From tim.ruehsen at gmx.de Mon Oct 5 10:14:38 2015 From: tim.ruehsen at gmx.de (Tim Ruehsen) Date: Mon, 05 Oct 2015 10:14:38 +0200 Subject: [gnutls-devel] Hashing CA certs 'subject' to avoid cert preloading Message-ID: <8411448.dHq6cK7zic@blitz-lx> Hi Nikos, hi list members, I asked for this a while ago but have to come back to this. The following is a description based on my observations and assumptions: OpenSSL provides 'c_rehash' to create hashes for the system CA certs. These hashes are based on 'subject' (what else ?) and are used as symbolic links to the CA certs (e.g. on Debian in /etc/ssl/certs). To check a server cert on TLS connect, one just have to hash the 'issuer' and load the CA cert via the symbolic 'hash' link. This allows for a very fast TLS application startup (leaving away the preloading of ~180 CA certs). If possible, the hash/symlink utility should be compatible with OpenSSL's r_rehash. They use SHA1 hashing over 'canonicalized' data structures (ASN.1, DER, CER ? - I have not enough knowledge in that area). I am willing to write such a hashing tool (using C) and to implement this 'CACert load on demand' feature into Wget (just working on wget2 / libwget). What I need from you is: - API function creating 'subject' hash from a given cert. - API function creating 'issuer' hash from a given cert. - Example code loading a cert on demand (extending gnutls-cli). What do you think ? Regards, Tim From nmav at gnutls.org Tue Oct 6 09:40:13 2015 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Tue, 6 Oct 2015 09:40:13 +0200 Subject: [gnutls-devel] Hashing CA certs 'subject' to avoid cert preloading In-Reply-To: <8411448.dHq6cK7zic@blitz-lx> References: <8411448.dHq6cK7zic@blitz-lx> Message-ID: On Mon, Oct 5, 2015 at 10:14 AM, Tim Ruehsen wrote: > Hi Nikos, hi list members, > I asked for this a while ago but have to come back to this. > The following is a description based on my observations and assumptions: > OpenSSL provides 'c_rehash' to create hashes for the system CA certs. These > hashes are based on 'subject' (what else ?) and are used as symbolic links to > the CA certs (e.g. on Debian in /etc/ssl/certs). > To check a server cert on TLS connect, one just have to hash the 'issuer' and > load the CA cert via the symbolic 'hash' link. > This allows for a very fast TLS application startup (leaving away the > preloading of ~180 CA certs). > If possible, the hash/symlink utility should be compatible with OpenSSL's > r_rehash. They use SHA1 hashing over 'canonicalized' data structures (ASN.1, > DER, CER ? - I have not enough knowledge in that area). Stef Walter has reimplemented the rehash algorithm for p11-kit trust module, you may want to take a look there. > I am willing to write such a hashing tool (using C) and to implement this > 'CACert load on demand' feature into Wget (just working on wget2 / libwget). The problem with that format is that it is undocumented and changes with different versions of openssl (Stef has two versions in p11-kit). For gnutls, I am already encouraging the usage of the p11-kit trust module for verification (Fedora already ships with that and my understanding from debconf15 is that Debian plans to switch to that too), so any improvements with cert loading outside p11-kit will disappear at some point. I'm not really sure which format p11-kit uses for certificate loading, but my take would be to improve that one as it affects equally gnutls and nss applications. Said that, for a quick fix I think we can get away with a gnutls verification callback which calculates the rehash value using the code from p11-kit, then loads only the certificates that have this suffix using gnutls_certificate_set_x509_trust_file(), and using the normal verification functions after that. That of course would not be thread-safe. The DN of the certificates you can get it using gnutls_x509_crt_get_raw_issuer_dn(), and you'll have to read the issuer DN of all certificates in the chain