos; Konjarla, Pavan; Simon Josefsson; gnutls-devel at gnu.org; Amburle, Rohan Subject: Re: Help required for CSR validation On 11/23/2009 02:23 AM, Wilankar, Trupti wrote: > > CSR from OpenSSL: (Command: openssl req -new -nodes -key priv.key -out > openssl.req) > > -----BEGIN CERTIFICATE REQUEST----- [...] > -----END CERTIFICATE REQUEST----- > > CSR from Certtool: (Command: certtool --generate-request > --load-privkey priv.key --outfile gnutls.req) > > -----BEGIN NEW CERTIFICATE REQUEST----- [...] > -----END NEW CERTIFICATE REQUEST----- this is perhaps a long shot, but could it be the "NEW" that VeriSign doesn't like? can you try changing the header and footer lines and re-submitting? --dkg From nmav at gnutls.org Tue Nov 24 20:15:19 2009 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Tue, 24 Nov 2009 21:15:19 +0200 Subject: Help required for CSR validation In-Reply-To: <0ED4D36695851D49AEA7D226C726B41D39A6B17BC5@GVW0440EXB.americas.hpqcorp.net> References: <0ED4D36695851D49AEA7D226C726B41D39A60854D0@GVW0440EXB.americas.hpqcorp.net> <4B043998.8050102@gnutls.org> <0ED4D36695851D49AEA7D226C726B41D39A60F37F8@GVW0440EXB.americas.hpqcorp.net> <878we2303s.fsf@mocca.josefsson.org> <0ED4D36695851D49AEA7D226C726B41D39A60F3D19@GVW0440EXB.americas.hpqcorp.net> <4B083B0D.8070403@gnutls.org> <0ED4D36695851D49AEA7D226C726B41D39A6B17BC5@GVW0440EXB.americas.hpqcorp.net> Message-ID: <4B0C30C7.7050706@gnutls.org> Wilankar, Trupti wrote: > Hi, > > I have used Certtool from GnuTLS Windows version 2.9.9. > A 2048 bit private key was generated using Certtool (Command: certtool -p --outfile priv.key --bits 2048). > This private key was used to create CSRs, both on OpenSSL and Certtool. The DN fields (C, CN, ST, L, O, OU) used in both CSRs are also same. > > CSR from OpenSSL: (Command: openssl req -new -nodes -key priv.key -out openssl.req) Those certificate requests differ in the sense that the second has extensions. I suspect that you already tried without (from your first mail), but anyway a patch is attached to build without. In any case if you can please send one certificate with certtool that doesn't contain extensions and doesn't get accepted by the authority you try. (is there an easy way for me to try that?) best regards. Nikos > > -----BEGIN CERTIFICATE REQUEST----- > MIICtTCCAZ0CAQAwcDELMAkGA1UEBhMCSU4xFDASBgNVBAgTC01haGFyYXNodHJh > MQ8wDQYDVQQHEwZNdW1iYWkxCzAJBgNVBAoTAkhQMQwwCgYDVQQLEwNORUQxHzAd > BgNVBAMTFk5CVENTMDEudGNzaHAudGNwbi5jb20wggEiMA0GCSqGSIb3DQEBAQUA > A4IBDwAwggEKAoIBAQCr466EI1r+P8ql3hSj9iTajyNF2D5hg4Q6+5F/V/3Kgcg7 > TVpNp4Hoeq1UV7mHZ41ILCwydsy2zQTP9GGG4FiOsMfWUpBHutJmzsHDaiHrd+ZQ > 4QrHS21iG6nOqhJ2R7d24H+aWlXqIniIJrZ7+qYUZyr06ViG75IZ9RLOzd9BLZeY > TkIJEiHmApoh9oUcET31XJ1jbE+QsWD3pOFptEGBt3tq3uAGC4Fg91mQDMQdvsB4 > coxUUJszoK6aPLQwhmKbXTmIE+9V83rp/4cyQGP7+xugt8xLzkuB/U0i2TqM0Io4 > UUUUfuTXG0WTTB9w6DHjaa2udOhMRlAzZWVWQQZPAgMBAAGgADANBgkqhkiG9w0B > AQQFAAOCAQEAMJR9MY1wzgAU6GqvQets13etdZwA/IxJhdBTWVtSRMWIydHFnOjB > ZTEkB3vbW6YkenhKEd4Ok14DYD5UwB5p5KjdZZGzxSepYiE+orjLoz2A+RD0dNWj > bXTH/3TIDZqHAXUVFnSjG3EpR0nIG/KctwYAJHRO7SLvi1qz1/VLc94k7ZjyV+ua > vG+eSoqVVl4lSuEVxX2aHiIS4qETDZXGeGOqyj78ZlUpW3rqXT5H5SzzDVaSgi09 > B/ElT1S5U2b7jFJGbtaw9JrYIaYyIxiHwsQyNYRR+SUhYfeqSCP0jPAu7Egf/ov6 > Gp2XrVua/I+h281LN2TZZ1GVe7+VGxnYIg== > -----END CERTIFICATE REQUEST----- > > CSR from Certtool: (Command: certtool --generate-request --load-privkey priv.key --outfile gnutls.req) > > -----BEGIN NEW CERTIFICATE REQUEST----- > MIIC4DCCAcoCAQAwcDELMAkGA1UEBhMCSU4xCzAJBgNVBAoTAkhQMQwwCgYDVQQL > EwNORUQxDzANBgNVBAcTBk11bWJhaTEUMBIGA1UECBMLTWFoYXJhc2h0cmExHzAd > BgNVBAMTFk5CVENTMDEudGNzaHAudGNwbi5jb20wggEfMAsGCSqGSIb3DQEBAQOC > AQ4AMIIBCQKCAQCr466EI1r+P8ql3hSj9iTajyNF2D5hg4Q6+5F/V/3Kgcg7TVpN > p4Hoeq1UV7mHZ41ILCwydsy2zQTP9GGG4FiOsMfWUpBHutJmzsHDaiHrd+ZQ4QrH > S21iG6nOqhJ2R7d24H+aWlXqIniIJrZ7+qYUZyr06ViG75IZ9RLOzd9BLZeYTkIJ > EiHmApoh9oUcET31XJ1jbE+QsWD3pOFptEGBt3tq3uAGC4Fg91mQDMQdvsB4coxU > UJszoK6aPLQwhmKbXTmIE+9V83rp/4cyQGP7+xugt8xLzkuB/U0i2TqM0Io4UUUU > fuTXG0WTTB9w6DHjaa2udOhMRlAzZWVWQQZPAgMBAAGgMDAuBgkqhkiG9w0BCQ4x > ITAfMAwGA1UdEwEB/wQCMAAwDwYDVR0PAQH/BAUDAweAADALBgkqhkiG9w0BAQUD > ggEBAG4aCIve3sc/QjCctS7STGEp9WZ8t9OPLHlhX+hp07L4g9Nhi83Xk6Ses5pw > z9dvn0+Bb34h+dnTjfsvsVwM2Kk5BII9gj1T12JsrbalJxlqAXkEu28w7/gJvR0q > /a5wXS19/2pmmN9WpGVnSAeJ46tYG8nA2fPdACIG/QwYD1FW78NHn2NcFiYNKS9Q > OR2ZXMYXYfiBaHUeudY4ve8Phlx5nmFF4mk30fC+I0pWGBXA04fbunSybnURjfh+ > AdfL01LI6ShkfNLUywEq5/zmGA+HyGnBWjwlYBWlG6B0O4Yjtfye/qgqlBtXcQ7e > f0HYlL3oOiHADwPtqJ9REuJb//s= > -----END NEW CERTIFICATE REQUEST----- > > We were able to generate a trial certificate from VeriSign using the OpenSSL CSR but got the error ' CSR encoding error. Submit a valid CSR.' with Certtool CSR. > > Thanks, > Trupti -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: patch URL: From nmav at gnutls.org Tue Nov 24 20:34:25 2009 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Tue, 24 Nov 2009 21:34:25 +0200 Subject: Help required for CSR validation In-Reply-To: <0ED4D36695851D49AEA7D226C726B41D39A6B17BC5@GVW0440EXB.americas.hpqcorp.net> References: <0ED4D36695851D49AEA7D226C726B41D39A60854D0@GVW0440EXB.americas.hpqcorp.net> <4B043998.8050102@gnutls.org> <0ED4D36695851D49AEA7D226C726B41D39A60F37F8@GVW0440EXB.americas.hpqcorp.net> <878we2303s.fsf@mocca.josefsson.org> <0ED4D36695851D49AEA7D226C726B41D39A60F3D19@GVW0440EXB.americas.hpqcorp.net> <4B083B0D.8070403@gnutls.org> <0ED4D36695851D49AEA7D226C726B41D39A6B17BC5@GVW0440EXB.americas.hpqcorp.net> Message-ID: <4B0C3541.7000000@gnutls.org> Wilankar, Trupti wrote: > Hi, > > I have used Certtool from GnuTLS Windows version 2.9.9. > A 2048 bit private key was generated using Certtool (Command: certtool -p --outfile priv.key --bits 2048). > This private key was used to create CSRs, both on OpenSSL and Certtool. The DN fields (C, CN, ST, L, O, OU) used in both CSRs are also same. Could you also try this patch? I noticed that integers in bit strings in openssl contain a leading zero. This patch makes certtool behave the same. -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: patch-int URL: From bkasarov at gmail.com Tue Nov 24 20:54:22 2009 From: bkasarov at gmail.com (Boyan Kasarov) Date: Tue, 24 Nov 2009 21:54:22 +0200 Subject: Help required for CSR validation In-Reply-To: <4B0C3541.7000000@gnutls.org> References: <0ED4D36695851D49AEA7D226C726B41D39A60854D0@GVW0440EXB.americas.hpqcorp.net> <4B043998.8050102@gnutls.org> <0ED4D36695851D49AEA7D226C726B41D39A60F37F8@GVW0440EXB.americas.hpqcorp.net> <878we2303s.fsf@mocca.josefsson.org> <0ED4D36695851D49AEA7D226C726B41D39A60F3D19@GVW0440EXB.americas.hpqcorp.net> <4B083B0D.8070403@gnutls.org> <0ED4D36695851D49AEA7D226C726B41D39A6B17BC5@GVW0440EXB.americas.hpqcorp.net> <4B0C3541.7000000@gnutls.org> Message-ID: <1259092462.29095.43.camel@localhost> Hello, This patch works for RSA, but doesn't for DSA. Greetings Boyan ? 21:34 +0200 ?? 24.11.2009 (??), Nikos Mavrogiannopoulos ??????: > Wilankar, Trupti wrote: > > Hi, > > > > I have used Certtool from GnuTLS Windows version 2.9.9. > > A 2048 bit private key was generated using Certtool (Command: certtool -p --outfile priv.key --bits 2048). > > This private key was used to create CSRs, both on OpenSSL and Certtool. The DN fields (C, CN, ST, L, O, OU) used in both CSRs are also same. > > Could you also try this patch? I noticed that integers in bit strings in > openssl contain a leading zero. This patch makes certtool behave the same. > > ???????? ? ???????????? ????? ????????? ???? (patch-int) > diff --git a/lib/x509/mpi.c b/lib/x509/mpi.c > index dc18eaa..50ce873 100644 > --- a/lib/x509/mpi.c > +++ b/lib/x509/mpi.c > @@ -380,14 +380,14 @@ _gnutls_x509_write_rsa_params (bigint_t * params, int params_size, > return _gnutls_asn2err (result); > } > > - result = _gnutls_x509_write_int (spk, "modulus", params[0], 0); > + result = _gnutls_x509_write_int (spk, "modulus", params[0], 1); > if (result < 0) > { > gnutls_assert (); > goto cleanup; > } > > - result = _gnutls_x509_write_int (spk, "publicExponent", params[1], 0); > + result = _gnutls_x509_write_int (spk, "publicExponent", params[1], 1); > if (result < 0) > { > gnutls_assert (); > @@ -514,21 +514,21 @@ _gnutls_x509_write_dsa_params (bigint_t * params, int params_size, > return _gnutls_asn2err (result); > } > > - result = _gnutls_x509_write_int (spk, "p", params[0], 0); > + result = _gnutls_x509_write_int (spk, "p", params[0], 1); > if (result < 0) > { > gnutls_assert (); > goto cleanup; > } > > - result = _gnutls_x509_write_int (spk, "q", params[1], 0); > + result = _gnutls_x509_write_int (spk, "q", params[1], 1); > if (result < 0) > { > gnutls_assert (); > goto cleanup; > } > > - result = _gnutls_x509_write_int (spk, "g", params[2], 0); > + result = _gnutls_x509_write_int (spk, "g", params[2], 1); > if (result < 0) > { > gnutls_assert (); > @@ -580,7 +580,7 @@ _gnutls_x509_write_dsa_public_key (bigint_t * params, int params_size, > return _gnutls_asn2err (result); > } > > - result = _gnutls_x509_write_int (spk, "", params[3], 0); > + result = _gnutls_x509_write_int (spk, "", params[3], 1); > if (result < 0) > { > gnutls_assert (); > _______________________________________________ > Gnutls-devel mailing list > Gnutls-devel at gnu.org > http://lists.gnu.org/mailman/listinfo/gnutls-devel From nmav at gnutls.org Tue Nov 24 21:55:13 2009 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Tue, 24 Nov 2009 22:55:13 +0200 Subject: Help required for CSR validation In-Reply-To: <1259092462.29095.43.camel@localhost> References: <0ED4D36695851D49AEA7D226C726B41D39A60854D0@GVW0440EXB.americas.hpqcorp.net> <4B043998.8050102@gnutls.org> <0ED4D36695851D49AEA7D226C726B41D39A60F37F8@GVW0440EXB.americas.hpqcorp.net> <878we2303s.fsf@mocca.josefsson.org> <0ED4D36695851D49AEA7D226C726B41D39A60F3D19@GVW0440EXB.americas.hpqcorp.net> <4B083B0D.8070403@gnutls.org> <0ED4D36695851D49AEA7D226C726B41D39A6B17BC5@GVW0440EXB.americas.hpqcorp.net> <4B0C3541.7000000@gnutls.org> <1259092462.29095.43.camel@localhost> Message-ID: <4B0C4831.7060300@gnutls.org> Boyan Kasarov wrote: > Hello, > > This patch works for RSA, but doesn't for DSA. Hello, I do not understand. Did DSA keys got accepted before and now they don't or no matter the patch or not they don't get accepted? If that this the case, could you send me a DSA crq from gnutls that fails and a crq with the same information from say openssl that gets accepted by your CA? regards, Nikos From bkasarov at gmail.com Tue Nov 24 22:56:23 2009 From: bkasarov at gmail.com (Boyan Kasarov) Date: Tue, 24 Nov 2009 23:56:23 +0200 Subject: Help required for CSR validation In-Reply-To: <4B0C4831.7060300@gnutls.org> References: <0ED4D36695851D49AEA7D226C726B41D39A60854D0@GVW0440EXB.americas.hpqcorp.net> <4B043998.8050102@gnutls.org> <0ED4D36695851D49AEA7D226C726B41D39A60F37F8@GVW0440EXB.americas.hpqcorp.net> <878we2303s.fsf@mocca.josefsson.org> <0ED4D36695851D49AEA7D226C726B41D39A60F3D19@GVW0440EXB.americas.hpqcorp.net> <4B083B0D.8070403@gnutls.org> <0ED4D36695851D49AEA7D226C726B41D39A6B17BC5@GVW0440EXB.americas.hpqcorp.net> <4B0C3541.7000000@gnutls.org> <1259092462.29095.43.camel@localhost> <4B0C4831.7060300@gnutls.org> Message-ID: <1259099783.31433.93.camel@localhost> Hello, Soory for the short answer. Without the patch both RSA and DSA fail. With the patch RSA works, but DSA still doesn't. I am attaching 3 CSR. dsa-no-patch - this is without the patch, it does not work with VeriSign. dsa-patch - this is the patched version, it also does not work with VeriSign. dsa-openssl- this one is generated with openssl, it works with VeriSign. generate-request.c - I used this modified example from the documentation to generate the requests. I used VeriSign trial service from this link - http://www.verisign.com/ssl/buy-ssl-certificates/free-ssl-certificate-trial/index.html Greetings, Boyan ? 22:55 +0200 ?? 