From fjugla at easter-eggs.com Tue Dec 11 11:40:51 2001
From: fjugla at easter-eggs.com (Florent Jugla)
Date: 11 Dec 2001 11:40:51 +0100
Subject: [Help-gnutls] handshaking gnuTLS 0.2.90
Message-ID: <1008067251.9679.0.camel@marguerite>

Hi,

I am trying to use the GnuTLS library. At first, I was using the 0.2.2 version; I had just one problem when doing client authentication: the certificate of a client was accepted, but the server did not know the CA of the client??

So, I decided to upgrade the library version and to use the latest 0.2.90 one. I had a lot of problems because a lot of function names changed from one version to the other. Anyway, I managed to get it to compile; but now, nothing is working. When I just do a server authentication (i.e. just the server has a certificate), the handshake does not complete. On the server side, everything seems fine, but on the client side, there's a problem.

I attach to this e-mail the end of the logs for the client and the server.

Any idea? Thank you
Florent

----------------------------------- end of server.log

GNUTLS_ASSERT: gnutls_buffers.c:729
GNUTLS_ASSERT: gnutls_buffers.c:747
GNUTLS_ASSERT: gnutls_buffers.c:639
GNUTLS Error: send Finished (-28)
GNUTLS_ASSERT: gnutls_handshake.c:1619
GNUTLS_ASSERT: gnutls_buffers.c:673
Record: Sending Packet[1] Handshake(22) with length: 16
WRITE: Restoring old write. (7 bytes to send)
WRITE: Will write 7 bytes to 5.
WRITE: wrote 7 bytes to 5. Left 0 bytes. Total 7 bytes.
0000 - c4 60 6a dd 20 22 6f
WRITE FLUSH: 157 [buffer: 0]
Record: Sent Packet[1] Handshake(22) with length: 157
HANDSHAKE_FLUSH: written[1] 16 bytes
HASH BUFFER: Cleared Data from buffer
12/10/2001 22:07:19 handshake was completed
12/10/2001 22:07:19 printInfo : entree fonction
12/10/2001 22:07:19 Version: TLS 1.0
12/10/2001 22:07:19 Key Exchange: X509PKI_RSA
12/10/2001 22:07:19 Compression: NULL
12/10/2001 22:07:19 Cipher: 3DES_CBC
12/10/2001 22:07:19 MAC: SHA
12/10/2001 22:07:19 printInfo : sortie fonction
12/10/2001 22:07:19 server got connection from 127.0.0.1:1220
12/10/2001 22:07:19 entree nbRead
READ: -1 returned from 5, errno=11
GNUTLS_ASSERT: gnutls_buffers.c:213
12/10/2001 22:07:19 server read 0 bytes of header
12/10/2001 22:07:19 entree nbRead
READ: -1 returned from 5, errno=11
GNUTLS_ASSERT: gnutls_buffers.c:213
12/10/2001 22:07:19 server read 0 bytes of header
12/10/2001 22:07:19 entree nbRead
READ: Got 0 bytes from 5
READ: read 0 bytes from 5
0000 -
GNUTLS_ASSERT: gnutls_buffers.c:433
GNUTLS_ASSERT: gnutls_record.c:747
Error from source <127.0.0.1:1220, fd -1>:

----------------------------------- end of client.log

READ: Got 1 bytes from 4
READ: Got 1 bytes from 4
READ: Got 1 bytes from 4
READ: Got 1 bytes from 4
READ: Got 1 bytes from 4
READ: Got 1 bytes from 4
READ: -1 returned from 4, errno=11
READ: returning 8 bytes from 4
READ: read 8 bytes from 4
0000 - b6 11 c4 60 6a dd 20 22
RB: Have 148 bytes into buffer. Adding 8 bytes.
RB: Requested 157 bytes
GNUTLS_ASSERT: gnutls_buffers.c:441
GNUTLS_ASSERT: gnutls_buffers.c:832
GNUTLS_ASSERT: gnutls_handshake.c:698
GNUTLS_ASSERT: gnutls_handshake.c:808
GNUTLS Error: recv finished int (-28)
GNUTLS_ASSERT: gnutls_handshake.c:448
GNUTLS Error: recv finished (-28)
GNUTLS_ASSERT: gnutls_handshake.c:1672
Record: Expected Packet[0] Handshake(22) with length: 1
Record: Received Packet[0] Handshake(22) with length: 152
READ: Got 1 bytes from 4
READ: read 1 bytes from 4
0000 - 6f
RB: Have 156 bytes into buffer. Adding 1 bytes.
RB: Requested 157 bytes
Record: Decrypted Packet[0] Handshake(22) with length: 16
HANDSHAKE BUFFER: Inserted 16 bytes of Data(22)
HANDSHAKE BUFFER: Read 1 bytes of Data(22)
HANDSHAKE BUFFER: Read 3 bytes of Data(22)
Handshake: FINISHED was received [16 bytes]
HASH BUFFER: Inserted 4 bytes of Data
HANDSHAKE BUFFER: Read 12 bytes of Data(22)
HASH BUFFER: Inserted 12 bytes of Data
HASH BUFFER: Read 811 bytes of Data
HASH BUFFER: Cleared Data from buffer
Error from source :

-- 
Florent Jugla / Easter-Eggs - GNU/Linux specialist
44-46 rue de l'Ouest - 75014 Paris - France - Métro Gaîté
Phone: +33 (0) 1 43 35 00 37 - Fax: +33 (0) 1 43 35 00 76
mailto:fjugla at easter-eggs.com - http://www.easter-eggs.com

From nmav at hellug.gr Wed Dec 12 11:47:54 2001
From: nmav at hellug.gr (Nikos Mavroyanopoulos)
Date: Wed, 12 Dec 2001 12:47:54 +0200
Subject: [Help-gnutls] handshaking gnuTLS 0.2.90
In-Reply-To: <1008067251.9679.0.camel@marguerite>
References: <1008067251.9679.0.camel@marguerite>
Message-ID: <20011212124754.0da6ddb2.nmav@hellug.gr>

On 11 Dec 2001 11:40:51 +0100 Florent Jugla wrote:

> Hi,
> I am trying to use the GnuTLS library.
> At first, I was using the 0.2.2 version; I had just one problem
> when doing client authentication: the certificate of a client was
> accepted, but the server did not know the CA of the client??
The server only knows the CAs you provide it (using gnutls_x509pki_set_server_trust()
or the equivalent in 0.2.2).
> So, I decided to upgrade the library version and to use the latest 0.2.90
0.2.9x versions are there for testing purposes. You'd better wait for 0.3.0
or get 0.2.11.
> from one version to the other. Anyway, I managed to get it to compile;
> but now, nothing is working. When I just do a server authentication
> (i.e. just the server has a certificate), the handshake does not complete.
What's the error code returned? Do the examples in the documentation work?
The logs you attached showed no fatal error in gnutls.
Do you handle the returned error codes properly?
> Any idea? Thank you
> Florent
> --
> Florent Jugla / Easter-Eggs - GNU/Linux specialist
> 44-46 rue de l'Ouest - 75014 Paris - France - Métro Gaîté
> Phone: +33 (0) 1 43 35 00 37 - Fax: +33 (0) 1 43 35 00 76
> mailto:fjugla at easter-eggs.com - http://www.easter-eggs.com

-- 
Nikos Mavroyanopoulos
mailto:nmav at hellug.gr

From fjugla at easter-eggs.com Thu Dec 13 10:41:47 2001
From: fjugla at easter-eggs.com (Florent Jugla)
Date: 13 Dec 2001 10:41:47 +0100
Subject: [Help-gnutls] handshaking gnuTLS 0.2.90
In-Reply-To: <20011212124754.0da6ddb2.nmav@hellug.gr>
References: <1008067251.9679.0.camel@marguerite> <20011212124754.0da6ddb2.nmav@hellug.gr>
Message-ID: <1008236508.24661.1.camel@marguerite>

On Wed, 2001-12-12 at 11:47, Nikos Mavroyanopoulos wrote:
> On 11 Dec 2001 11:40:51 +0100 Florent Jugla wrote:
>
> > Hi,
> > I am trying to use the GnuTLS library.
> > At first, I was using the 0.2.2 version; I had just one problem
> > when doing client authentication: the certificate of a client was
> > accepted, but the server did not know the CA of the client??
> The server only knows the CAs you provide it (using gnutls_x509pki_set_server_trust()
> or the equivalent in 0.2.2).
>
In that case, the server knew a given CA (let's call it ca1), but the certificate of the client was signed by another CA (ca2). When the client sent its certificate, this certificate was accepted by the server. Do I have to do a special check in the server implementation in order to verify that my server knows the CA the certificate of the client was signed with?

> > So, I decided to upgrade the library version and to use the latest 0.2.90
> 0.2.9x versions are there for testing purposes. You'd better wait for 0.3.0
> or get 0.2.11.
>
OK, I tried to use the CVS version, but when I make the project, a file is missing (.ltconfig). Do you know what the problem is?

> > from one version to the other. Anyway, I managed to get it to compile;
> > but now, nothing is working. When I just do a server authentication
> > (i.e. just the server has a certificate), the handshake does not complete.
> What's the error code returned? Do the examples in the documentation work?
> The logs you attached showed no fatal error in gnutls. Do you handle the
> returned error codes properly?
I did not test the examples in the documentation. I will check the error code returned (not today).

Thank you
Florent Jugla

> > Any idea? Thank you
> > Florent
> >
> > --
> > Florent Jugla / Easter-Eggs - GNU/Linux specialist
> > 44-46 rue de l'Ouest - 75014 Paris - France - Métro Gaîté
> > Phone: +33 (0) 1 43 35 00 37 - Fax: +33 (0) 1 43 35 00 76
> > mailto:fjugla at easter-eggs.com - http://www.easter-eggs.com
>
> --
> Nikos Mavroyanopoulos
> mailto:nmav at hellug.gr

-- 
Florent Jugla / Easter-Eggs - GNU/Linux specialist
44-46 rue de l'Ouest - 75014 Paris - France - Métro Gaîté
Phone: +33 (0) 1 43 35 00 37 - Fax: +33 (0) 1 43 35 00 76
mailto:fjugla at easter-eggs.com - http://www.easter-eggs.com

From nmav at hellug.gr Thu Dec 13 11:30:09 2001
From: nmav at hellug.gr (Nikos Mavroyanopoulos)
Date: Thu, 13 Dec 2001 12:30:09 +0200
Subject: [Help-gnutls] handshaking gnuTLS 0.2.90
In-Reply-To: <1008236508.24661.1.camel@marguerite>
References: <1008067251.9679.0.camel@marguerite> <20011212124754.0da6ddb2.nmav@hellug.gr> <1008236508.24661.1.camel@marguerite>
Message-ID: <20011213123009.10b3d86f.nmav@hellug.gr>

On 13 Dec 2001 10:41:47 +0100 Florent Jugla wrote:

> In that case, the server knew a given CA (let's call it ca1), but the
> certificate of the client was signed by another CA (ca2). When the
> client sent its certificate, this certificate was accepted by the
> server. Do I have to do a special check in the server implementation in
> order to verify that my server knows the CA the certificate of the
> client was signed with?
You need to verify the given certificate (this is not automatically done in the handshake). (The function is gnutls_x509pki_get_peer_certificate_status().)

> OK, I tried to use the CVS version, but when I make the project, a file
> is missing (.ltconfig). Do you know what the problem is?
It is not easy to compile cvs. Read doc/README.CVS

> Thank you
> Florent Jugla

-- 
Nikos Mavroyanopoulos
mailto:nmav at hellug.gr

From fjugla at easter-eggs.com Thu Dec 20 11:20:22 2001
From: fjugla at easter-eggs.com (Florent Jugla)
Date: 20 Dec 2001 11:20:22 +0100
Subject: [Help-gnutls] using several certificates on the server side
Message-ID: <1008843622.8733.55.camel@marguerite>

Hello,

I am using the CVS version of GnuTLS.
- the server asks for a client authentication
- the server knows two CAs: ca1 and ca2 (I give them through a PEM encoded file)
- the client knows one CA: ca1
- the server has got a ca1 signed certificate
- the client has got a ca2 signed certificate

I have the following problem:
--> When doing the handshake, the connection to the server is refused (code: -9).

When I just put one certificate (ca2) in the certificate file used by the server, everything works fine. It is as if the server did not use the second certificate when given several certificates. Have I got something wrong?

thank you

-- 
Florent Jugla / Easter-Eggs - GNU/Linux specialist
44-46 rue de l'Ouest - 75014 Paris - France - Métro Gaîté
Phone: +33 (0) 1 43 35 00 37 - Fax: +33 (0) 1 43 35 00 76
mailto:fjugla at easter-eggs.com - http://www.easter-eggs.com

From nmav at hellug.gr Sun Dec 30 21:00:46 2001
From: nmav at hellug.gr (Nikos Mavroyanopoulos)
Date: Sun, 30 Dec 2001 22:00:46 +0200
Subject: [Help-gnutls] using several certificates on the server side
Message-ID: <20011230220046.6271c497.nmav@hellug.gr>

> I am using the CVS version of GnuTLS.
> - the server asks for a client authentication
> - the server knows two CAs: ca1 and ca2 (I give them through a PEM
> encoded file)
> - the client knows one CA: ca1
> - the server has got a ca1 signed certificate
> - the client has got a ca2 signed certificate
> I have the following problem:
> --> When doing the handshake, the connection to the server is refused
> (code: -9).
[...]
> It is as if the server did not use the second certificate when given
> several certificates.
Well this was a bug in the client side of gnutls. I've just committed a fix in the cvs.

-- 
Nikos Mavroyanopoulos
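Added example, not code from this thread, from GnuTLS or from its authors: the two points Nikos makes above, that the handshake by itself does not verify the peer's certificate (the 13 December reply) and that a client certificate chaining to a CA the server does not trust is only caught by an explicit check against the server's CA list (the ca1/ca2 setup of the 20 December message), reproduced with Go's standard-library crypto/tls and crypto/x509 rather than the GnuTLS 0.2.x API, which the verifier cannot link against. Everything in it is an assumption of the example: the CAs, keys and certificates (ca1, ca2, a ca1-signed server certificate, a ca2-signed client certificate) are generated in memory as constructed test data, the handshake runs over a loopback TCP socket with a 5-second deadline, and a GetClientCertificate override makes the client send its certificate even when the server's CertificateRequest does not list its issuer, which is what the 2001 client did.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// entity is a certificate plus its key, generated in memory as constructed test data.
type entity struct {
	cert *x509.Certificate
	tc   tls.Certificate // carries the private key; the form tls.Config wants
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// mkCert issues a self-signed CA when parent is nil, otherwise a leaf signed by parent.
func mkCert(name string, parent *entity, usage x509.ExtKeyUsage) *entity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), DNSNames: []string{name},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{usage}}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent = &entity{cert: tmpl, tc: tls.Certificate{PrivateKey: key}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.cert, &key.PublicKey, parent.tc.PrivateKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return &entity{cert, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}}
}

// handshake runs one TLS handshake over loopback TCP and returns the client
// certificate the server collected plus the server-side handshake error.
func handshake(srv, cli *entity, srvTrust, cliTrust *x509.CertPool, mode tls.ClientAuthType) (*x509.Certificate, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	must(err)
	defer ln.Close()
	go func() { // client side; if it aborts, the server's Handshake reports the failure
		raw, err := net.Dial("tcp", ln.Addr().String())
		must(err)
		defer raw.Close()
		cfg := &tls.Config{RootCAs: cliTrust, ServerName: "server",
			// Always send our certificate, even if the server's CertificateRequest did not list our issuer.
			GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return &cli.tc, nil }}
		tls.Client(raw, cfg).Read(make([]byte, 1)) // runs the handshake, then waits until the server closes
	}()
	raw, err := ln.Accept()
	must(err)
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	s := tls.Server(raw, &tls.Config{Certificates: []tls.Certificate{srv.tc}, ClientAuth: mode, ClientCAs: srvTrust})
	if err := s.Handshake(); err != nil {
		return nil, err
	}
	return s.ConnectionState().PeerCertificates[0], nil // non-empty: both modes used here require a client certificate
}

// verifyClient is the step a "collect any certificate" handshake skips: chain the
// presented certificate to a CA in the server's trust store.
func verifyClient(cert *x509.Certificate, trust *x509.CertPool) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: trust, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// scenario mirrors the thread: server certificate from ca1, client certificate from ca2, client
// trusts ca1 only, server trusts ca1 (plus ca2 when asked). It returns the errors of a handshake that
// only collects the client certificate, of verifying it explicitly afterwards, and of a handshake
// that verifies it inside the library.
func scenario(serverTrustsCA2 bool) (laxErr, verifyErr, strictErr error) {
	ca1, ca2 := mkCert("ca1", nil, x509.ExtKeyUsageAny), mkCert("ca2", nil, x509.ExtKeyUsageAny)
	srv, cli := mkCert("server", ca1, x509.ExtKeyUsageServerAuth), mkCert("client", ca2, x509.ExtKeyUsageClientAuth)
	srvTrust, cliTrust := x509.NewCertPool(), x509.NewCertPool()
	srvTrust.AddCert(ca1.cert)
	cliTrust.AddCert(ca1.cert)
	if serverTrustsCA2 {
		srvTrust.AddCert(ca2.cert)
	}
	cert, laxErr := handshake(srv, cli, srvTrust, cliTrust, tls.RequireAnyClientCert)
	if laxErr == nil {
		verifyErr = verifyClient(cert, srvTrust)
	}
	_, strictErr = handshake(srv, cli, srvTrust, cliTrust, tls.RequireAndVerifyClientCert)
	return laxErr, verifyErr, strictErr
}

func main() {
	for _, both := range []bool{false, true} {
		lax, verify, strict := scenario(both)
		fmt.Printf("server trusts ca2=%v: lax handshake=%v | explicit verify=%v | strict handshake=%v\n", both, lax, verify, strict)
	}
}
```

With `go run`, the first line (server trusts ca1 only) shows the situation from the thread: the handshake in RequireAnyClientCert mode completes and hands the server a ca2-signed certificate, and only the explicit Verify against the server's pool rejects it as signed by an unknown authority; RequireAndVerifyClientCert, where the library does that check during the handshake, fails the handshake outright instead. The second line adds ca2 to the server's pool, the configuration of the 20 December message, and all three succeed. The check the handshake skips is the part to take away: whatever library is in use, "the handshake completed" never means "the peer's certificate chains to a CA I trust" unless the verification step is known to be part of it.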