as returned by gnutls_certificate_get_peers(). The above should work, but not sure whether it is complete (i.e., if there are cases where the issuer cannot be found). Once you have some proof of concept code with the above that, we could consider to add that in gnutls, but I'm not sure how easy is that, as this approach breaks basic assumptions such as that the certificate credentials are read-only for sessions. regards, Nikos From tim.ruehsen at gmx.de Wed Oct 7 16:28:47 2015 From: tim.ruehsen at gmx.de (Tim Ruehsen) Date: Wed, 07 Oct 2015 16:28:47 +0200 Subject: [gnutls-devel] Hashing CA certs 'subject' to avoid cert preloading In-Reply-To: References: <8411448.dHq6cK7zic@blitz-lx> Message-ID: <2564338.FYNjY27DFa@blitz-lx> Hi Nikos, On Tuesday 06 October 2015 09:40:13 Nikos Mavrogiannopoulos wrote: > On Mon, Oct 5, 2015 at 10:14 AM, Tim Ruehsen wrote: > > Hi Nikos, hi list members, > > I asked for this a while ago but have to come back to this. > > The following is a description based on my observations and assumptions: > > OpenSSL provides 'c_rehash' to create hashes for the system CA certs. > > These > > hashes are based on 'subject' (what else ?) and are used as symbolic links > > to the CA certs (e.g. on Debian in /etc/ssl/certs). > > To check a server cert on TLS connect, one just have to hash the 'issuer' > > and load the CA cert via the symbolic 'hash' link. > > This allows for a very fast TLS application startup (leaving away the > > preloading of ~180 CA certs). > > If possible, the hash/symlink utility should be compatible with OpenSSL's > > r_rehash. They use SHA1 hashing over 'canonicalized' data structures > > (ASN.1, DER, CER ? - I have not enough knowledge in that area). > > Stef Walter has reimplemented the rehash algorithm for p11-kit trust > module, you may want to take a look there. Thanks for pointing me to p11-kit. It reads interesting and I will have a closer look at the API and source code soon. Maybe I can drop in working on the proposed OCSP / CRL daemon, something I also already thought of. > > I am willing to write such a hashing tool (using C) and to implement this > > 'CACert load on demand' feature into Wget (just working on wget2 / > > libwget). > The problem with that format is that it is undocumented and changes > with different versions of openssl (Stef has two versions in p11-kit). FYI, there is the old (legacy) hash and the current (based on SHA1). > For gnutls, I am already encouraging the usage of the p11-kit trust > module for verification (Fedora already ships with that and my > understanding from debconf15 is that Debian plans to switch to that > too), so any improvements with cert loading outside p11-kit will > disappear at some point. I'm not really sure which format p11-kit uses > for certificate loading, but my take would be to improve that one as > it affects equally gnutls and nss applications. > > Said that, for a quick fix I think we can get away with ... I am not in a hurry. p11-kit sounds like the right place to work on. Thanks for putting me on the right way. Regards, Tim From buytenh at wantstofly.org Mon Oct 12 14:24:16 2015 From: buytenh at wantstofly.org (Lennert Buytenhek) Date: Mon, 12 Oct 2015 15:24:16 +0300 Subject: [gnutls-devel] [PATCH, RFC] Fix memory leak in wrap_nettle_hash_algorithm(). Message-ID: <20151012122416.GM14230@wantstofly.org> wrap_nettle_hash_algorithm() leaks an mpz_t if it is called with pk == GNUTLS_PK_RSA and sig == NULL, in which case it will return without going through the regular exit path that clears the mpz_t it allocated at the beginning of the function. Use the regular exit path instead to fix this. This leak can be triggered via calls to gnutls_pubkey_get_preferred_hash_algorithm(). Signed-off-by: Lennert Buytenhek --- gnutls-3.3.18/lib/nettle/pk.c.orig 2015-05-23 11:36:13.000000000 +0300 +++ gnutls-3.3.18/lib/nettle/pk.c 2015-10-12 14:47:54.437991944 +0300 @@ -1963,41 +1963,42 @@ static int