24.11.2009 (??), Nikos Mavrogiannopoulos ??????: > Boyan Kasarov wrote: > > Hello, > > > > This patch works for RSA, but doesn't for DSA. > > Hello, > I do not understand. Did DSA keys got accepted before and now they > don't or no matter the patch or not they don't get accepted? If that > this the case, could you send me a DSA crq from gnutls that fails and a > crq with the same information from say openssl that gets accepted by > your CA? > > regards, > Nikos -------------- next part -------------- A non-text attachment was scrubbed... Name: dsa-no-patch.pem Type: application/x-x509-ca-cert Size: 2318 bytes Desc: not available URL: -------------- next part -------------- Offset| Len |LenByte| ======+======+=======+====================================================================== 0| 1649| 3| SEQUENCE : 4| 1012| 3| SEQUENCE : 8| 1| 1| INTEGER : 0 11| 145| 2| SEQUENCE : 14| 11| 1| SET : 16| 9| 1| SEQUENCE : 18| 3| 1| OBJECT IDENTIFIER : countryName [2.5.4.6] 23| 2| 1| PRINTABLE STRING : 'GB' 27| 19| 1| SET : 29| 17| 1| SEQUENCE : 31| 3| 1| OBJECT IDENTIFIER : stateOrProvinceName [2.5.4.8] 36| 10| 1| PRINTABLE STRING : | | | 'HelloWorld' 48| 19| 1| SET : 50| 17| 1| SEQUENCE : 52| 3| 1| OBJECT IDENTIFIER : localityName [2.5.4.7] 57| 10| 1| PRINTABLE STRING : | | | 'HelloWorld' 69| 19| 1| SET : 71| 17| 1| SEQUENCE : 73| 3| 1| OBJECT IDENTIFIER : organizationName [2.5.4.10] 78| 10| 1| PRINTABLE STRING : | | | 'HelloWorld' 90| 19| 1| SET : 92| 17| 1| SEQUENCE : 94| 3| 1| OBJECT IDENTIFIER : organizationalUnitName [2.5.4.11] 99| 10| 1| PRINTABLE STRING : | | | 'HelloWorld' 111| 19| 1| SET : 113| 17| 1| SEQUENCE : 115| 3| 1| OBJECT IDENTIFIER : commonName [2.5.4.3] 120| 10| 1| PRINTABLE STRING : | | | 'HelloWorld' 132| 25| 1| SET : 134| 23| 1| SEQUENCE : 136| 9| 1| OBJECT IDENTIFIER : emailAddress [1.2.840.113549.1.9.1] 147| 10| 1| IA5 STRING : | | | 'HelloWorld' 159| 832| 3| SEQUENCE : 163| 563| 3| SEQUENCE : 167| 7| 1| OBJECT IDENTIFIER : dsa [1.2.840.10040.4.1] 176| 550| 3| SEQUENCE : 180| 256| 3| INTEGER : | | | EC74E240F166222E18158BBF610F682FC00A0C9BAE | | | 1C04C46CF4EC7D64593ACDF16B831E02CF8E5814AC | | | 831FA788004BCDADF9F9A0A3C2330C68677A6C2383 | | | ADAF8A523EFABBA19E0B353BEE16F38F1DA9A99573 | | | 33C19BB1535C73587C45EB0CAF3BE0B540B1F02029 | | | 5C8AA52875DABD0CD409A78D195F1215CE4A6F8E63 | | | C1B95BED3E1413B883F710865DD22F9942D6F14348 | | | 54B607B3ECF0EEB11A1FF122A583D79286FCCC9718 | | | 83CBE579FA07DA646BD73C940BB9D5FF0C50D779DD | | | CC5921E0D943671A7D7F3A48DB0A430956A7A501AF | | | 26D4A8633C9D24162769C9B655A622258B797E4F4F | | | 11C88C6963A4CC8E6FDC7AF7549A838C425B029F5C | | | E86920A3 440| 28| 1| INTEGER : | | | F76CB1617AA68DBA84F6D88281ECD8C3E2E67773D1 | | | 5CFFD56768EC4B 470| 256| 3| INTEGER : | | | 660979C1FF3156343A9269969987A49F474A8D6F3C | | | 444E907AC06479544EEF2785F6EE97A4C372E95DA6 | | | FCC9A3C1F74E4DC5DAA04A9B57F606FAB01EF88AF2 | | | FEBEC21944E589B7CC5EB1BC7B135D6A7753F690C8 | | | 5CD2D5B4430D4308CFD5D56535E66556213826D4E5 | | | C62EEC2154F74908583F59CDC97304795FF8C288ED | | | 13B412CE1F1F5513202A61087EAAAB04273CA36381 | | | 7B2D65CB52ED5629B0837BEE7D458D2C6B1D012F83 | | | 5B0DE22CCBC8B18B17CBA0A518AE7808DF422F1453 | | | FB69A8EF12400B2CBB4E653114344B57FD56B6C1CA | | | EB9BBBC2E3370B72EDD1797F48B7D5779D43B55A72 | | | 7CD20C2779E11CD6E4CFDFF050E4C6F87F9EBB20F8 | | | 27843860 730| 261| 3| BIT STRING UnusedBits:0 : 735| 256| 3| INTEGER : | | | 1998E929B534D6FB258A64D6517A39F60F429F146822D | | | A954E53FB453516459A74CF7CCBF6D96775B52292420E | | | 3BD9C2AAC2B0D8C1E923323264865CEBBFB7DEE18DB9F | | | AE31DFBD763A7E4CF1AE32E44203015E944B14086DE69 | | | 05D23B6BAFF544BCDE8CAB1602306A4F895A96035A5A5 | | | 2009CF38B364EE9DADA417E892A7271A6A9771B492298 | | | 55C7A8B03FBE71EF210A6746C8F1F710219ECA7C88EE6 | | | 318A9A2900606AD5FA6D402EB9F144EABF65F00F87AF0 | | | 03A7E4FB3AAE8DABC09827B8702FC7BA1B39FB6D9DB97 | | | 0969CA4CDE035D9B2C8AB9AFEDE9DE2C2669C7BD30D68 | | | 5DFD8F515A92EC4B25CAC399A1CF0639B12EBFF4658AF | | | ACE22FBEE1A1170C1 995| 23| 1| CONTEXT SPECIFIC (0) : 997| 21| 1| SEQUENCE : 999| 9| 1| OBJECT IDENTIFIER : challengePassword [1.2.840.113549.1.9.7] 1010| 8| 1| SET : 1012| 6| 1| PRINTABLE STRING : | | | '123456' 1020| 563| 3| SEQUENCE : 1024| 7| 1| OBJECT IDENTIFIER : dsaWithSha1 [1.2.840.10040.4.3] 1033| 550| 3| SEQUENCE : 1037| 256| 3| INTEGER : | | | EC74E240F166222E18158BBF610F682FC00A0C9BAE1C04C4 | | | 6CF4EC7D64593ACDF16B831E02CF8E5814AC831FA788004B | | | CDADF9F9A0A3C2330C68677A6C2383ADAF8A523EFABBA19E | | | 0B353BEE16F38F1DA9A9957333C19BB1535C73587C45EB0C | | | AF3BE0B540B1F020295C8AA52875DABD0CD409A78D195F12 | | | 15CE4A6F8E63C1B95BED3E1413B883F710865DD22F9942D6 | | | F1434854B607B3ECF0EEB11A1FF122A583D79286FCCC9718 | | | 83CBE579FA07DA646BD73C940BB9D5FF0C50D779DDCC5921 | | | E0D943671A7D7F3A48DB0A430956A7A501AF26D4A8633C9D | | | 24162769C9B655A622258B797E4F4F11C88C6963A4CC8E6F | | | DC7AF7549A838C425B029F5CE86920A3 1297| 28| 1| INTEGER : | | | F76CB1617AA68DBA84F6D88281ECD8C3E2E67773D15CFFD5 | | | 6768EC4B 1327| 256| 3| INTEGER : | | | 660979C1FF3156343A9269969987A49F474A8D6F3C444E90 | | | 7AC06479544EEF2785F6EE97A4C372E95DA6FCC9A3C1F74E | | | 4DC5DAA04A9B57F606FAB01EF88AF2FEBEC21944E589B7CC | | | 5EB1BC7B135D6A7753F690C85CD2D5B4430D4308CFD5D565 | | | 35E66556213826D4E5C62EEC2154F74908583F59CDC97304 | | | 795FF8C288ED13B412CE1F1F5513202A61087EAAAB04273C | | | A363817B2D65CB52ED5629B0837BEE7D458D2C6B1D012F83 | | | 5B0DE22CCBC8B18B17CBA0A518AE7808DF422F1453FB69A8 | | | EF12400B2CBB4E653114344B57FD56B6C1CAEB9BBBC2E337 | | | 0B72EDD1797F48B7D5779D43B55A727CD20C2779E11CD6E4 | | | CFDFF050E4C6F87F9EBB20F827843860 1587| 64| 1| BIT STRING UnusedBits:0 : 1590| 61| 1| SEQUENCE : 1592| 29| 1| INTEGER : | | | 00DA66983720B3091570356E132DBF6FF841A24C542ABA69 | | | F5290B9F48 1623| 28| 1| INTEGER : | | | 78C7D74BC280FC91EE574AD02694A75094A5086FBC529E01 | | | 840E65FA -------------- next part -------------- A non-text attachment was scrubbed... Name: dsa-patch.pem Type: application/x-x509-ca-cert Size: 2322 bytes Desc: not available URL: -------------- next part -------------- Offset| Len |LenByte| ======+======+=======+====================================================================== 0| 1652| 3| SEQUENCE : 4| 1014| 3| SEQUENCE : 8| 1| 1| INTEGER : 0 11| 145| 2| SEQUENCE : 14| 11| 1| SET : 16| 9| 1| SEQUENCE : 18| 3| 1| OBJECT IDENTIFIER : countryName [2.5.4.6] 23| 2| 1| PRINTABLE STRING : 'GB' 27| 19| 1| SET : 29| 17| 1| SEQUENCE : 31| 3| 1| OBJECT IDENTIFIER : stateOrProvinceName [2.5.4.8] 36| 10| 1| PRINTABLE STRING : | | | 'HelloWorld' 48| 19| 1| SET : 50| 17| 1| SEQUENCE : 52| 3| 1| OBJECT IDENTIFIER : localityName [2.5.4.7] 57| 10| 1| PRINTABLE STRING : | | | 'HelloWorld' 69| 19| 1| SET : 71| 17| 1| SEQUENCE : 73| 3| 1| OBJECT IDENTIFIER : organizationName [2.5.4.10] 78| 10| 1| PRINTABLE STRING : | | | 'HelloWorld' 90| 19| 1| SET : 92| 17| 1| SEQUENCE : 94| 3| 1| OBJECT IDENTIFIER : organizationalUnitName [2.5.4.11] 99| 10| 1| PRINTABLE STRING : | | | 'HelloWorld' 111| 19| 1| SET : 113| 17| 1| SEQUENCE : 115| 3| 1| OBJECT IDENTIFIER : commonName [2.5.4.3] 120| 10| 1| PRINTABLE STRING : | | | 'HelloWorld' 132| 25| 1| SET : 134| 23| 1| SEQUENCE : 136| 9| 1| OBJECT IDENTIFIER : emailAddress [1.2.840.113549.1.9.1] 147| 10| 1| IA5 STRING : | | | 'HelloWorld' 159| 834| 3| SEQUENCE : 163| 565| 3| SEQUENCE : 167| 7| 1| OBJECT IDENTIFIER : dsa [1.2.840.10040.4.1] 176| 552| 3| SEQUENCE : 180| 257| 3| INTEGER : | | | 00BD538597A862A719429AEA56B1F972DB9EDB9E4F | | | 15280BFE3D69E2E2E8BB0BEBC56D1F81450A439EC0 | | | C5BB63C5C2386267680FBEBAD4B03980C2AEC80D1F | | | A279624D45BE66D6C252B8C50FDFB6645E30F99E71 | | | 345BA2741CF61A44DB5725B3B5346711A1584A2F2A | | | A47D520709C48BDCDC1769E768A322B663160DA70C | | | 72C9398C60D1D4D3AD0E40DB03532EF4CA9E0AAE3C | | | F467603DBD3555DE1512328E7B72EEDEEDD06C9F3C | | | A0C9EA4E54AC6A03E998A61A67438A5924713CB57C | | | D2ED9FA3AD1E814766ADE089D48B30A9ABC7500268 | | | 5669F1A5F6E25CAE6B6A63136E6470E1E90D17A4F2 | | | 98D0D159982D46A8183BBF3071EB430B47168E00A3 | | | 4E2F18B3BB 441| 29| 1| INTEGER : | | | 009D1B57C18AE27EF5A5D678FB8644E28C65CF463F | | | 063DB578243A045D 472| 256| 3| INTEGER : | | | 185D4A09AF58A210A7955C7FC5FE5A9544054EEDD4 | | | C66E666780C7E012F1EAE1B1B9B2D423EEDD85FF4F | | | 459124782BF54985674911AA3D9FDA4076F71738B4 | | | CD2E6351208635A33617BFB2B520C6E989DC5F98DC | | | 8671B31491907BCDF66178264615702D4ED201EBF2 | | | 3C10127774B4D55D55A2C7FA60BC0AC64E09CCA253 | | | B46F92B9CF13EF9E49232C7E10F0FD7CF6ACA8E6AA | | | CD359967972AE003260A36B2AC4781E885DF3342C3 | | | 68BE4FC9DA52C05A81EF2EB6C53DF9F0A7E36E8F06 | | | 0B21EB77ED12E0738D93C8C6658611ECA0AE5534F1 | | | 4E48A02F003BE081C6391ABBA9C4F120B7787B5DB2 | | | 9954E85FE006392B089888B0B38063201128899A0A | | | 2728EC3E 732| 261| 3| BIT STRING UnusedBits:0 : 737| 256| 3| INTEGER : | | | 0511690574AD3A85637B39281E5474AC7FB210F6CD1D0 | | | 2CA46FC7EAF80930DBB804F202BC261D020E249D4FCF1 | | | 6372A1DEF9211E98685C28F6A20963974BB10134EACF4 | | | 4220002E2F9B916BDD8CD9529A2DA7C19D187BD3A732B | | | AA350923A09E019B0838BC7CD6145635B2F3E4E814201 | | | 41FE2EBEF43087B149D0E6CA5FB7A2F5BB42060DBB326 | | | 686EFD6FD1287D330CF52BBC3B20E9CB42C8BC7F925C5 | | | 993CBA21896C45D5A27113C0AF13E2FDB37BC4850ED7F | | | F2EED0CB2563BF143CD7AE31C8EDF96D1371B63D12F52 | | | BFB30853FD7F87DDDF43CBFA1BAF04FE2B3C417F3D7D8 | | | 7638708EDC2E2797A570CCD8131DC55EF60EBB60771B6 | | | 68726B041F084051A 997| 23| 1| CONTEXT SPECIFIC (0) : 999| 21| 1| SEQUENCE : 1001| 9| 1| OBJECT IDENTIFIER : challengePassword [1.2.840.113549.1.9.7] 1012| 8| 1| SET : 1014| 6| 1| PRINTABLE STRING : | | | '123456' 1022| 565| 3| SEQUENCE : 1026| 7| 1| OBJECT IDENTIFIER : dsaWithSha1 [1.2.840.10040.4.3] 1035| 552| 3| SEQUENCE : 1039| 257| 3| INTEGER : | | | 00BD538597A862A719429AEA56B1F972DB9EDB9E4F15280B | | | FE3D69E2E2E8BB0BEBC56D1F81450A439EC0C5BB63C5C238 | | | 6267680FBEBAD4B03980C2AEC80D1FA279624D45BE66D6C2 | | | 52B8C50FDFB6645E30F99E71345BA2741CF61A44DB5725B3 | | | B5346711A1584A2F2AA47D520709C48BDCDC1769E768A322 | | | B663160DA70C72C9398C60D1D4D3AD0E40DB03532EF4CA9E | | | 0AAE3CF467603DBD3555DE1512328E7B72EEDEEDD06C9F3C | | | A0C9EA4E54AC6A03E998A61A67438A5924713CB57CD2ED9F | | | A3AD1E814766ADE089D48B30A9ABC75002685669F1A5F6E2 | | | 5CAE6B6A63136E6470E1E90D17A4F298D0D159982D46A818 | | | 3BBF3071EB430B47168E00A34E2F18B3BB 1300| 29| 1| INTEGER : | | | 009D1B57C18AE27EF5A5D678FB8644E28C65CF463F063DB5 | | | 78243A045D 1331| 256| 3| INTEGER : | | | 185D4A09AF58A210A7955C7FC5FE5A9544054EEDD4C66E66 | | | 6780C7E012F1EAE1B1B9B2D423EEDD85FF4F459124782BF5 | | | 4985674911AA3D9FDA4076F71738B4CD2E6351208635A336 | | | 17BFB2B520C6E989DC5F98DC8671B31491907BCDF6617826 | | | 4615702D4ED201EBF23C10127774B4D55D55A2C7FA60BC0A | | | C64E09CCA253B46F92B9CF13EF9E49232C7E10F0FD7CF6AC | | | A8E6AACD359967972AE003260A36B2AC4781E885DF3342C3 | | | 68BE4FC9DA52C05A81EF2EB6C53DF9F0A7E36E8F060B21EB | | | 77ED12E0738D93C8C6658611ECA0AE5534F14E48A02F003B | | | E081C6391ABBA9C4F120B7787B5DB29954E85FE006392B08 | | | 9888B0B38063201128899A0A2728EC3E 1591| 63| 1| BIT STRING UnusedBits:0 : 1594| 60| 1| SEQUENCE : 1596| 28| 1| INTEGER : | | | 782E4EC5E388E504A91F588840D89BD91548D2F4725FE62B | | | ADA5D9A7 1626| 28| 1| INTEGER : | | | 7C1A5BBBC3FF2A58318E88692DAF0FC4A79713012B43434A | | | 854DAB8F -------------- next part -------------- A non-text attachment was scrubbed... Name: generate-request.c Type: text/x-csrc Size: 2459 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: dsa-openssl.pem Type: application/x-x509-ca-cert Size: 1529 bytes Desc: not available URL: -------------- next part -------------- Offset| Len |LenByte| ======+======+=======+====================================================================== 0| 1072| 3| SEQUENCE : 4| 1007| 3| SEQUENCE : 8| 1| 1| INTEGER : 0 11| 145| 2| SEQUENCE : 14| 11| 1| SET : 16| 9| 1| SEQUENCE : 18| 3| 1| OBJECT IDENTIFIER : countryName [2.5.4.6] 23| 2| 1| PRINTABLE STRING : 'GB' 27| 19| 1| SET : 29| 17| 1| SEQUENCE : 31| 3| 1| OBJECT IDENTIFIER : stateOrProvinceName [2.5.4.8] 36| 10| 1| PRINTABLE STRING : | | | 'HelloWorld' 48| 19| 1| SET : 50| 17| 1| SEQUENCE : 52| 3| 1| OBJECT IDENTIFIER : localityName [2.5.4.7] 57| 10| 1| PRINTABLE STRING : | | | 'HelloWorld' 69| 19| 1| SET : 71| 17| 1| SEQUENCE : 73| 3| 1| OBJECT IDENTIFIER : organizationName [2.5.4.10] 78| 10| 1| PRINTABLE STRING : | | | 'HelloWorld' 90| 19| 1| SET : 92| 17| 1| SEQUENCE : 94| 3| 1| OBJECT IDENTIFIER : organizationalUnitName [2.5.4.11] 99| 10| 1| PRINTABLE STRING : | | | 'HelloWorld' 111| 19| 1| SET : 113| 17| 1| SEQUENCE : 115| 3| 1| OBJECT IDENTIFIER : commonName [2.5.4.3] 120| 10| 1| PRINTABLE STRING : | | | 'HelloWorld' 132| 25| 1| SET : 134| 23| 1| SEQUENCE : 136| 9| 1| OBJECT IDENTIFIER : emailAddress [1.2.840.113549.1.9.1] 147| 10| 1| IA5 STRING : | | | 'HelloWorld' 159| 827| 3| SEQUENCE : 163| 558| 3| SEQUENCE : 167| 7| 1| OBJECT IDENTIFIER : dsa [1.2.840.10040.4.1] 176| 545| 3| SEQUENCE : 180| 257| 3| INTEGER : | | | 00CA6AA5D961C122E803AFC4DC215440C31AF21DBB | | | 8B4E32138D1BAAB0E8EBED2623B10AD41FCDF10EF2 | | | 38162D6F838707389AB4F9FE3A9DA8482EDA94DC72 | | | 579776478A36419E2EFA157908AA284BAC55E9AABB | | | 677114615BCF9B83F8364BC582D04CAB89E21C69E0 | | | 4D72BEDB1558386FB0A867787576EB3B9629A68A2E | | | 0C6B9F76DC96568FB1B1C5222215C9A3F1071EDD79 | | | EA0055E2649AE0B3EC234CEB7C25EFD26061F77836 | | | 4F120877A282A5BDA015ED9521AC5ABF7A588859A5 | | | 2E9691CB816F739AE2FAABAD11B34E5EB86A607F74 | | | 2DC927A89934005706DEE7EFB167DF4DFD7F1632F1 | | | B2C0EC674CC95CD0E46E53687DDAAD8DC22485BAFE | | | AD1C36DCA5 441| 21| 1| INTEGER : | | | 00B2381ABDC2E070F172E2BB1ECE6E8F3C54AB98CB 464| 257| 3| INTEGER : | | | 00AEF9955B3AE9D1E0FA2E1520F12C0381EFA252C7 | | | BF958B881466ADA04565BE9635C1E6BA15FB6CA258 | | | BD2F800A1829EA2E6621CA62C7E32D7E6ACF3B10C6 | | | 2936D6DE4BD4AE4ED2F78319B701337BB11A699C3B | | | 8D4C13D38355AA8730781935B9345CF8581D9BDFB4 | | | F56E875D6EC1902EAD64DC2608179CA867F6126075 | | | 333FBB345B27ED8A3FA332C87317327BFFDBC185B4 | | | 3A53C72C4E98F01BC7296C98E66F41F54090CA65EB | | | F013E515ACB15EDDE1684A1BACA02CD4FE982756DD | | | CF4B74BF1CCDD3110D490426CDA0D72A0E3A6A4BDC | | | 5F7C855D92A0F6AC45872C1AC4F85C2CD96CF1C98C | | | 6DD41B16EB42DA58DD9783BAC394C67F27C83FE748 | | | A39A00AF42 725| 261| 3| BIT STRING UnusedBits:0 : 730| 256| 3| INTEGER : | | | 4BCAB085BD81CA06C0FD13CBEB555CDD0A6DB0650EC63 | | | C64C5BF0CEC3D6133387452DA5982610ACBE4AF1A31DC | | | A719CF90D4455D5B664B3E8478D2B146638F6F8140871 | | | F1AD064A835EF1868CD1EDFE698E25AD77903F4F6C40E | | | 0B3656CEF63905049785A62039554F61BF905E07F0E8F | | | 1479C4BDEBE3F9FE3872B31D385AB952F44F9471C24BD | | | 2BCDF736E72E73BBA02336FA322824C564D4B59882BC9 | | | A4BA612658A4490334DCE026EDA0142A5C409C8510E9B | | | 764FE96A11D7303565CB439573C65D1F6C450F5407E24 | | | BA944466DAF2BEB6D65E52CF4326DBBA63687798E72F0 | | | 9E44F7184C292D790D81B7AF1EA6A3CAF08D92A2A0E5F | | | 35C3CE6055E27B97D 990| 23| 1| CONTEXT SPECIFIC (0) : 992| 21| 1| SEQUENCE : 994| 9| 1| OBJECT IDENTIFIER : challengePassword [1.2.840.113549.1.9.7] 1005| 8| 1| SET : 1007| 6| 1| PRINTABLE STRING : | | | '123456' 1015| 9| 1| SEQUENCE : 1017| 7| 1| OBJECT IDENTIFIER : dsaWithSha1 [1.2.840.10040.4.3] 1026| 48| 1| BIT STRING UnusedBits:0 : 1029| 45| 1| SEQUENCE : 1031| 21| 1| INTEGER : | | | 00AA44085D22ED2E7F9F092C889AEFA09A7CED3C3C 1054| 20| 1| INTEGER : | | | 5C28C370092B18F6491303196E1F11384C61FE9F From david.kirkby at onetel.net Wed Nov 25 02:57:27 2009 From: david.kirkby at onetel.net (Dr. David Kirkby) Date: Wed, 25 Nov 2009 01:57:27 +0000 Subject: gnutls-2.2.1 fails to build on HP-UX Message-ID: <4B0C8F07.6060205@onetel.net> In the Sage project, gnutls is causing a problem on both OpenSolaris and HP-UX. The latter is not a supported OS, but I have tried building parts of Sage on it. This is the HP-UX error. http://trac.sagemath.org/sage_trac/ticket/7511 Any thoughts why this may be happening? We tried a later version, and that was causing problems not only on HP-UX and OpenSolaris, but also on Solaris 10 (SPARC). If any developer needs access to a Solaris 10 (SPARC) or HP-UX 11.11 (PA-RISC) processor, I can provide it. The SPARC is a newish 16-core machine. The latter is an old machine I personally own, but do allow others access to it. Dave From dlphsharma at gmail.com Wed Nov 25 08:05:38 2009 From: dlphsharma at gmail.com (Ravi Sharma) Date: Tue, 24 Nov 2009 23:05:38 -0800 (PST) Subject: Invitation to connect on LinkedIn Message-ID: <1804954522.8986017.1259132738817.JavaMail.app@ech3-cdn13.prod> LinkedIn ------------ I'd like to add you to my professional network on LinkedIn. - Ravi Confirm that you know Ravi Sharma https://www.linkedin.com/e/isd/887212062/s1Z2m7wA/ Every day, millions of professionals like Ravi Sharma use LinkedIn to connect with colleagues, find experts, and explore opportunities. ------ (c) 2009, LinkedIn Corporation -------------- next part -------------- An HTML attachment was scrubbed... URL: From lfinsto at gwdg.de Wed Nov 25 10:03:22 2009 From: lfinsto at gwdg.de (lfinsto at gwdg.de) Date: Wed, 25 Nov 2009 10:03:22 +0100 (CET) Subject: Build error on 64-bit machine Message-ID: <38097.134.76.5.25.1259139802.squirrel@mailbox.gwdg.de> Hello, When following the instructions for building GNUTLS using `autoreconf' on a 64-bit machine (x86_64) with Linux kernel version 2.6.27.29-0.1-default (OpenSuse), I got the following error: serv.c: In function 'main': serv.c:1170: error: cast to pointer from integer of different size [-Wint-to-pointer-cast] make[3]: *** [serv.o] Error 1 make[3]: Leaving directory `/home/lfinsto/gnutls/src' make[2]: *** [all-recursive] Error 1 make[2]: Leaving directory `/home/lfinsto/gnutls/src' make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory `/home/lfinsto/gnutls' make: *** [all] Error 2 The version of GNUTLS was from the GIT repository on Nov. 18, 2009; version 2.9.10, assuming the version numbers of `certtool' and `gnutls-cli' correspond with the package version numbers. I was able to build the package by calling `configure' with the appropriate argument for turning off the option for treating warnings as errors, etc. Laurence Finston From trupti.wilankar at hp.com Wed Nov 25 13:14:22 2009 From: trupti.wilankar at hp.com (Wilankar, Trupti) Date: Wed, 25 Nov 2009 12:14:22 +0000 Subject: Help required for CSR validation In-Reply-To: <4B0C3541.7000000@gnutls.org> References: <0ED4D36695851D49AEA7D226C726B41D39A60854D0@GVW0440EXB.americas.hpqcorp.net> <4B043998.8050102@gnutls.org> <0ED4D36695851D49AEA7D226C726B41D39A60F37F8@GVW0440EXB.americas.hpqcorp.net> <878we2303s.fsf@mocca.josefsson.org> <0ED4D36695851D49AEA7D226C726B41D39A60F3D19@GVW0440EXB.americas.hpqcorp.net> <4B083B0D.8070403@gnutls.org> <0ED4D36695851D49AEA7D226C726B41D39A6B17BC5@GVW0440EXB.americas.hpqcorp.net> <4B0C3541.7000000@gnutls.org> Message-ID: <0ED4D36695851D49AEA7D226C726B41D39A6B1873D@GVW0440EXB.americas.hpqcorp.net> Hi Nikos, Thanks for the patch. CSR generated by Certtool is now accepted by VeriSign. Regards, Trupti -----Original Message----- From: Nikos Mavrogiannopoulos [mailto:n.mavrogiannopoulos at gmail.com] On Behalf Of Nikos Mavrogiannopoulos Sent: Wednesday, November 25, 2009 1:04 AM To: Wilankar, Trupti Cc: Simon Josefsson; Konjarla, Pavan; gnutls-devel at gnu.org; Amburle, Rohan Subject: Re: Help required for CSR validation Wilankar, Trupti wrote: > Hi, > > I have used Certtool from GnuTLS Windows version 2.9.9. > A 2048 bit private key was generated using Certtool (Command: certtool -p --outfile priv.key --bits 2048). > This private key was used to create CSRs, both on OpenSSL and Certtool. The DN fields (C, CN, ST, L, O, OU) used in both CSRs are also same. Could you also try this patch? I noticed that integers in bit strings in openssl contain a leading zero. This patch makes certtool behave the same. From simon at josefsson.org Thu Nov 26 11:18:19 2009 From: simon at josefsson.org (Simon Josefsson) Date: Thu, 26 Nov 2009 11:18:19 +0100 Subject: gnutls-2.2.1 fails to build on HP-UX In-Reply-To: <4B0C8F07.6060205@onetel.net> (David Kirkby's message of "Wed, 25 Nov 2009 01:57:27 +0000") References: <4B0C8F07.6060205@onetel.net> Message-ID: <87iqcxfv2s.fsf@mocca.josefsson.org> "Dr. David Kirkby" writes: > In the Sage project, gnutls is causing a problem on both OpenSolaris > and HP-UX. The latter is not a supported OS, but I have tried building > parts of Sage on it. > > This is the HP-UX error. > > http://trac.sagemath.org/sage_trac/ticket/7511 > > Any thoughts why this may be happening? HP-UX doesn't have sockaddr_storage, but I believe gnulib should work around that problem -- however that is probably only in much more recent GnuTLS releases than the 2.2.1 that you used. > We tried a later version, and that was causing problems not only on > HP-UX and OpenSolaris, but also on Solaris 10 (SPARC). Details? The recent releases should work relatively fine on Solaris, we've merged several patches for it lately. Unless you back-port security fixes to 2.2.x, you want to use the 2.8.x release to get proper security fixes. > If any developer needs access to a Solaris 10 (SPARC) or HP-UX 11.11 > (PA-RISC) processor, I can provide it. The SPARC is a newish 16-core > machine. The latter is an old machine I personally own, but do allow > others access to it. You sent me login info on this earlier (thanks!), but I haven't had time to test it yet -- will try to do it soon. /Simon From nmav at gnutls.org Thu Nov 26 23:27:11 2009 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Fri, 27 Nov 2009 00:27:11 +0200 Subject: Help required for CSR validation In-Reply-To: <1259099783.31433.93.camel@localhost> References: <0ED4D36695851D49AEA7D226C726B41D39A60854D0@GVW0440EXB.americas.hpqcorp.net> <4B043998.8050102@gnutls.org> <0ED4D36695851D49AEA7D226C726B41D39A60F37F8@GVW0440EXB.americas.hpqcorp.net> <878we2303s.fsf@mocca.josefsson.org> <0ED4D36695851D49AEA7D226C726B41D39A60F3D19@GVW0440EXB.americas.hpqcorp.net> <4B083B0D.8070403@gnutls.org> <0ED4D36695851D49AEA7D226C726B41D39A6B17BC5@GVW0440EXB.americas.hpqcorp.net> <4B0C3541.7000000@gnutls.org> <1259092462.29095.43.camel@localhost> <4B0C4831.7060300@gnutls.org> <1259099783.31433.93.camel@localhost> Message-ID: <4B0F00BF.5030001@gnutls.org> Boyan Kasarov wrote: > Hello, > > Soory for the short answer. Without the patch both RSA and DSA fail. > With the patch RSA works, but DSA still doesn't. > > I am attaching 3 CSR. Thank you. From a quick glimpse it seems there might be a problem with the certtool's dsa structure. I'll check it as soon as I can. regards, Nikos From nmav at gnutls.org Fri Nov 27 23:50:41 2009 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Sat, 28 Nov 2009 00:50:41 +0200 Subject: Help required for CSR validation In-Reply-To: <1259099783.31433.93.camel@localhost> References: <0ED4D36695851D49AEA7D226C726B41D39A60854D0@GVW0440EXB.americas.hpqcorp.net> <4B043998.8050102@gnutls.org> <0ED4D36695851D49AEA7D226C726B41D39A60F37F8@GVW0440EXB.americas.hpqcorp.net> <878we2303s.fsf@mocca.josefsson.org> <0ED4D36695851D49AEA7D226C726B41D39A60F3D19@GVW0440EXB.americas.hpqcorp.net> <4B083B0D.8070403@gnutls.org> <0ED4D36695851D49AEA7D226C726B41D39A6B17BC5@GVW0440EXB.americas.hpqcorp.net> <4B0C3541.7000000@gnutls.org> <1259092462.29095.43.camel@localhost> <4B0C4831.7060300@gnutls.org> <1259099783.31433.93.camel@localhost> Message-ID: <4B1057C1.1030802@gnutls.org> Boyan Kasarov wrote: > Soory for the short answer. Without the patch both RSA and DSA fail. > With the patch RSA works, but DSA still doesn't. It should be now fixed with this patch. This patch removed some optional parameters that were added for DSA. It seems that verisign didn't like them to be there. best regards, Nikos -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: patch.dsa.crq URL: From david.kirkby at onetel.net Sun Nov 29 02:06:50 2009 From: david.kirkby at onetel.net (Dr. David Kirkby) Date: Sun, 29 Nov 2009 01:06:50 +0000 Subject: gnutls failure on Solaris 10 update 7 gcc 4.4.1 Message-ID: <4B11C92A.5010507@onetel.net> I reported on the thread: "gnutls-2.2.1 fails to build on HP-UX" that upgrading to a later version of gnutls had not solved the problem on HP-UX, but had created one on Solaris 10. Simon Josefsson asked for the details, so here they are. (I thought it appropriate to start a new thread). The setup is * Sun Blade 2000, 2 x 1200 MHz UltraSPARC III+ processors * 8 GB RAM. * gcc 4.4.1 configured to use the Sun linker and assembler. * Solaris 10 update 7 (released 05/2009) * GNU make * Nothing from GNU binutils - as, ar, ld, ranlib etc are all Sun. This build took place inside Sage, but all that does is configure gnutls with some options, which I list below. Sage is a large bit of maths software http://www.sagemath.org/ which includes gnutls 2.2.1, but I created a new package for Sage, using gnutls 2.8.5. But the build script it simply configures it as below. I've left a note which is in the build script, which may not be appropriate any more. You may wish to comment on that. # --disable-cxx is needed to compile on OSX. # See http://www.nabble.com/%22gnutls%22-under-Darwin-%28was%3A-CVS-commit%3A-pkgsrc-security-gnutls%29-tf3062958.html#a8573149 ./configure --prefix="$SAGE_LOCAL" --enable-shared --disable-static --disable-cxx --enable-guile=no Whether there are more appropriate options I do not know. Note, gcc is configured to use both the Sun linker and assembler - not GNU ones. This might be relevant to the final error message. gnutls-2.8.5/src/src/tests.h gnutls-2.8.5/src/src/psk-gaa.c gnutls-2.8.5/src/src/tls_test-gaa.h gnutls-2.8.5/src/src/prime.c gnutls-2.8.5/src/src/serv-gaa.c gnutls-2.8.5/src/src/serv.gaa gnutls-2.8.5/src/configure.ac Finished extraction **************************************************** Host system uname -a: SunOS swan 5.10 Generic_141444-09 sun4u sparc SUNW,Sun-Blade-1000 **************************************************** **************************************************** CC Version gcc -v Using built-in specs. Target: sparc-sun-solaris2.10 Configured with: ../gcc-4.4.1/configure --prefix=/usr/local/gcc-4.4.1-sun-linker/ --with-as=/usr/ccs/bin/as --without-gnu-as --with-ld=/usr/ccs/bin/ld --without-gnu-ld --enable-languages=c,c++,fortran --with-mpfr-include=/usr/local/include --with-mpfr-lib=/usr/local/lib --with-gmp-include=/usr/local/include --with-gmp-lib=/usr/local/lib CC=/usr/sfw/bin/gcc CXX=/usr/sfw/bin/g++ LDFLAGS='-R /usr/local/lib -L /usr/local/lib' Thread model: posix gcc version 4.4.1 (GCC) **************************************************** Deleting old gnutls libraries in /export/home/drkirkby/sage-4.2.1/local/lib checking for a BSD-compatible install... /usr/local/bin/ginstall -c checking whether build environment is sane... yes checking for a thread-safe mkdir -p... build-aux/install-sh -c -d checking for gawk... no checking for mawk... no checking for nawk... nawk checking whether make sets $(MAKE)... yes *** *** Checking for compilation programs... checking for gcc... gcc checking for C compiler default output file name... a.out checking whether the C compiler works... yes checking whether we are cross compiling... no checking for suffix of executables... checking for suffix of object files... o checking whether we are using the GNU C compiler... yes checking whether gcc accepts -g... yes checking for gcc option to accept ISO C89... none needed checking for style of include used by make... GNU checking dependency style of gcc... gcc3 checking whether ln -s works... yes checking for pkg-config... /usr/bin/pkg-config checking pkg-config is at least version 0.9.0... yes checking for gtkdoc-check... no checking for gtkdoc-rebase... no checking for gtkdoc-mkpdf... no checking whether to build gtk-doc documentation... no checking for gaa... no configure: WARNING: *** *** GAA was not found. It is only needed if you wish to modify *** the source code or command-line description files. In this case, *** you may want to get it from http://gaa.sourceforge.net/ and *** read doc/README.gaa. *** checking for ranlib... ranlib checking build system type... sparc-sun-solaris2.10 checking host system type... sparc-sun-solaris2.10 checking how to run the C preprocessor... gcc -E checking for grep that handles long lines and -e... /usr/sfw/bin/ggrep checking for egrep... /usr/sfw/bin/ggrep -E checking for ANSI C header files... yes checking for sys/types.h... yes checking for sys/stat.h... yes checking for stdlib.h... yes checking for string.h... yes checking for memory.h... yes checking for strings.h... yes checking for inttypes.h... yes checking for stdint.h... yes checking for unistd.h... yes checking minix/config.h usability... no checking minix/config.h presence... no checking for minix/config.h... no checking whether it is safe to define __EXTENSIONS__... yes checking for _LARGEFILE_SOURCE value needed for large files... no checking for gcc option to accept ISO C99... -std=gnu99 checking for gcc -std=gnu99 option to accept ISO Standard C... (cached) -std=gnu99 configure: autobuild project... GnuTLS configure: autobuild revision... 