From fabbe at paniq.net Mon Nov 8 20:44:10 2004
From: fabbe at paniq.net (Fabian Fagerholm)
Date: Mon, 08 Nov 2004 21:44:10 +0200
Subject: [Help-gnutls] Exporting a PKCS#12 structure without the private key
Message-ID: <1099943050.4432.8.camel@kernel>

Hi!

I've created a PKCS#12 file using gnutls certtool to distribute a certificate to some clients. However, it seems that certtool includes both the certificate and the private key in that file. But I absolutely do not want to distribute the key, only the certificate.

From reading the OpenSSL mailing lists, I've learned that PKCS#12 files typically include both the certificate and the private key, but that it isn't strictly necessary. A development version of OpenSSL can generate PKCS#12 files with either only the certificate or only the key. This option was not available before, because some programs had trouble handling such files.

I also read that the certificate might be put into a PKCS#7 structure and the key in a PKCS#8 structure, but I have no idea if these formats are supported anywhere. Certtool seems to support PKCS#8 keys, but I don't know how that is going to help.

Can certtool be used to put only the certificate into a PKCS#12 structure? Or is there another format besides PEM that would allow me to distribute only the certificate?

Please Cc me on replies, I'm not subscribed to help-gnutls.

Many thanks,
--
Fabian Fagerholm

From fabbe at paniq.net Mon Nov 8 20:46:46 2004
From: fabbe at paniq.net (Fabian Fagerholm)
Date: Mon, 08 Nov 2004 21:46:46 +0200
Subject: [Help-gnutls] Exporting a PKCS#12 structure without the private key
In-Reply-To: <1099943050.4432.8.camel@kernel>
References: <1099943050.4432.8.camel@kernel>
Message-ID: <1099943206.4432.9.camel@kernel>

On Mon, 2004-11-08 at 21:44 +0200, Fabian Fagerholm wrote:
> Please Cc me on replies, I'm not subscribed to help-gnutls.

Err... I am in fact subscribed now, but if you want to Cc me, that's fine.

Cheers,
--
Fabian Fagerholm

From jas at extundo.com Tue Nov 9 00:58:35 2004
From: jas at extundo.com (Simon Josefsson)
Date: Tue, 09 Nov 2004 00:58:35 +0100
Subject: [Help-gnutls] Re: Exporting a PKCS#12 structure without the private key
References: <1099943050.4432.8.camel@kernel>
Message-ID:

Fabian Fagerholm writes:

> Hi!
>
> I've created a PKCS#12 file using gnutls certtool to distribute a certificate to some clients. However, it seems that certtool includes both the certificate and the private key in that file. But I absolutely do not want to distribute the key, only the certificate.
>
> From reading the OpenSSL mailing lists, I've learned that PKCS#12 files typically include both the certificate and the private key, but that it isn't strictly necessary. A development version of OpenSSL can generate PKCS#12 files with either only the certificate or only the key. This option was not available before, because some programs had trouble handling such files.
>
> I also read that the certificate might be put into a PKCS#7 structure and the key in a PKCS#8 structure, but I have no idea if these formats are supported anywhere. Certtool seems to support PKCS#8 keys, but I don't know how that is going to help.
>
> Can certtool be used to put only the certificate into a PKCS#12 structure?

I've made it possible to do so now in CVS.

Hopefully the daily snapshot will build tonight, so you can test it tomorrow, even if you are not already building from CVS.

It should then be possible to do:

$ certtool --to-p12 --load-certificate ~/cert.pem

> Or is there another format besides PEM that would allow me to distribute only the certificate?

The simplest is to distribute the certificates as-is (i.e., DER/PEM).

PKCS#12 is typically used when you are transferring the private key.

You can create a degenerative PKCS#7 structure with only certificates, but if someone isn't forcing you to use this approach, I'd say forget about it. Incidentally, it seems certtool doesn't support this either.

Thanks.

From fabbe at paniq.net Tue Nov 9 13:48:21 2004
From: fabbe at paniq.net (Fabian Fagerholm)
Date: Tue, 09 Nov 2004 14:48:21 +0200
Subject: [Help-gnutls] Bug in certtool
Message-ID: <1100004501.5014.7.camel@kernel>

Hi,

I found that certtool crashes when I generate a certificate with a CRL distribution point URI. When I invoke certtool like this:

certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca-cert.pem --bits 4096

The program crashes at this point:

Enter the URI of the CRL distribution point: http://www.example.org/example.crl
Segmentation fault

A gdb backtrace shows the following:

#0 0x4007a934 in asn1_write_value () from /tmp/lib/libgnutls.so.12
#1 0x4005d8e1 in _gnutls_x509_ext_gen_crl_dist_points () from /tmp/lib/libgnutls.so.12
#2 0x400723fe in gnutls_x509_crt_set_crl_dist_points () from /tmp/lib/libgnutls.so.12
#3 0x0804db65 in generate_self_signed ()
#4 0x0804e000 in gaa_parser ()
#5 0x0804d32d in main ()

I got certtool from http://josefsson.org/daily/gnutls/gnutls-20041109.tar.gz and compiled it and installed it in /tmp just to test. The same error was present in the latest Debian-packaged version, which is based on gnutls 1.0.16.

Has anyone else experienced this?

Cheers,
--
Fabian Fagerholm

From fabbe at paniq.net Tue Nov 9 14:05:44 2004
From: fabbe at paniq.net (Fabian Fagerholm)
Date: Tue, 09 Nov 2004 15:05:44 +0200
Subject: [Help-gnutls] Re: Exporting a PKCS#12 structure without the private key
In-Reply-To:
References: <1099943050.4432.8.camel@kernel>
Message-ID: <1100005544.5014.13.camel@kernel>

On Tue, 2004-11-09 at 00:58 +0100, Simon Josefsson wrote:
> I've made it possible to do so now in CVS.
>
> Hopefully the daily snapshot will build tonight, so you can test it tomorrow, even if you are not already building from CVS.
>
> It should then be possible to do:
>
> $ certtool --to-p12 --load-certificate ~/cert.pem

This seems to work nicely -- thank you!

> The simplest is to distribute the certificates as-is (i.e., DER/PEM).
>
> PKCS#12 is typically used when you are transferring the private key.
>
> You can create a degenerative PKCS#7 structure with only certificates, but if someone isn't forcing you to use this approach, I'd say forget about it. Incidentally, it seems certtool doesn't support this either.

It seems that some programs will not work with the DER or PEM formats, but require the use of PKCS#12. That's obviously a big flaw in those programs, especially if PKCS#12 is primarily meant as a format that should always contain a certificate and its key. I really can't imagine that it would be a common requirement to supply the secret key to your users...

Cheers,
--
Fabian Fagerholm

From nmav at gnutls.org Wed Nov 10 23:11:08 2004
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Wed, 10 Nov 2004 23:11:08 +0100
Subject: [Help-gnutls] Bug in certtool
In-Reply-To: <1100004501.5014.7.camel@kernel>
References: <1100004501.5014.7.camel@kernel>
Message-ID: <200411102311.08239.nmav@gnutls.org>

On Tuesday 09 November 2004 13:48, Fabian Fagerholm wrote:
> Hi,
> I found that certtool crashes when I generate a certificate with a CRL distribution point URI. When I invoke certtool like this:

Hello Fabian,

I've just corrected this problem in the cvs version of gnutls (unstable branch only).

--
Nikos Mavrogiannopoulos

From smurf at smurf.noris.de Thu Nov 11 00:49:28 2004
From: smurf at smurf.noris.de (Matthias Urlichs)
Date: Thu, 11 Nov 2004 00:49:28 +0100
Subject: [Help-gnutls] Bug in certtool
In-Reply-To: <200411102311.08239.nmav@gnutls.org>
References: <1100004501.5014.7.camel@kernel> <200411102311.08239.nmav@gnutls.org>
Message-ID: <20041110234928.GD14987@kiste>

Hi,

Nikos Mavrogiannopoulos:
> > I found that certtool crashes when I generate a certificate with a CRL distribution point URI. When I invoke certtool like this:
>
> I've just corrected this problem in the cvs version of gnutls (unstable branch only).
>
Are you going to backport the fix to the stable branch?

--
Matthias Urlichs | {M:U} IT Design @ m-u-it.de | smurf at smurf.noris.de

From fabbe at paniq.net Thu Nov 11 08:03:48 2004
From: fabbe at paniq.net (Fabian Fagerholm)
Date: Thu, 11 Nov 2004 09:03:48 +0200
Subject: [Help-gnutls] Bug in certtool
In-Reply-To: <200411102311.08239.nmav@gnutls.org>
References: <1100004501.5014.7.camel@kernel> <200411102311.08239.nmav@gnutls.org>
Message-ID: <1100156628.4724.8.camel@kernel>

On Wed, 2004-11-10 at 23:11 +0100, Nikos Mavrogiannopoulos wrote:
> I've just corrected this problem in the cvs version of gnutls (unstable branch only).

I tried the latest snapshot (20041111) and it works nicely. Thanks!

--
Fabian Fagerholm

From nmav at gnutls.org Thu Nov 11 09:02:54 2004
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Thu, 11 Nov 2004 09:02:54 +0100
Subject: [Help-gnutls] Bug in certtool
In-Reply-To: <20041110234928.GD14987@kiste>
References: <1100004501.5014.7.camel@kernel> <200411102311.08239.nmav@gnutls.org> <20041110234928.GD14987@kiste>
Message-ID: <200411110902.55088.nmav@gnutls.org>

On Thursday 11 November 2004 00:49, Matthias Urlichs wrote:
> > > I found that certtool crashes when I generate a certificate with a CRL distribution point URI. When I invoke certtool like this:
> >
> > I've just corrected this problem in the cvs version of gnutls (unstable branch only).
>
> Are you going to backport the fix to the stable branch?

I just backported it.

--
Nikos Mavrogiannopoulos

From jas at extundo.com Thu Nov 11 11:15:50 2004
From: jas at extundo.com (Simon Josefsson)
Date: Thu, 11 Nov 2004 11:15:50 +0100
Subject: [Help-gnutls] Bug tracking system?
Message-ID:

Hello. What do people think about using some kind of bug tracking system? For me, it is difficult to keep track of all bug reports, and I have a feeling I sometimes forget some reports.

Personally, I think all bug tracking systems I've tried are horrible. Can anyone recommend any specific software?

Bugzilla seems to be popular, so I'm leaning towards using it. However, I hear it is rather messy to set up. So if someone can sponsor us by adding a GnuTLS product in their Bugzilla system, and let us use it, that would be appreciated.

Thanks,
Simon

From jas at extundo.com Thu Nov 11 14:50:57 2004
From: jas at extundo.com (Simon Josefsson)
Date: Thu, 11 Nov 2004 14:50:57 +0100
Subject: [Help-gnutls] Re: Bug tracking system?
References:
Message-ID:

Simon Josefsson writes:

> Hello. What do people think about using some kind of bug tracking system? For me, it is difficult to keep track of all bug reports, and I have a feeling I sometimes forget some reports.

It was suggested to use Savannah's bug tracker, so I enabled it and added the snprintf problem. If people like to try it, please go ahead and add your bugs, but I can't promise we'll continue using it:

https://savannah.gnu.org/support/?group=gnutls

Of course, sending emails still works, and for most things is probably preferable. However, if a problem can't be resolved immediately, it may be forgotten unless added to a bug tracker like this.

Hm. I'm not sure how good savannah's system is. I clicked on some link to re-label the snprintf bug report as a "Bug request" instead of a "Support request", and then the bug disappeared and I can't find it. I'll add it again...

Thanks,
Simon

From pete at geckoworks.com Sun Nov 14 19:46:21 2004
From: pete at geckoworks.com (Pete Naylor)
Date: Sun, 14 Nov 2004 10:46:21 -0800
Subject: [Help-gnutls] gnutls problem with mozilla mail
Message-ID: <20041114184621.GO10505@geckoworks.com>

Hi - I'm trying to set up Exim version 4.43 with GnuTLS 1.0.23 (Solaris 8 Sparc) to provide secure SMTP. In testing, I've found that Eudora and MS Outlook Express work fine, but Thunderbird and the Netscape mail client do not. Both fail with a message indicating that the connection was lost - closer inspection of the server shows that the server process died. At first I thought perhaps Exim had a bug - but I get the same result when I use gnutls-serv for testing. Here is what I see when I truss the process...

REC[6f130]: Sent Packet[4] Handshake(22) with length: 9
write(2, " R E C [ 6 f 1 3 0 ] : ".., 56) = 56
recv(4, 0x00051EF8, 5, 0) Err#11 EAGAIN
|<2write(2, " | < 2", 3) = 3
>| write(2, " > | ", 3) = 3
ASSERT: gnutls_buffers.c:231
write(2, " A S S E R T : g n u t".., 29) = 29
|<2write(2, " | < 2", 3)
>| write(2, " > | ", 3)
ASSERT: gnutls_buffers.c:888
write(2, " A S S E R T : g n u t".., 29) = 29
|<2write(2, " | < 2", 3) = 3
>| write(2, " > | ", 3) = 3
ASSERT: gnutls_handshake.c:851
write(2, " A S S E R T : g n u t".., 31) = 31
fcntl(4, F_GETFL, 0x00000000) = 130
fcntl(4, F_SETFL, 0x00000082) = 0
poll(0xFFBFEAE8, 2, -1) (sleeping...)
poll(0xFFBFEAE8, 2, -1) = 1
recv(4, "1503\0\002", 5, 0) = 5
|<4write(2, " | < 4", 3) = 3
>| write(2, " > | ", 3) = 3
REC[6f130]: Expected Packet[1] Handshake(22) with length: 1
write(2, " R E C [ 6 f 1 3 0 ] : ".., 60) = 60
|<4write(2, " | < 4", 3) = 3
>| write(2, " > | ", 3) = 3
REC[6f130]: Received Packet[1] Alert(21) with length: 2
write(2, " R E C [ 6 f 1 3 0 ] : ".., 56) = 56
recv(4, "01 )", 2, 0) = 2
|<4write(2, " | < 4", 3) = 3
>| write(2, " > | ", 3) = 3
REC[6f130]: Decrypted Packet[1] Alert(21) with length: 2
write(2, " R E C [ 6 f 1 3 0 ] : ".., 57) = 57
Incurred fault #6, FLTBOUNDS %pc = 0xFEFB44E4
siginfo: SIGSEGV SEGV_MAPERR addr=0x00000000
Received signal #11, SIGSEGV [default]
siginfo: SIGSEGV SEGV_MAPERR addr=0x00000000

It seems to die after receiving the Alert(21) packet, which I understand means that decryption failed. Beyond that I do not understand the problem. Can anyone help me to see what is going wrong?

From jas at extundo.com Sun Nov 14 22:44:27 2004
From: jas at extundo.com (Simon Josefsson)
Date: Sun, 14 Nov 2004 22:44:27 +0100
Subject: [Help-gnutls] Re: gnutls problem with mozilla mail
References: <20041114184621.GO10505@geckoworks.com>
Message-ID:

Pete Naylor writes:

> Hi - I'm trying to set up Exim version 4.43 with GnuTLS 1.0.23 (Solaris 8 Sparc) to provide secure SMTP. In testing, I've found that Eudora and MS Outlook Express work fine, but Thunderbird and the Netscape mail client do not. Both fail with a message indicating that the connection was lost - closer inspection of the server shows that the server process died. At first I thought perhaps Exim had a bug - but I get the same result when I use gnutls-serv for testing. Here is what I see when I truss the process...

...

> It seems to die after receiving the Alert(21) packet, which I understand means that decryption failed. Beyond that I do not understand the problem. Can anyone help me to see what is going wrong?

You could try and rebuild gnutls using CFLAGS=-g and run the server under gdb, and when it crashes, invoke 'bt full'.
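Relevant to the PKCS#12 thread earlier in this archive: before handing out a bundle produced by certtool --to-p12 --load-certificate, one can confirm that it carries certificate bags only. The script below is an added example, not code from GnuTLS or certtool; it assumes only the PKCS#12 bag-type OIDs and builds its own constructed sample PFX (version 3, no MacData, unencrypted SafeContents) rather than reading a real file.

```python
# Added example (not certtool/GnuTLS code): walk the DER of a PKCS#12 (PFX) blob and list the SafeBag types in its unencrypted parts.
OID_DATA = bytes.fromhex("2a864886f70d010701")          # id-data, 1.2.840.113549.1.7.1
BAG = {"keyBag": "2a864886f70d010c0a0101",              # 1.2.840.113549.1.12.10.1.1
       "pkcs8ShroudedKeyBag": "2a864886f70d010c0a0102",  # 1.2.840.113549.1.12.10.1.2
       "certBag": "2a864886f70d010c0a0103"}             # 1.2.840.113549.1.12.10.1.3
BAG_TYPES = {bytes.fromhex(v): k for k, v in BAG.items()}

def der(tag, content):                # minimal DER TLV encoder (definite-length form)
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def iter_tlv(data):
    """Yield (tag, content) per DER element; raise if the bytes are not well-formed DER."""
    i = 0
    while i < len(data):
        tag, n, i = data[i], data[i + 1], i + 2
        if n & 0x80:                                    # long-form length
            n, i = int.from_bytes(data[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
        if i + n > len(data):
            raise ValueError("truncated DER element")
        yield tag, data[i:i + n]
        i += n

def find_bags(data, found=None):
    """Collect bag types; opaque payloads (encrypted content, raw cert bytes) are skipped."""
    found = [] if found is None else found
    try:
        elems = list(iter_tlv(data))
    except (ValueError, IndexError):
        return found
    for tag, content in elems:
        if tag == 0x06 and content in BAG_TYPES:
            found.append(BAG_TYPES[content])
        elif tag in (0x30, 0x31, 0xA0, 0x04):           # SEQUENCE, SET, [0], OCTET STRING
            find_bags(content, found)
    return found

def has_private_key(pfx):
    return any(b != "certBag" for b in find_bags(pfx))
def data_content(inner):              # ContentInfo { id-data, [0] OCTET STRING inner }
    return der(0x30, der(0x06, OID_DATA) + der(0xA0, der(0x04, inner)))
def safe_bag(name, payload):          # SafeBag { bagId, [0] bagValue }
    return der(0x30, der(0x06, bytes.fromhex(BAG[name])) + der(0xA0, payload))
def build_pfx(bags):                  # constructed toy PFX (version 3, no MacData)
    return der(0x30, der(0x02, b"\x03") + data_content(der(0x30, data_content(der(0x30, b"".join(bags))))))
# Constructed samples: a certificate-only bundle versus one that also carries a shrouded key.
CERT_ONLY = build_pfx([safe_bag("certBag", der(0x04, b"fake-cert-der"))])
WITH_KEY = build_pfx([safe_bag("certBag", der(0x04, b"fake-cert-der")),
                      safe_bag("pkcs8ShroudedKeyBag", der(0x04, b"fake-key-der"))])
```

For a real file, call find_bags(open(path, "rb").read()). Bags inside password-encrypted SafeContents are invisible to this walker, so an empty result is not proof that no key is present; a reported key bag, however, is conclusive.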