wrap_nettle_hash_algorithm(gn struct rsa_public_key pub; const mac_entry_st *me; int ret; mpz_init(s); switch (pk) { case GNUTLS_PK_DSA: case GNUTLS_PK_EC: me = _gnutls_dsa_q_to_hash(pk, issuer_params, NULL); if (hash_algo) *hash_algo = (gnutls_digest_algorithm_t)me->id; ret = 0; break; case GNUTLS_PK_RSA: if (sig == NULL) { /* return a sensible algorithm */ if (hash_algo) *hash_algo = GNUTLS_DIG_SHA256; - return 0; + ret = 0; + break; } _rsa_params_to_pubkey(issuer_params, &pub); digest_size = sizeof(digest); nettle_mpz_set_str_256_u(s, sig->size, sig->data); ret = extract_digest_info(&pub, &di, &rdi, s); if (ret == 0) { ret = GNUTLS_E_PK_SIG_VERIFY_FAILED; gnutls_assert(); goto cleanup; } digest_size = sizeof(digest); if ((ret = decode_ber_digest_info(&di, hash_algo, digest, &digest_size)) < 0) { gnutls_assert(); === leaktest.c #include #include #include int main(void) { gnutls_x509_privkey_t key; int ret; gnutls_privkey_t privkey; gnutls_pubkey_t pubkey; int i; gnutls_global_init(); ret = gnutls_x509_privkey_init(&key); if (ret) goto err; ret = gnutls_x509_privkey_generate(key, GNUTLS_PK_RSA, 512, 0); if (ret < 0) goto err; ret = gnutls_privkey_init(&privkey); if (ret < 0) goto err; ret = gnutls_privkey_import_x509(privkey, key, 0); if (ret < 0) goto err; ret = gnutls_pubkey_init(&pubkey); if (ret < 0) goto err; ret = gnutls_pubkey_import_privkey(pubkey, privkey, 0, 0); if (ret < 0) goto err; for (i = 0; i < 1000; i++) { gnutls_digest_algorithm_t dig; /* * @@@ FIXME: this leaks memory on gnutls 3.3.18 (8 bytes * per call on x86_64). */ ret = gnutls_pubkey_get_preferred_hash_algorithm(pubkey, &dig, NULL); if (ret < 0) goto err; } gnutls_pubkey_deinit(pubkey); gnutls_privkey_deinit(privkey); gnutls_x509_privkey_deinit(key); gnutls_global_deinit(); return 0; err: gnutls_perror(ret); return 1; } === valgrind output before patch $ valgrind --leak-check=full ./leaktest ==20025== Memcheck, a memory error detector ==20025== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al. ==20025== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info ==20025== Command: ./leaktest ==20025== ==20025== ==20025== HEAP SUMMARY: ==20025== in use at exit: 8,000 bytes in 1,000 blocks ==20025== total heap usage: 2,928 allocs, 1,928 frees, 152,484 bytes allocated ==20025== ==20025== 8,000 bytes in 1,000 blocks are definitely lost in loss record 1 of 1 ==20025== at 0x4C28C50: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) ==20025== by 0x604A7B8: __gmp_default_allocate (in /usr/lib64/libgmp.so.10.2.0) ==20025== by 0x6059327: __gmpz_init (in /usr/lib64/libgmp.so.10.2.0) ==20025== by 0x4F56AC7: wrap_nettle_hash_algorithm (pk.c:1967) ==20025== by 0x4EEA51A: _gnutls_x509_verify_algorithm (verify.c:1201) ==20025== by 0x4E84CA4: _gnutls_pk_get_hash_algorithm (gnutls_pk.c:233) ==20025== by 0x4E9BC7C: gnutls_pubkey_get_preferred_hash_algorithm (gnutls_pubkey.c:270) ==20025== by 0x40124E: main (in /home/buytenh/tlstest/leaktest) ==20025== ==20025== LEAK SUMMARY: ==20025== definitely lost: 8,000 bytes in 1,000 blocks ==20025== indirectly lost: 0 bytes in 0 blocks ==20025== possibly lost: 0 bytes in 0 blocks ==20025== still reachable: 0 bytes in 0 blocks ==20025== suppressed: 0 bytes in 0 blocks ==20025== ==20025== For counts of detected and suppressed errors, rerun with: -v ==20025== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0) === valgrind output after patch $ valgrind --leak-check=full ./leaktest ==22747== Memcheck, a memory error detector ==22747== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al. ==22747== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info ==22747== Command: ./leaktest ==22747== ==22747== ==22747== HEAP SUMMARY: ==22747== in use at exit: 0 bytes in 0 blocks ==22747== total heap usage: 2,750 allocs, 2,750 frees, 148,677 bytes allocated ==22747== ==22747== All heap blocks were freed -- no leaks are possible ==22747== ==22747== For counts of detected and suppressed errors, rerun with: -v ==22747== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0) From nmav at gnutls.org Mon Oct 12 21:18:48 2015 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Mon, 12 Oct 2015 21:18:48 +0200 Subject: [gnutls-devel] [PATCH, RFC] Fix memory leak in wrap_nettle_hash_algorithm(). In-Reply-To: <20151012122416.GM14230@wantstofly.org> References: <20151012122416.GM14230@wantstofly.org> Message-ID: <1444677528.2797.0.camel@gnutls.org> On Mon, 2015-10-12 at 15:24 +0300, Lennert Buytenhek wrote: > wrap_nettle_hash_algorithm() leaks an mpz_t if it is called with > pk == GNUTLS_PK_RSA and sig == NULL, in which case it will return > without going through the regular exit path that clears the mpz_t > it allocated at the beginning of the function. Use the regular > exit path instead to fix this. Thank you, applied. From bruce.dubbs at gmail.com Thu Oct 15 02:38:00 2015 From: bruce.dubbs at gmail.com (Bruce Dubbs) Date: Wed, 14 Oct 2015 19:38:00 -0500 Subject: [gnutls-devel] dtls test failure Message-ID: <561EF568.7070808@gmail.com> ============================================= GnuTLS 3.4.5: tests/dtls/test-suite.log ============================================= # TOTAL: 1 # PASS: 0 # SKIP: 0 # XFAIL: 0 # FAIL: 1 # XPASS: 0 # ERROR: 0 .. contents:: :depth: 2 FAIL: dtls ========== ./dtls-stress: relocation error: ./dtls-stress: symbol gnutls_pkcs11_init, version GNUTLS_3_4 not defined in file libgnutls.so.30 with link time reference ----------------- The reason for this failure is that a previous version of libgnutls was installed in /usr/lib: /usr/lib/libgnutls.so -> libgnutls.so.30.3.0 Removing /usr/lib/libgnutls.so allowed all tests to pass and the install recreates /usr/lib/libgnutls.so. -- Bruce Dubbs linuxfromscratch.org From alexvong1995 at gmail.com Mon Oct 19 16:46:15 2015 From: alexvong1995 at gmail.com (Alex Vong) Date: Mon, 19 Oct 2015 22:46:15 +0800 Subject: [gnutls-devel] gnutls-guile segfault during test Message-ID: Hi Guilers, Today, I try to run `$ ./pre-inst-env guix build gnutls' to build gnutls from source and I get an error telling me a segfault has occurred. I re-run the command with -K flag and the tar ball is in the attachment. Can anyone reproduce this? OS: Debian (stable) Package manager: Guix (latest version from guix pull) Cheers, Alex Making check in guile make[1]: Entering directory '/tmp/nix-build-gnutls-3.4.1.drv-1/gnutls-3.4.1/guile' Making check in modules make[2]: Entering directory '/tmp/nix-build-gnutls-3.4.1.drv-1/gnutls-3.4.1/guile/modules' make[2]: Nothing to be done for 'check'. make[2]: Leaving directory '/tmp/nix-build-gnutls-3.4.1.drv-1/gnutls-3.4.1/guile/modules' Making check in src make[2]: Entering directory '/tmp/nix-build-gnutls-3.4.1.drv-1/gnutls-3.4.1/guile/src' make check-am make[3]: Entering directory '/tmp/nix-build-gnutls-3.4.1.drv-1/gnutls-3.4.1/guile/src' make[3]: Nothing to be done for 'check-am'. make[3]: Leaving directory '/tmp/nix-build-gnutls-3.4.1.drv-1/gnutls-3.4.1/guile/src' make[2]: Leaving directory '/tmp/nix-build-gnutls-3.4.1.drv-1/gnutls-3.4.1/guile/src' Making check in tests make[2]: Entering directory '/tmp/nix-build-gnutls-3.4.1.drv-1/gnutls-3.4.1/guile/tests' make check-TESTS make[3]: Entering directory '/tmp/nix-build-gnutls-3.4.1.drv-1/gnutls-3.4.1/guile/tests' make[4]: Entering directory '/tmp/nix-build-gnutls-3.4.1.drv-1/gnutls-3.4.1/guile/tests' PASS: errors.scm PASS: pkcs-import-export.scm PASS: anonymous-auth.scm PASS: session-record-port.scm PASS: x509-certificates.scm PASS: priorities.scm PASS: openpgp-keys.scm PASS: x509-auth.scm PASS: openpgp-keyring.scm ../../build-aux/test-driver: line 107: 10540 Segmentation fault "$@" > $log_file 2>&1 FAIL: openpgp-auth.scm PASS: srp-base64.scm make[5]: Entering directory '/tmp/nix-build-gnutls-3.4.1.drv-1/gnutls-3.4.1/guile/tests' make[5]: Nothing to be done for 'all'. make[5]: Leaving directory '/tmp/nix-build-gnutls-3.4.1.drv-1/gnutls-3.4.1/guile/tests' ============================================================================ Testsuite summary for GnuTLS 3.4.1 ============================================================================ # TOTAL: 11 # PASS: 10 # SKIP: 0 # XFAIL: 0 # FAIL: 1 # XPASS: 0 # ERROR: 0 ============================================================================ See guile/tests/test-suite.log Please report to bugs at gnutls.org ============================================================================ Makefile:1485: recipe for target 'test-suite.log' failed make[4]: *** [test-suite.log] Error 1 make[4]: Leaving directory '/tmp/nix-build-gnutls-3.4.1.drv-1/gnutls-3.4.1/guile/tests' Makefile:1591: recipe for target 'check-TESTS' failed make[3]: *** [check-TESTS] Error 2 make[3]: Leaving directory '/tmp/nix-build-gnutls-3.4.1.drv-1/gnutls-3.4.1/guile/tests' Makefile:1734: recipe for target 'check-am' failed make[2]: *** [check-am] Error 2 make[2]: Leaving directory '/tmp/nix-build-gnutls-3.4.1.drv-1/gnutls-3.4.1/guile/tests' Makefile:1313: recipe for target 'check-recursive' failed make[1]: *** [check-recursive] Error 1 make[1]: Leaving directory '/tmp/nix-build-gnutls-3.4.1.drv-1/gnutls-3.4.1/guile' Makefile:1387: recipe for target 'check-recursive' failed make: *** [check-recursive] Error 1 phase `check' failed after 222 seconds note: keeping build directory `/tmp/nix-build-gnutls-3.4.1.drv-1' builder for `/gnu/store/2n3z9khc28vldclpbnl819mcplyw38xs-gnutls-3.4.1.drv' failed with exit code 1 @ build-failed /gnu/store/2n3z9khc28vldclpbnl819mcplyw38xs-gnutls-3.4.1.drv - 1 builder for `/gnu/store/2n3z9khc28vldclpbnl819mcplyw38xs-gnutls-3.4.1.drv' failed with exit code 1 guix build: error: build failed: build of `/gnu/store/2n3z9khc28vldclpbnl819mcplyw38xs-gnutls-3.4.1.drv' failed -------------- next part -------------- A non-text attachment was scrubbed... Name: nix-build-gnutls-3.4.1.drv-1.tar.xz Type: application/x-xz Size: 12231220 bytes Desc: not available URL: From nmav at gnutls.org Tue Oct 20 18:19:30 2015 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Tue, 20 Oct 2015 18:19:30 +0200 Subject: [gnutls-devel] gnutls 3.4.6 Message-ID: <1445357970.19238.1.camel@gnutls.org> Hello, I've just released gnutls 3.4.6. This version fixes bugs and adds minor features to the next stable branch. * Version 3.4.6 (released 2015-10-20) ** libgnutls: Added new simple verification functions. That avoids the need to install a callback to perform certificate verification. See doc/examples/ex-client-x509.c for usage. ** libgnutls: Introduced the security parameter 'future' which is at the 256-bit level of security, and 'ultra' was aligned to its documented size at 192-bits. ** libgnutls: When writing a certificate into a PKCS #11 token, ensure that CKA_SERIAL_NUMBER and CKA_ISSUER are written. Reported by Sumit Bose. ** libgnutls: Allow the presence of legacy ciphers and key exchanges in priority strings and consider them a no-op. ** libgnutls: Handle the extended master secret as a mandatory extension. That fixes incompatibility issues with Chromium (#45). Reported by Hubert Kario. ** libgnutls: Added the ability to copy a public key into a PKCS #11 token. ** tools: Added support for LDAP and XMPP negotiation for STARTTLS. ** p11tool: Allow writing a public key into a PKCS #11 token. ** certtool: Key generation security level was switched to HIGH. That is, by default the tool generates 3072 bit keys for RSA and DSA. ** API and ABI modifications: gnutls_session_set_verify_function: Added gnutls_session_set_verify_cert: Added gnutls_session_set_verify_cert2: Added gnutls_session_get_verify_cert_status: Added gnutls_pkcs11_copy_pubkey: Added Getting the Software ==================== GnuTLS may be downloaded directly from .??A list of GnuTLS mirrors can be found at . Here are the XZ and LZIP compressed sources: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/gnutls-3.4.6.tar.xz ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/gnutls-3.4.6.tar.lz Here are OpenPGP