2.8.5 configure: autobuild hostname... swan configure: autobuild timestamp... 20091129T004624Z checking for inline... inline checking whether we are using the GNU C++ compiler... yes checking whether g++ accepts -g... yes checking dependency style of g++... gcc3 checking for ld used by GCC... ld checking if the linker (ld) is GNU ld... no checking for shared library run path origin... done checking for 64-bit host... no checking for libgcrypt... yes checking how to link with libgcrypt... /export/home/drkirkby/sage-4.2.1/local/lib/libgcrypt.so -L/export/home/drkirkby/sage-4.2.1/local/lib /export/home/drkirkby/sage-4.2.1/local/lib/libgpg-error.so -lsocket -R/export/home/drkirkby/sage-4.2.1/local/lib checking for libtasn1... no configure: WARNING: *** *** Libtasn1 was not found. Will use the included one. checking whether to use the included minitasn1... yes checking whether to include LZO compression support... no checking whether C99 macros are supported... yes checking whether to enable Opaque PRF input support... no checking whether to disable SRP authentication support... no checking whether to disable PSK authentication support... no checking whether to disable anonymous authentication support... no checking whether to disable Camellia cipher... no checking whether to disable extra PKI stuff... no checking whether to disable OpenPGP Certificate authentication support... no checking size of void *... 4 checking size of long... 4 checking size of int... 4 checking sys/socket.h usability... yes checking sys/socket.h presence... yes checking for sys/socket.h... yes checking arpa/inet.h usability... yes checking arpa/inet.h presence... yes checking for arpa/inet.h... yes checking errno.h usability... yes checking errno.h presence... yes checking for errno.h... yes checking float.h usability... yes checking float.h presence... yes checking for float.h... yes checking netdb.h usability... yes checking netdb.h presence... yes checking for netdb.h... yes checking netinet/in.h usability... yes checking netinet/in.h presence... yes checking for netinet/in.h... yes checking stdio_ext.h usability... yes checking stdio_ext.h presence... yes checking for stdio_ext.h... yes checking termios.h usability... yes checking termios.h presence... yes checking for termios.h... yes checking sys/select.h usability... yes checking sys/select.h presence... yes checking for sys/select.h... yes checking stdarg.h usability... yes checking stdarg.h presence... yes checking for stdarg.h... yes checking for stdint.h... (cached) yes checking wchar.h usability... yes checking wchar.h presence... yes checking for wchar.h... yes checking stdio.h usability... yes checking stdio.h presence... yes checking for stdio.h... yes checking for stdlib.h... (cached) yes checking for string.h... (cached) yes checking for sys/stat.h... (cached) yes checking sys/time.h usability... yes checking sys/time.h presence... yes checking for sys/time.h... yes checking for unistd.h... (cached) yes checking sys/wait.h usability... yes checking sys/wait.h presence... yes checking for sys/wait.h... yes checking sys/ioctl.h usability... yes checking sys/ioctl.h presence... yes checking for sys/ioctl.h... yes checking whether to disable OpenSSL compatibility layer... yes checking for library containing setsockopt... -lsocket checking for ANSI C header files... (cached) yes checking for fork... yes checking for valgrind... no checking whether self tests are run under valgrind... no checking for uint... yes checking whether building Guile bindings... no checking for cfg_get_context in -lcfg+... no configure: WARNING: *** *** Libcfg+ was not found. Will use the included one. checking whether to use the included libcfg... yes checking for a sed that does not truncate output... /usr/bin/sed checking for fgrep... /usr/sfw/bin/ggrep -F checking for ld used by gcc -std=gnu99... ld checking if the linker (ld) is GNU ld... no checking for BSD- or MS-compatible name lister (nm)... /usr/ccs/bin/nm -p checking the name lister (/usr/ccs/bin/nm -p) interface... BSD nm checking the maximum length of command line arguments... 786240 checking whether the shell understands some XSI constructs... yes checking whether the shell understands "+="... no checking for ld option to reload object files... -r checking for objdump... objdump checking how to recognize dependent libraries... pass_all checking for ar... ar checking for strip... strip checking for ranlib... (cached) ranlib checking command to parse /usr/ccs/bin/nm -p output from gcc -std=gnu99 object... ok checking for dlfcn.h... yes checking whether we are using the GNU C++ compiler... (cached) yes checking whether g++ accepts -g... (cached) yes checking dependency style of g++... (cached) gcc3 checking how to run the C++ preprocessor... g++ -E checking for objdir... .libs checking if gcc -std=gnu99 supports -fno-rtti -fno-exceptions... no checking for gcc -std=gnu99 option to produce PIC... -fPIC -DPIC checking if gcc -std=gnu99 PIC flag -fPIC -DPIC works... yes checking if gcc -std=gnu99 static flag -static works... no checking if gcc -std=gnu99 supports -c -o file.o... conftest*: No such file or directory yes checking if gcc -std=gnu99 supports -c -o file.o... (cached) yes checking whether the gcc -std=gnu99 linker (ld) supports shared libraries... yes checking whether -lc should be explicitly linked in... conftest*: No such file or directory yes checking dynamic linker characteristics... solaris2.10 ld.so checking how to hardcode library paths into programs... immediate checking whether stripping libraries is possible... no checking if libtool supports shared libraries... yes checking whether to build shared libraries... yes checking whether to build static libraries... no checking for ld used by g++... ld checking if the linker (ld) is GNU ld... no checking whether the g++ linker (ld) supports shared libraries... yes checking for g++ option to produce PIC... -fPIC -DPIC checking if g++ PIC flag -fPIC -DPIC works... yes checking if g++ static flag -static works... no checking if g++ supports -c -o file.o... conftest*: No such file or directory yes checking if g++ supports -c -o file.o... (cached) yes checking whether the g++ linker (ld) supports shared libraries... yes checking dynamic linker characteristics... solaris2.10 ld.so checking how to hardcode library paths into programs... immediate checking whether the preprocessor supports include_next... yes checking whether is self-contained... yes checking for shutdown... no checking for struct sockaddr_storage... yes checking for sa_family_t... yes checking for working alloca.h... yes checking for alloca... yes checking for complete errno.h... yes checking whether strerror_r is declared... yes checking for strerror_r... yes checking whether strerror_r returns char *... no checking whether stdin defaults to large file offsets... yes checking for library containing gethostbyname... -lnsl checking for library containing getservbyname... -lsocket checking for C/C++ restrict keyword... __restrict checking for IPv4 sockets... yes checking for IPv6 sockets... yes checking whether getdelim is declared... no checking whether getline is declared... no checking whether getpass is declared... yes checking for __fsetlocking... yes checking for tcgetattr... yes checking for tcsetattr... yes checking for lstat... yes checking for vasnprintf... no checking for gettimeofday... yes checking whether fflush_unlocked is declared... no checking whether flockfile is declared... yes checking whether fputs_unlocked is declared... no checking whether funlockfile is declared... yes checking whether putc_unlocked is declared... yes checking whether defines MIN and MAX... no checking whether defines MIN and MAX... no checking whether malloc, realloc, calloc are POSIX compliant... yes checking whether is self-contained... yes checking whether snprintf is declared... yes checking for stdbool.h that conforms to C99... yes checking for _Bool... yes checking for long long int... yes checking for unsigned long long int... yes checking for working strerror function... yes checking whether stat file-mode macros are broken... no checking for struct timeval... yes checking for wchar_t... yes checking for wint_t... yes checking for size_t... yes checking for inttypes.h... yes checking for stdint.h... yes checking for intmax_t... yes checking for snprintf... yes checking for strnlen... no checking for wcslen... yes checking for wcsnlen... no checking for mbrtowc... yes checking for wcrtomb... yes checking whether _snprintf is declared... no checking whether ungetc works on arbitrary bytes... yes checking for alloca as a compiler built-in... yes checking for error_at_line... no checking for fseeko... yes configure: checking how to do getaddrinfo, freeaddrinfo and getnameinfo checking for library containing getaddrinfo... -lsocket checking for getaddrinfo... yes checking for gai_strerror (possibly via ws2tcpip.h)... yes checking for struct sockaddr.sa_len... no checking whether getaddrinfo is declared... yes checking whether freeaddrinfo is declared... yes checking whether gai_strerror is declared... yes checking whether getnameinfo is declared... yes checking for struct addrinfo... yes checking for getdelim... no checking for flockfile... yes checking for funlockfile... yes checking whether getc_unlocked is declared... yes checking for getline... no checking for getdelim... (cached) no checking for flockfile... (cached) yes checking for funlockfile... (cached) yes checking whether getc_unlocked is declared... (cached) yes checking whether __fsetlocking is declared... yes checking for library containing gethostbyname... (cached) -lnsl checking for library containing inet_ntop... -lnsl checking whether inet_ntop is declared... yes checking for inet_pton... no checking whether inet_pton is declared... yes checking whether lseek detects pipes... yes checking whether is self-contained... yes checking for pmccabe... false checking for readline... -ltermcap checking how to link with libreadline... /export/home/drkirkby/sage-4.2.1/local/lib/libreadline.so -R/export/home/drkirkby/sage-4.2.1/local/lib -ltermcap checking readline/readline.h usability... yes checking readline/readline.h presence... yes checking for readline/readline.h... yes checking whether select supports a 0 argument... yes checking for library containing getservbyname... (cached) -lsocket checking for stdint.h... (cached) yes checking for SIZE_MAX... yes checking for snprintf... (cached) yes checking whether snprintf respects a size of 1... yes checking for library containing setsockopt... (cached) -lsocket checking for socklen_t... yes checking for va_copy... yes checking whether stdint.h conforms to C99... no checking sys/inttypes.h usability... yes checking sys/inttypes.h presence... yes checking for sys/inttypes.h... yes checking sys/bitypes.h usability... no checking sys/bitypes.h presence... no checking for sys/bitypes.h... no checking for bit size of ptrdiff_t... 32 checking for bit size of size_t... 32 checking for bit size of sig_atomic_t... 32 checking for bit size of wchar_t... 32 checking for bit size of wint_t... 32 checking whether sig_atomic_t is signed... yes checking whether wchar_t is signed... yes checking whether wint_t is signed... yes checking for ptrdiff_t integer literal suffix... checking for size_t integer literal suffix... u checking for sig_atomic_t integer literal suffix... checking for wchar_t integer literal suffix... l checking for wint_t integer literal suffix... l checking for random.h... no checking for struct random_data... no checking whether is self-contained... (cached) yes checking whether is self-contained... (cached) yes checking for shutdown... (cached) no checking for struct sockaddr_storage... (cached) yes checking for sa_family_t... (cached) yes checking for nlink_t... yes checking for ptrdiff_t... yes checking whether is standalone... yes checking for stdint.h... (cached) yes checking for gettimeofday with POSIX signature... yes checking whether gettimeofday clobbers localtime buffer... no checking for wchar_t... (cached) yes checking for wint_t... (cached) yes checking whether declares ioctl... no checking for shutdown... (cached) no configure: creating ./config.status config.status: creating guile/pre-inst-guile config.status: creating Makefile config.status: creating doc/Makefile config.status: creating doc/credentials/Makefile config.status: creating doc/credentials/openpgp/Makefile config.status: creating doc/credentials/srp/Makefile config.status: creating doc/credentials/x509/Makefile config.status: creating doc/cyclo/Makefile config.status: creating doc/doxygen/Doxyfile config.status: creating doc/examples/Makefile config.status: creating doc/manpages/Makefile config.status: creating doc/reference/Makefile config.status: creating doc/scripts/Makefile config.status: creating gl/Makefile config.status: creating gl/tests/Makefile