From nmav at gnutls.org Fri Apr 7 08:14:11 2017
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Fri, 07 Apr 2017 08:14:11 +0200
Subject: [gnutls-devel] gnutls 3.5.11
Message-ID: <1491545651.4737.2.camel@gnutls.org>

Hello,
 I've just released gnutls 3.5.11. This is a bug fix release on the
3.5.x branch.

* Version 3.5.11 (released 2017-04-07)

** gnutls.pc: do not include libtool options into Libs.private.

** libgnutls: Fixed issue when rehandshaking without a client certificate in
   a session which initially used one. Reported by Frantisek Sumsal.

** libgnutls: Addressed read of 4 bytes past the end of buffer in OpenPGP
   certificate parsing. Issues found using oss-fuzz project and were fixed
   by Alex Gaynor:
   https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=737
   https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=824

** libgnutls: Introduced locks in gnutls_pkcs11_privkey_t structure access.
   That allows PKCS#11 operations such as signing to be performed with the
   same object from multiple threads.

** libgnutls: Added support for MacOSX key chain for obtaining trust store's
   root CA certificates. That is, gnutls_x509_trust_list_add_system_trust() and
   gnutls_certificate_set_x509_system_trust() will load the certificates from
   the key chain. That also means that we no longer check for a default trust
   store file in configure when building on MacOSX (unless explicitly asked to).
   Patch by David Caldwell.

** libgnutls: when disabling OpenPGP authentication, the resulting library
   is ABI compatible (with openpgp related functions being stubs that fail
   on invocation).

** API and ABI modifications:
No changes since last version.


Getting the Software
====================

GnuTLS may be downloaded directly from .  A list of GnuTLS mirrors can be
found at .

Here are the XZ compressed sources:

  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/gnutls-3.5.11.tar.xz

Here are OpenPGP detached signatures signed using key 0x96865171:

  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/gnutls-3.5.11.tar.xz.sig

Note that it has been signed with my openpgp key:
pub   3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid                  Nikos Mavrogiannopoulos gnutls.org>
uid                  Nikos Mavrogiannopoulos gmail.com>
sub   2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub   2048R/1404A91D 2008-05-04 [expires: 2018-05-02]

regards,
Nikos

From fgunbin at fastmail.fm Fri Apr 7 16:56:12 2017
From: fgunbin at fastmail.fm (Filipp Gunbin)
Date: Fri, 07 Apr 2017 17:56:12 +0300
Subject: [gnutls-devel] gnutls 3.5.11
In-Reply-To: <1491545651.4737.2.camel@gnutls.org> (Nikos Mavrogiannopoulos's message of "Fri, 07 Apr 2017 08:14:11 +0200")
References: <1491545651.4737.2.camel@gnutls.org>
Message-ID:

Hello,

I seem to have trouble building with gcc-6.3.0 on macOS, can you help
please?

Filipp

/System/Library/Frameworks/CoreFoundation.framework/Headers/CFDateFormatter.h:53:34: error: 'introduced' undeclared here (not in a function)
     kCFISO8601DateFormatWithYear API_AVAILABLE(macosx(10.12), ios(10.0), watchos(3.0), tvos(10.0)) = (1UL << 0),
                                  ^
/System/Library/Frameworks/CoreFoundation.framework/Headers/CFURL.h:777:39: error: 'deprecated' undeclared here (not in a function)
 const CFStringRef kCFURLLabelColorKey API_DEPRECATED("Use NSURLLabelColorKey", macosx(10.6, 10.12), ios(4.0, 10.0), watchos(2.0, 3.0), tvos(9.0, 10.0));
                                       ^
/System/Library/Frameworks/CoreFoundation.framework/Headers/CFURL.h:777:39: error: 'message' undeclared here (not in a function)
 const CFStringRef kCFURLLabelColorKey API_DEPRECATED("Use NSURLLabelColorKey", macosx(10.6, 10.12), ios(4.0, 10.0), watchos(2.0, 3.0), tvos(9.0, 10.0));
                                       ^
In file included from /System/Library/Frameworks/Security.framework/Headers/AuthSession.h:32:0,
                 from /System/Library/Frameworks/Security.framework/Headers/Security.h:43,
                 from system/certs.c:49:
/System/Library/Frameworks/Security.framework/Headers/Authorization.h:192:7: error: variably modified 'bytes' at file scope
  char
bytes[kAuthorizationExternalFormLength];

From nmav at gnutls.org Sat Apr 8 09:41:51 2017
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sat, 08 Apr 2017 09:41:51 +0200
Subject: [gnutls-devel] gnutls 3.5.11
In-Reply-To:
References: <1491545651.4737.2.camel@gnutls.org>
Message-ID: <1491637311.2343.1.camel@gnutls.org>

On Fri, 2017-04-07 at 17:56 +0300, Filipp Gunbin wrote:
> Hello,
>
> I seem to have trouble building with gcc-6.3.0 on macOS, can you help
> please?

It seems that certain system headers do not compile with gcc on macosx.
You'll have to use clang at this point. Please follow up at:
https://gitlab.com/gnutls/gnutls/merge_requests/342

regards,
Nikos

From andreas.radke at mailbox.org Sat Apr 8 14:15:36 2017
From: andreas.radke at mailbox.org (Andreas Radke)
Date: Sat, 8 Apr 2017 14:15:36 +0200
Subject: [gnutls-devel] gnutls 3.5.11
In-Reply-To: <1491545651.4737.2.camel@gnutls.org>
References: <1491545651.4737.2.camel@gnutls.org>
Message-ID: <20170408141536.6d5afb33@laptop64.home>

With this new release the test suite fails here:

FAIL: trust-store
=================

doit:64: no certificates were found in system trust store!
FAIL trust-store (exit status: 1)

Any idea what has changed?

-Andy
Arch Linux
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL:

From ametzler at bebt.de Sat Apr 8 14:39:56 2017
From: ametzler at bebt.de (Andreas Metzler)
Date: Sat, 8 Apr 2017 14:39:56 +0200
Subject: [gnutls-devel] gnutls 3.5.11
In-Reply-To: <20170408141536.6d5afb33@laptop64.home>
References: <1491545651.4737.2.camel@gnutls.org> <20170408141536.6d5afb33@laptop64.home>
Message-ID: <20170408123956.ojnat25veqbnlnil@argenau.bebt.de>

On 2017-04-08 Andreas Radke wrote:
> With this new release the test suite fails here:

> FAIL: trust-store
> =================

> doit:64: no certificates were found in system trust store!
> FAIL trust-store (exit status: 1)

> Any idea what has changed?

Hello,

This happens if gnutls is built with e.g.
--with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt
and /etc/ssl/certs/ca-certificates.crt is empty/non-existing when
running the testsuite.

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

From tim.ruehsen at gmx.de Mon Apr 10 11:24:44 2017
From: tim.ruehsen at gmx.de (Tim Rühsen)
Date: Mon, 10 Apr 2017 11:24:44 +0200
Subject: [gnutls-devel] Missing git tag 3.5.11 ?
Message-ID: <78421054-6360-9e70-61de-33348c3cab85@gmx.de>

I can't find the git tag for 3.5.11 on Gitlab !?

Regards, Tim
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL:

From tim.ruehsen at gmx.de Mon Apr 10 12:44:04 2017
From: tim.ruehsen at gmx.de (Tim Rühsen)
Date: Mon, 10 Apr 2017 12:44:04 +0200
Subject: [gnutls-devel] TCP Fast Open for OSX
Message-ID:

Attached is a patch to implement TFO on OSX.

I can't test that personally (no OSX here), but basically the same code
is used in Wget2 and it survives OSX Travis CI.

Use this code as you like.

Regards, Tim
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-lib-system-fastopen-Add-TCP-Fast-Open-for-OSX.patch
Type: text/x-patch
Size: 2117 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL:

From fgunbin at fastmail.fm Mon Apr 10 15:56:31 2017
From: fgunbin at fastmail.fm (Filipp Gunbin)
Date: Mon, 10 Apr 2017 16:56:31 +0300
Subject: [gnutls-devel] gnutls 3.5.11
In-Reply-To: <1491637311.2343.1.camel@gnutls.org> (Nikos Mavrogiannopoulos's message of "Sat, 08 Apr 2017 09:41:51 +0200")
References: <1491545651.4737.2.camel@gnutls.org> <1491637311.2343.1.camel@gnutls.org>
Message-ID:

On 08/04/2017 09:41 +0200, Nikos Mavrogiannopoulos wrote:

> On Fri, 2017-04-07 at 17:56 +0300, Filipp Gunbin wrote:
>> Hello,
>>
>> I seem to have trouble building with gcc-6.3.0 on macOS, can you help
>> please?
>
> It seems that certain system headers do not compile with gcc on macosx.
> You'll have to use clang at this point. Please follow up at:
> https://gitlab.com/gnutls/gnutls/merge_requests/342

Thanks!

From andreas.radke at mailbox.org Mon Apr 10 20:36:59 2017
From: andreas.radke at mailbox.org (Andreas Radke)
Date: Mon, 10 Apr 2017 20:36:59 +0200
Subject: [gnutls-devel] gnutls 3.5.11
In-Reply-To: <20170408123956.ojnat25veqbnlnil@argenau.bebt.de>
References: <1491545651.4737.2.camel@gnutls.org> <20170408141536.6d5afb33@laptop64.home> <20170408123956.ojnat25veqbnlnil@argenau.bebt.de>
Message-ID: <20170410203659.09260cd2@laptop64.home>

On Sat, 8 Apr 2017 14:39:56 +0200, Andreas Metzler wrote:

> On 2017-04-08 Andreas Radke wrote:
> > With this new release the test suite fails here:
>
> > FAIL: trust-store
> > =================
>
> > doit:64: no certificates were found in system trust store!
> > FAIL trust-store (exit status: 1)
>
> > Any idea what has changed?
>
> Hello,
>
> This happens if gnutls is built with e.g.
> --with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt
> and /etc/ssl/certs/ca-certificates.crt is empty/non-existing when
> running the testsuite.
>
> cu Andreas

lrwxrwxrwx 1 root root 49 Mar 7
22:05 /etc/ssl/certs/ca-certificates.crt
-> ../../ca-certificates/extracted/tls-ca-bundle.pem # ACCVRAIZ1
-----BEGIN CERTIFICATE-----
MIIH0zCCBbugAwIBAgIIXsO3pkN/pOAwDQYJKoZIhvcNAQEFBQAwQjESMBAGA1UE
AwwJQUNDVlJBSVoxMRAwDgYDVQQLDAdQS0lBQ0NWMQ0wCwYDVQQKDARBQ0NWMQsw
CQYDVQQGEwJFUzAeFw0xMTA1MDUwOTM3MzdaFw0zMDEyMzEwOTM3MzdaMEIxEjAQ


May this happen because we use a symlink? The file is not empty. We
build using
--with-default-trust-store-pkcs11="pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit"

The test was introduced with this commit:
https://gitlab.com/gnutls/gnutls/commit/8d740ae87fae9c1237421dd24825b78103c5da36

-Andy
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL:

From ametzler at bebt.de Tue Apr 11 07:05:14 2017
From: ametzler at bebt.de (Andreas Metzler)
Date: Tue, 11 Apr 2017 07:05:14 +0200
Subject: [gnutls-devel] gnutls 3.5.11
In-Reply-To: <20170410203659.09260cd2@laptop64.home>
References: <1491545651.4737.2.camel@gnutls.org> <20170408141536.6d5afb33@laptop64.home> <20170408123956.ojnat25veqbnlnil@argenau.bebt.de> <20170410203659.09260cd2@laptop64.home>
Message-ID: <20170411050514.doy77kuutuu2fkjl@argenau.bebt.de>

On 2017-04-10 Andreas Radke wrote:
> On Sat, 8 Apr 2017 14:39:56 +0200, Andreas Metzler wrote:
>> On 2017-04-08 Andreas Radke wrote:
>>> With this new release the test suite fails here:

>>> FAIL: trust-store
>>> =================

>>> doit:64: no certificates were found in system trust store!
>>> FAIL trust-store (exit status: 1)

>> This happens if gnutls is built with e.g.
>> --with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt
>> and /etc/ssl/certs/ca-certificates.crt is empty/non-existing when
>> running the testsuite.
> lrwxrwxrwx 1 root root 49 Mar 7
> 22:05 /etc/ssl/certs/ca-certificates.crt
> -> ../../ca-certificates/extracted/tls-ca-bundle.pem # ACCVRAIZ1
> -----BEGIN CERTIFICATE-----
> MIIH0zCCBbugAwIBAgIIXsO3pkN/pOAwDQYJKoZIhvcNAQEFBQAwQjESMBAGA1UE
> AwwJQUNDVlJBSVoxMRAwDgYDVQQLDAdQS0lBQ0NWMQ0wCwYDVQQKDARBQ0NWMQsw
> CQYDVQQGEwJFUzAeFw0xMTA1MDUwOTM3MzdaFw0zMDEyMzEwOTM3MzdaMEIxEjAQ

> May this happen because we use a symlink? The file is not empty. We
> build using
> --with-default-trust-store-pkcs11="pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit"

You are using a different trust-store, that is why I wrote "e.g.". If
--with-default-trust-store-file=/some/file is used, then /some/file needs
to contain some certs for the test to succeed. In your case
"pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit" would have to
work. Is it possible that you're missing some glue-package?

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

From n.mavrogiannopoulos at gmail.com Tue Apr 11 10:06:25 2017
From: n.mavrogiannopoulos at gmail.com (Nikos Mavrogianopoulos)
Date: Tue, 11 Apr 2017 11:06:25 +0300
Subject: [gnutls-devel] gnutls 3.5.11
In-Reply-To: <20170410203659.09260cd2@laptop64.home>
References: <1491545651.4737.2.camel@gnutls.org> <20170408141536.6d5afb33@laptop64.home> <20170408123956.ojnat25veqbnlnil@argenau.bebt.de> <20170410203659.09260cd2@laptop64.home>
Message-ID:

There was an issue with pkcs11 trust stores and this test. Check the repo
for the fix.

On April 10, 2017 9:36:59 PM GMT+03:00, Andreas Radke wrote:
>On Sat, 8 Apr 2017 14:39:56 +0200, Andreas Metzler wrote:
>
>> On 2017-04-08 Andreas Radke wrote:
>> > With this new release the test suite fails here:
>>
>> > FAIL: trust-store
>> > =================
>>
>> > doit:64: no certificates were found in system trust store!
>> > FAIL trust-store (exit status: 1)
>>
>> > Any idea what has changed?
>>
>> Hello,
>>
>> This happens if gnutls is built with e.g.
>> --with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt
>> and /etc/ssl/certs/ca-certificates.crt is empty/non-existing when
>> running the testsuite.
>>
>> cu Andreas
>
>lrwxrwxrwx 1 root root 49 Mar 7
>22:05 /etc/ssl/certs/ca-certificates.crt
>-> ../../ca-certificates/extracted/tls-ca-bundle.pem # ACCVRAIZ1
>-----BEGIN CERTIFICATE-----
>MIIH0zCCBbugAwIBAgIIXsO3pkN/pOAwDQYJKoZIhvcNAQEFBQAwQjESMBAGA1UE
>AwwJQUNDVlJBSVoxMRAwDgYDVQQLDAdQS0lBQ0NWMQ0wCwYDVQQKDARBQ0NWMQsw
>CQYDVQQGEwJFUzAeFw0xMTA1MDUwOTM3MzdaFw0zMDEyMzEwOTM3MzdaMEIxEjAQ
>
>
>May this happen because we use a symlink? The file is not empty. We
>build using
>--with-default-trust-store-pkcs11="pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit"
>
>The test was introduced with this commit:
>https://gitlab.com/gnutls/gnutls/commit/8d740ae87fae9c1237421dd24825b78103c5da36
>
>-Andy

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From nmav at gnutls.org Tue Apr 11 22:19:29 2017
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Tue, 11 Apr 2017 23:19:29 +0300
Subject: [gnutls-devel] TCP Fast Open for OSX
In-Reply-To:
References:
Message-ID:

Thank you. I've created a merge request for it:
https://gitlab.com/gnutls/gnutls/merge_requests/356

On Mon, Apr 10, 2017 at 1:44 PM, Tim Rühsen wrote:
> Attached is a patch to implement TFO on OSX.
>
> I can't test that personally (no OSX here), but basically the same code
> is used in Wget2 and it survives OSX Travis CI.
>
> Use this code as you like.
>
> Regards, Tim

From nmav at gnutls.org Tue Apr 11 22:59:48 2017
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Tue, 11 Apr 2017 23:59:48 +0300
Subject: [gnutls-devel] TCP Fast Open for OSX
In-Reply-To:
References:
Message-ID:

On Tue, Apr 11, 2017 at 11:19 PM, Nikos Mavrogiannopoulos wrote:
> Thank you. I've created a merge request for it:
> https://gitlab.com/gnutls/gnutls/merge_requests/356

It seems there is a build failure on macosx:
https://travis-ci.org/gnutls/gnutls/builds/221101215

system/fastopen.c:121:3: error: expected expression
                sa_endpoints_t endpoints = { .sae_dstaddr = (struct sockaddr*)&p->connect_addr, .sae_dstaddrlen = p->connect_addrlen };
                ^
system/fastopen.c:122:23: error: use of undeclared identifier 'endpoints'
                ret = connectx(fd, &endpoints, SAE_ASSOCID_ANY, CONNECT_RESUME_ON_READ_WRITE | CONNECT_DATA_IDEMPOTENT, NULL, 0, NULL, NULL);

regards,
Nikos

From tim.ruehsen at gmx.de Fri Apr 14 19:20:03 2017
From: tim.ruehsen at gmx.de (Tim Rühsen)
Date: Fri, 14 Apr 2017 19:20:03 +0200
Subject: [gnutls-devel] Searchable gnutls-devel archive ?
Message-ID: <2259704.Z9q8DxueMD@debian>

Hi,

is there a searchable gnutls-devel archive ?

(Gmane doesn't work, gnu.org has the archive up to 2015)

Many thanks, Tim
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part.
URL:

From normalperson at yhbt.net Fri Apr 14 21:21:26 2017
From: normalperson at yhbt.net (Eric Wong)
Date: Fri, 14 Apr 2017 19:21:26 +0000
Subject: [gnutls-devel] Searchable gnutls-devel archive ?
In-Reply-To: <2259704.Z9q8DxueMD@debian>
References: <2259704.Z9q8DxueMD@debian>
Message-ID: <20170414192126.GA24899@whir>

Tim Rühsen wrote:
> Hi,
>
> is there a searchable gnutls-devel archive ?
>
> (Gmane doesn't work, gnu.org has the archive up to 2015)

Hi Tim, I work on public-inbox(*) which uses git and (optionally)
Xapian for search. It is probably most notable for mirroring
the git at vger.kernel.org list at https://public-inbox.org/git/
where Xapian search is enabled.

It's all AGPL-3+ so you (or anybody else) can run it themselves:

	git clone https://public-inbox.org/ public-inbox

There's an INSTALL document and perlpod manpages for all the
important commands.

I could offer to host this list, but I really don't want to
end up like Lars (of gmane) and get overloaded nor have any
server I maintain become a single-point-of-failure.

I tried my best to design everything to work on cheap hardware;
and regularly test on a 2005 Centrino laptop :)
The biggest downside is the size of Xapian DB, but gnutls
seems much quieter than git at vger

Feel free to mail meta at public-inbox.org if you have any
questions, comments or need help setting it up.

From martin at martin.st Tue Apr 18 08:20:55 2017
From: martin at martin.st (Martin Storsjö)
Date: Tue, 18 Apr 2017 09:20:55 +0300 (EEST)
Subject: [gnutls-devel] gnutls 3.5.10
In-Reply-To: <87tw6pr4c3.fsf@wheatstone.g10code.de>
References: <1488783939.18801.2.camel@gnutls.org> <1489855997.4127.3.camel@gnutls.org> <87tw6pr4c3.fsf@wheatstone.g10code.de>
Message-ID:

Hi Werner,

On Sun, 19 Mar 2017, Werner Koch wrote:

> On Sat, 18 Mar 2017 21:22, martin at martin.st said:
>
>> Despite that, it does seem to exist on disk at that path though, so it
>> just seems like the listing isn't refreshed after the last release was
>
> Hmmm, the cron job re-creates the index every 3 hours:
>
>   # Create HTML index files for the FTP server
>   20 20/3 * * * root /etc/mk-ftp-index.html.sh
>
> it seems that it did not work this time. I just kicked it and the
> index is now updated. I attach the script in case someone wants to
> check it for a bug.

Thanks - when you manually ran it last time, it did work properly, but the
newly released 3.5.11 still doesn't show up at
https://www.gnupg.org/ftp/gcrypt/gnutls/v3.5/. Is there perhaps some perms
issue/difference between when running from cron versus when run manually?

// Martin

From nmav at gnutls.org Thu Apr 20 10:04:43 2017
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Thu, 20 Apr 2017 10:04:43 +0200
Subject: [gnutls-devel] Missing git tag 3.5.11 ?
In-Reply-To: <78421054-6360-9e70-61de-33348c3cab85@gmx.de>
References: <78421054-6360-9e70-61de-33348c3cab85@gmx.de>
Message-ID:

On Mon, Apr 10, 2017 at 11:24 AM, Tim Rühsen wrote:
> I can't find the git tag for 3.5.11 on Gitlab !?

I must have forgotten tagging it. Pushed now.

regards,
Nikos

From nmav at gnutls.org Thu Apr 20 17:42:20 2017
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Thu, 20 Apr 2017 17:42:20 +0200
Subject: [gnutls-devel] Searchable gnutls-devel archive ?
In-Reply-To: <2259704.Z9q8DxueMD@debian>
References: <2259704.Z9q8DxueMD@debian>
Message-ID:

On Fri, Apr 14, 2017 at 7:20 PM, Tim Rühsen wrote:
> Hi,
>
> is there a searchable gnutls-devel archive ?
> (Gmane doesn't work, gnu.org has the archive up to 2015)

There is:
http://marc.info/?l=gnutls-dev

Since gmane does not seem to recover, I've removed the links to it at
the support page and linked to marc.info instead. Eric's public-inbox
is quite tempting to use too, but I want to avoid adding more
infrastructure to maintain.

regards,
Nikos
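
Added example, not part of any message in this archive and not GnuTLS code: the condition Andreas Metzler describes in the trust-store sub-thread (the test fails when the file given to --with-default-trust-store-file is empty or non-existing) can be checked before running the test suite. The function name trust_store_status is hypothetical, the demo files are constructed placeholders, and only file-based stores are covered.

```shell
#!/bin/sh
# Added example: classify a file-based trust store before running the test
# suite. trust_store_status is a hypothetical helper, not part of GnuTLS.

# Prints: missing | dangling-symlink | empty | no-certs | ok:<count>
# Returns 0 only when at least one PEM certificate header is present.
trust_store_status() {
    store=$1
    if [ -L "$store" ] && [ ! -e "$store" ]; then
        echo "dangling-symlink"; return 1   # link exists, target does not
    fi
    if [ ! -e "$store" ]; then
        echo "missing"; return 1
    fi
    if [ ! -s "$store" ]; then
        echo "empty"; return 1              # -s follows symlinks
    fi
    # grep -c exits 1 on zero matches but still prints 0.
    count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$store" || true)
    if [ "${count:-0}" -eq 0 ]; then
        echo "no-certs"; return 1
    fi
    echo "ok:$count"
}

# Constructed demo: a bundle reached through a relative symlink, as in the
# Arch Linux layout quoted in the thread. The PEM bodies are placeholders,
# not real certificates.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/extracted" "$demo_dir/certs"
for n in 1 2; do
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "PLACEHOLDER$n" \
        '-----END CERTIFICATE-----'
done > "$demo_dir/extracted/tls-ca-bundle.pem"
ln -s ../extracted/tls-ca-bundle.pem "$demo_dir/certs/ca-certificates.crt"
: > "$demo_dir/certs/empty.crt"
ln -s ../extracted/gone.pem "$demo_dir/certs/dangling.crt"

for f in ca-certificates.crt empty.crt dangling.crt absent.crt; do
    printf '%-22s %s\n' "$f" \
        "$(trust_store_status "$demo_dir/certs/$f" || true)"
done
```

The check counts PEM headers only and says nothing about a store configured with --with-default-trust-store-pkcs11, which is what the Arch Linux build in this thread used.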