detached signatures signed using key 0x96865171: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/gnutls-3.4.6.tar.xz.sig ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/gnutls-3.4.6.tar.lz.sig Note that it has been signed with my openpgp key: pub 3104R/96865171 2008-05-04 [expires: 2028-04-29] uid Nikos Mavrogiannopoulos gnutls.org> uid Nikos Mavrogiannopoulos gmail.com> sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02] sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02] regards, Nikos From ametzler at bebt.de Tue Oct 20 20:00:44 2015 From: ametzler at bebt.de (Andreas Metzler) Date: Tue, 20 Oct 2015 20:00:44 +0200 Subject: [gnutls-devel] gnutls 3.4.6 In-Reply-To: <1445357970.19238.1.camel@gnutls.org> References: <1445357970.19238.1.camel@gnutls.org> Message-ID: <20151020180043.GA2123@downhill.g.la> On 2015-10-20 Nikos Mavrogiannopoulos wrote: > Hello, > I've just released gnutls 3.4.6. This version fixes bugs and adds > minor features to the next stable branch. [...] > ** API and ABI modifications: > gnutls_session_set_verify_function: Added > gnutls_session_set_verify_cert: Added > gnutls_session_set_verify_cert2: Added > gnutls_session_get_verify_cert_status: Added Hello, these are marked with "Since: 3.5.0", trivial patch attached. cu Andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure' -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Documentation-update.patch Type: text/x-diff Size: 1941 bytes Desc: not available URL: From nmav at gnutls.org Wed Oct 21 09:07:23 2015 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Wed, 21 Oct 2015 09:07:23 +0200 Subject: [gnutls-devel] gnutls 3.4.6 In-Reply-To: <20151020180043.GA2123@downhill.g.la> References: <1445357970.19238.1.camel@gnutls.org> <20151020180043.GA2123@downhill.g.la> Message-ID: On Tue, Oct 20, 2015 at 8:00 PM, Andreas Metzler wrote: > On 2015-10-20 Nikos Mavrogiannopoulos wrote: >> Hello, >> I've just released gnutls 3.4.6. This version fixes bugs and adds >> minor features to the next stable branch. > [...] >> ** API and ABI modifications: >> gnutls_session_set_verify_function: Added >> gnutls_session_set_verify_cert: Added >> gnutls_session_set_verify_cert2: Added >> gnutls_session_get_verify_cert_status: Added > Hello, > these are marked with "Since: 3.5.0", trivial patch attached. Applied, thank you! From nmav at gnutls.org Tue Oct 27 15:56:53 2015 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Tue, 27 Oct 2015 15:56:53 +0100 Subject: [gnutls-devel] CFP: Security Devroom @ FOSDEM'16 Message-ID: [I'll be co-organizing the security devroom, if loyal list members are around ping me! ] Next FOSDEM [1] will, again, have a security devroom, this time on the topic of "Security and Privacy in modern software". We'd like to invite submissions of talks and presentations from developers, security researchers and other interested representatives of open source and free software and hardware projects. This is the call for talks and presentations that will take place in the Security devroom at FOSDEM 2016. Our topic this year: Cryptography has been the foundation of modern crypto software, however, it is only a small fraction of the technology required to achieve security and privacy for users. Thus this year's topic is to focus on the other parts that make software secure: usability, the protection against side-channels, message length analysis, fingerprinting, secure coding practices, code review processes etc. We welcome presentations of security software and hardware which take into account these factors, and presentations that analyze other's solutions. For up-to-date submission and event information: https://github.com/security-devroom/fosdem-2016 The security devroom will be held on Sunday 31st of January 2016 in Brussels, Belgium at ULB. Feel free to forward this announcement to any relevant FOSS project mailing list. [1] https://fosdem.org/2016/ [2] https://github.com/security-devroom/fosdem-2016