config.status: creating guile/Makefile config.status: creating guile/modules/Makefile config.status: creating guile/src/Makefile config.status: creating guile/tests/Makefile config.status: creating src/Makefile config.status: creating src/cfg/Makefile config.status: creating src/cfg/platon/Makefile config.status: creating src/cfg/platon/str/Makefile config.status: creating tests/Makefile config.status: creating tests/key-id/Makefile config.status: creating tests/openpgp-certs/Makefile config.status: creating tests/pathlen/Makefile config.status: creating tests/pkcs1-padding/Makefile config.status: creating tests/pkcs12-decode/Makefile config.status: creating tests/pkcs8-decode/Makefile config.status: creating tests/rsa-md5-collision/Makefile config.status: creating tests/sha2/Makefile config.status: creating tests/userid/Makefile config.status: creating config.h config.status: executing depfiles commands config.status: executing libtool commands libtoolT: No such file or directory === configuring in lib (/export/home/drkirkby/sage-4.2.1/spkg/build/gnutls-2.8.5/src/lib) configure: running /bin/bash ./configure --disable-option-checking '--prefix=/export/home/drkirkby/sage-4.2.1/local' '--enable-shared' '--disable-static' '--disable-cxx' '--enable-guile=no' 'CC=gcc' 'LDFLAGS=' 'CXX=g++' --cache-file=/dev/null --srcdir=. checking for a BSD-compatible install... /usr/local/bin/ginstall -c checking whether build environment is sane... yes checking for a thread-safe mkdir -p... build-aux/install-sh -c -d checking for gawk... no checking for mawk... no checking for nawk... nawk checking whether make sets $(MAKE)... yes checking for gcc... gcc checking for C compiler default output file name... a.out checking whether the C compiler works... yes checking whether we are cross compiling... no checking for suffix of executables... checking for suffix of object files... o checking whether we are using the GNU C compiler... yes checking whether gcc accepts -g... yes checking for gcc option to accept ISO C89... none needed checking for style of include used by make... GNU checking dependency style of gcc... gcc3 checking for ranlib... ranlib checking build system type... sparc-sun-solaris2.10 checking host system type... sparc-sun-solaris2.10 checking how to run the C preprocessor... gcc -E checking for grep that handles long lines and -e... /usr/sfw/bin/ggrep checking for egrep... /usr/sfw/bin/ggrep -E checking for ANSI C header files... yes checking for sys/types.h... yes checking for sys/stat.h... yes checking for stdlib.h... yes checking for string.h... yes checking for memory.h... yes checking for strings.h... yes checking for inttypes.h... yes checking for stdint.h... yes checking for unistd.h... yes checking minix/config.h usability... no checking minix/config.h presence... no checking for minix/config.h... no checking whether it is safe to define __EXTENSIONS__... yes checking for _LARGEFILE_SOURCE value needed for large files... no checking for a sed that does not truncate output... /usr/bin/sed checking for fgrep... /usr/sfw/bin/ggrep -F checking for ld used by gcc... ld checking if the linker (ld) is GNU ld... no checking for BSD- or MS-compatible name lister (nm)... /usr/ccs/bin/nm -p checking the name lister (/usr/ccs/bin/nm -p) interface... BSD nm checking whether ln -s works... yes checking the maximum length of command line arguments... 786240 checking whether the shell understands some XSI constructs... yes checking whether the shell understands "+="... no checking for ld option to reload object files... -r checking for objdump... objdump checking how to recognize dependent libraries... pass_all checking for ar... ar checking for strip... strip checking for ranlib... (cached) ranlib checking command to parse /usr/ccs/bin/nm -p output from gcc object... ok checking for dlfcn.h... yes checking for objdir... .libs checking if gcc supports -fno-rtti -fno-exceptions... no checking for gcc option to produce PIC... -fPIC -DPIC checking if gcc PIC flag -fPIC -DPIC works... yes checking if gcc static flag -static works... no checking if gcc supports -c -o file.o... conftest*: No such file or directory yes checking if gcc supports -c -o file.o... (cached) yes checking whether the gcc linker (ld) supports shared libraries... yes checking whether -lc should be explicitly linked in... conftest*: No such file or directory yes checking dynamic linker characteristics... solaris2.10 ld.so checking how to hardcode library paths into programs... immediate checking whether stripping libraries is possible... no checking if libtool supports shared libraries... yes checking whether to build shared libraries... yes checking whether to build static libraries... no checking for ld used by GCC... ld checking if the linker (ld) is GNU ld... no checking for shared library run path origin... done checking for libgcrypt... yes checking how to link with libgcrypt... /export/home/drkirkby/sage-4.2.1/local/lib/libgcrypt.so -L/export/home/drkirkby/sage-4.2.1/local/lib /export/home/drkirkby/sage-4.2.1/local/lib/libgpg-error.so -lsocket -R/export/home/drkirkby/sage-4.2.1/local/lib checking for libtasn1... no configure: WARNING: *** *** Libtasn1 was not found. Will use the included one. checking whether to use the included minitasn1... yes checking whether to include LZO compression support... no checking whether C99 macros are supported... yes checking whether to enable Opaque PRF input support... no checking whether to disable SRP authentication support... no checking whether to disable PSK authentication support... no checking whether to disable anonymous authentication support... no checking whether to disable Camellia cipher... no checking whether to disable extra PKI stuff... no checking whether to disable OpenPGP Certificate authentication support... no checking size of void *... 4 checking size of long... 4 checking size of int... 4 checking whether NLS is requested... yes checking for msgfmt... no checking for gmsgfmt... : checking for xgettext... no checking for msgmerge... no checking for CFPreferencesCopyAppValue... no checking for CFLocaleCopyCurrent... no checking for GNU gettext in libc... no checking for iconv... yes checking for working iconv... yes checking for GNU gettext in libintl... no checking whether to use NLS... no checking whether byte ordering is bigendian... yes checking for ssize_t... yes checking size of unsigned long int... 4 checking size of unsigned int... 4 checking whether to include zlib compression support... yes checking for libz... yes checking how to link with libz... /export/home/drkirkby/sage-4.2.1/local/lib/libz.so -R/export/home/drkirkby/sage-4.2.1/local/lib checking for working alloca.h... yes checking for alloca... yes checking whether the preprocessor supports include_next... yes checking for errno.h... yes checking for float.h... yes checking for netdb.h... yes checking for sys/socket.h... yes checking for stdint.h... (cached) yes checking for wchar.h... yes checking for stdio.h... yes checking for stdlib.h... (cached) yes checking for string.h... (cached) yes checking for strings.h... (cached) yes checking for sys/stat.h... (cached) yes checking for time.h... yes checking for sys/time.h... yes checking for unistd.h... (cached) yes checking for complete errno.h... yes checking whether stdin defaults to large file offsets... yes checking whether memmem is declared... no checking whether defines MIN and MAX... no checking whether defines MIN and MAX... no checking whether malloc, realloc, calloc are POSIX compliant... yes checking whether snprintf is declared... yes checking for inline... inline checking whether is self-contained... yes checking for shutdown... no checking for struct sockaddr_storage... yes checking for sa_family_t... yes checking for stdbool.h that conforms to C99... yes checking for _Bool... yes checking for long long int... yes checking for unsigned long long int... yes checking for C/C++ restrict keyword... __restrict checking for lstat... yes checking for vasnprintf... no checking whether stat file-mode macros are broken... no checking for struct timespec in ... yes checking for wchar_t... yes checking for wint_t... yes checking for size_t... yes checking for inttypes.h... yes checking for stdint.h... yes checking for intmax_t... yes checking for snprintf... yes checking for strnlen... no checking for wcslen... yes checking for wcsnlen... no checking for mbrtowc... yes checking for wcrtomb... yes checking whether _snprintf is declared... no checking whether vsnprintf is declared... yes checking whether ungetc works on arbitrary bytes... yes checking for alloca as a compiler built-in... yes checking byteswap.h usability... no checking byteswap.h presence... no checking for byteswap.h... no checking for fseeko... yes checking whether __func__ is available... yes checking if gcc/ld supports -Wl,--output-def... no checking if LD -Wl,--version-script works... no checking whether lseek detects pipes... yes checking for memmem... no checking for memmove... yes checking for stdint.h... (cached) yes checking for SIZE_MAX... yes checking for snprintf... (cached) yes checking whether snprintf respects a size of 1... yes checking for library containing setsockopt... -lsocket checking for socklen_t... yes checking whether stdint.h conforms to C99... no checking sys/inttypes.h usability... yes checking sys/inttypes.h presence... yes checking for sys/inttypes.h... yes checking sys/bitypes.h usability... no checking sys/bitypes.h presence... no checking for sys/bitypes.h... no checking for bit size of ptrdiff_t... 32 checking for bit size of size_t... 32 checking for bit size of sig_atomic_t... 32 checking for bit size of wchar_t... 32 checking for bit size of wint_t... 32 checking whether sig_atomic_t is signed... yes checking whether wchar_t is signed... yes checking whether wint_t is signed... yes checking for ptrdiff_t integer literal suffix... checking for size_t integer literal suffix... u checking for sig_atomic_t integer literal suffix... checking for wchar_t integer literal suffix... l checking for wint_t integer literal suffix... l checking for random.h... no checking for struct random_data... no checking for strcasecmp... yes checking for strncasecmp... yes checking whether strncasecmp is declared... yes checking for strverscmp... no checking whether is self-contained... (cached) yes checking for shutdown... (cached) no checking for struct sockaddr_storage... (cached) yes checking for sa_family_t... (cached) yes checking for nlink_t... yes checking whether localtime_r is compatible with its POSIX signature... yes checking for ptrdiff_t... yes checking for vasprintf... no checking for vsnprintf... yes checking whether snprintf respects a size of 1... (cached) yes checking whether is standalone... yes checking for stdint.h... (cached) yes checking for wchar_t... (cached) yes checking for wint_t... (cached) yes checking for shutdown... (cached) no checking whether we are using the GNU C++ compiler... yes checking whether g++ accepts -g... yes checking dependency style of g++... gcc3 checking whether we are using the GNU C++ compiler... (cached) yes checking whether g++ accepts -g... (cached) yes checking dependency style of g++... (cached) gcc3 checking how to run the C++ preprocessor... g++ -E checking for ld used by g++... ld checking if the linker (ld) is GNU ld... no checking whether the g++ linker (ld) supports shared libraries... yes checking for g++ option to produce PIC... -fPIC -DPIC checking if g++ PIC flag -fPIC -DPIC works... yes checking if g++ static flag -static works... no checking if g++ supports -c -o file.o... conftest*: No such file or directory yes checking if g++ supports -c -o file.o... (cached) yes checking whether the g++ linker (ld) supports shared libraries... yes checking dynamic linker characteristics... solaris2.10 ld.so checking how to hardcode library paths into programs... immediate configure: creating ./config.status config.status: creating Makefile config.status: creating gnutls.pc config.status: creating gl/Makefile config.status: creating gl/tests/Makefile config.status: creating includes/Makefile config.status: creating includes/gnutls/gnutls.h config.status: creating minitasn1/Makefile config.status: creating opencdk/Makefile config.status: creating openpgp/Makefile config.status: creating po/Makefile.in config.status: creating x509/Makefile config.status: creating config.h config.status: executing depfiles commands config.status: executing libtool commands libtoolT: No such file or directory config.status: executing po-directories commands config.status: creating po/POTFILES config.status: creating po/Makefile === configuring in libextra (/export/home/drkirkby/sage-4.2.1/spkg/build/gnutls-2.8.5/src/libextra) configure: running /bin/bash ./configure --disable-option-checking '--prefix=/export/home/drkirkby/sage-4.2.1/local' '--enable-shared' '--disable-static' '--disable-cxx' '--enable-guile=no' 'CC=gcc' 'LDFLAGS=' 'CXX=g++' --cache-file=/dev/null --srcdir=. checking for a BSD-compatible install... /usr/local/bin/ginstall -c checking whether build environment is sane... yes checking for a thread-safe mkdir -p... build-aux/install-sh -c -d checking for gawk... no checking for mawk... no checking for nawk... nawk checking whether make sets $(MAKE)... yes checking for gcc... gcc checking for C compiler default output file name... a.out checking whether the C compiler works... yes checking whether we are cross compiling... no checking for suffix of executables... checking for suffix of object files... o checking whether we are using the GNU C compiler... yes checking whether gcc accepts -g... yes checking for gcc option to accept ISO C89... none needed checking for style of include used by make... GNU checking dependency style of gcc... gcc3 checking for ranlib... ranlib checking build system type... sparc-sun-solaris2.10 checking host system type... sparc-sun-solaris2.10 checking how to run the C preprocessor... gcc -E checking for grep that handles long lines and -e... /usr/sfw/bin/ggrep checking for egrep... /usr/sfw/bin/ggrep -E checking for ANSI C header files... yes checking for sys/types.h... yes checking for sys/stat.h... yes checking for stdlib.h... yes checking for string.h... yes checking for memory.h... yes checking for strings.h... yes checking for inttypes.h... yes checking for stdint.h... yes checking for unistd.h... yes checking minix/config.h usability... no checking minix/config.h presence... no checking for minix/config.h... no checking whether it is safe to define __EXTENSIONS__... yes checking for a sed that does not truncate output... /usr/bin/sed checking for fgrep... /usr/sfw/bin/ggrep -F checking for ld used by gcc... ld checking if the linker (ld) is GNU ld... no checking for BSD- or MS-compatible name lister (nm)... /usr/ccs/bin/nm -p checking the name lister (/usr/ccs/bin/nm -p) interface... BSD nm checking whether ln -s works... yes checking the maximum length of command line arguments... 786240 checking whether the shell understands some XSI constructs... yes checking whether the shell understands "+="... no checking for ld option to reload object files... -r checking for objdump... objdump checking how to recognize dependent libraries... pass_all checking for ar... ar checking for strip... strip checking for ranlib... (cached) ranlib checking command to parse /usr/ccs/bin/nm -p output from gcc object... ok checking for dlfcn.h... yes checking for objdir... .libs checking if gcc supports -fno-rtti -fno-exceptions... no checking for gcc option to produce PIC... -fPIC -DPIC checking if gcc PIC flag -fPIC -DPIC works... yes checking if gcc static flag -static works... no checking if gcc supports -c -o file.o... conftest*: No such file or directory yes checking if gcc supports -c -o file.o... (cached) yes checking whether the gcc linker (ld) supports shared libraries... yes checking whether -lc should be explicitly linked in... conftest*: No such file or directory yes checking dynamic linker characteristics... solaris2.10 ld.so checking how to hardcode library paths into programs... immediate checking whether stripping libraries is possible... no checking if libtool supports shared libraries... yes checking whether to build shared libraries... yes checking whether to build static libraries... no checking for ld used by GCC... ld checking if the linker (ld) is GNU ld... no checking for shared library run path origin... done checking for 64-bit host... no checking for libgcrypt... yes checking how to link with libgcrypt... /export/home/drkirkby/sage-4.2.1/local/lib/libgcrypt.so -L/export/home/drkirkby/sage-4.2.1/local/lib /export/home/drkirkby/sage-4.2.1/local/lib/libgpg-error.so -lsocket -R/export/home/drkirkby/sage-4.2.1/local/lib checking for libtasn1... no configure: WARNING: *** *** Libtasn1 was not found. Will use the included one. checking whether to use the included minitasn1... yes checking whether to include LZO compression support... no checking whether C99 macros are supported... yes checking whether to enable Opaque PRF input support... no checking whether to disable SRP authentication support... no checking whether to disable PSK authentication support... no checking whether to disable anonymous authentication support... no checking whether to disable Camellia cipher... no checking whether to disable extra PKI stuff... no checking whether to disable OpenPGP Certificate authentication support... no checking size of void *... 4 checking size of long... 4 checking size of int... 4 checking for inline... inline checking for sys/socket.h... yes checking whether to disable OpenSSL compatibility layer... yes checking for library containing setsockopt... -lsocket checking whether byte ordering is bigendian... yes checking for C/C++ restrict keyword... __restrict checking if gcc/ld supports -Wl,--output-def... no checking if LD -Wl,--version-script works... no configure: creating ./config.status config.status: creating Makefile config.status: creating gnutls-extra.pc config.status: creating gl/Makefile config.status: creating includes/Makefile config.status: creating config.h config.status: executing depfiles commands config.status: executing libtool commands libtoolT: No such file or directory configure: summary of build options: version: 2.8.5 shared 40:12:14 Host type: sparc-sun-solaris2.10 Install prefix: /export/home/drkirkby/sage-4.2.1/local Compiler: gcc -std=gnu99 Warning flags: errors: warnings: Library types: Shared=yes, Static=no Valgrind: Guile wrappers: no C++ library: no OpenSSL library: yes cat: cannot open ./.prev-version make[2]: Entering directory `/export/home/drkirkby/sage-4.2.1/spkg/build/gnutls-2.8.5/src' make all-recursive cat: cannot open ./.prev-version make[3]: Entering directory `/export/home/drkirkby/sage-4.2.1/spkg/build/gnutls-2.8.5/src' Making all in lib make[4]: Entering directory `/export/home/drkirkby/sage-4.2.1/spkg/build/gnutls-2.8.5/src/lib' make all-recursive make[5]: Entering directory `/export/home/drkirkby/sage-4.2.1/spkg/build/gnutls-2.8.5/src/lib' Making all in gl make[6]: Entering directory `/export/home/drkirkby/sage-4.2.1/spkg/build/gnutls-2.8.5/src/lib/gl' { echo '/* DO NOT EDIT! GENERATED AUTOMATICALLY! */'; \ cat ./alloca.in.h; \ } > alloca.h-t mv -f alloca.h-t alloca.h { echo '/* DO NOT EDIT! GENERATED AUTOMATICALLY! */'; \ cat ./byteswap.in.h; \ } > byteswap.h-t mv -f byteswap.h-t byteswap.h rm -f stdint.h-t stdint.h { echo '/* DO NOT EDIT! GENERATED AUTOMATICALLY! */'; \ sed -e 's/@''HAVE_STDINT_H''@/1/g' \ -e 's|@''INCLUDE_NEXT''@|include_next|g' \ -e 's|@''PRAGMA_SYSTEM_HEADER''@|#pragma GCC system_header|g' \ -e 's|@''NEXT_STDINT_H''@||g' \ -e 's/@''HAVE_SYS_TYPES_H''@/1/g' \ -e 's/@''HAVE_INTTYPES_H''@/1/g' \ -e 's/@''HAVE_SYS_INTTYPES_H''@/1/g' \ -e 's/@''HAVE_SYS_BITYPES_H''@/0/g' \ -e 's/@''HAVE_LONG_LONG_INT''@/1/g' \ -e 's/@''HAVE_UNSIGNED_LONG_LONG_INT''@/1/g' \ -e 's/@''APPLE_UNIVERSAL_BUILD''@/0/g' \ -e 's/@''BITSIZEOF_PTRDIFF_T''@/32/g' \ -e 's/@''PTRDIFF_T_SUFFIX''@//g' \ -e 's/@''BITSIZEOF_SIG_ATOMIC_T''@/32/g' \ -e 's/@''HAVE_SIGNED_SIG_ATOMIC_T''@/1/g' \ -e 's/@''SIG_ATOMIC_T_SUFFIX''@//g' \ -e 's/@''BITSIZEOF_SIZE_T''@/32/g' \ -e 's/@''SIZE_T_SUFFIX''@/u/g' \ -e 's/@''BITSIZEOF_WCHAR_T''@/32/g' \ -e 's/@''HAVE_SIGNED_WCHAR_T''@/1/g' \ -e 's/@''WCHAR_T_SUFFIX''@/l/g' \ -e 's/@''BITSIZEOF_WINT_T''@/32/g' \ -e 's/@''HAVE_SIGNED_WINT_T''@/1/g' \ -e 's/@''WINT_T_SUFFIX''@/l/g' \ < ./stdint.in.h; \ } > stdint.h-t mv stdint.h-t stdint.h rm -f stdio.h-t stdio.h { echo '/* DO NOT EDIT! GENERATED AUTOMATICALLY! */' && \ sed -e 's|@''INCLUDE_NEXT''@|include_next|g' \ -e 's|@''PRAGMA_SYSTEM_HEADER''@|#pragma GCC system_header|g' \ -e 's|@''NEXT_STDIO_H''@||g' \ -e 's|@''GNULIB_FPRINTF''@|1|g' \ -e 's|@''GNULIB_FPRINTF_POSIX''@|0|g' \ -e 's|@''GNULIB_PRINTF''@|1|g' \ -e 's|@''GNULIB_PRINTF_POSIX''@|0|g' \ -e 's|@''GNULIB_SNPRINTF''@|1|g' \ -e 's|@''GNULIB_SPRINTF_POSIX''@|0|g' \ -e 's|@''GNULIB_VFPRINTF''@|1|g' \ -e 's|@''GNULIB_VFPRINTF_POSIX''@|0|g' \ -e 's|@''GNULIB_VPRINTF''@|1|g' \ -e 's|@''GNULIB_VPRINTF_POSIX''@|0|g' \ -e 's|@''GNULIB_VSNPRINTF''@|1|g' \ -e 's|@''GNULIB_VSPRINTF_POSIX''@|0|g' \ -e 's|@''GNULIB_DPRINTF''@|0|g' \ -e 's|@''GNULIB_VDPRINTF''@|0|g' \ -e 's|@''GNULIB_VASPRINTF''@|1|g' \ -e 's|@''GNULIB_OBSTACK_PRINTF''@|0|g' \ -e 's|@''GNULIB_OBSTACK_PRINTF_POSIX''@|0|g' \ -e 's|@''GNULIB_FOPEN''@|0|g' \ -e 's|@''GNULIB_FREOPEN''@|0|g' \ -e 's|@''GNULIB_FSEEK''@|0|g' \ -e 's|@''GNULIB_FSEEKO''@|1|g' \ -e 's|@''GNULIB_FTELL''@|0|g' \ -e 's|@''GNULIB_FTELLO''@|0|g' \ -e 's|@''GNULIB_FFLUSH''@|0|g' \ -e 's|@''GNULIB_FCLOSE''@|0|g' \ -e 's|@''GNULIB_FPUTC''@|1|g' \ -e 's|@''GNULIB_PUTC''@|1|g' \ -e 's|@''GNULIB_PUTCHAR''@|1|g' \ -e 's|@''GNULIB_FPUTS''@|1|g' \ -e 's|@''GNULIB_PUTS''@|1|g' \ -e 's|@''GNULIB_FWRITE''@|1|g' \ -e 's|@''GNULIB_GETDELIM''@|0|g' \ -e 's|@''GNULIB_GETLINE''@|0|g' \ -e 's|@''GNULIB_PERROR''@|0|g' \ -e 's|@''GNULIB_STDIO_H_SIGPIPE''@|0|g' \ -e 's|@''REPLACE_STDIO_WRITE_FUNCS''@|0|g' \ -e 's|@''REPLACE_FPRINTF''@|0|g' \ -e 's|@''REPLACE_VFPRINTF''@|0|g' \ -e 's|@''REPLACE_PRINTF''@|0|g' \ -e 's|@''REPLACE_VPRINTF''@|0|g' \ -e 's|@''REPLACE_SNPRINTF''@|0|g' \ -e 's|@''HAVE_DECL_SNPRINTF''@|1|g' \ -e 's|@''REPLACE_VSNPRINTF''@|0|g' \ -e 's|@''HAVE_DECL_VSNPRINTF''@|1|g' \ -e 's|@''REPLACE_SPRINTF''@|0|g' \ -e 's|@''REPLACE_VSPRINTF''@|0|g' \ -e 's|@''HAVE_DPRINTF''@|1|g' \ -e 's|@''REPLACE_DPRINTF''@|0|g' \ -e 's|@''HAVE_VDPRINTF''@|1|g' \ -e 's|@''REPLACE_VDPRINTF''@|0|g' \ -e 's|@''HAVE_VASPRINTF''@|0|g' \ -e 's|@''REPLACE_VASPRINTF''@|0|g' \ -e 's|@''HAVE_DECL_OBSTACK_PRINTF''@|1|g' \ -e 's|@''REPLACE_OBSTACK_PRINTF''@|0|g' \ -e 's|@''REPLACE_FOPEN''@|0|g' \ -e 's|@''REPLACE_FREOPEN''@|0|g' \ -e 's|@''REPLACE_FSEEKO''@|0|g' \ -e 's|@''REPLACE_FSEEK''@|0|g' \ -e 's|@''REPLACE_FTELLO''@|0|g' \ -e 's|@''REPLACE_FTELL''@|0|g' \ -e 's|@''REPLACE_FFLUSH''@|0|g' \ -e 's|@''REPLACE_FCLOSE''@|0|g' \ -e 's|@''HAVE_DECL_GETDELIM''@|1|g' \ -e 's|@''HAVE_DECL_GETLINE''@|1|g' \ -e 's|@''REPLACE_GETLINE''@|0|g' \ -e 's|@''REPLACE_PERROR''@|0|g' \ -e '/definition of GL_LINK_WARNING/r ../build-aux/link-warning.h' \ < ./stdio.in.h; \ } > stdio.h-t mv stdio.h-t stdio.h rm -f stdlib.h-t stdlib.h { echo '/* DO NOT EDIT! GENERATED AUTOMATICALLY! */' && \ sed -e 's|@''INCLUDE_NEXT''@|include_next|g' \ -e 's|@''PRAGMA_SYSTEM_HEADER''@|#pragma GCC system_header|g' \ -e 's|@''NEXT_STDLIB_H''@||g' \ -e 's|@''HAVE_RANDOM_H''@|0|g' \ -e 's|@''GNULIB_MALLOC_POSIX''@|0|g' \ -e 's|@''GNULIB_REALLOC_POSIX''@|1|g' \ -e 's|@''GNULIB_CALLOC_POSIX''@|0|g' \ -e 's|@''GNULIB_ATOLL''@|0|g' \ -e 's|@''GNULIB_GETLOADAVG''@|0|g' \ -e 's|@''GNULIB_GETSUBOPT''@|0|g' \ -e 's|@''GNULIB_MKDTEMP''@|0|g' \ -e 's|@''GNULIB_MKSTEMP''@|0|g' \ -e 's|@''GNULIB_PUTENV''@|0|g' \ -e 's|@''GNULIB_RANDOM_R''@|0|g' \ -e 's|@''GNULIB_RPMATCH''@|0|g' \ -e 's|@''GNULIB_SETENV''@|0|g' \ -e 's|@''GNULIB_STRTOD''@|0|g' \ -e 's|@''GNULIB_STRTOLL''@|0|g' \ -e 's|@''GNULIB_STRTOULL''@|0|g' \ -e 's|@''GNULIB_UNSETENV''@|0|g' \ -e 's|@''HAVE_ATOLL''@|1|g' \ -e 's|@''HAVE_CALLOC_POSIX''@|1|g' \ -e 's|@''HAVE_GETSUBOPT''@|1|g' \ -e 's|@''HAVE_MALLOC_POSIX''@|1|g' \ -e 's|@''HAVE_MKDTEMP''@|1|g' \ -e 's|@''HAVE_REALLOC_POSIX''@|1|g' \ -e 's|@''HAVE_RANDOM_R''@|1|g' \ -e 's|@''HAVE_RPMATCH''@|1|g' \ -e 's|@''HAVE_SETENV''@|1|g' \ -e 's|@''HAVE_STRTOD''@|1|g' \ -e 's|@''HAVE_STRTOLL''@|1|g' \ -e 's|@''HAVE_STRTOULL''@|1|g' \ -e 's|@''HAVE_STRUCT_RANDOM_DATA''@|0|g' \ -e 's|@''HAVE_SYS_LOADAVG_H''@|0|g' \ -e 's|@''HAVE_UNSETENV''@|1|g' \ -e 's|@''HAVE_DECL_GETLOADAVG''@|1|g' \ -e 's|@''REPLACE_MKSTEMP''@|0|g' \ -e 's|@''REPLACE_PUTENV''@|0|g' \ -e 's|@''REPLACE_STRTOD''@|0|g' \ -e 's|@''VOID_UNSETENV''@|0|g' \ -e '/definition of GL_LINK_WARNING/r ../build-aux/link-warning.h' \ < ./stdlib.in.h; \ } > stdlib.h-t mv stdlib.h-t stdlib.h rm -f string.h-t string.h { echo '/* DO NOT EDIT! GENERATED AUTOMATICALLY! */' && \ sed -e 's|@''INCLUDE_NEXT''@|include_next|g' \ -e 's|@''PRAGMA_SYSTEM_HEADER''@|#pragma GCC system_header|g' \ -e 's|@''NEXT_STRING_H''@||g' \ -e 's|@''GNULIB_MBSLEN''@|0|g' \ -e 's|@''GNULIB_MBSNLEN''@|0|g' \ -e 's|@''GNULIB_MBSCHR''@|0|g' \ -e 's|@''GNULIB_MBSRCHR''@|0|g' \ -e 's|@''GNULIB_MBSSTR''@|0|g' \ -e 's|@''GNULIB_MBSCASECMP''@|0|g' \ -e 's|@''GNULIB_MBSNCASECMP''@|0|g' \ -e 's|@''GNULIB_MBSPCASECMP''@|0|g' \ -e 's|@''GNULIB_MBSCASESTR''@|0|g' \ -e 's|@''GNULIB_MBSCSPN''@|0|g' \ -e 's|@''GNULIB_MBSPBRK''@|0|g' \ -e 's|@''GNULIB_MBSSPN''@|0|g' \ -e 's|@''GNULIB_MBSSEP''@|0|g' \ -e 's|@''GNULIB_MBSTOK_R''@|0|g' \ -e 's|@''GNULIB_MEMMEM''@|1|g' \ -e 's|@''GNULIB_MEMPCPY''@|0|g' \ -e 's|@''GNULIB_MEMRCHR''@|0|g' \ -e 's|@''GNULIB_RAWMEMCHR''@|0|g' \ -e 's|@''GNULIB_STPCPY''@|0|g' \ -e 's|@''GNULIB_STPNCPY''@|0|g' \ -e 's|@''GNULIB_STRCHRNUL''@|0|g' \ -e 's|@''GNULIB_STRDUP''@|0|g' \ -e 's|@''GNULIB_STRNDUP''@|0|g' \ -e 's|@''GNULIB_STRNLEN''@|0|g' \ -e 's|@''GNULIB_STRPBRK''@|0|g' \ -e 's|@''GNULIB_STRSEP''@|0|g' \ -e 's|@''GNULIB_STRSTR''@|0|g' \ -e 's|@''GNULIB_STRCASESTR''@|0|g' \ -e 's|@''GNULIB_STRTOK_R''@|0|g' \ -e 's|@''GNULIB_STRERROR''@|0|g' \ -e 's|@''GNULIB_STRSIGNAL''@|0|g' \ -e 's|@''GNULIB_STRVERSCMP''@|1|g' \ -e 's|@''HAVE_DECL_MEMMEM''@|0|g' \ -e 's|@''HAVE_MEMPCPY''@|1|g' \ -e 's|@''HAVE_DECL_MEMRCHR''@|1|g' \ -e 's|@''HAVE_RAWMEMCHR''@|1|g' \ -e 's|@''HAVE_STPCPY''@|1|g' \ -e 's|@''HAVE_STPNCPY''@|1|g' \ -e 's|@''HAVE_STRCHRNUL''@|1|g' \ -e 's|@''HAVE_DECL_STRDUP''@|1|g' \ -e 's|@''HAVE_STRNDUP''@|1|g' \ -e 's|@''HAVE_DECL_STRNDUP''@|1|g' \ -e 's|@''HAVE_DECL_STRNLEN''@|1|g' \ -e 's|@''HAVE_STRPBRK''@|1|g' \ -e 's|@''HAVE_STRSEP''@|1|g' \ -e 's|@''HAVE_STRCASESTR''@|1|g' \ -e 's|@''HAVE_DECL_STRTOK_R''@|1|g' \ -e 's|@''HAVE_DECL_STRERROR''@|1|g' \ -e 's|@''HAVE_DECL_STRSIGNAL''@|1|g' \ -e 's|@''HAVE_STRVERSCMP''@|0|g' \ -e 's|@''REPLACE_MEMMEM''@|0|g' \ -e 's|@''REPLACE_STRCASESTR''@|0|g' \ -e 's|@''REPLACE_STRDUP''@|0|g' \ -e 's|@''REPLACE_STRSTR''@|0|g' \ -e 's|@''REPLACE_STRERROR''@|0|g' \ -e 's|@''REPLACE_STRSIGNAL''@|0|g' \ -e '/definition of GL_LINK_WARNING/r ../build-aux/link-warning.h' \ < ./string.in.h; \ } > string.h-t mv string.h-t string.h rm -f strings.h-t strings.h { echo '/* DO NOT EDIT! GENERATED AUTOMATICALLY! */' && \ sed -e 's|@''INCLUDE_NEXT''@|include_next|g' \ -e 's|@''PRAGMA_SYSTEM_HEADER''@|#pragma GCC system_header|g' \ -e 's|@''NEXT_STRINGS_H''@||g' \ -e 's|@''HAVE_STRCASECMP''@|1|g' \ -e 's|@''HAVE_DECL_STRNCASECMP''@|1|g' \ -e '/definition of GL_LINK_WARNING/r ../build-aux/link-warning.h' \ < ./strings.in.h; \ } > strings.h-t mv strings.h-t strings.h ../build-aux/install-sh -c -d sys rm -f sys/stat.h-t sys/stat.h { echo '/* DO NOT EDIT! GENERATED AUTOMATICALLY! */'; \ sed -e 's|@''INCLUDE_NEXT''@|include_next|g' \ -e 's|@''PRAGMA_SYSTEM_HEADER''@|#pragma GCC system_header|g' \ -e 's|@''NEXT_SYS_STAT_H''@||g' \ -e 's|@''GNULIB_LCHMOD''@|0|g' \ -e 's|@''GNULIB_LSTAT''@|0|g' \ -e 's|@''HAVE_LCHMOD''@|1|g' \ -e 's|@''HAVE_LSTAT''@|1|g' \ -e 's|@''REPLACE_LSTAT''@|0|g' \ -e 's|@''REPLACE_MKDIR''@|0|g' \ -e '/definition of GL_LINK_WARNING/r ../build-aux/link-warning.h' \ < ./sys_stat.in.h; \ } > sys/stat.h-t mv sys/stat.h-t sys/stat.h rm -f time.h-t time.h { echo '/* DO NOT EDIT! GENERATED AUTOMATICALLY! */' && \ sed -e 's|@''INCLUDE_NEXT''@|include_next|g' \ -e 's|@''PRAGMA_SYSTEM_HEADER''@|#pragma GCC system_header|g' \ -e 's|@NEXT_TIME_H''@||g' \ -e 's|@REPLACE_LOCALTIME_R''@|0|g' \ -e 's|@REPLACE_NANOSLEEP''@|GNULIB_PORTCHECK|g' \ -e 's|@REPLACE_STRPTIME''@|GNULIB_PORTCHECK|g' \ -e 's|@REPLACE_TIMEGM''@|GNULIB_PORTCHECK|g' \ -e 's|@SYS_TIME_H_DEFINES_STRUCT_TIMESPEC''@|0|g' \ -e 's|@TIME_H_DEFINES_STRUCT_TIMESPEC''@|1|g' \ < ./time.in.h; \ } > time.h-t mv time.h-t time.h rm -f unistd.h-t unistd.h { echo '/* DO NOT EDIT! GENERATED AUTOMATICALLY! */'; \ sed -e 's|@''HAVE_UNISTD_H''@|1|g' \ -e 's|@''INCLUDE_NEXT''@|include_next|g' \ -e 's|@''PRAGMA_SYSTEM_HEADER''@|#pragma GCC system_header|g' \ -e 's|@''NEXT_UNISTD_H''@||g' \ -e 's|@''GNULIB_CHOWN''@|0|g' \ -e 's|@''GNULIB_CLOSE''@|0|g' \ -e 's|@''GNULIB_DUP2''@|0|g' \ -e 's|@''GNULIB_ENVIRON''@|0|g' \ -e 's|@''GNULIB_EUIDACCESS''@|0|g' \ -e 's|@''GNULIB_FCHDIR''@|0|g' \ -e 's|@''GNULIB_FSYNC''@|0|g' \ -e 's|@''GNULIB_FTRUNCATE''@|0|g' \ -e 's|@''GNULIB_GETCWD''@|0|g' \ -e 's|@''GNULIB_GETDOMAINNAME''@|0|g' \ -e 's|@''GNULIB_GETDTABLESIZE''@|0|g' \ -e 's|@''GNULIB_GETHOSTNAME''@|0|g' \ -e 's|@''GNULIB_GETLOGIN_R''@|0|g' \ -e 's|@''GNULIB_GETPAGESIZE''@|0|g' \ -e 's|@''GNULIB_GETUSERSHELL''@|0|g' \ -e 's|@''GNULIB_LCHOWN''@|0|g' \ -e 's|@''GNULIB_LINK''@|0|g' \ -e 's|@''GNULIB_LSEEK''@|1|g' \ -e 's|@''GNULIB_READLINK''@|0|g' \ -e 's|@''GNULIB_SLEEP''@|0|g' \ -e 's|@''GNULIB_UNISTD_H_SIGPIPE''@|0|g' \ -e 's|@''GNULIB_WRITE''@|0|g' \ -e 's|@''HAVE_DUP2''@|1|g' \ -e 's|@''HAVE_EUIDACCESS''@|1|g' \ -e 's|@''HAVE_FSYNC''@|1|g' \ -e 's|@''HAVE_FTRUNCATE''@|1|g' \ -e 's|@''HAVE_GETDOMAINNAME''@|1|g' \ -e 's|@''HAVE_GETDTABLESIZE''@|1|g' \ -e 's|@''HAVE_GETHOSTNAME''@|1|g' \ -e 's|@''HAVE_GETPAGESIZE''@|1|g' \ -e 's|@''HAVE_GETUSERSHELL''@|1|g' \ -e 's|@''HAVE_LINK''@|1|g' \ -e 's|@''HAVE_READLINK''@|1|g' \ -e 's|@''HAVE_SLEEP''@|1|g' \ -e 's|@''HAVE_DECL_ENVIRON''@|1|g' \ -e 's|@''HAVE_DECL_GETLOGIN_R''@|1|g' \ -e 's|@''HAVE_OS_H''@|0|g' \ -e 's|@''HAVE_SYS_PARAM_H''@|0|g' \ -e 's|@''REPLACE_CHOWN''@|0|g' \ -e 's|@''REPLACE_CLOSE''@|0|g' \ -e 's|@''REPLACE_FCHDIR''@|0|g' \ -e 's|@''REPLACE_GETCWD''@|0|g' \ -e 's|@''REPLACE_GETPAGESIZE''@|0|g' \ -e 's|@''REPLACE_LCHOWN''@|0|g' \ -e 's|@''REPLACE_LSEEK''@|0|g' \ -e 's|@''REPLACE_WRITE''@|0|g' \ -e 's|@''UNISTD_H_HAVE_WINSOCK2_H''@|0|g' \ -e '/definition of GL_LINK_WARNING/r ../build-aux/link-warning.h' \ < ./unistd.in.h; \ } > unistd.h-t mv unistd.h-t unistd.h make all-recursive make[7]: Entering directory `/export/home/drkirkby/sage-4.2.1/spkg/build/gnutls-2.8.5/src/lib/gl' Making all in tests make[8]: Entering directory `/export/home/drkirkby/sage-4.2.1/spkg/build/gnutls-2.8.5/src/lib/gl/tests' make all-recursive make[9]: Entering directory `/export/home/drkirkby/sage-4.2.1/spkg/build/gnutls-2.8.5/src/lib/gl/tests' make[10]: Entering directory `/export/home/drkirkby/sage-4.2.1/spkg/build/gnutls-2.8.5/src/lib/gl/tests' make[10]: Nothing to be done for `all-am'. make[10]: Leaving directory `/export/home/drkirkby/sage-4.2.1/spkg/build/gnutls-2.8.5/src/lib/gl/tests' make[9]: Leaving directory `/export/home/drkirkby/sage-4.2.1/spkg/build/gnutls-2.8.5/src/lib/gl/tests' make[8]: Leaving directory `/export/home/drkirkby/sage-4.2.1/spkg/build/gnutls-2.8.5/src/lib/gl/tests' make[8]: Entering directory `/export/home/drkirkby/sage-4.2.1/spkg/build/gnutls-2.8.5/src/lib/gl' /bin/bash ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I.. -I../intl -I/export/home/drkirkby/sage-4.2.1/local/include -g -O2 -MT c-ctype.lo -MD -MP -MF .deps/c-ctype.Tpo -c -o c-ctype.lo c-ctype.c .libs/c-ctype.o: No such file or directory c-ctype.lo: No such file or directory c-ctype.loT: No such file or directory libtool: compile: gcc -DHAVE_CONFIG_H -I. -I.. -I../intl -I/export/home/drkirkby/sage-4.2.1/local/include -g -O2 -MT c-ctype.lo -MD -MP -MF .deps/c-ctype.Tpo -c c-ctype.c -fPIC -DPIC -o .libs/c-ctype.o mv -f .deps/c-ctype.Tpo .deps/c-ctype.Plo /bin/bash ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I.. -I../intl -I/export/home/drkirkby/sage-4.2.1/local/include -g -O2 -MT close-hook.lo -MD -MP -MF .deps/close-hook.Tpo -c -o close-hook.lo close-hook.c .libs/close-hook.o: No such file or directory close-hook.lo: No such file or directory close-hook.loT: No such file or directory libtool: compile: gcc -DHAVE_CONFIG_H -I. -I.. -I../intl -I/export/home/drkirkby/sage-4.2.1/local/include -g -O2 -MT close-hook.lo -MD -MP -MF .deps/close-hook.Tpo -c close-hook.c -fPIC -DPIC -o .libs/close-hook.o mv -f .deps/close-hook.Tpo .deps/close-hook.Plo /bin/bash ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I.. -I../intl -I/export/home/drkirkby/sage-4.2.1/local/include -g -O2 -MT sockets.lo -MD -MP -MF .deps/sockets.Tpo -c -o sockets.lo sockets.c .libs/sockets.o: No such file or directory sockets.lo: No such file or directory sockets.loT: No such file or directory libtool: compile: gcc -DHAVE_CONFIG_H -I. -I.. -I../intl -I/export/home/drkirkby/sage-4.2.1/local/include -g -O2 -MT sockets.lo -MD -MP -MF .deps/sockets.Tpo -c sockets.c -fPIC -DPIC -o .libs/sockets.o mv -f .deps/sockets.Tpo .deps/sockets.Plo /bin/bash ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I.. -I../intl -I/export/home/drkirkby/sage-4.2.1/local/include -g -O2 -MT asnprintf.lo -MD -MP -MF .deps/asnprintf.Tpo -c -o asnprintf.lo asnprintf.c .libs/asnprintf.o: No such file or directory asnprintf.lo: No such file or directory asnprintf.loT: No such file or directory libtool: compile: gcc -DHAVE_CONFIG_H -I. -I.. -I../intl -I/export/home/drkirkby/sage-4.2.1/local/include -g -O2 -MT asnprintf.lo -MD -MP -MF .deps/asnprintf.Tpo -c asnprintf.c -fPIC -DPIC -o .libs/asnprintf.o mv -f .deps/asnprintf.Tpo .deps/asnprintf.Plo /bin/bash ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I.. -I../intl -I/export/home/drkirkby/sage-4.2.1/local/include -g -O2 -MT asprintf.lo -MD -MP -MF .deps/asprintf.Tpo -c -o asprintf.lo asprintf.c .libs/asprintf.o: No such file or directory asprintf.lo: No such file or directory asprintf.loT: No such file or directory libtool: compile: gcc -DHAVE_CONFIG_H -I. -I.. -I../intl -I/export/home/drkirkby/sage-4.2.1/local/include -g -O2 -MT asprintf.lo -MD -MP -MF .deps/asprintf.Tpo -c asprintf.c -fPIC -DPIC -o .libs/asprintf.o mv -f .deps/asprintf.Tpo .deps/asprintf.Plo /bin/bash ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I.. -I../intl -I/export/home/drkirkby/sage-4.2.1/local/include -g -O2 -MT memmem.lo -MD -MP -MF .deps/memmem.Tpo -c -o memmem.lo memmem.c .libs/memmem.o: No such file or directory memmem.lo: No such file or directory memmem.loT: No such file or directory libtool: compile: gcc -DHAVE_CONFIG_H -I. -I.. -I../intl -I/export/home/drkirkby/sage-4.2.1/local/include -g -O2 -MT memmem.lo -MD -MP -MF .deps/memmem.Tpo -c memmem.c -fPIC -DPIC -o .libs/memmem.o mv -f .deps/memmem.Tpo .deps/memmem.Plo /bin/bash ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I.. -I../intl -I/export/home/drkirkby/sage-4.2.1/local/include -g -O2 -MT printf-args.lo -MD -MP -MF .deps/printf-args.Tpo -c -o printf-args.lo printf-args.c .libs/printf-args.o: No such file or directory printf-args.lo: No such file or directory printf-args.loT: No such file or directory libtool: compile: gcc -DHAVE_CONFIG_H -I. -I.. -I../intl -I/export/home/drkirkby/sage-4.2.1/local/include -g -O2 -MT printf-args.lo -MD -MP -MF .deps/printf-args.Tpo -c printf-args.c -fPIC -DPIC -o .libs/printf-args.o mv -f .deps/printf-args.Tpo .deps/printf-args.Plo /bin/bash ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I.. -I../intl -I/export/home/drkirkby/sage-4.2.1/local/include -g -O2 -MT printf-parse.lo -MD -MP -MF .deps/printf-parse.Tpo -c -o printf-parse.lo printf-parse.c .libs/printf-parse.o: No such file or directory printf-parse.lo: No such file or directory printf-parse.loT: No such file or directory libtool: compile: gcc -DHAVE_CONFIG_H -I. -I.. -I../intl -I/export/home/drkirkby/sage-4.2.1/local/include -g -O2 -MT printf-parse.lo -MD -MP -MF .deps/printf-parse.Tpo -c printf-parse.c -fPIC -DPIC -o .libs/printf-parse.o mv -f .deps/printf-parse.Tpo .deps/printf-parse.Plo /bin/bash ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I.. -I../intl -I/export/home/drkirkby/sage-4.2.1/local/include -g -O2 -MT read-file.lo -MD -MP -MF .deps/read-file.Tpo -c -o read-file.lo read-file.c .libs/read-file.o: No such file or directory read-file.lo: No such file or directory read-file.loT: No such file or directory libtool: compile: gcc -DHAVE_CONFIG_H -I. -I.. -I../intl -I/export/home/drkirkby/sage-4.2.1/local/include -g -O2 -MT read-file.lo -MD -MP -MF .deps/read-file.Tpo -c read-file.c -fPIC -DPIC -o .libs/read-file.o mv -f .deps/read-file.Tpo .deps/read-file.Plo /bin/bash ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I.. -I../intl -I/export/home/drkirkby/sage-4.2.1/local/include -g -O2 -MT strverscmp.lo -MD -MP -MF .deps/strverscmp.Tpo -c -o strverscmp.lo strverscmp.c .libs/strverscmp.o: No such file or directory strverscmp.lo: No such file or directory strverscmp.loT: No such file or directory libtool: compile: gcc -DHAVE_CONFIG_H -I. -I.. -I../intl -I/export/home/drkirkby/sage-4.2.1/local/include -g -O2 -MT strverscmp.lo -MD -MP -MF .deps/strverscmp.Tpo -c strverscmp.c -fPIC -DPIC -o .libs/strverscmp.o mv -f .deps/strverscmp.Tpo .deps/strverscmp.Plo /bin/bash ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I.. -I../intl -I/export/home/drkirkby/sage-4.2.1/local/include -g -O2 -MT vasnprintf.lo -MD -MP -MF .deps/vasnprintf.Tpo -c -o vasnprintf.lo vasnprintf.c .libs/vasnprintf.o: No such file or directory vasnprintf.lo: No such file or directory vasnprintf.loT: No such file or directory libtool: compile: gcc -DHAVE_CONFIG_H -I. -I.. -I../intl -I/export/home/drkirkby/sage-4.2.1/local/include -g -O2 -MT vasnprintf.lo -MD -MP -MF .deps/vasnprintf.Tpo -c vasnprintf.c -fPIC -DPIC -o .libs/vasnprintf.o mv -f .deps/vasnprintf.Tpo .deps/vasnprintf.Plo /bin/bash ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I.. -I../intl -I/export/home/drkirkby/sage-4.2.1/local/include -g -O2 -MT vasprintf.lo -MD -MP -MF .deps/vasprintf.Tpo -c -o vasprintf.lo vasprintf.c .libs/vasprintf.o: No such file or directory vasprintf.lo: No such file or directory vasprintf.loT: No such file or directory libtool: compile: gcc -DHAVE_CONFIG_H -I. -I.. -I../intl -I/export/home/drkirkby/sage-4.2.1/local/include -g -O2 -MT vasprintf.lo -MD -MP -MF .deps/vasprintf.Tpo -c vasprintf.c -fPIC -DPIC -o .libs/vasprintf.o mv -f .deps/vasprintf.Tpo .deps/vasprintf.Plo /bin/bash ../libtool --tag=CC --mode=link gcc -g -O2 -o liblgnu.la c-ctype.lo close-hook.lo sockets.lo asnprintf.lo asprintf.lo memmem.lo printf-args.lo printf-parse.lo read-file.lo strverscmp.lo vasnprintf.lo vasprintf.lo libtool: link: ar cru .libs/liblgnu.a .libs/c-ctype.o .libs/close-hook.o .libs/sockets.o .libs/asnprintf.o .libs/asprintf.o .libs/memmem.o .libs/printf-args.o .libs/printf-parse.o .libs/read-file.o .libs/strverscmp.o .libs/vasnprintf.o .libs/vasprintf.o libtool: link: ranlib .libs/liblgnu.a liblgnu.la: No such file or directory libtool: link: ( cd ".libs" && rm "liblgnu.la" && ln -s "../liblgnu.la" "liblgnu.la" ) liblgnu.la: No such file or directory make[8]: *** [liblgnu.la] Error 2 make[8]: Leaving directory `/export/home/drkirkby/sage-4.2.1/spkg/build/gnutls-2.8.5/src/lib/gl' make[7]: *** [all-recursive] Error 1 make[7]: Leaving directory `/export/home/drkirkby/sage-4.2.1/spkg/build/gnutls-2.8.5/src/lib/gl' make[6]: *** [all] Error 2 make[6]: Leaving directory `/export/home/drkirkby/sage-4.2.1/spkg/build/gnutls-2.8.5/src/lib/gl' make[5]: *** [all-recursive] Error 1 make[5]: Leaving directory `/export/home/drkirkby/sage-4.2.1/spkg/build/gnutls-2.8.5/src/lib' make[4]: *** [all] Error 2 make[4]: Leaving directory `/export/home/drkirkby/sage-4.2.1/spkg/build/gnutls-2.8.5/src/lib' make[3]: *** [all-recursive] Error 1 make[3]: Leaving directory `/export/home/drkirkby/sage-4.2.1/spkg/build/gnutls-2.8.5/src' make[2]: *** [all] Error 2 make[2]: Leaving directory `/export/home/drkirkby/sage-4.2.1/spkg/build/gnutls-2.8.5/src' failed to build GNUTLS real 2m0.076s user 0m51.307s sys 1m5.651s sage: An error occurred while installing gnutls-2.8.5 From david.kirkby at onetel.net Sun Nov 29 02:19:09 2009 From: david.kirkby at onetel.net (Dr. David Kirkby) Date: Sun, 29 Nov 2009 01:19:09 +0000 Subject: gnutls-2.2.1 fails to build on HP-UX In-Reply-To: <87iqcxfv2s.fsf@mocca.josefsson.org> References: <4B0C8F07.6060205@onetel.net> <87iqcxfv2s.fsf@mocca.josefsson.org> Message-ID: <4B11CC0D.7080400@onetel.net> Simon Josefsson wrote: > "Dr. David Kirkby" writes: > >> In the Sage project, gnutls is causing a problem on both OpenSolaris >> and HP-UX. The latter is not a supported OS, but I have tried building >> parts of Sage on it. >> >> This is the HP-UX error. >> >> http://trac.sagemath.org/sage_trac/ticket/7511 >> >> Any thoughts why this may be happening? > > HP-UX doesn't have sockaddr_storage, but I believe gnulib should work > around that problem -- however that is probably only in much more recent > GnuTLS releases than the 2.2.1 that you used. > >> We tried a later version, and that was causing problems not only on >> HP-UX and OpenSolaris, but also on Solaris 10 (SPARC). > > Details? The recent releases should work relatively fine on Solaris, See the other thread "gnutls failure on Solaris 10 update 7 gcc 4.4.1" (sorry, I should have put the version of gnutls in the title, but it is documented in the email) Dave From david.kirkby at onetel.net Sun Nov 29 02:32:12 2009 From: david.kirkby at onetel.net (Dr. David Kirkby) Date: Sun, 29 Nov 2009 01:32:12 +0000 Subject: gnutls-2.8.5 failure on OpenSolaris Message-ID: <4B11CF1C.7060809@onetel.net> I tried to build gnutls-2.8.5 on a Sun Ultra 27 running OpenSolaris 06/2009, with gcc 3.4.3 (the only one supplied with OpenSolaris). It fails, unless I add the 'nsl' library to to LDFLAGS. bash-3.2$ uname -a SunOS hawk 5.11 snv_111b i86pc i386 i86pc bash-3.2$ cat /etc/release OpenSolaris 2009.06 snv_111b X86 Copyright 2009 Sun Microsystems, Inc. All Rights Reserved. Use is subject to license terms. Assembled 07 May 2009 bash-3.2$ gcc -v Reading specs from /usr/sfw/lib/gcc/i386-pc-solaris2.11/3.4.3/specs Configured with: /builds2/sfwnv-111a/usr/src/cmd/gcc/gcc-3.4.3/configure --prefix=/usr/sfw --with-as=/usr/sfw/bin/gas --with-gnu-as --with-ld=/usr/ccs/bin/ld --without-gnu-ld --enable-languages=c,c++,f77,objc --enable-shared Thread model: posix gcc version 3.4.3 (csl-sol210-3_4-20050802) ./configure --with-libgcrypt-prefix=/usr libtool: link: gcc -std=gnu99 -g -O2 -o ex-crq ex-crq.o ./.libs/libexamples.a ../../lib/.libs/libgnutls.so -L/usr/lib ../../libextra/.libs/libgnutls-extra.so /export/home/drkirkby/gnutls-2.8.5/lib/.libs/libgnutls.so -ltasn1 -lz -lgcrypt ../../gl/.libs/libgnu.a -lsocket -R/export/home/drkirkby/gnutls-2.8.5/lib/.libs -R/export/home/drkirkby/gnutls-2.8.5/libextra/.libs -R/usr/local/lib ld: warning: file /export/home/drkirkby/gnutls-2.8.5/lib/.libs/libgnutls.so: linked to ../../lib/.libs/libgnutls.so: attempted multiple inclusion of file gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I../.. -I../../lib/includes -I../../lib/includes -I../../libextra/includes -I../../gl -I../../gl -g -O2 -MT ex-serv1.o -MD -MP -MF .deps/ex-serv1.Tpo -c -o ex-serv1.o ex-serv1.c mv -f .deps/ex-serv1.Tpo .deps/ex-serv1.Po /bin/sh ../../libtool --tag=CC --mode=link gcc -std=gnu99 -g -O2 -no-install -o ex-serv1 ex-serv1.o libexamples.la ../../lib/libgnutls.la ../../libextra/libgnutls-extra.la ../../gl/libgnu.la -lsocket libtool: link: gcc -std=gnu99 -g -O2 -o ex-serv1 ex-serv1.o ./.libs/libexamples.a ../../lib/.libs/libgnutls.so -L/usr/lib ../../libextra/.libs/libgnutls-extra.so /export/home/drkirkby/gnutls-2.8.5/lib/.libs/libgnutls.so -ltasn1 -lz -lgcrypt ../../gl/.libs/libgnu.a -lsocket -R/export/home/drkirkby/gnutls-2.8.5/lib/.libs -R/export/home/drkirkby/gnutls-2.8.5/libextra/.libs -R/usr/local/lib ld: warning: file /export/home/drkirkby/gnutls-2.8.5/lib/.libs/libgnutls.so: linked to ../../lib/.libs/libgnutls.so: attempted multiple inclusion of file Undefined first referenced symbol in file inet_ntop ex-serv1.o (symbol belongs to implicit dependency /usr/lib/libnsl.so.1) ld: fatal: symbol referencing errors. No output written to ex-serv1 collect2: ld returned 1 exit status make[4]: *** [ex-serv1] Error 1 make[4]: Leaving directory `/export/home/drkirkby/gnutls-2.8.5/doc/examples' make[3]: *** [all-recursive] Error 1 make[3]: Leaving directory `/export/home/drkirkby/gnutls-2.8.5/doc' make[2]: *** [all] Error 2 make[2]: Leaving directory `/export/home/drkirkby/gnutls-2.8.5/doc' make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory `/export/home/drkirkby/gnutls-2.8.5' make: *** [all] Error 2 Configuring with: ./configure --with-libgcrypt-prefix=/usr 'LDFLAGS=-lnsl' allows it to build ok From simon at josefsson.org Sun Nov 29 14:49:48 2009 From: simon at josefsson.org (Simon Josefsson) Date: Sun, 29 Nov 2009 14:49:48 +0100 Subject: gnutls-2.2.1 fails to build on HP-UX In-Reply-To: <4B0C8F07.6060205@onetel.net> (David Kirkby's message of "Wed, 25 Nov 2009 01:57:27 +0000") References: <4B0C8F07.6060205@onetel.net> Message-ID: <87d431zbib.fsf@mocca.josefsson.org> "Dr. David Kirkby" writes: > We tried a later version, and that was causing problems not only on > HP-UX and OpenSolaris, but also on Solaris 10 (SPARC). I have built the latest daily 2.9.10 snapshot on t2.math.washington.edu now (Solaris 10?) and it worked fine except for another 'grep -q'-ism which I have fixed. Expect the next 2.9.10 release to build without any errors on it. /Simon From simon at josefsson.org Sun Nov 29 14:52:02 2009 From: simon at josefsson.org (Simon Josefsson) Date: Sun, 29 Nov 2009 14:52:02 +0100 Subject: missing file Message-ID: <878wdpzbel.fsf@mocca.josefsson.org> Nikos, did you forget to commit some file? cryptodev.c:29:30: error: crypto/cryptodev.h: No such file or directory /Simon From david.kirkby at onetel.net Sun Nov 29 16:48:38 2009 From: david.kirkby at onetel.net (Dr. David Kirkby) Date: Sun, 29 Nov 2009 15:48:38 +0000 Subject: gnutls-2.2.1 fails to build on HP-UX In-Reply-To: <87d431zbib.fsf@mocca.josefsson.org> References: <4B0C8F07.6060205@onetel.net> <87d431zbib.fsf@mocca.josefsson.org> Message-ID: <4B1297D6.4050802@onetel.net> Simon Josefsson wrote: > "Dr. David Kirkby" writes: > >> We tried a later version, and that was causing problems not only on >> HP-UX and OpenSolaris, but also on Solaris 10 (SPARC). > > I have built the latest daily 2.9.10 snapshot on t2.math.washington.edu > now (Solaris 10?) Yes, 't2' runs Solaris 10 update 8. (Solaris 10 came out in March 2005, and has been updated 8 times since). It's a machine based on Sun's SPARC processors. For what it is worth, there are 4 combinations of Solaris * Solaris 10 on SPARC processors (like t2) * Solaris 10 on x86 processors * OpenSolaris on SPARC processors (quite rare) * OpenSolaris on x86 processors. Did you build the gnutls snapshot with gcc, or the Sun compilers in /opt/SUNWspro/bin ? It would be good if gnutls would build with the Sun C (/opt/SUNWspro/bin/cc) and C++ (/opt/SUNWspro/bin/CC) compilers, as they generate faster code than gcc. The Sun compilers also tend to be a bit more problematic to build with, as they are far more fussy about the code than the GNU compilers. They enforce the C standards much more rigidly, whereas gcc allows numerous extensions to the C language. I've not tried to build gnutls with the Sun compilers yet myself. I might as well not bother until I get an up to date snapshot. OpenSolaris is Sun more 'experimental' Solaris version. It has more up to date tools, but is less well tested than Solaris 10. I built gnutls 2.8.5 on OpenSolaris (the latest 06/2009 edition), using gcc, but needed to configure gnutls with: ./configure --with-libgcrypt-prefix=/usr 'LDFLAGS=-lnsl' otherwise, without setting LDFLAGS, 'inet_ntop' was an unresolved symbol. William Stein could give you access to a OpenSolaris virtual machine. But if I can get a snapshot, I can test it quite easily. I've already sent you the account details for the HP-UX machine. > and it worked fine except for another 'grep -q'-ism > which I have fixed. Good. > Expect the next 2.9.10 release to build without any > errors on it. > > /Simon That's good news. If you can test on the HP-UX machine, I would appreciate it. If you do not feel you are able to test for a few days, then let me know and I will power the machine off until you are able to. It uses quite a bit of power, so I do not wish to run it unless its being used. Dave From david.kirkby at onetel.net Sun Nov 29 17:03:45 2009 From: david.kirkby at onetel.net (Dr. David Kirkby) Date: Sun, 29 Nov 2009 16:03:45 +0000 Subject: gnutls-2.2.1 fails to build on HP-UX In-Reply-To: <4B1297D6.4050802@onetel.net> References: <4B0C8F07.6060205@onetel.net> <87d431zbib.fsf@mocca.josefsson.org> <4B1297D6.4050802@onetel.net> Message-ID: <4B129B61.3040101@onetel.net> Dr. David Kirkby wrote: > Simon Josefsson wrote: >> "Dr. David Kirkby" writes: >> >>> We tried a later version, and that was causing problems not only on >>> HP-UX and OpenSolaris, but also on Solaris 10 (SPARC). >> >> I have built the latest daily 2.9.10 snapshot on t2.math.washington.edu >> now (Solaris 10?) > > Yes, 't2' runs Solaris 10 update 8. (Solaris 10 came out in March 2005, > and has been updated 8 times since). It's a machine based on Sun's SPARC > processors. For what it is worth, there are 4 combinations of Solaris > > * Solaris 10 on SPARC processors (like t2) > * Solaris 10 on x86 processors > * OpenSolaris on SPARC processors (quite rare) > * OpenSolaris on x86 processors. I mean they are all current - there are of course older releases. From nmav at gnutls.org Sun Nov 29 23:29:45 2009 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Mon, 30 Nov 2009 00:29:45 +0200 Subject: missing file In-Reply-To: <878wdpzbel.fsf@mocca.josefsson.org> References: <878wdpzbel.fsf@mocca.josefsson.org> Message-ID: <4B12F5D9.3060603@gnutls.org> Simon Josefsson wrote: > Nikos, did you forget to commit some file? > > cryptodev.c:29:30: error: crypto/cryptodev.h: No such file or directory It was including this file unconditionally. Now it should be ok (only included if --enable-cryptodev is specified). If you have a cpu with crypto accelerator that is supported by linux (via and some amd geode cpus have), and you use cryptodev you should get quite a difference. For some reason I get big difference by using the kernel aes implementation. nmav at crystal:~/cvs/gnutls/src$ ./benchmark Checking AES (8kb payload)... Transferred 58720 kb in 1.40 secs: 41883.21 kbyte/sec Checking AES (16kb payload)... Transferred 117440 kb in 2.71 secs: 43384.01 kbyte/sec Checking AES (32kb payload)... Transferred 234881 kb in 5.37 secs: 43780.25 kbyte/sec [after cryptodev module loaded] nmav at crystal:~/cvs/gnutls/src$ ./benchmark Checking AES (8kb payload)... Transferred 58720 kb in 0.49 secs: 120328.39 kbyte/sec Checking AES (16kb payload)... Transferred 117440 kb in 0.82 secs: 142871.67 kbyte/sec Checking AES (32kb payload)... Transferred 234881 kb in 1.64 secs: 143045.69 kbyte/sec PS. I cannot seem to get how configure.ac works now. I have added a cryptodev test in configure.ac (global), but the ENABLE_CRYPTODEV definition is only in root config.h and lib/config.h does not have it (gnutls_int.h doesn't include the root one). How can I add a check like that? From simon at josefsson.org Mon Nov 30 16:16:20 2009 From: simon at josefsson.org (Simon Josefsson) Date: Mon, 30 Nov 2009 16:16:20 +0100 Subject: missing file In-Reply-To: <4B12F5D9.3060603@gnutls.org> (Nikos Mavrogiannopoulos's message of "Mon, 30 Nov 2009 00:29:45 +0200") References: <878wdpzbel.fsf@mocca.josefsson.org> <4B12F5D9.3060603@gnutls.org> Message-ID: <87pr70t54r.fsf@mocca.josefsson.org> Nikos Mavrogiannopoulos writes: > Simon Josefsson wrote: >> Nikos, did you forget to commit some file? >> >> cryptodev.c:29:30: error: crypto/cryptodev.h: No such file or directory > > It was including this file unconditionally. Now it should be ok (only > included if --enable-cryptodev is specified). If you have a cpu with > crypto accelerator that is supported by linux (via and some amd geode > cpus have), and you use cryptodev you should get quite a difference. For > some reason I get big difference by using the kernel aes implementation. > > nmav at crystal:~/cvs/gnutls/src$ ./benchmark > Checking AES (8kb payload)... Transferred 58720 kb in 1.40 secs: > 41883.21 kbyte/sec > Checking AES (16kb payload)... Transferred 117440 kb in 2.71 secs: > 43384.01 kbyte/sec > Checking AES (32kb payload)... Transferred 234881 kb in 5.37 secs: > 43780.25 kbyte/sec > > [after cryptodev module loaded] > nmav at crystal:~/cvs/gnutls/src$ ./benchmark > Checking AES (8kb payload)... Transferred 58720 kb in 0.49 secs: > 120328.39 kbyte/sec > Checking AES (16kb payload)... Transferred 117440 kb in 0.82 secs: > 142871.67 kbyte/sec > Checking AES (32kb payload)... Transferred 234881 kb in 1.64 secs: > 143045.69 kbyte/sec Nice! > PS. I cannot seem to get how configure.ac works now. I have added a > cryptodev test in configure.ac (global), but the ENABLE_CRYPTODEV > definition is only in root config.h and lib/config.h does not have it > (gnutls_int.h doesn't include the root one). How can I add a check like > that? There is a lib/configure.ac too. Put all configure checks that are specific to lib/ stuff into that configure.ac. If there are things that are common between lib/ and libextra/, put those checks into lib/m4/hooks.m4. /Simon