From simon at josefsson.org Thu Feb 1 09:11:33 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 01 Feb 2007 09:11:33 +0100
Subject: [Help-gnutls] Re: gnutls4win
In-Reply-To: <20070201090509.734536dd@localhost> (Vincent Thomasset's message of "Thu, 1 Feb 2007 09:05:09 +0100")
References: <20070201090509.734536dd@localhost>
Message-ID: <87mz3y70wa.fsf@latte.josefsson.org>

Vincent Thomasset writes:

> Hi,
>
> I noticed there was a lot of local paths (namely /home/jas/...) in the
> packages available at http://josefsson.org/gnutls4win/ (at least in
> the .exe installer).

Hi! Can you be more specific, I can't seem to be able to verify that:

jas@mocca:~/gnutls4win$ grep -l 'home/jas' gnutls-*.exe
jas@mocca:~/gnutls4win$

I'm not that familiar with NSIS, maybe it includes some kind of
debugging information. Anyway, all the source code for what goes into
the installer is on the same web site.

/Simon

From simon at josefsson.org Thu Feb 1 11:43:24 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 01 Feb 2007 11:43:24 +0100
Subject: [Help-gnutls] OpenCDK 0.5.13
Message-ID: <87abzy6tv7.fsf@latte.josefsson.org>

The OpenCDK library implements basic parts of the OpenPGP message
format. The aim of the library is *not* to replace any available
OpenPGP version. There will be no support for key management (sign,
revoke, alter preferences, ...) and some other parts are only
rudimentarily available. The main purpose is to handle and understand
OpenPGP packets and to use basic operations. For example,
encrypt/decrypt, sign/verify and packet parsing routines.

The library is used by GnuTLS for OpenPGP support.

Noteworthy changes in version 0.5.13 (2007-02-01)
------------------------------------------------

* Fixed shared library for newly added APIs in last release.
* Add -no-undefined to LDFLAGS, to make opencdk build under mingw32.
* Add AC_LIBTOOL_WIN32_DLL to configure.ac, which is required for
  libtool to behave correctly for cross-compiles to mingw32.
* Use gnulib for mingw32 support.

Noteworthy changes in version 0.5.12 (2007-02-01)
------------------------------------------------

* Add new API to extract public/secret OpenPGP key to S-expr. The
  functions are cdk_pubkey_to_sexp and cdk_seckey_to_sexp. Patch by
  Mario Lenz.
* Autoconf 2.60 and automake 1.10 are now required.
* Doc fixes.

Commercial support contracts for OpenCDK are available, and they help
finance continued maintenance. Simon Josefsson Datakonsult, a Stockholm
based privately held company, is currently funding OpenCDK maintenance.
We are always looking for interesting development projects. See
http://josefsson.org/ for more details.

If you need help to use OpenCDK, or want to help others, you are
invited to join our help-gnutls mailing list, see: .

Here are the compressed sources (588KB):

http://josefsson.org/gnutls/releases/opencdk/opencdk-0.5.13.tar.gz
ftp://ftp.gnutls.org/pub/gnutls/opencdk/opencdk-0.5.13.tar.gz

Here are GPG detached signatures using key 0xB565716F:

http://josefsson.org/gnutls/releases/opencdk/opencdk-0.5.13.tar.gz.sig
ftp://ftp.gnutls.org/pub/gnutls/opencdk/opencdk-0.5.13.tar.gz.sig

The software is cryptographically signed by the author using an OpenPGP
key identified by the following information:

pub 1280R/B565716F 2002-05-05 [expires: 2007-02-15]
uid Simon Josefsson
uid Simon Josefsson
sub 1280R/4D5D40AE 2002-05-05 [expires: 2007-02-15]
sub 1024R/09CC4670 2006-03-18 [expires: 2007-04-22]
sub 1024R/AABB1F7B 2006-03-18 [expires: 2007-04-22]
sub 1024R/A14C401A 2006-03-18 [expires: 2007-04-22]

The key is available from:

http://josefsson.org/key.txt
dns:b565716f.josefsson.org?TYPE=CERT

Here are the SHA-1 and SHA-224 checksums:

bff9daabfe8f20824e4d167a9dc11e0908f11370 opencdk-0.5.13.tar.gz
83f37a0551027849ec9905262334525cccb201cf opencdk-0.5.13.tar.gz.sig
2a790fc3175f6c6fe1e7d4616eef1ca3f8cb7966eeffba4c12fdad94 opencdk-0.5.13.tar.gz
7ac5ac3583f7fd88b65cc42a18cc2736dca6d08a0438fa839e06f0e4 opencdk-0.5.13.tar.gz.sig

Enjoy,
Timo, Nikos, Simon

From ludovic.courtes at laas.fr Thu Feb 1 16:01:49 2007
From: ludovic.courtes at laas.fr (Ludovic Courtès)
Date: Thu, 01 Feb 2007 16:01:49 +0100
Subject: [Help-gnutls] Re: TLS/OpenPGP draft expiring soon
References: <87zm8jhyah.fsf@laas.fr> <17836.63955.481542.439077@squeak.fifthhorseman.net> <871wluj0tq.fsf@latte.josefsson.org> <1168974346.3210.25.camel@sarge> <87irf3kwov.fsf@latte.josefsson.org> <87ejprkt1i.fsf@latte.josefsson.org>
Message-ID: <87y7nhgbvm.fsf@laas.fr>

Hi,

Simon Josefsson writes:

> Also, creating examples and a self test for the OpenPGP stuff would be
> useful. Have you managed to get it to work at all? I tried this:

It works fine (with the little patches I posted), but I couldn't get
`gnutls-cli' and `gnutls-serv' to work with it (haven't investigated
yet).

> jas@mocca:~/src/gnutls$ gpg -a --export-secret-keys b565716f > ~/privkey.gpg
>
> The above step would be nice to avoid, btw, although I'm not exactly
> sure which file formats are supported/required. This area seems
> under-documented.

Yes, it'd be nice to avoid. GnuTLS key import functions now support
both ASCII-armored and "raw" binary keys, it Does Work. ;-) The
possible formats are documented in RFC 2440 I think. I'm not sure
about the keyring format, though.

Thanks,
Ludovic.
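The two key file forms Ludovic mentions above (ASCII-armored and raw binary, both described in RFC 2440) are the same distinction that bites the keyring option later in this thread, and a key loader can tell them apart before it parses anything. The following is an added example, not GnuTLS or OpenCDK code: it detects which form it was given, strips the Radix-64 armor while verifying the CRC-24 checksum line, reads the first packet's tag so a secret key is not mistaken for a public one, and normalises either form to binary. The sample packets, the `Comment:` armor header and the helper names (`describe`, `to_binary`, `make_packet`) are constructed for this example and carry no real key material.

```python
"""Tell ASCII-armored OpenPGP key files from raw binary ones and normalise
both to binary.  Added example, not GnuTLS/OpenCDK code; sample packets are
constructed and carry no real key material."""
import base64

# Packet tags from RFC 2440 section 4.3 that a TLS key loader cares about.
PACKET_KINDS = {2: "signature", 5: "secret-key", 6: "public-key",
                7: "secret-subkey", 13: "user-id", 14: "public-subkey"}


def crc24(data: bytes) -> int:
    """CRC-24 behind the '=XXXX' armor checksum line (RFC 2440 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def crc24_b64(data: bytes) -> str:
    """Four base64 characters that follow the '=' on the checksum line."""
    return base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")


def armor(data: bytes, kind: str = "PGP PUBLIC KEY BLOCK") -> str:
    """Radix-64 armor, the form 'gpg -a --export' writes."""
    body = base64.b64encode(data).decode("ascii")
    lines = [f"-----BEGIN {kind}-----", "Comment: constructed example", ""]
    lines += [body[i:i + 64] for i in range(0, len(body), 64)]
    lines += ["=" + crc24_b64(data), f"-----END {kind}-----", ""]
    return "\n".join(lines)


def is_armored(data: bytes) -> bool:
    """Armored files open with a BEGIN line; binary ones with a byte whose
    high bit is set, so the two are never confused."""
    return data.lstrip().startswith(b"-----BEGIN PGP ")


def dearmor(text: bytes) -> tuple[str, bytes]:
    """Strip armor and verify its CRC-24; raises ValueError on damage."""
    lines = [ln.rstrip() for ln in text.decode("ascii").splitlines()]
    begin = next((i for i, ln in enumerate(lines)
                  if ln.startswith("-----BEGIN PGP ")), None)
    if begin is None:
        raise ValueError("no armor BEGIN line found")
    kind = lines[begin][len("-----BEGIN "):-len("-----")]
    try:
        end = lines.index(f"-----END {kind}-----", begin + 1)
    except ValueError:
        raise ValueError("armor END line missing: truncated file?") from None
    block = lines[begin + 1:end]
    if "" in block:                       # armor headers end at a blank line
        block = block[block.index("") + 1:]
    data_lines = [ln for ln in block if ln]
    crc_line = (data_lines.pop()
                if data_lines and data_lines[-1].startswith("=") else None)
    raw = base64.b64decode("".join(data_lines), validate=True)
    if crc_line is not None and crc24_b64(raw) != crc_line[1:]:
        raise ValueError("armor CRC-24 mismatch: block is corrupt or truncated")
    return kind, raw


def packet_tag(data: bytes) -> int:
    """Tag of the first packet in a binary stream (RFC 2440 section 4.2)."""
    if not data or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet: header bit 7 is clear")
    if data[0] & 0x40:                    # new-format header: tag in bits 0-5
        return data[0] & 0x3F
    return (data[0] >> 2) & 0x0F          # old-format header: tag in bits 2-5


def to_binary(data: bytes) -> bytes:
    """Accept either form; a loader that only reads binary keyrings would
    call this before parsing packets."""
    return dearmor(data)[1] if is_armored(data) else data


def describe(data: bytes) -> dict:
    """Report the form and the kind of the first packet."""
    tag = packet_tag(to_binary(data))
    return {"armored": is_armored(data), "tag": tag,
            "kind": PACKET_KINDS.get(tag, "other")}


def make_packet(tag: int, body: bytes) -> bytes:
    """Old-format header with a two-octet length (RFC 2440 section 4.2.1);
    tag 6 yields 0x99, the familiar first byte of a binary public key."""
    if not 0 < tag < 16 or len(body) > 0xFFFF:
        raise ValueError("tag or length not representable in old-format header")
    return bytes([0x80 | (tag << 2) | 1]) + len(body).to_bytes(2, "big") + body


# Constructed v4 key body: version, creation time, algorithm 17 (DSA) and a
# placeholder one-byte MPI.  Only the packet framing is meaningful.
_BODY = b"\x04" + (0x45C32BBF).to_bytes(4, "big") + b"\x11" + b"\x00\x08\xAB"
SAMPLE_PUBLIC = make_packet(6, _BODY)
SAMPLE_SECRET = make_packet(5, _BODY)

if __name__ == "__main__":
    for label, blob in (("armored public", armor(SAMPLE_PUBLIC).encode()),
                        ("binary public", SAMPLE_PUBLIC),
                        ("binary secret", SAMPLE_SECRET)):
        print(f"{label}: {describe(blob)}")
```

Checking the CRC before trusting a dearmored block matters more than it looks: a truncated or mangled key file otherwise surfaces much later as an opaque handshake error rather than at load time, and the packet tag check catches the public/secret mix-up before the wrong material is ever offered to a peer.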
From ludovic.courtes at laas.fr Thu Feb 1 17:34:32 2007
From: ludovic.courtes at laas.fr (Ludovic Courtès)
Date: Thu, 01 Feb 2007 17:34:32 +0100
Subject: [Help-gnutls] Re: TLS/OpenPGP draft expiring soon
References: <87zm8jhyah.fsf@laas.fr> <17836.63955.481542.439077@squeak.fifthhorseman.net> <871wluj0tq.fsf@latte.josefsson.org> <1168974346.3210.25.camel@sarge> <87irf3kwov.fsf@latte.josefsson.org> <87ejprkt1i.fsf@latte.josefsson.org>
Message-ID: <87irelet0n.fsf@laas.fr>

Hi,

Simon Josefsson writes:

> Also, creating examples and a self test for the OpenPGP stuff would be
> useful. Have you managed to get it to work at all?

It took me a while, but I finally found why `gnutls-serv' wouldn't do
the job as expected (I knew it should work because I have small
client/server of my own that do work).

First, the patch below must be applied to `serv.c'. Then, actual DH
and/or RSA parameters must be provided or generated for the server. So
we end up with a command-line like this for the server:

$ ./gnutls-serv --dhparams tls-dh-params \
    --ctypes openpgp --pgpcertfile pub.asc \
    --pgpkeyfile sec.asc

And for the client:

$ gnutls-cli --ctypes openpgp --pgpcertfile pub.asc \
    --pgpkeyfile sec.asc -p 5556 localhost

And it works like a charm, even with `--require-cert' passed to the
server.

Can you confirm?

Thanks,
Ludovic.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ,,serv.diff
Type: text/x-patch
Size: 531 bytes
Desc: The patch
URL:

From ludovic.courtes at laas.fr Thu Feb 1 18:22:36 2007
From: ludovic.courtes at laas.fr (Ludovic Courtès)
Date: Thu, 01 Feb 2007 18:22:36 +0100
Subject: [Help-gnutls] Re: TLS/OpenPGP draft expiring soon
References: <87zm8jhyah.fsf@laas.fr> <17836.63955.481542.439077@squeak.fifthhorseman.net> <871wluj0tq.fsf@latte.josefsson.org> <1168974346.3210.25.camel@sarge> <87irf3kwov.fsf@latte.josefsson.org>
Message-ID: <87bqkddc83.fsf@laas.fr>

Hi,

Simon Josefsson writes:

> It seems as if OpenCDK duplicate some of the functionality that
> properly belong to GnuPG. However, as far as I know, there aren't any
> APIs in GnuPG to do what OpenCDK does, even if the functionality is
> there.

From [0], I have the feeling that GnuPG's OpenPGP message handling is
not readily "librarifiable". So until the GnuPG developers decide to
librarify it, it seems that there's no choice but to use OpenCDK in
GnuTLS. However, distributing the OpenPGP message-related part of GnuPG
as a library would be an additional burden for the GnuPG people, which
they might want to avoid.

Thanks,
Ludovic.

[0] http://cvs.gnupg.org/cgi-bin/viewcvs.cgi/trunk/g10/

From simon at josefsson.org Fri Feb 2 13:00:02 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Fri, 02 Feb 2007 13:00:02 +0100
Subject: [Help-gnutls] Re: gnutls4win
In-Reply-To: (acril's message of "Thu, 1 Feb 2007 11:03:48 +0100")
References:
Message-ID: <87sldovkfx.fsf@latte.josefsson.org>

acril writes:

>>
>> Hi! Can you be more specific, I can't seem to be able to verify that:
>>
>
> Here's the output from grep:
>
> bin/libgnutls-config:3:prefix=/home/jas/gnutls4win/inst
...

Ah, right. There are three categories of files which include these
paths:

1) DLL's and EXE's. This is probably because of debugging symbols, and
those are useful. Perhaps we could have two installers, one with
debugging symbols and one without.
Although that is more work for me. Having optional *.gdb files with the
debugging symbols may be the proper solution, but I don't know how to
do that, and whether it works under mingw32. Thoughts and help here
appreciated.

2) The *-config scripts. These are shell-scripts, and they are
deprecated. I've removed them from gnutls.nsi. Come to think of it,
maybe we should finally remove them from the real package too...

3) The *.la files. These are generated by libtool. I'm not sure they
are ever useful, especially on the installed machine where the
installed prefix will differ from those encoded in libtool. However,
they are only installed if 'Developer libraries' was selected in the
installer. That happens to be the default, and perhaps that isn't
necessary. Although right now, I suspect most people installing GnuTLS
for Windows are developers.

/Simon

From dellanna at csp.it Fri Feb 2 13:17:03 2007
From: dellanna at csp.it (dellanna at csp.it)
Date: Fri, 2 Feb 2007 13:17:03 +0100
Subject: [Help-gnutls] gnutls with pgp
In-Reply-To: <87sldovkfx.fsf@latte.josefsson.org>
References: <87sldovkfx.fsf@latte.josefsson.org>
Message-ID: <1170418623.45c32bbf0d773@csa.csp.it>

Hi all,
I should implement authentication inside of a web application with
gnutls. I should use OpenPGP inside a TLS connection (I do not use
X.509 certificates). It is possible in GnuTLS, but can someone
indicate me any reference guide (with example server-client)?

Thanks,
Simone.

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
From simon at josefsson.org Fri Feb 2 14:22:40 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Fri, 02 Feb 2007 14:22:40 +0100
Subject: [Help-gnutls] Re: gnutls with pgp
In-Reply-To: <1170418623.45c32bbf0d773@csa.csp.it> (dellanna@csp.it's message of "Fri, 2 Feb 2007 13:17:03 +0100")
References: <87sldovkfx.fsf@latte.josefsson.org> <1170418623.45c32bbf0d773@csa.csp.it>
Message-ID: <87k5z0vgm7.fsf@latte.josefsson.org>

dellanna at csp.it writes:

> Hi all,
> I should implement autenthication inside of web application with gnutls.
> I should use OpenPGP inside TLS connection (I do not use certificate X.509).
> It is possible in GnuTLS, but can someone indicate me any reference guide (with
> example server-client)?

Hi! Yes, that should be possible. There is example code for a
server in the GnuTLS manual:

http://www.gnu.org/software/gnutls/manual/html_node/Echo-Server-with-OpenPGP-authentication.html

There are no explicit examples for OpenPGP clients, but modifying the
standard X.509 example:

http://www.gnu.org/software/gnutls/manual/html_node/Simple-client-example-with-X_002e509-certificate-support.html

using the hints from:

http://www.gnu.org/software/gnutls/manual/html_node/Certificate-authentication.html

should not be impossible.

Note that this part of GnuTLS is not widely used, so it isn't unlikely
that you run into problems. Let us know how it works for you!
/Simon

From simon at josefsson.org Fri Feb 2 14:50:17 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Fri, 02 Feb 2007 14:50:17 +0100
Subject: [Help-gnutls] Re: TLS/OpenPGP draft expiring soon
In-Reply-To: <87irelet0n.fsf@laas.fr> (Ludovic Courtès's message of "Thu, 01 Feb 2007 17:34:32 +0100")
References: <87zm8jhyah.fsf@laas.fr> <17836.63955.481542.439077@squeak.fifthhorseman.net> <871wluj0tq.fsf@latte.josefsson.org> <1168974346.3210.25.camel@sarge> <87irf3kwov.fsf@latte.josefsson.org> <87ejprkt1i.fsf@latte.josefsson.org> <87irelet0n.fsf@laas.fr>
Message-ID: <87fy9ovfc6.fsf@latte.josefsson.org>

ludovic.courtes at laas.fr (Ludovic Courtès) writes:

> Hi,
>
> Simon Josefsson writes:
>
>> Also, creating examples and a self test for the OpenPGP stuff would be
>> useful. Have you managed to get it to work at all?
>
> It took me a while, but I finally found why `gnutls-serv' wouldn't do
> the job as expected (I knew it should work because I have small
> client/server of my own that do work).
>
> First, the patch below must be applied to `serv.c'. Then, actual DH
> and/or RSA parameters must be provided or generated for the server. So
> we end up with a command-line like this for the server:
>
> $ ./gnutls-serv --dhparams tls-dh-params \
>     --ctypes openpgp --pgpcertfile pub.asc \
>     --pgpkeyfile sec.asc
>
> And for the client:
>
> $ gnutls-cli --ctypes openpgp --pgpcertfile pub.asc \
>     --pgpkeyfile sec.asc -p 5556 localhost
>
> And it works like a charm, even with `--require-cert' passed to the
> server.
>
> Can you confirm?

Hi! Actually, the tools work fine without your patch, IF I use a
newly generated key.

Server:

jas@mocca:~$ gnutls-serv --dhparams ~/dh.pem --pgpcertfile ~/.gnupg-foo/pub.txt --pgpkeyfile ~/.gnupg-foo/sec.txt
Read Diffie Hellman parameters.
Echo Server ready. Listening to port '5556'.
* connection from ::ffff:127.0.0.1, port 48423
 - Given server name[1]: localhost
 - Certificate type: OpenPGP
 # Key was created at: Fri Feb 2 14:32:23 CET 2007
 # Key expires: Never
 # PGP Key version: 4
 # PGP Key public key algorithm: DSA (1024 bits)
 # PGP Key fingerprint: BF:D6:44:C3:26:74:9E:3A:99:1E:D0:B5:C0:85:0D:AD:40:CD:57:C9
 # NAME: Foo Bar
 - Peer's key is valid
 - Could not find a signer of the peer's key
 - Version: TLS 1.1
 - Key Exchange: DHE DSS
 - Cipher: AES 128 CBC
 - MAC: SHA
 - Compression: DEFLATE

Client:

jas@mocca:~$ gnutls-cli --pgpcertfile ~/.gnupg-foo/pub.txt --pgpkeyfile ~/.gnupg-foo/sec.txt -p 5556 localhost
Processed 1 client PGP certificate...
Resolving 'localhost'...
Connecting to '127.0.0.1:5556'...
 - Certificate type: OpenPGP
 # The hostname in the key does NOT match 'localhost'.
 # Key was created at: Fri Feb 2 14:32:23 CET 2007
 # Key expires: Never
 # PGP Key version: 4
 # PGP Key public key algorithm: DSA (1024 bits)
 # PGP Key fingerprint: BF:D6:44:C3:26:74:9E:3A:99:1E:D0:B5:C0:85:0D:AD:40:CD:57:C9
 # NAME: Foo Bar
 - Peer's key is valid
 - Could not find a signer of the peer's key
 - Version: TLS 1.1
 - Key Exchange: DHE DSS
 - Cipher: AES 128 CBC
 - MAC: SHA
 - Compression: DEFLATE
- Handshake was completed
- Simple Client Mode:

This is quite nice, but there are some things we could do to make
things easier. I'm thinking that gnutls-serv should use a static
hard-coded D-H parameter if the user didn't supply one on the command
line.

Here is what I get if I test with my own key:

jas@mocca:~/src/gnutls/src$ gpg -a --export-secret-keys b565716f > ~/privkey.gpg
jas@mocca:~/src/gnutls/src$ gpg -a --export b565716f > ~/pubkey.gpg

Server:

jas@mocca:~/src/gnutls/src$ ./gnutls-serv --dhparams dh.pem --pgpcertfile ~/pubkey.gpg --pgpkeyfile ~/privkey.gpg
Read Diffie Hellman parameters.
Echo Server ready. Listening to port '5556'.
Error in handshake
Error: A TLS packet with unexpected length was received.
Client:

jas@mocca:~/src/gnutls/src$ ./gnutls-cli --pgpcertfile ~/pubkey.gpg --pgpkeyfile ~/privkey.gpg -p 5556 localhost
Processed 1 client PGP certificate...
Resolving 'localhost'...
Connecting to '127.0.0.1:5556'...
*** Fatal error: Decryption has failed.
*** Handshake has failed
GNUTLS ERROR: Decryption has failed.
jas@mocca:~/src/gnutls/src$

Debugging indicates problems decrypting the challenge, in the client:

|<2>| ASSERT: gnutls_pk.c:283
|<2>| ASSERT: gnutls_pk.c:359
|<2>| ASSERT: gnutls_sig.c:299
|<2>| ASSERT: gnutls_sig.c:468
|<2>| ASSERT: auth_dhe.c:233
|<2>| ASSERT: gnutls_kx.c:346
|<2>| ASSERT: gnutls_handshake.c:2235

I suspect OpenCDK uses the wrong RSA key to encrypt and/or decrypt the
data. I have several old and expired keys in my private key. IIRC,
even GnuPG had a similar problem with my key some time ago.

/Simon

From ludovic.courtes at laas.fr Fri Feb 2 16:16:36 2007
From: ludovic.courtes at laas.fr (Ludovic Courtès)
Date: Fri, 02 Feb 2007 16:16:36 +0100
Subject: [Help-gnutls] Re: TLS/OpenPGP draft expiring soon
References: <87zm8jhyah.fsf@laas.fr> <17836.63955.481542.439077@squeak.fifthhorseman.net> <871wluj0tq.fsf@latte.josefsson.org> <1168974346.3210.25.camel@sarge> <87irf3kwov.fsf@latte.josefsson.org> <87ejprkt1i.fsf@latte.josefsson.org> <87irelet0n.fsf@laas.fr> <87fy9ovfc6.fsf@latte.josefsson.org>
Message-ID: <8764ak7for.fsf@laas.fr>

Hi,

Simon Josefsson writes:

> Hi! Actually, the tools works fine without your patch, IF I use a
> newly generated key.

Hmm, but without the patch, the DH parameters aren't used since the
invocation of `gnutls_certificate_set_dh_params ()' is commented out,
are they?

> I suspect OpenCDK uses the wrong RSA key to encrypt and/or decrypt the
> data. I have several old and expired keys in my private key. IIRC,
> even GnuPG had a similar problem with my key some time ago.

Then the key is to blame.
;-)

Or at least GnuTLS should return a more appropriate error, like
`GNUTLS_A_CERTIFICATE_EXPIRED'.

Thanks,
Ludovic.

From dellanna at csp.it Fri Feb 2 16:43:23 2007
From: dellanna at csp.it (dellanna at csp.it)
Date: Fri, 2 Feb 2007 16:43:23 +0100
Subject: [Help-gnutls] Re: gnutls with pgp
In-Reply-To: <87k5z0vgm7.fsf@latte.josefsson.org>
References: <87sldovkfx.fsf@latte.josefsson.org> <1170418623.45c32bbf0d773@csa.csp.it> <87k5z0vgm7.fsf@latte.josefsson.org>
Message-ID: <1170431003.45c35c1b29a34@csa.csp.it>

Ok,
but if I try to compile the example in the manual "Echo Server with
anonymous authentication" with the command gcc, it returns something
like:

"server.c:(.text+0x2e): undefined reference to `gnutls_set_default_priority'"

This function is in the package . In this example I write #include .
Is there something to configure before gnutls works correctly?

Simone.

Scrive Simon Josefsson :

> dellanna at csp.it writes:
>
> > Hi all,
> > I should implement autenthication inside of web application with gnutls.
> > I should use OpenPGP inside TLS connection (I do not use certificate
> X.509).
> > It is possible in GnuTLS, but can someone indicate me any reference guide
> (with
> > example server-client)?
>
> Hi! Yes, that should be possible. There are example code for a
> server in the GnuTLS manual:
>
> http://www.gnu.org/software/gnutls/manual/html_node/Echo-Server-with-OpenPGP-authentication.html
>
> There are no explicit examples for OpenPGP clients, but modifying the
> standard X.509 example:
>
> http://www.gnu.org/software/gnutls/manual/html_node/Simple-client-example-with-X_002e509-certificate-support.html
>
> using the hints from:
>
> http://www.gnu.org/software/gnutls/manual/html_node/Certificate-authentication.html
>
> should not be impossible.
>
> Note that this part of GnuTLS is not widely used, so it isn't unlikely
> that you run into problems. Let us know how it works for you!
>
> /Simon
>

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

From simon at josefsson.org Fri Feb 2 17:17:53 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Fri, 02 Feb 2007 17:17:53 +0100
Subject: [Help-gnutls] Re: TLS/OpenPGP draft expiring soon
In-Reply-To: <8764ak7for.fsf@laas.fr> (Ludovic Courtès's message of "Fri, 02 Feb 2007 16:16:36 +0100")
References: <87zm8jhyah.fsf@laas.fr> <17836.63955.481542.439077@squeak.fifthhorseman.net> <871wluj0tq.fsf@latte.josefsson.org> <1168974346.3210.25.camel@sarge> <87irf3kwov.fsf@latte.josefsson.org> <87ejprkt1i.fsf@latte.josefsson.org> <87irelet0n.fsf@laas.fr> <87fy9ovfc6.fsf@latte.josefsson.org> <8764ak7for.fsf@laas.fr>
Message-ID: <87abzwzg7i.fsf@latte.josefsson.org>

ludovic.courtes at laas.fr (Ludovic Courtès) writes:

> Hi,
>
> Simon Josefsson writes:
>
>> Hi! Actually, the tools works fine without your patch, IF I use a
>> newly generated key.
>
> Hmm, but without the patch, the DH parameters aren't used since the
> invocation of `gnutls_certificate_set_dh_params ()' is commented out,
> are they?

Doesn't it work for you? Setting the DH and export RSA parameters are
done through the 'get_params' function, if I understand correctly.

>> I suspect OpenCDK uses the wrong RSA key to encrypt and/or decrypt the
>> data. I have several old and expired keys in my private key. IIRC,
>> even GnuPG had a similar problem with my key some time ago.
>
> Then the key is to blame. ;-)
>
> Or at least GnuTLS should return a more appropriate error, like
> `GNUTLS_A_CERTIFICATE_EXPIRED'.

Yes. Alas, I can't send my private key for debugging... ;) If I get
time, I'll debug it. The important thing is that it seems to work.

I'll add a client example and perhaps a self test too.

I'm still not certain what these parameters do, though:

      --pgpkeyring FILE        PGP Key ring file to use.
      --pgptrustdb FILE        PGP trustdb file to use.
I can guess that the former is used to search for keys when only the
fingerprint is sent, and the latter is used for WoT verification, but
neither seem to work. If I understand correctly, this should work:

jas@mocca:~$ gnutls-serv --dhparams ~/dh.pem --pgpcertfile ~/.gnupg-foo/pub.txt --pgpkeyfile ~/.gnupg-foo/sec.txt --pgpkeyring ~/.gnupg-foo/pub.txt
Read Diffie Hellman parameters.
Echo Server ready. Listening to port '5556'.
Error in handshake
Error: Could not get OpenPGP key.

jas@mocca:~$ gnutls-cli --pgpcertfile ~/.gnupg-foo/pub.txt --pgpkeyfile ~/.gnupg-foo/sec.txt -p 5556 localhost -f
Processed 1 client PGP certificate...
Resolving 'localhost'...
Connecting to '127.0.0.1:5556'...
*** Fatal error: Error in the push function.
*** Handshake has failed
GNUTLS ERROR: Error in the push function.
jas@mocca:~$

But as you can see, the server wasn't able to find the OpenPGP key.
The error message on the client seems sub-optimal too.

Maybe this is an ASCII vs binary issue. Ah, yes, it is. After:

jas@mocca:~$ gpg -a --export-secret-keys 40CD57C9 > ~/.gnupg/sec.bin
jas@mocca:~$ gpg --export-secret-keys 40CD57C9 > ~/.gnupg/sec.bin

Then it works:

jas@mocca:~$ gnutls-serv --dhparams ~/dh.pem --pgpcertfile ~/.gnupg-foo/pub.txt --pgpkeyfile ~/.gnupg-foo/sec.txt --pgpkeyring ~/.gnupg-foo/pub.bin
Read Diffie Hellman parameters.
Echo Server ready. Listening to port '5556'.
* connection from ::ffff:127.0.0.1, port 41465
 - Given server name[1]: localhost
 - Certificate type: OpenPGP
 # Key was created at: Fri Feb 2 14:32:23 CET 2007
 # Key expires: Never
 # PGP Key version: 4
 # PGP Key public key algorithm: DSA (1024 bits)
 # PGP Key fingerprint: BF:D6:44:C3:26:74:9E:3A:99:1E:D0:B5:C0:85:0D:AD:40:CD:57:C9
 # NAME: Foo Bar
 - Peer's key is valid
 - Version: TLS 1.1
 - Key Exchange: DHE DSS
 - Cipher: AES 128 CBC
 - MAC: SHA
 - Compression: DEFLATE
...
jas@mocca:~$ gnutls-cli --pgpcertfile ~/.gnupg-foo/pub.txt --pgpkeyfile ~/.gnupg-foo/sec.txt -p 5556 localhost -f
Processed 1 client PGP certificate...
Resolving 'localhost'...
Connecting to '127.0.0.1:5556'...
 - Certificate type: OpenPGP
 # The hostname in the key does NOT match 'localhost'.
 # Key was created at: Fri Feb 2 14:32:23 CET 2007
 # Key expires: Never
 # PGP Key version: 4
 # PGP Key public key algorithm: DSA (1024 bits)
 # PGP Key fingerprint: BF:D6:44:C3:26:74:9E:3A:99:1E:D0:B5:C0:85:0D:AD:40:CD:57:C9
 # NAME: Foo Bar
 - Peer's key is valid
 - Could not find a signer of the peer's key
 - Version: TLS 1.1
 - Key Exchange: DHE DSS
 - Cipher: AES 128 CBC
 - MAC: SHA
 - Compression: DEFLATE
- Handshake was completed
- Simple Client Mode:

jas@mocca:~$

Although it looks pretty serious that the server doesn't complain
about a missing signer for the key now. Is it using the keyring as the
trustdb?

The trustdb parameter doesn't seem to have the binary vs ASCII problem,
and the signer stuff seem to work:

jas@mocca:~$ gnutls-serv --dhparams ~/dh.pem --pgpcertfile ~/.gnupg-foo/pub.txt --pgpkeyfile ~/.gnupg-foo/sec.txt --pgptrustdb ~/.gnupg-foo/pub.txt
Read Diffie Hellman parameters.
Echo Server ready. Listening to port '5556'.
* connection from ::ffff:127.0.0.1, port 39134
 - Given server name[1]: localhost
 - Certificate type: OpenPGP
 # Key was created at: Fri Feb 2 14:32:23 CET 2007
 # Key expires: Never
 # PGP Key version: 4
 # PGP Key public key algorithm: DSA (1024 bits)
 # PGP Key fingerprint: BF:D6:44:C3:26:74:9E:3A:99:1E:D0:B5:C0:85:0D:AD:40:CD:57:C9
 # NAME: Foo Bar
 - Peer's key is valid
 - Version: TLS 1.1
 - Key Exchange: DHE DSS
 - Cipher: AES 128 CBC
 - MAC: SHA
 - Compression: DEFLATE

client:

jas@mocca:~$ gnutls-cli --pgpcertfile ~/.gnupg-foo/pub.txt --pgpkeyfile ~/.gnupg-foo/sec.txt -p 5556 localhost
Processed 1 client PGP certificate...
Resolving 'localhost'...
Connecting to '127.0.0.1:5556'...
 - Certificate type: OpenPGP
 # The hostname in the key does NOT match 'localhost'.
 # Key was created at: Fri Feb 2 14:32:23 CET 2007
 # Key expires: Never
 # PGP Key version: 4
 # PGP Key public key algorithm: DSA (1024 bits)
 # PGP Key fingerprint: BF:D6:44:C3:26:74:9E:3A:99:1E:D0:B5:C0:85:0D:AD:40:CD:57:C9
 # NAME: Foo Bar
 - Peer's key is valid
 - Could not find a signer of the peer's key
 - Version: TLS 1.1
 - Key Exchange: DHE DSS
 - Cipher: AES 128 CBC
 - MAC: SHA
 - Compression: DEFLATE
- Handshake was completed
- Simple Client Mode:

So there are a few problems:

* use static DH if none are supplied
* fix reading of ASCII OpenPGP keyrings
* fix error message in client when the server cannot find the openpgp key
* investigate whether the server thinks the client's cert is ok when a
  keyring is specified
* add self-tests for the above :)

and most importantly:

* document how everything works, with examples like those in this message

Thanks,
Simon

From simon at josefsson.org Tue Feb 6 07:44:36 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Tue, 06 Feb 2007 07:44:36 +0100
Subject: [Help-gnutls] Re: gnutls with pgp
In-Reply-To: <1170431003.45c35c1b29a34@csa.csp.it> (dellanna@csp.it's message of "Fri, 2 Feb 2007 16:43:23 +0100")
References: <87sldovkfx.fsf@latte.josefsson.org> <1170418623.45c32bbf0d773@csa.csp.it> <87k5z0vgm7.fsf@latte.josefsson.org> <1170431003.45c35c1b29a34@csa.csp.it>
Message-ID: <87tzxzg4yz.fsf@latte.josefsson.org>

dellanna at csp.it writes:

> Ok,
> but if I try to compiler the example on manual "Echo Server with anonymous
> authentication" with command gcc, it return something like:
> "server.c:(.text+0x2e): undefined reference to `gnutls_set_default_priority'"
> this function is in the package .
> In this example I write #include . There is something to
> configure before gnutls work correctly?

Did you forget to link the program with the gnutls library?
You'll need to compile it using something like this:

cc -o foo foo.c -I/path/to/gnutls/include -L/path/to/gnutls/lib -lgnutls

Alternatively, if you built GnuTLS yourself, invoke 'make' in the
doc/examples/ directory. The examples are built when you build
GnuTLS.

/Simon

> Simone.
>
> Scrive Simon Josefsson :
>
>> dellanna at csp.it writes:
>>
>> > Hi all,
>> > I should implement autenthication inside of web application with gnutls.
>> > I should use OpenPGP inside TLS connection (I do not use certificate
>> X.509).
>> > It is possible in GnuTLS, but can someone indicate me any reference guide
>> (with
>> > example server-client)?
>>
>> Hi! Yes, that should be possible. There are example code for a
>> server in the GnuTLS manual:
>>
>> http://www.gnu.org/software/gnutls/manual/html_node/Echo-Server-with-OpenPGP-authentication.html
>>
>> There are no explicit examples for OpenPGP clients, but modifying the
>> standard X.509 example:
>>
>> http://www.gnu.org/software/gnutls/manual/html_node/Simple-client-example-with-X_002e509-certificate-support.html
>>
>> using the hints from:
>>
>> http://www.gnu.org/software/gnutls/manual/html_node/Certificate-authentication.html
>>
>> should not be impossible.
>>
>> Note that this part of GnuTLS is not widely used, so it isn't unlikely
>> that you run into problems. Let us know how it works for you!
>>
>> /Simon
>>
>>
>
> ----------------------------------------------------------------
> This message was sent using IMP, the Internet Messaging Program.

From dg at cowlark.com Wed Feb 7 00:22:13 2007
From: dg at cowlark.com (David Given)
Date: Tue, 06 Feb 2007 23:22:13 +0000
Subject: [Help-gnutls] SMTP TLS & Thunderbird
Message-ID:

I'm trying to use GNUTLS to implement TLS functionality on an SMTP
daemon I've got. It's nearly working really well; the example in 7.4.5
was really useful.

I've implemented the code in the server to do the TLS handshake, and
everything works fine when I connect to it with gnutls-cli.
Unfortunately, when I try it with real data, using Thunderbird, it
doesn't work. Handshake fails with "Could not negotiate a supported
cipher suite."

Thunderbird appears to be using OpenSSL. GNUTLS *does* work with
OpenSSL, right? If so, can anyone offer any suggestions as to what
might be going on, and how to fix it?

This is with GNUTLS 1.4.0-3ubuntu1 on Ubuntu Edgy Eft and Thunderbird
1.5.0.9.

--
http://www.cowlark.com
"I have always wished for my computer to be as easy to use as my
telephone; my wish has come true because I can no longer figure out how
to use my telephone." --- Bjarne Stroustrup

From simon at josefsson.org Wed Feb 7 07:35:40 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Wed, 07 Feb 2007 07:35:40 +0100
Subject: [Help-gnutls] Re: SMTP TLS & Thunderbird
In-Reply-To: (David Given's message of "Tue, 06 Feb 2007 23:22:13 +0000")
References:
Message-ID: <87zm7qbhkz.fsf@latte.josefsson.org>

David Given writes:

> I'm trying to use GNUTLS to implement TLS functionality on an SMTP daemon I've
> got. It's nearly working really well; the example in 7.4.5 was really useful.
>
> I've implemented the code in the server to do the TLS handshake, and
> everything works fine when I connect to it with gnutls-cli. Unfortunately,
> when I try it with real data, using Thunderbird, it doesn't work. Handshake
> fails with "Could not negotiate a supported cipher suite."
>
> Thunderbird appears to be using OpenSSL. GNUTLS *does* work with OpenSSL,
> right? If so, can anyone offer any suggestions as to what might be going on,
> and how to fix it?
>
> This is with GNUTLS 1.4.0-3ubuntu1 on Ubuntu Edgy Eft and Thunderbird 1.5.0.9.

That error happens if the server doesn't offer a ciphersuite that the
client can accept.
Often this is caused by a missing X.509 CA and/or server certificate.
Check with 'gnutls-cli' what key exchange is negotiated. If it is
ANON, most clients will refuse to talk to you.

Btw, example 7.4.5 is for anonymous authentication, try 7.4.1 instead.
It is easy to change things, just add an X.509 credential and assign
it to the session.

/Simon

From dellanna at csp.it Wed Feb 7 10:38:01 2007
From: dellanna at csp.it (dellanna at csp.it)
Date: Wed, 7 Feb 2007 10:38:01 +0100
Subject: [Help-gnutls] Re: gnutls with pgp
In-Reply-To: <87tzxzg4yz.fsf@latte.josefsson.org>
References: <87sldovkfx.fsf@latte.josefsson.org> <1170418623.45c32bbf0d773@csa.csp.it> <87k5z0vgm7.fsf@latte.josefsson.org> <1170431003.45c35c1b29a34@csa.csp.it> <87tzxzg4yz.fsf@latte.josefsson.org>
Message-ID: <1170841081.45c99df937538@csa.csp.it>

Hi,
I installed gnutls with Synaptic Package Manager (in ubuntu 6.06) and I
don't know what the gnutls library directory is...

If I download gnutls from ftp://ftp.gnupg.org/gcrypt/alpha/gnutls/
what is the package I need to use gnutls in my applications?
In the manual there aren't instructions related to the configuration
of my environment.

Can you help me, please?

Simone.

Scrive Simon Josefsson :

> dellanna at csp.it writes:
>
> > Ok,
> > but if I try to compiler the example on manual "Echo Server with anonymous
> > authentication" with command gcc, it return something like:
> > "server.c:(.text+0x2e): undefined reference to
> `gnutls_set_default_priority'"
> > this function is in the package .
> > In this example I write #include . There is something to
> > configure before gnutls work correctly?
>
> Did you forget to link the program with the gnutls library? You'll
> need to compile it using something like this:
>
> cc -o foo foo.c -I/path/to/gnutls/include -L/path/to/gnutls/lib -lgnutls
>
> Alternatively, if you built GnuTLS yourself, invoke 'make' in the
> doc/examples/ directory. The examples are built when you build
> GnuTLS.
>
> /Simon
>
> > Simone.
> >
> > Simon Josefsson writes:
> >
> >> dellanna at csp.it writes:
> >>
> >> > Hi all,
> >> > I should implement authentication inside of a web application with gnutls.
> >> > I should use OpenPGP inside the TLS connection (I do not use X.509 certificates).
> >> > It is possible in GnuTLS, but can someone point me to any reference guide
> >> > (with example server-client)?
> >>
> >> Hi! Yes, that should be possible. There is example code for a
> >> server in the GnuTLS manual:
> >>
> >> http://www.gnu.org/software/gnutls/manual/html_node/Echo-Server-with-OpenPGP-authentication.html
> >>
> >> There are no explicit examples for OpenPGP clients, but modifying the
> >> standard X.509 example:
> >>
> >> http://www.gnu.org/software/gnutls/manual/html_node/Simple-client-example-with-X_002e509-certificate-support.html
> >>
> >> using the hints from:
> >>
> >> http://www.gnu.org/software/gnutls/manual/html_node/Certificate-authentication.html
> >>
> >> should not be impossible.
> >>
> >> Note that this part of GnuTLS is not widely used, so it isn't unlikely
> >> that you run into problems. Let us know how it works for you!
> >>
> >> /Simon

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
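Simon's diagnosis in the SMTP TLS reply above (a server that only has anonymous credentials has no cipher suite in common with a client that refuses ANON key exchange, while gnutls-cli, which accepts ANON, connects fine) can be seen in a small negotiation model. The following is an added example, not GnuTLS code and not code from either thread: the suite names, the two client hello lists and the credential rule are constructed for the illustration, and real GnuTLS may rank candidates by the server's priority order rather than the client's, which does not change the empty-overlap outcome.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Key-exchange families that matter here: anonymous DH needs only DH
 * parameters; RSA and DHE-RSA need an X.509 certificate and private key. */
enum kx { KX_ANON_DH, KX_RSA, KX_DHE_RSA };

struct suite {
    const char *name;   /* constructed, OpenSSL-style names for readability */
    enum kx kx;
};

/* Which credentials the server attached to its session: anonymous and/or
 * X.509 (the "add an X.509 credential" fix from the reply above). */
struct server_creds {
    int anon;   /* anonymous server credentials set */
    int x509;   /* certificate credentials with cert + key set */
};

/* A server can only complete a suite whose key exchange it has credentials for. */
static int server_can_serve(const struct suite *s, const struct server_creds *c)
{
    switch (s->kx) {
    case KX_ANON_DH:
        return c->anon;
    case KX_RSA:
    case KX_DHE_RSA:
        return c->x509;
    }
    return 0;
}

/* Walk the client's offered list in its preference order and return the first
 * suite the server can serve; NULL is the "Could not negotiate a supported
 * cipher suite" case (no overlap between what is offered and what can be served). */
const char *negotiate(const struct suite *offered, size_t n,
                      const struct server_creds *creds)
{
    for (size_t i = 0; i < n; i++)
        if (server_can_serve(&offered[i], creds))
            return offered[i].name;
    return NULL;
}

/* Constructed hello resembling a mail client or browser: certificate-
 * authenticated suites only, never anonymous DH. */
static const struct suite mail_client_hello[] = {
    { "DHE-RSA-AES128-SHA", KX_DHE_RSA },
    { "RSA-AES128-SHA",     KX_RSA },
    { "RSA-3DES-SHA",       KX_RSA },
};

/* Constructed hello for a test tool that also accepts anonymous DH, which is
 * why gnutls-cli succeeded against the same server. */
static const struct suite test_tool_hello[] = {
    { "ANON-DH-AES128-SHA", KX_ANON_DH },
    { "RSA-AES128-SHA",     KX_RSA },
};

#define N(a) (sizeof(a) / sizeof((a)[0]))

/* The three situations from the thread, as named functions. */
const char *mail_client_vs_anon_only_server(void)
{
    struct server_creds creds = { 1, 0 };    /* example 7.4.5 style: anon only */
    return negotiate(mail_client_hello, N(mail_client_hello), &creds);
}

const char *test_tool_vs_anon_only_server(void)
{
    struct server_creds creds = { 1, 0 };
    return negotiate(test_tool_hello, N(test_tool_hello), &creds);
}

const char *mail_client_vs_x509_server(void)
{
    struct server_creds creds = { 0, 1 };    /* example 7.4.1 style: X.509 cert + key */
    return negotiate(mail_client_hello, N(mail_client_hello), &creds);
}

static void report(const char *label, const char *chosen)
{
    printf("%-34s %s\n", label,
           chosen ? chosen : "Could not negotiate a supported cipher suite");
}

int main(void)
{
    report("mail client vs anon-only server:", mail_client_vs_anon_only_server());
    report("test tool vs anon-only server:", test_tool_vs_anon_only_server());
    report("mail client vs X.509 server:", mail_client_vs_x509_server());
    return 0;
}
```

The model is also the reason Simon's check is the right one: 'gnutls-cli' reporting an ANON key exchange tells you the server is only able to serve the first kind of suite, and a client that never offers it has nothing to negotiate.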
From simon at josefsson.org Wed Feb 7 11:01:16 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Wed, 07 Feb 2007 11:01:16 +0100
Subject: [Help-gnutls] Re: gnutls with pgp
In-Reply-To: <1170841081.45c99df937538@csa.csp.it> (dellanna@csp.it's message of "Wed\, 7 Feb 2007 10\:38\:01 +0100")
References: <87sldovkfx.fsf@latte.josefsson.org> <1170418623.45c32bbf0d773@csa.csp.it> <87k5z0vgm7.fsf@latte.josefsson.org> <1170431003.45c35c1b29a34@csa.csp.it> <87tzxzg4yz.fsf@latte.josefsson.org> <1170841081.45c99df937538@csa.csp.it>
Message-ID: <87ps8mb82b.fsf@latte.josefsson.org>

dellanna at csp.it writes:

> Hi,
> I installed gnutls with Synaptic Package Manager (in Ubuntu 6.06) and I don't
> know what the gnutls library directory is...

Then it is installed in the default path, /usr/lib. You don't have to specify the -I or -L parameters at all. Just add "-lgnutls" when building it.

> If I download gnutls from ftp://ftp.gnupg.org/gcrypt/alpha/gnutls/
> which package do I need to use gnutls in my applications?
> In the manual there are no instructions related to the configuration of my environment.
> Can you help me, please?

See the file INSTALL, but if GnuTLS comes with your distribution, you don't need to build it yourself.

/Simon

> Simone.
From dellanna at csp.it Wed Feb 7 14:41:37 2007
From: dellanna at csp.it (dellanna at csp.it)
Date: Wed, 7 Feb 2007 14:41:37 +0100
Subject: [Help-gnutls] Re: gnutls with pgp
In-Reply-To: <87ps8mb82b.fsf@latte.josefsson.org>
References: <87sldovkfx.fsf@latte.josefsson.org> <1170418623.45c32bbf0d773@csa.csp.it> <87k5z0vgm7.fsf@latte.josefsson.org> <1170431003.45c35c1b29a34@csa.csp.it> <87tzxzg4yz.fsf@latte.josefsson.org> <1170841081.45c99df937538@csa.csp.it> <87ps8mb82b.fsf@latte.josefsson.org>
Message-ID: <1170855697.45c9d7118c6d4@csa.csp.it>

Ok,
now, if I run cc -ex-serv-anon ex-serv-anon.c -I/usr/lib/ -L /usr/lib/ -lgnutls (for the server with anonymous authentication) it works correctly... the output is the following:

Server ready. Listening to port '5556'

But if I run cc -ex-client1 ex-client1.c -I/usr/lib/ -L /usr/lib/ -lgnutls on the client machine (for the anonymous client) it returns the following error:
_______________________________________________________________
/usr/bin/ld: warning: cannot find entry symbol x-client1; defaulting to 0000000008048908
/tmp/ccbQ8aPE.o: In function `main':ex-client1.c:(.text+0x97): undefined reference to `tcp_connect'
:ex-client1.c:(.text+0x1fd): undefined reference to `tcp_close'
collect2: ld returned 1 exit status
_______________________________________________________________

What is the problem for you?

Simone.
From simon at josefsson.org Wed Feb 7 15:06:13 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Wed, 07 Feb 2007 15:06:13 +0100
Subject: [Help-gnutls] Re: gnutls with pgp
In-Reply-To: <1170855697.45c9d7118c6d4@csa.csp.it> (dellanna@csp.it's message of "Wed\, 7 Feb 2007 14\:41\:37 +0100")
References: <87sldovkfx.fsf@latte.josefsson.org> <1170418623.45c32bbf0d773@csa.csp.it> <87k5z0vgm7.fsf@latte.josefsson.org> <1170431003.45c35c1b29a34@csa.csp.it> <87tzxzg4yz.fsf@latte.josefsson.org> <1170841081.45c99df937538@csa.csp.it> <87ps8mb82b.fsf@latte.josefsson.org> <1170855697.45c9d7118c6d4@csa.csp.it>
Message-ID: <877iuuawq2.fsf@latte.josefsson.org>

dellanna at csp.it writes:

> Ok,
> now, if I run cc -ex-serv-anon ex-serv-anon.c -I/usr/lib/ -L /usr/lib/ -lgnutls
> (for the server with anonymous authentication) it works correctly... the output is the
> following:
>
> Server ready. Listening to port '5556'
>
> But if I run cc -ex-client1 ex-client1.c -I/usr/lib/ -L /usr/lib/ -lgnutls on
> the client machine (for the anonymous client) it returns the following error:

Try:

cc -o ex-client1 ex-client1.c -lgnutls

instead.

> _______________________________________________________________
> /usr/bin/ld: warning: cannot find entry symbol x-client1; defaulting to
> 0000000008048908
> /tmp/ccbQ8aPE.o: In function `main':ex-client1.c:(.text+0x97): undefined
> reference to `tcp_connect'
> :ex-client1.c:(.text+0x1fd): undefined reference to `tcp_close'
> collect2: ld returned 1 exit status
> _______________________________________________________________
>
> What is the problem for you?

The tcp_* functions are needed. Download this file as tcp.c:

http://cvs.gnupg.org/cgi-bin/viewcvs.cgi/*checkout*/gnutls/doc/examples/tcp.c?root=GNU+TLS+Library&content-type=text%2Fplain

and build it too, e.g.:

cc -o ex-client1 ex-client1.c tcp.c -lgnutls

I have added that file as another section in the manual.

/Simon

> Simone.
From dellanna at csp.it Wed Feb 7 15:59:20 2007
From: dellanna at csp.it (dellanna at csp.it)
Date: Wed, 7 Feb 2007 15:59:20 +0100
Subject: [Help-gnutls] Re: gnutls with pgp
In-Reply-To: <877iuuawq2.fsf@latte.josefsson.org>
References: <87sldovkfx.fsf@latte.josefsson.org> <1170418623.45c32bbf0d773@csa.csp.it> <87k5z0vgm7.fsf@latte.josefsson.org> <1170431003.45c35c1b29a34@csa.csp.it> <87tzxzg4yz.fsf@latte.josefsson.org> <1170841081.45c99df937538@csa.csp.it> <87ps8mb82b.fsf@latte.josefsson.org> <1170855697.45c9d7118c6d4@csa.csp.it> <877iuuawq2.fsf@latte.josefsson.org>
Message-ID: <1170860360.45c9e94832994@csa.csp.it>

Yes,
with cc -o ex-client1 ex-client1.c tcp.c -lgnutls the output "ex-client1" was generated, but if I run ./ex-client1 the application returns "Connect error".
I work on a LAN and the server machine is waiting on port 5556. The client machine should connect to the server machine with TLS.
Is the client application complete?

Simone.
From simon at josefsson.org Wed Feb 7 16:19:31 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Wed, 07 Feb 2007 16:19:31 +0100
Subject: [Help-gnutls] Re: gnutls with pgp
In-Reply-To: <1170860360.45c9e94832994@csa.csp.it> (dellanna@csp.it's message of "Wed\, 7 Feb 2007 15\:59\:20 +0100")
References: <87sldovkfx.fsf@latte.josefsson.org> <1170418623.45c32bbf0d773@csa.csp.it> <87k5z0vgm7.fsf@latte.josefsson.org> <1170431003.45c35c1b29a34@csa.csp.it> <87tzxzg4yz.fsf@latte.josefsson.org> <1170841081.45c99df937538@csa.csp.it> <87ps8mb82b.fsf@latte.josefsson.org> <1170855697.45c9d7118c6d4@csa.csp.it> <877iuuawq2.fsf@latte.josefsson.org> <1170860360.45c9e94832994@csa.csp.it>
Message-ID: <873b5iatbw.fsf@latte.josefsson.org>

dellanna at csp.it writes:

> Yes,
> with cc -o ex-client1 ex-client1.c tcp.c -lgnutls the output "ex-client1" was
> generated, but if I run ./ex-client1 the application returns "Connect error".
> I work on a LAN and the server machine is waiting on port 5556. The
> client machine should connect to the server machine with TLS.
> Is the client application complete?

The client connects to "localhost:5556". Do you have a server running there? The error you get indicates that there is no server.
Remember, you will want to modify the client in order to do anything useful, so I recommend to start reading its source code to understand what it does.

/Simon

> Simone.
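Both failures in this thread, the unresolved tcp_connect/tcp_close symbols and the later "Connect error", come down to the small tcp.c helper that the manual's client expects to be linked in. The following is an added example written in the spirit of that helper, not the manual's tcp.c itself: it takes the host and port as arguments instead of hard-coding localhost:5556, returns -1 with errno set instead of calling exit(1) so the caller can print why the connection failed (for the case above, "Connection refused", meaning nothing listens on that host and port), and includes a loopback listener (start_loopback_listener, a name chosen for this example) so both the connected and the refused path can be exercised without a GnuTLS server.

```c
#define _POSIX_C_SOURCE 200112L
#include <arpa/inet.h>
#include <errno.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Connect to host:port over TCP.  Returns the socket descriptor, or -1 with
 * errno describing the failure (ECONNREFUSED when nothing listens there),
 * so the caller can report the reason instead of a bare "Connect error". */
int tcp_connect(const char *host, int port)
{
    struct addrinfo hints, *res, *ai;
    char portstr[16];
    int sd = -1, saved_errno = ECONNREFUSED;

    snprintf(portstr, sizeof portstr, "%d", port);
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;          /* IPv4 or IPv6 */
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_NUMERICSERV;

    if (getaddrinfo(host, portstr, &hints, &res) != 0) {
        errno = EHOSTUNREACH;             /* closest errno for "could not resolve" */
        return -1;
    }
    for (ai = res; ai != NULL; ai = ai->ai_next) {
        sd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (sd < 0) {
            saved_errno = errno;
            continue;
        }
        if (connect(sd, ai->ai_addr, ai->ai_addrlen) == 0)
            break;                        /* connected */
        saved_errno = errno;              /* remember why this address failed */
        close(sd);
        sd = -1;
    }
    freeaddrinfo(res);
    if (sd < 0)
        errno = saved_errno;
    return sd;
}

/* Orderly shutdown followed by close, as the manual's tcp_close() does. */
void tcp_close(int sd)
{
    shutdown(sd, SHUT_RDWR);
    close(sd);
}

/* Helper for exercising the code: listen on an ephemeral loopback port and
 * report which port the kernel picked.  Returns the listening socket or -1. */
int start_loopback_listener(int *port_out)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    int lfd = socket(AF_INET, SOCK_STREAM, 0);

    if (lfd < 0)
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = 0;                      /* 0 = let the kernel choose */
    if (bind(lfd, (struct sockaddr *)&sa, sizeof sa) < 0 ||
        listen(lfd, 1) < 0 ||
        getsockname(lfd, (struct sockaddr *)&sa, &len) < 0) {
        close(lfd);
        return -1;
    }
    *port_out = ntohs(sa.sin_port);
    return lfd;
}

int main(void)
{
    int port, sd;
    int lfd = start_loopback_listener(&port);

    if (lfd < 0) {
        fprintf(stderr, "listener: %s\n", strerror(errno));
        return 1;
    }
    sd = tcp_connect("127.0.0.1", port);  /* server is listening: succeeds */
    printf("127.0.0.1:%d with a listener: %s\n", port,
           sd >= 0 ? "connected" : strerror(errno));
    if (sd >= 0)
        tcp_close(sd);
    close(lfd);                           /* now nothing listens, like the thread */
    sd = tcp_connect("127.0.0.1", port);
    printf("127.0.0.1:%d without a listener: %s\n", port,
           sd >= 0 ? "connected" : strerror(errno));
    if (sd >= 0)
        tcp_close(sd);
    return 0;
}
```

Linking this file next to the manual's client (cc -o ex-client1 ex-client1.c tcp.c -lgnutls, as in Simon's reply) resolves the two undefined references; the second printed line is the situation Simon describes, a client whose target host and port have no server behind them.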
From dellanna at csp.it Wed Feb 7 17:02:42 2007
From: dellanna at csp.it (dellanna at csp.it)
Date: Wed, 7 Feb 2007 17:02:42 +0100
Subject: [Help-gnutls] Re: gnutls with pgp
In-Reply-To: <873b5iatbw.fsf@latte.josefsson.org>
References: <87sldovkfx.fsf@latte.josefsson.org> <1170418623.45c32bbf0d773@csa.csp.it> <87k5z0vgm7.fsf@latte.josefsson.org> <1170431003.45c35c1b29a34@csa.csp.it> <87tzxzg4yz.fsf@latte.josefsson.org> <1170841081.45c99df937538@csa.csp.it> <87ps8mb82b.fsf@latte.josefsson.org> <1170855697.45c9d7118c6d4@csa.csp.it> <877iuuawq2.fsf@latte.josefsson.org> <1170860360.45c9e94832994@csa.csp.it> <873b5iatbw.fsf@latte.josefsson.org>
Message-ID: <1170864162.45c9f822ee08e@csa.csp.it>

I want to build the following scenario (with gnutls):
a client-server architecture (on a LAN)... when the client opens the connection with the server, TLS with PGP-based authentication is used.
It is possible to start from ex-serv-anon and ex-client1, isn't it?
Is there some reference on this mechanism? (this is the gnutls mechanism)

Simone.
> > > > Scrive Simon Josefsson : > > > >> dellanna at csp.it writes: > >> > >> > Ok, > >> > now, if I run cc -ex-serv-anon ex-serv-anon.c -I/usr/lib/ -L /usr/lib/ > >> -lgnutls > >> > (for server with anonymous authentication) it work correctly...the > output > >> is the > >> > following: > >> > > >> > Server ready. Listening to port '5556' > >> > > >> > But if I run cc -ex-client1 ex-client1.c -I/usr/lib/ -L /usr/lib/ > -lgnutls > >> on > >> > client machine (for client anonymous) it return the following error: > >> > >> Try: > >> > >> cc -o ex-client1 ex-client1.c -lgnutls > >> > >> instead. > >> > >> > _______________________________________________________________ > >> > /usr/bin/ld: warning: cannot find entry symbol x-client1; defaulting to > >> > 0000000008048908 > >> > /tmp/ccbQ8aPE.o: In function `main':ex-client1.c:(.text+0x97): undefined > >> > reference to `tcp_connect' > >> > :ex-client1.c:(.text+0x1fd): undefined reference to `tcp_close' > >> > collect2: ld returned 1 exit status > >> > _______________________________________________________________ > >> > > >> > What is the problem for you? > >> > >> The tcp_* functions are needed. Download this file as tcp.c: > >> > >> > > > http://cvs.gnupg.org/cgi-bin/viewcvs.cgi/*checkout*/gnutls/doc/examples/tcp.c?root=GNU+TLS+Library&content-type=text%2Fplain > >> > >> and build it too, e.g.: > >> > >> cc -o ex-client1 ex-client1.c tcp.c -lgnutls > >> > >> I have added that file as another section in the manual. > >> > >> /Simon > >> > >> > Simone. > >> > > >> > Scrive Simon Josefsson : > >> > > >> >> dellanna at csp.it writes: > >> >> > >> >> > Hi, > >> >> > I installed gnutls with Synaptic Package Manager ( in ubuntu 6.06) > and I > >> >> don't > >> >> > know what is gnutls library directory... > >> >> > >> >> Then it is installed in the default path, /usr/lib. You don't have to > >> >> specify the -I or -L parameters at all. Just add "-lgnutls" when > >> >> building it. 
> >> >>
> >> >> > If I download gnutls from ftp://ftp.gnupg.org/gcrypt/alpha/gnutls/
> >> >> > what is the package I need to use gnutls in my applications?
> >> >> > In the manual there aren't instructions related to the configuration of my
> >> >> > environment.
> >> >> > Can you help me, please?
> >> >>
> >> >> See the file INSTALL, but if GnuTLS comes with your distribution, you
> >> >> don't need to build it yourself.
> >> >>
> >> >> /Simon
> >> >>
> >> >> > Simone.
> >> >> >
> >> >> > Scrive Simon Josefsson :
> >> >> >
> >> >> >> dellanna at csp.it writes:
> >> >> >>
> >> >> >> > Ok,
> >> >> >> > but if I try to compile the example in the manual "Echo Server with
> >> >> >> > anonymous authentication" with the command gcc, it returns something like:
> >> >> >> > "server.c:(.text+0x2e): undefined reference to `gnutls_set_default_priority'"
> >> >> >> > this function is in the package .
> >> >> >> > In this example I write #include . Is there something to
> >> >> >> > configure before gnutls works correctly?
> >> >> >>
> >> >> >> Did you forget to link the program with the gnutls library? You'll
> >> >> >> need to compile it using something like this:
> >> >> >>
> >> >> >> cc -o foo foo.c -I/path/to/gnutls/include -L/path/to/gnutls/lib -lgnutls
> >> >> >>
> >> >> >> Alternatively, if you built GnuTLS yourself, invoke 'make' in the
> >> >> >> doc/examples/ directory. The examples are built when you build
> >> >> >> GnuTLS.
> >> >> >>
> >> >> >> /Simon
> >> >> >>
> >> >> >> > Simone.
> >> >> >> >
> >> >> >> > Scrive Simon Josefsson :
> >> >> >> >
> >> >> >> >> dellanna at csp.it writes:
> >> >> >> >>
> >> >> >> >> > Hi all,
> >> >> >> >> > I should implement authentication inside a web application with gnutls.
> >> >> >> >> > I should use OpenPGP inside the TLS connection (I do not use X.509
> >> >> >> >> > certificates).
> >> >> >> >> > It is possible in GnuTLS, but can someone indicate me any reference
> >> >> >> >> > guide (with a server-client example)?
> >> >> >> >>
> >> >> >> >> Hi! Yes, that should be possible. There is example code for a
> >> >> >> >> server in the GnuTLS manual:
> >> >> >> >>
> >> >> >> >> http://www.gnu.org/software/gnutls/manual/html_node/Echo-Server-with-OpenPGP-authentication.html
> >> >> >> >>
> >> >> >> >> There are no explicit examples for OpenPGP clients, but modifying the
> >> >> >> >> standard X.509 example:
> >> >> >> >>
> >> >> >> >> http://www.gnu.org/software/gnutls/manual/html_node/Simple-client-example-with-X_002e509-certificate-support.html
> >> >> >> >>
> >> >> >> >> using the hints from:
> >> >> >> >>
> >> >> >> >> http://www.gnu.org/software/gnutls/manual/html_node/Certificate-authentication.html
> >> >> >> >>
> >> >> >> >> should not be impossible.
> >> >> >> >>
> >> >> >> >> Note that this part of GnuTLS is not widely used, so it isn't unlikely
> >> >> >> >> that you run into problems. Let us know how it works for you!
> >> >> >> >>
> >> >> >> >> /Simon
> >> >> >> >
> >> >> >> > ----------------------------------------------------------------
> >> >> >> > This message was sent using IMP, the Internet Messaging Program.
From simon at josefsson.org Wed Feb 7 17:10:21 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Wed, 07 Feb 2007 17:10:21 +0100
Subject: [Help-gnutls] Re: gnutls with pgp
In-Reply-To: <1170864162.45c9f822ee08e@csa.csp.it> (dellanna@csp.it's message of "Wed\, 7 Feb 2007 17\:02\:42 +0100")
References: <87sldovkfx.fsf@latte.josefsson.org> <1170418623.45c32bbf0d773@csa.csp.it> <87k5z0vgm7.fsf@latte.josefsson.org> <1170431003.45c35c1b29a34@csa.csp.it> <87tzxzg4yz.fsf@latte.josefsson.org> <1170841081.45c99df937538@csa.csp.it> <87ps8mb82b.fsf@latte.josefsson.org> <1170855697.45c9d7118c6d4@csa.csp.it> <877iuuawq2.fsf@latte.josefsson.org> <1170860360.45c9e94832994@csa.csp.it> <873b5iatbw.fsf@latte.josefsson.org> <1170864162.45c9f822ee08e@csa.csp.it>
Message-ID: <87tzxy9ceq.fsf@latte.josefsson.org>

dellanna at csp.it writes:

> I want to build the following scenario (with gnutls):
> a client-server architecture (in a LAN)... when the client opens the connection with
> the server, TLS with PGP-based authentication is used.
> It is possible to start from ex-serv-anon and ex-client1, isn't it?
> Is there some reference on this mechanism? (this is the gnutls mechanism)

Yes, you should be able to start from those two examples and make that
work. For testing, you should even be able to create that
configuration using the command line tools gnutls-cli and gnutls-serv.
That may be simpler to start with.

I'm not sure what you mean by a reference, but the manual should
contain the necessary documentation. You'll need to modify the code
to suit your needs, of course.
Don't forget to look at src/cli.c and src/serv.c (the source code to
gnutls-cli and gnutls-serv) for more hints, they are slightly more
capable than the example code.

/Simon
From m at tthias.eu Wed Feb 7 22:28:08 2007
From: m at tthias.eu (Matthias Wimmer)
Date: Wed, 07 Feb 2007 22:28:08 +0100
Subject: [Help-gnutls] Re: Verifying subjectAltNames
In-Reply-To: <45BE5ABF.6020005@tthias.eu>
References: <45B958D7.6000007@tthias.eu> <87y7npdcmm.fsf@latte.josefsson.org> <45BA6C88.2080201@tthias.eu> <87ps8xbo8o.fsf@latte.josefsson.org> <45BE5ABF.6020005@tthias.eu>
Message-ID: <45CA4468.6020704@tthias.eu>

Hi Simon!

I now implemented checking of id-on-xmppAddr in the RFC 3920 server
using libtasn1 directly (to be compatible with existing versions of
GnuTLS).

But I am still interested in having direct id-on-xmppAddr support in
GnuTLS, so I continued thinking about an interface: I don't think that
our initial idea would be working. (Having one or two functions
returning the OID for an otherName and its content.)
This won't work, as I think we cannot know the content of the
otherName.value part. In case of id-on-xmppAddr it is a UTF8String,
but I guess it might also use other string representations. So we will
still be only able to return known types of otherName. Right?

So if I am not wrong, we should be able to just extend
gnutls_x509_subject_alt_name_t to be able to represent id-on-xmppAddr
and report the new value back in gnutls_x509_crt_get_subject_alt_name().

Matthias

From dg at cowlark.com Thu Feb 8 02:12:39 2007
From: dg at cowlark.com (David Given)
Date: Thu, 08 Feb 2007 01:12:39 +0000
Subject: [Help-gnutls] Re: SMTP TLS & Thunderbird
In-Reply-To: <87zm7qbhkz.fsf@latte.josefsson.org>
References: <87zm7qbhkz.fsf@latte.josefsson.org>
Message-ID:

Simon Josefsson wrote:
[...]
> That error happens if the server doesn't offer a ciphersuite that the
> client can accept. Often this is caused by missing X.509 CA and/or
> server certificate. Check with 'gnutls-cli' what key exchange is
> negotiated.
> If it is ANON, most clients will refuse to talk to you.
>
> Btw, example 7.4.5 is for anonymous authentication, try 7.4.1 instead.
> It is easy to change things, just add an X.509 credential and assign it
> to the session.

Thanks. I was rather hoping to do without --- having to create a self-signed
certificate adds quite a lot of complexity to my install procedure --- but if
I have to...

Incidentally, creating a private key with certtool takes several minutes.
Doing the same with openssl req appears to be more or less instant. Is this
normal?

-- 
http://www.cowlark.com
"I have always wished for my computer to be as easy to use as my
telephone; my wish has come true because I can no longer figure out how to
use my telephone." --- Bjarne Stroustrup

From simon at josefsson.org Thu Feb 8 07:55:19 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 08 Feb 2007 07:55:19 +0100
Subject: [Help-gnutls] Re: SMTP TLS & Thunderbird
In-Reply-To: (David Given's message of "Thu\, 08 Feb 2007 01\:12\:39 +0000")
References: <87zm7qbhkz.fsf@latte.josefsson.org>
Message-ID: <87lkj99m08.fsf@latte.josefsson.org>

David Given writes:

> Simon Josefsson wrote:
> [...]
>> That error happens if the server doesn't offer a ciphersuite that the
>> client can accept. Often this is caused by missing X.509 CA and/or
>> server certificate. Check with 'gnutls-cli' what key exchange is
>> negotiated. If it is ANON, most clients will refuse to talk to you.
>>
>> Btw, example 7.4.5 is for anonymous authentication, try 7.4.1 instead.
>> It is easy to change things, just add an X.509 credential and assign it
>> to the session.
>
> Thanks.
> I was rather hoping to do without --- having to create a self-signed
> certificate adds quite a lot of complexity to my install procedure --- but if
> I have to...

Many programs refuse to work if the server doesn't have an X.509
certificate, so yes, I'm afraid you'll have to add that to your
server, or modify a lot of clients.

> Incidentally, creating a private key with certtool takes several minutes.
> Doing the same with openssl req appears to be more or less instant. Is this
> normal?

Yes. Certtool calls gcry_pk_genkey in libgcrypt, and it will read
from /dev/random which often blocks waiting for more entropy. I
really think it should be possible to do things faster, but the Linux
kernel people appear to neglect to replace the current broken
/dev/random code with something faster and more secure.

A strace shows that OpenSSL uses /dev/urandom (and stores state in
~/.rnd) for generating private keys. That device doesn't block, and
may return data with little entropy. If you run 'openssl genrsa -rand
file:/dev/random' it is also quite slow.

/Simon

From simon at josefsson.org Thu Feb 8 08:11:52 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 08 Feb 2007 08:11:52 +0100
Subject: [Help-gnutls] Re: Verifying subjectAltNames
In-Reply-To: <45CA4468.6020704@tthias.eu> (Matthias Wimmer's message of "Wed\, 07 Feb 2007 22\:28\:08 +0100")
References: <45B958D7.6000007@tthias.eu> <87y7npdcmm.fsf@latte.josefsson.org> <45BA6C88.2080201@tthias.eu> <87ps8xbo8o.fsf@latte.josefsson.org> <45BE5ABF.6020005@tthias.eu> <45CA4468.6020704@tthias.eu>
Message-ID: <87hctx9l8n.fsf@latte.josefsson.org>

Matthias Wimmer writes:

> Hi Simon!
>
> I now implemented checking of id-on-xmppAddr in the RFC 3920 server
> using libtasn1 directly (to be compatible with existing versions of
> GnuTLS).

Hi Matthias! Ok.
> But I am still interested in having direct id-on-xmppAddr support in
> GnuTLS, so I continued thinking about an interface: I don't think that
> our initial idea would be working. (Having one or two functions
> returning the OID for an otherName and its content.)
> This won't work, as I think we cannot know the content of the
> otherName.value part. In case of id-on-xmppAddr it is a UTF8String,
> but I guess it might also use other string representations. So we will
> still be only able to return known types of otherName. Right?

My idea was to extract the raw bytes in the 'value' field of the
otherName, and let the caller figure out how to interpret it. If the
caller knows about the OID, that should be simple. This should work
well for you, since for id-on-xmppAddr you could use the raw string as
the UTF-8 string directly. However...

> So if I am not wrong, we should be able to just extend
> gnutls_x509_subject_alt_name_t to be able to represent id-on-xmppAddr
> and report the new value back in
> gnutls_x509_crt_get_subject_alt_name().

...yes, I think we should do this. I have a partial implementation
working now, but I could use a sample certificate with a
id-on-xmppAddr to finish it. Could you send me one? I'll try to
figure out how to create such a certificate using certtool as well...

My current idea is that gnutls_x509_crt_get_subject_alt_name() can
parse "virtual" SAN's, identified by:

typedef enum gnutls_x509_subject_alt_name_t
{
  GNUTLS_SAN_DNSNAME = 1,
  GNUTLS_SAN_RFC822NAME,
  GNUTLS_SAN_URI,
  GNUTLS_SAN_IPADDRESS,
  GNUTLS_SAN_OTHERNAME,
  /* The following are "virtual" subject alternative name types, in
     that they are represented by an otherName value and an OID. */
  GNUTLS_SAN_XMPP = 1000
} gnutls_x509_subject_alt_name_t;

So if it finds an "otherName" which it understands (currently only
XMPP), it should return GNUTLS_SAN_XMPP, otherwise it will return
GNUTLS_SAN_OTHERNAME and the "value" data.
I have one new API that will return the otherName OID, to handle
non-supported otherName's. That should make it possible for others to
use GnuTLS APIs instead of having to use libtasn1 directly, for other
unsupported SAN's.

/Simon

From simon at josefsson.org Thu Feb 8 08:27:04 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 08 Feb 2007 08:27:04 +0100
Subject: [Help-gnutls] Re: Verifying subjectAltNames
In-Reply-To: <87hctx9l8n.fsf@latte.josefsson.org> (Simon Josefsson's message of "Thu\, 08 Feb 2007 08\:11\:52 +0100")
References: <45B958D7.6000007@tthias.eu> <87y7npdcmm.fsf@latte.josefsson.org> <45BA6C88.2080201@tthias.eu> <87ps8xbo8o.fsf@latte.josefsson.org> <45BE5ABF.6020005@tthias.eu> <45CA4468.6020704@tthias.eu> <87hctx9l8n.fsf@latte.josefsson.org>
Message-ID: <87d54l9kjb.fsf@latte.josefsson.org>

Simon Josefsson writes:

> ...yes, I think we should do this. I have a partial implementation
> working now, but I could use a sample certificate with a
> id-on-xmppAddr to finish it. Could you send me one? I'll try to
> figure out how to create such a certificate using certtool as well...

No need, I figured enough of the XMPP protocol to get gnutls-cli to
STARTTLS to it, so I got jabber.org's certificate. This should be
implemented soon.

/Simon

From simon at josefsson.org Thu Feb 8 09:43:07 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 08 Feb 2007 09:43:07 +0100
Subject: [Help-gnutls] Re: Verifying subjectAltNames
In-Reply-To: <87d54l9kjb.fsf@latte.josefsson.org> (Simon Josefsson's message of "Thu\, 08 Feb 2007 08\:27\:04 +0100")
References: <45B958D7.6000007@tthias.eu> <87y7npdcmm.fsf@latte.josefsson.org> <45BA6C88.2080201@tthias.eu> <87ps8xbo8o.fsf@latte.josefsson.org> <45BE5ABF.6020005@tthias.eu> <45CA4468.6020704@tthias.eu> <87hctx9l8n.fsf@latte.josefsson.org> <87d54l9kjb.fsf@latte.josefsson.org>
Message-ID: <878xf99h0k.fsf@latte.josefsson.org>

Simon Josefsson writes:

> Simon Josefsson writes:
>
>> ...yes, I think we should do this.
>> I have a partial implementation
>> working now, but I could use a sample certificate with a
>> id-on-xmppAddr to finish it. Could you send me one? I'll try to
>> figure out how to create such a certificate using certtool as well...
>
> No need, I figured enough of the XMPP protocol to get gnutls-cli to
> STARTTLS to it, so I got jabber.org's certificate. This should be
> implemented soon.

Ok, we now have generic support for otherName's in SAN, and specific
support for XMPP. The NEWS entry is:

** Support for 'otherName' Subject Alternative Names.
The existing API gnutls_x509_crt_get_subject_alt_name may now return
the new type GNUTLS_SAN_OTHERNAME together with the otherName value.
To find out the otherName OID (necessary for proper parsing of the
value), use the new API gnutls_x509_crt_get_subject_alt_othername_oid.
For known OIDs, gnutls_x509_crt_get_subject_alt_othername_oid will
return "virtual" SAN values, e.g., GNUTLS_SAN_OTHERNAME_XMPP to
simplify OID matching. Suggested by Matthias Wimmer.

** Certtool can print otherName SAN values for certificates.
For known otherName OIDs (currently only id-on-xmppAddr as defined by
RFC 3920), it will also print the name.

...

** API and ABI modifications:
gnutls_x509_crt_get_subject_alt_othername_oid: ADD.
GNUTLS_SAN_OTHERNAME: ADD, new gnutls_x509_subject_alt_name_t element.
GNUTLS_SAN_OTHERNAME_XMPP: ADD, new gnutls_x509_subject_alt_name_t element.

For the jabber.org certificate, certtool in CVS prints:

        X.509 Extensions:
                Subject Alternative name:
                        otherName:
                                DER: 0c0a6a61626265722e6f7267
                                ASCII: ..jabber.org
                                OID: 1.3.6.1.5.5.7.8.5 (id-on-xmppAddr)
                        DNSname: jabber.org
                        DNSname: *.jabber.org
...

I'm not sure whether the 0c0a should have been stripped or not.
Possibly libtasn1 should have done that. It looks like length fields
(the first 0c includes the second length field and the final zero, the
second 0a gives the length of the string without the final zero).
Feedback on that would be appreciated.
I suspect the lengths are specific to UTF8String, so
gnutls_x509_crt_get_subject_alt_name probably shouldn't mess with it.
But I'm not sure. If it helps, we can provide a decoding function for
UTF8String if you like, though.

I slightly changed the API since earlier e-mails, so that
gnutls_x509_crt_get_subject_alt_name doesn't return the
GNUTLS_SAN_OTHERNAME_* types. It was easier to implement and will be
easier to use too.

Let me know if this looks good for you, and I'll release 1.7.6.

/Simon

From dellanna at csp.it Thu Feb 8 10:50:27 2007
From: dellanna at csp.it (dellanna at csp.it)
Date: Thu, 8 Feb 2007 10:50:27 +0100
Subject: [Help-gnutls] manual GnuTLS
In-Reply-To: <87tzxy9ceq.fsf@latte.josefsson.org>
References: <87sldovkfx.fsf@latte.josefsson.org> <1170418623.45c32bbf0d773@csa.csp.it> <87k5z0vgm7.fsf@latte.josefsson.org> <1170431003.45c35c1b29a34@csa.csp.it> <87tzxzg4yz.fsf@latte.josefsson.org> <1170841081.45c99df937538@csa.csp.it> <87ps8mb82b.fsf@latte.josefsson.org> <1170855697.45c9d7118c6d4@csa.csp.it> <877iuuawq2.fsf@latte.josefsson.org> <1170860360.45c9e94832994@csa.csp.it> <873b5iatbw.fsf@latte.josefsson.org> <1170864162.45c9f822ee08e@csa.csp.it> <87tzxy9ceq.fsf@latte.josefsson.org>
Message-ID: <1170928227.45caf26307302@csa.csp.it>

Hi all,
in the gnutls manual, subsection 7.4.3 there is an example "Echo server with
OpenPGP".
I see this example but it uses X.509 certificates and not pgp keys. Is it an
error in the title?

Simone.
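Added example, in C since that is GnuTLS's own language, and not code from GnuTLS or from any of the posts above. It serves both the interface Simon sketches in the Verifying subjectAltNames thread (hand the raw otherName value plus its OID to the caller and let the caller interpret it) and the id-on-xmppAddr check Matthias implemented: it decodes the otherName value certtool printed for jabber.org and runs the subjectAltName match an RFC 3920 server performs. On the 0c0a question in Simon's message: in DER the first byte is the tag (0x0c is UTF8String) and the second is the content length (0x0a = 10, the ten bytes of "jabber.org"); there is no trailing zero in the encoding, so a caller strips exactly that two-byte header. The struct san layout, the single-label dNSName wildcard rule, the "xmppAddr first, then dNSName" policy and the truncated variant are this example's own assumptions, not GnuTLS behaviour.

```c
/* Added example, not GnuTLS code: decode the DER otherName value certtool
 * printed for jabber.org and check subjectAltName entries against an XMPP
 * domain the way an RFC 3920 server would. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OID_XMPPADDR "1.3.6.1.5.5.7.8.5" /* id-on-xmppAddr (RFC 3920) */

enum san_type { SAN_DNSNAME, SAN_OTHERNAME };
struct san {                /* layout assumed for this example */
    enum san_type type;
    const char *oid;        /* dotted OID for SAN_OTHERNAME, else NULL */
    const uint8_t *value;   /* dNSName text, or raw DER otherName value */
    size_t len;
};

/* Decode a DER UTF8String TLV (tag 0x0c, one-byte length, content).
 * Returns the content length and, if out is non-NULL, where the content
 * starts; -1 if the tag is wrong, the length uses the long form (128+
 * bytes, not expected here and rejected rather than guessed at), or the
 * declared content runs past the end of the buffer. */
int der_utf8string(const uint8_t *der, size_t len, const uint8_t **out)
{
    size_t n;
    if (len < 2 || der[0] != 0x0c || (der[1] & 0x80))
        return -1;
    n = der[1];
    if (n > len - 2)
        return -1;
    if (out)
        *out = der + 2;
    return (int)n;
}

/* Case-insensitive equality of a length-delimited name and a C string. */
static int name_eq(const uint8_t *a, size_t alen, const char *b)
{
    if (alen != strlen(b))
        return 0;
    while (alen--)
        if (tolower(a[alen]) != tolower((unsigned char)b[alen]))
            return 0;
    return 1;
}

/* 1 if the otherName value is a UTF8String equal to domain, else 0. */
int othername_xmpp_equals(const uint8_t *der, size_t len, const char *domain)
{
    const uint8_t *s;
    int n = der_utf8string(der, len, &s);
    return n >= 0 && name_eq(s, (size_t)n, domain);
}

/* dNSName: exact match, or "*.suffix" covering exactly one extra label. */
static int dnsname_match(const uint8_t *name, size_t len, const char *host)
{
    const char *dot = strchr(host, '.');
    if (name_eq(name, len, host))
        return 1;
    if (len < 3 || name[0] != '*' || name[1] != '.' || dot == NULL || dot == host)
        return 0;
    return name_eq(name + 2, len - 2, dot + 1);
}

/* Policy chosen for this example (not from the list): an id-on-xmppAddr
 * otherName equal to the domain wins, otherwise fall back to dNSName.
 * Unknown OIDs and undecodable values are skipped, never matched. */
int san_matches_xmpp(const struct san *sans, size_t n, const char *domain)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (sans[i].type == SAN_OTHERNAME && sans[i].oid != NULL &&
            strcmp(sans[i].oid, OID_XMPPADDR) == 0 &&
            othername_xmpp_equals(sans[i].value, sans[i].len, domain))
            return 1;
    for (i = 0; i < n; i++)
        if (sans[i].type == SAN_DNSNAME &&
            dnsname_match(sans[i].value, sans[i].len, domain))
            return 1;
    return 0;
}

/* Constructed test data. jabber_othername is the value certtool printed
 * above (0c = UTF8String tag, 0a = length 10); the rest is made up here. */
const uint8_t jabber_othername[] = { 0x0c, 0x0a, 'j','a','b','b','e','r','.','o','r','g' };
/* Malformed variant: the length byte says 11 but only 10 bytes follow. */
const uint8_t jabber_othername_truncated[] = { 0x0c, 0x0b, 'j','a','b','b','e','r','.','o','r','g' };
const struct san jabber_sans[] = {
    { SAN_OTHERNAME, OID_XMPPADDR, jabber_othername, sizeof jabber_othername },
    { SAN_DNSNAME, NULL, (const uint8_t *)"jabber.org", 10 },
    { SAN_DNSNAME, NULL, (const uint8_t *)"*.jabber.org", 12 },
};
#define JABBER_NSANS (sizeof jabber_sans / sizeof jabber_sans[0])

int main(void)
{
    printf("otherName content length: %d\n", der_utf8string(jabber_othername, sizeof jabber_othername, NULL));
    printf("chat.jabber.org matches: %d\n", san_matches_xmpp(jabber_sans, JABBER_NSANS, "chat.jabber.org"));
    return 0;
}
```

Build it with the C compiler of your choice and run it. The truncated variant is the reason the decoder checks the declared length against the buffer before handing out a pointer: a caller that trusted the length byte would read past the end of the otherName value, and the matcher treats such an entry as no match rather than as a parse of whatever happens to follow it in memory.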
From dellanna at csp.it Thu Feb 8 12:12:26 2007
From: dellanna at csp.it (dellanna at csp.it)
Date: Thu, 8 Feb 2007 12:12:26 +0100
Subject: [Help-gnutls] gnutls/extra.h
In-Reply-To: <878xf99h0k.fsf@latte.josefsson.org>
References: <45B958D7.6000007@tthias.eu> <87y7npdcmm.fsf@latte.josefsson.org> <45BA6C88.2080201@tthias.eu> <87ps8xbo8o.fsf@latte.josefsson.org> <45BE5ABF.6020005@tthias.eu> <45CA4468.6020704@tthias.eu> <87hctx9l8n.fsf@latte.josefsson.org> <87d54l9kjb.fsf@latte.josefsson.org> <878xf99h0k.fsf@latte.josefsson.org>
Message-ID: <1170933146.45cb059ae8528@csa.csp.it>

Hi all,
can someone send me the package gnutls/extra.h?
If I run
cc -o ex-serv-pgp ex-serv-pgp.c -I/usr/lib/ -L/usr/lib/ -lgnutls
it returns

/tmp/ccAoyU22.o: In function `main':ex-serv-pgp.c:(.text+0x100): undefined
reference to `gnutls_certificate_set_openpgp_keyring_file'

This function is in gnutls\extra.h. Isn't it installed by default with gnutls?

Simone.

From smurf at smurf.noris.de Thu Feb 8 12:17:35 2007
From: smurf at smurf.noris.de (Matthias Urlichs)
Date: Thu, 8 Feb 2007 12:17:35 +0100
Subject: [Help-gnutls] gnutls/extra.h
In-Reply-To: <1170933146.45cb059ae8528@csa.csp.it>
References: <45B958D7.6000007@tthias.eu> <87y7npdcmm.fsf@latte.josefsson.org> <45BA6C88.2080201@tthias.eu> <87ps8xbo8o.fsf@latte.josefsson.org> <45BE5ABF.6020005@tthias.eu> <45CA4468.6020704@tthias.eu> <87hctx9l8n.fsf@latte.josefsson.org> <87d54l9kjb.fsf@latte.josefsson.org> <878xf99h0k.fsf@latte.josefsson.org> <1170933146.45cb059ae8528@csa.csp.it>
Message-ID: <20070208111735.GP25410@kiste.smurf.noris.de>

Hi,

dellanna at csp.it:
> can someone send me the package gnutls/extra.h?

No. ;-)

> If I run
> cc -o ex-serv-pgp ex-serv-pgp.c -I/usr/lib/ -L/usr/lib/ -lgnutls

The -I and -L options are superfluous. You need -lgnutls-extra.

> This function is in gnutls\extra.h. Isn't it installed by default with gnutls?
gnutls/extra.h doesn't contain any functions. It does contain a few
function *prototypes*, but that's not the same thing.

-- 
Matthias Urlichs | {M:U} IT Design @ m-u-it.de | smurf at smurf.noris.de
Disclaimer: The quote was selected randomly. Really. | http://smurf.noris.de
 - -
Promising costs nothing, it's the delivering that kills you.

From simon at josefsson.org Thu Feb 8 15:44:09 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 08 Feb 2007 15:44:09 +0100
Subject: [Help-gnutls] Re: manual GnuTLS
In-Reply-To: <1170928227.45caf26307302@csa.csp.it> (dellanna@csp.it's message of "Thu\, 8 Feb 2007 10\:50\:27 +0100")
References: <87sldovkfx.fsf@latte.josefsson.org> <1170418623.45c32bbf0d773@csa.csp.it> <87k5z0vgm7.fsf@latte.josefsson.org> <1170431003.45c35c1b29a34@csa.csp.it> <87tzxzg4yz.fsf@latte.josefsson.org> <1170841081.45c99df937538@csa.csp.it> <87ps8mb82b.fsf@latte.josefsson.org> <1170855697.45c9d7118c6d4@csa.csp.it> <877iuuawq2.fsf@latte.josefsson.org> <1170860360.45c9e94832994@csa.csp.it> <873b5iatbw.fsf@latte.josefsson.org> <1170864162.45c9f822ee08e@csa.csp.it> <87tzxy9ceq.fsf@latte.josefsson.org> <1170928227.45caf26307302@csa.csp.it>
Message-ID: <874ppwaeva.fsf@latte.josefsson.org>

dellanna at csp.it writes:

> Hi all,
> in the gnutls manual, subsection 7.4.3 there is an example "Echo server with
> OpenPGP".
> I see this example but it uses X.509 certificates and not pgp keys. Is it an
> error in the title?

Where are you looking?
It does use pgp keys, see:

http://www.gnu.org/software/gnutls/manual/html_node/Echo-Server-with-OpenPGP-authentication.html

/Simon

From simon at josefsson.org Thu Feb 8 15:46:33 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 08 Feb 2007 15:46:33 +0100
Subject: [Help-gnutls] Re: gnutls/extra.h
In-Reply-To: <1170933146.45cb059ae8528@csa.csp.it> (dellanna@csp.it's message of "Thu\, 8 Feb 2007 12\:12\:26 +0100")
References: <45B958D7.6000007@tthias.eu> <87y7npdcmm.fsf@latte.josefsson.org> <45BA6C88.2080201@tthias.eu> <87ps8xbo8o.fsf@latte.josefsson.org> <45BE5ABF.6020005@tthias.eu> <45CA4468.6020704@tthias.eu> <87hctx9l8n.fsf@latte.josefsson.org> <87d54l9kjb.fsf@latte.josefsson.org> <878xf99h0k.fsf@latte.josefsson.org> <1170933146.45cb059ae8528@csa.csp.it>
Message-ID: <87zm7o906u.fsf@latte.josefsson.org>

dellanna at csp.it writes:

> Hi all,
> can someone send me the package gnutls/extra.h?
> If I run
> cc -o ex-serv-pgp ex-serv-pgp.c -I/usr/lib/ -L/usr/lib/ -lgnutls
> it returns
>
> /tmp/ccAoyU22.o: In function `main':ex-serv-pgp.c:(.text+0x100): undefined
> reference to `gnutls_certificate_set_openpgp_keyring_file'
>
> This function is in gnutls\extra.h. Isn't it installed by default with gnutls?

You need to read the manual more carefully.
The OpenPGP support is in the libgnutls-extra library, so you'll need
to link to it too:

cc -o ex-serv-pgp ex-serv-pgp.c -lgnutls -lgnutls-extra

/Simon

From simon at josefsson.org Thu Feb 8 21:54:13 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 08 Feb 2007 21:54:13 +0100
Subject: [Help-gnutls] Re: manual GnuTLS
In-Reply-To: <1170946974.45cb3b9ea8b72@csa.csp.it> (dellanna@csp.it's message of "Thu\, 8 Feb 2007 16\:02\:54 +0100")
References: <87sldovkfx.fsf@latte.josefsson.org> <1170418623.45c32bbf0d773@csa.csp.it> <87k5z0vgm7.fsf@latte.josefsson.org> <1170431003.45c35c1b29a34@csa.csp.it> <87tzxzg4yz.fsf@latte.josefsson.org> <1170841081.45c99df937538@csa.csp.it> <87ps8mb82b.fsf@latte.josefsson.org> <1170855697.45c9d7118c6d4@csa.csp.it> <877iuuawq2.fsf@latte.josefsson.org> <1170860360.45c9e94832994@csa.csp.it> <873b5iatbw.fsf@latte.josefsson.org> <1170864162.45c9f822ee08e@csa.csp.it> <87tzxy9ceq.fsf@latte.josefsson.org> <1170928227.45caf26307302@csa.csp.it> <874ppwaeva.fsf@latte.josefsson.org> <1170946974.45cb3b9ea8b72@csa.csp.it>
Message-ID: <87r6t08j62.fsf@latte.josefsson.org>

dellanna at csp.it writes:

> Hi,
> thank you for the correct link.
> In the pdf version that I sent you as an attachment, there is an error.
> I think it is a "writing" error because on page 68 there is the following row:
>
> gnutls_certificate_credentials_t x509_cred;
>
> and on the same page there is:
>
> gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred).

Yes, you are right, and that was fixed some time ago. You can get
the latest manual from . There have been many improvements since
the version you appear to be using, so I recommend to upgrade to
avoid these kinds of problems.

/Simon

> Simone.
>
> Scrive Simon Josefsson :
>
>> dellanna at csp.it writes:
>>
>> > Hi all,
>> > in the gnutls manual, subsection 7.4.3 there is an example "Echo server with
>> > OpenPGP".
>> > I see this example but it uses X.509 certificates and not pgp keys.
Is it an >> error >> > in the title? >> >> Where are you looking? It does use pgp keys, see: >> >> > http://www.gnu.org/software/gnutls/manual/html_node/Echo-Server-with-OpenPGP-authentication.html >> >> /Simon >> >> > > > > > ---------------------------------------------------------------- > This message was sent using IMP, the Internet Messaging Program. From dellanna at csp.it Fri Feb 9 14:44:19 2007 From: dellanna at csp.it (dellanna at csp.it) Date: Fri, 9 Feb 2007 14:44:19 +0100 Subject: [Help-gnutls] ex-serv-pgp In-Reply-To: <87r6t08j62.fsf@latte.josefsson.org> References: <87sldovkfx.fsf@latte.josefsson.org> <1170418623.45c32bbf0d773@csa.csp.it> <87k5z0vgm7.fsf@latte.josefsson.org> <1170431003.45c35c1b29a34@csa.csp.it> <87tzxzg4yz.fsf@latte.josefsson.org> <1170841081.45c99df937538@csa.csp.it> <87ps8mb82b.fsf@latte.josefsson.org> <1170855697.45c9d7118c6d4@csa.csp.it> <877iuuawq2.fsf@latte.josefsson.org> <1170860360.45c9e94832994@csa.csp.it> <873b5iatbw.fsf@latte.josefsson.org> <1170864162.45c9f822ee08e@csa.csp.it> <87tzxy9ceq.fsf@latte.josefsson.org> <1170928227.45caf26307302@csa.csp.it> <874ppwaeva.fsf@latte.josefsson.org> <1170946974.45cb3b9ea8b72@csa.csp.it> <87r6t08j62.fsf@latte.josefsson.org> Message-ID: <1171028659.45cc7ab380d42@csa.csp.it> Hi all, I tried to test the example in manual "Echo Server with OpenPGP" (subsection 7.4.3). It work correctly on server side; infact it return "Echo Server ready. Listening to port '5556' ", But on client side I used gnutls-client. The problem is the following: 1. if I run gnutls-cli -p 5556 hostname on server side was returned "handshake failed" 2. If I run gnutls-cli -p 5556 hostname -s was returned the same error. I think this error was occur because the server wait to receive pgp key, isn't it? I'm not very familiar with gnutls-cli; how can I use it to test authentication-pgp? If I use "man gnutls-cli" it return the manual but it is vey short :). Simone. 
---------------------------------------------------------------- This message was sent using IMP, the Internet Messaging Program. From simon at josefsson.org Fri Feb 9 14:49:42 2007 From: simon at josefsson.org (Simon Josefsson) Date: Fri, 09 Feb 2007 14:49:42 +0100 Subject: [Help-gnutls] Re: ex-serv-pgp In-Reply-To: <1171028659.45cc7ab380d42@csa.csp.it> (dellanna@csp.it's message of "Fri\, 9 Feb 2007 14\:44\:19 +0100") References: <87sldovkfx.fsf@latte.josefsson.org> <1170418623.45c32bbf0d773@csa.csp.it> <87k5z0vgm7.fsf@latte.josefsson.org> <1170431003.45c35c1b29a34@csa.csp.it> <87tzxzg4yz.fsf@latte.josefsson.org> <1170841081.45c99df937538@csa.csp.it> <87ps8mb82b.fsf@latte.josefsson.org> <1170855697.45c9d7118c6d4@csa.csp.it> <877iuuawq2.fsf@latte.josefsson.org> <1170860360.45c9e94832994@csa.csp.it> <873b5iatbw.fsf@latte.josefsson.org> <1170864162.45c9f822ee08e@csa.csp.it> <87tzxy9ceq.fsf@latte.josefsson.org> <1170928227.45caf26307302@csa.csp.it> <874ppwaeva.fsf@latte.josefsson.org> <1170946974.45cb3b9ea8b72@csa.csp.it> <87r6t08j62.fsf@latte.josefsson.org> <1171028659.45cc7ab380d42@csa.csp.it> Message-ID: <87odo34f0p.fsf@latte.josefsson.org> dellanna at csp.it writes: > Hi all, > I tried to test the example in manual "Echo Server with OpenPGP" (subsection > 7.4.3). > It work correctly on server side; infact it return "Echo Server ready. Listening > to port '5556' ", > But on client side I used gnutls-client. The problem is the following: > 1. if I run gnutls-cli -p 5556 hostname on server side was returned "handshake > failed" > 2. If I run gnutls-cli -p 5556 hostname -s was returned the same error. > > I think this error was occur because the server wait to receive pgp key, isn't > it? > > I'm not very familiar with gnutls-cli; how can I use it to test > authentication-pgp? > If I use "man gnutls-cli" it return the manual but it is vey short :). Are you still using gnutls 1.4.4? Run 'gnutls-cli --version' to find out. 
If so, I think you'll need to upgrade, there has been several OpenPGP related fixes since that release. I don't provide unpaid support for old versions. Btw, you can test whether your gnutls-cli is OK or not by pointing it at test.gnutls.org. With the latest release, the following works: $ gnutls-cli -p 5556 test.gnutls.org Resolving 'test.gnutls.org'... Connecting to '217.13.230.178:5556'... - Successfully sent 0 certificate(s) to server. - Certificate type: OpenPGP # The hostname in the key matches 'test.gnutls.org'. # Key was created at: Tue Feb 6 16:27:20 CET 2007 # Key expires: Never # PGP Key version: 4 # PGP Key public key algorithm: DSA (1024 bits) # PGP Key fingerprint: 59:6B:97:17:CB:98:9A:14:25:FE:AD:1C:AE:5F:AD:3E:5D:1D:14:D8 # NAME: test.gnutls.org - Peer's key is valid - Could not find a signer of the peer's key - Version: TLS 1.2 - Key Exchange: DHE DSS - Cipher: AES 256 CBC - MAC: SHA - Compression: LZO - Handshake was completed - Simple Client Mode: /Simon From dellanna at csp.it Fri Feb 9 15:03:33 2007 From: dellanna at csp.it (dellanna at csp.it) Date: Fri, 9 Feb 2007 15:03:33 +0100 Subject: [Help-gnutls] Re: ex-serv-pgp In-Reply-To: <87odo34f0p.fsf@latte.josefsson.org> References: <87sldovkfx.fsf@latte.josefsson.org> <1170418623.45c32bbf0d773@csa.csp.it> <87k5z0vgm7.fsf@latte.josefsson.org> <1170431003.45c35c1b29a34@csa.csp.it> <87tzxzg4yz.fsf@latte.josefsson.org> <1170841081.45c99df937538@csa.csp.it> <87ps8mb82b.fsf@latte.josefsson.org> <1170855697.45c9d7118c6d4@csa.csp.it> <877iuuawq2.fsf@latte.josefsson.org> <1170860360.45c9e94832994@csa.csp.it> <873b5iatbw.fsf@latte.josefsson.org> <1170864162.45c9f822ee08e@csa.csp.it> <87tzxy9ceq.fsf@latte.josefsson.org> <1170928227.45caf26307302@csa.csp.it> <874ppwaeva.fsf@latte.josefsson.org> <1170946974.45cb3b9ea8b72@csa.csp.it> <87r6t08j62.fsf@latte.josefsson.org> <1171028659.45cc7ab380d42@csa.csp.it> <87odo34f0p.fsf@latte.josefsson.org> Message-ID: <1171029813.45cc7f358ea00@csa.csp.it> Ok, the version 
of my gnutls-client is 1.2.9 and the output of the test is the following:

resolving 'test.gnutls.org'...
Connecting to '217.13.230.178:5556'...
- Successfully sent 0 certificate(s) to server.
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
 # The hostname in the certificate matches 'test.gnutls.org'.
 # valid since: Tue Feb 6 14:02:11 CET 2007
 # expires at: Wed Feb 6 14:02:11 CET 2008
 # fingerprint: CB:4A:00:E0:65:A5:C3:9D:E0:5D:AB:CF:3A:2C:82:74
 # Subject's DN: O=GnuTLS test server,CN=test.gnutls.org
 # Issuer's DN: CN=GnuTLS test CA
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS 1.1
- Key Exchange: DHE RSA
- Cipher: AES 256 CBC
- MAC: SHA
- Compression: DEFLATE
- Handshake was completed

- Simple Client Mode:

As you can see, it doesn't support OpenPGP. Can you send me a link to the latest version of gnutls-cli, please?

Simone.

Scrive Simon Josefsson :

> dellanna at csp.it writes:
>
> > Hi all,
> > I tried to test the example in manual "Echo Server with OpenPGP" (subsection
> > 7.4.3).
> > It work correctly on server side; infact it return "Echo Server ready. Listening
> > to port '5556' ",
> > But on client side I used gnutls-client. The problem is the following:
> > 1. if I run gnutls-cli -p 5556 hostname on server side was returned "handshake
> > failed"
> > 2. If I run gnutls-cli -p 5556 hostname -s was returned the same error.
> >
> > I think this error was occur because the server wait to receive pgp key, isn't
> > it?
> >
> > I'm not very familiar with gnutls-cli; how can I use it to test
> > authentication-pgp?
> > If I use "man gnutls-cli" it return the manual but it is vey short :).
>
> Are you still using gnutls 1.4.4? Run 'gnutls-cli --version' to find
> out. If so, I think you'll need to upgrade, there has been several
> OpenPGP related fixes since that release. I don't provide unpaid
> support for old versions.
> > Btw, you can test whether your gnutls-cli is OK or not by pointing it > at test.gnutls.org. With the latest release, the following works: > > $ gnutls-cli -p 5556 test.gnutls.org > Resolving 'test.gnutls.org'... > Connecting to '217.13.230.178:5556'... > - Successfully sent 0 certificate(s) to server. > - Certificate type: OpenPGP > # The hostname in the key matches 'test.gnutls.org'. > # Key was created at: Tue Feb 6 16:27:20 CET 2007 > # Key expires: Never > # PGP Key version: 4 > # PGP Key public key algorithm: DSA (1024 bits) > # PGP Key fingerprint: > 59:6B:97:17:CB:98:9A:14:25:FE:AD:1C:AE:5F:AD:3E:5D:1D:14:D8 > # NAME: test.gnutls.org > > - Peer's key is valid > - Could not find a signer of the peer's key > - Version: TLS 1.2 > - Key Exchange: DHE DSS > - Cipher: AES 256 CBC > - MAC: SHA > - Compression: LZO > - Handshake was completed > > - Simple Client Mode: > > /Simon > > ---------------------------------------------------------------- This message was sent using IMP, the Internet Messaging Program. 
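A check for transcripts like the two above, added here as an example that is not part of the thread or of GnuTLS. Both runs against test.gnutls.org end in "Handshake was completed" although neither peer was verified: the 1.2.9 run prints "Peer's certificate is NOT trusted" and the 1.7.x run prints "Could not find a signer of the peer's key". gnutls-cli of this era still drops into "Simple Client Mode" in that state, so a completed handshake proves only that the client negotiated TLS. The script below classifies a transcript by those trust lines; the transcript excerpts are the ones posted in this thread except the trusted one, which is constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from GnuTLS: grade a gnutls-cli
# transcript instead of trusting its final "Handshake was completed" line.

# Certificate type announced in the transcript ("X.509", "OpenPGP"), or
# "none" when the handshake never got that far.
cert_type() {
    t=$(printf '%s\n' "$1" | sed -n 's/^- Certificate type: \([A-Za-z0-9.]*\).*/\1/p' | head -n 1)
    if [ -n "$t" ]; then printf '%s\n' "$t"; else printf 'none\n'; fi
}

# One word per transcript:
#   failed        - no "Handshake was completed" line at all
#   unverified    - handshake done, but the peer's certificate or key was not
#                   chained to a trusted issuer or signer
#   authenticated - handshake done and gnutls-cli reported the peer as trusted
handshake_verdict() {
    if ! printf '%s\n' "$1" | grep -q 'Handshake was completed'; then
        printf 'failed\n'
    elif printf '%s\n' "$1" | grep -q -e 'NOT trusted' -e 'Could not find a signer' -e 'issuer is unknown'; then
        printf 'unverified\n'
    elif printf '%s\n' "$1" | grep -q "Peer's certificate is trusted"; then
        printf 'authenticated\n'
    else
        # Handshake done but no trust line at all: never treat that as verified.
        printf 'unverified\n'
    fi
}

# Excerpt from the thread: gnutls-cli 1.2.9 against test.gnutls.org.
X509_1_2_9=$(cat <<'EOF'
- Successfully sent 0 certificate(s) to server.
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
 # The hostname in the certificate matches 'test.gnutls.org'.
 # Subject's DN: O=GnuTLS test server,CN=test.gnutls.org
 # Issuer's DN: CN=GnuTLS test CA
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS 1.1
- Key Exchange: DHE RSA
- Handshake was completed
EOF
)

# Excerpt from the thread: gnutls-cli 1.7.x, same server, OpenPGP key.
PGP_1_7=$(cat <<'EOF'
- Successfully sent 0 certificate(s) to server.
- Certificate type: OpenPGP
 # The hostname in the key matches 'test.gnutls.org'.
 # NAME: test.gnutls.org
- Peer's key is valid
- Could not find a signer of the peer's key
- Version: TLS 1.2
- Key Exchange: DHE DSS
- Handshake was completed
EOF
)

# Excerpt from the thread: the libgnutls / libgnutls-extra mismatch.
BROKEN=$(cat <<'EOF'
global_init_extra: The GnuTLS library version does not match the GnuTLS-extra library version.
Resolving 'test.gnutls.org'...
Connecting to '217.13.230.178:5556'...
*** Fatal error: The initialization of GnuTLS-extra has failed.
*** Handshake has failed
EOF
)

# Constructed, not from the thread: a verified X.509 peer, as printed when
# gnutls-cli was handed the issuing CA with --x509cafile.
TRUSTED=$(cat <<'EOF'
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Peer's certificate is trusted
- Version: TLS 1.1
- Handshake was completed
EOF
)

for name in X509_1_2_9 PGP_1_7 BROKEN TRUSTED; do
    eval "t=\$$name"
    printf '%-10s type=%-8s verdict=%s\n' "$name" "$(cert_type "$t")" "$(handshake_verdict "$t")"
done
```

To use it on a live run, pipe the client through it, for example `gnutls-cli --port 5556 test.gnutls.org </dev/null 2>&1 | ...` captured into a variable, and fail the test unless the verdict is `authenticated`; for the OpenPGP case that additionally requires giving gnutls-cli a keyring that contains a signer of the server key.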
From simon at josefsson.org Fri Feb 9 15:14:26 2007 From: simon at josefsson.org (Simon Josefsson) Date: Fri, 09 Feb 2007 15:14:26 +0100 Subject: [Help-gnutls] Re: ex-serv-pgp In-Reply-To: <1171029813.45cc7f358ea00@csa.csp.it> (dellanna@csp.it's message of "Fri\, 9 Feb 2007 15\:03\:33 +0100") References: <87sldovkfx.fsf@latte.josefsson.org> <1170418623.45c32bbf0d773@csa.csp.it> <87k5z0vgm7.fsf@latte.josefsson.org> <1170431003.45c35c1b29a34@csa.csp.it> <87tzxzg4yz.fsf@latte.josefsson.org> <1170841081.45c99df937538@csa.csp.it> <87ps8mb82b.fsf@latte.josefsson.org> <1170855697.45c9d7118c6d4@csa.csp.it> <877iuuawq2.fsf@latte.josefsson.org> <1170860360.45c9e94832994@csa.csp.it> <873b5iatbw.fsf@latte.josefsson.org> <1170864162.45c9f822ee08e@csa.csp.it> <87tzxy9ceq.fsf@latte.josefsson.org> <1170928227.45caf26307302@csa.csp.it> <874ppwaeva.fsf@latte.josefsson.org> <1170946974.45cb3b9ea8b72@csa.csp.it> <87r6t08j62.fsf@latte.josefsson.org> <1171028659.45cc7ab380d42@csa.csp.it> <87odo34f0p.fsf@latte.josefsson.org> <1171029813.45cc7f358ea00@csa.csp.it> Message-ID: <87k5yr4dvh.fsf@latte.josefsson.org> dellanna at csp.it writes: > Ok, > the version of my gnutls-client is 1.2.9 and the output of test is the > following: ... Try starting it with '--ctypes openpgp'. However, I suspect it is too old. > As you can see, It don't support OpenPGP. Can you send me link of > latest version of gnutls-cli, please? See . 
/Simon From simon at josefsson.org Fri Feb 9 15:17:31 2007 From: simon at josefsson.org (Simon Josefsson) Date: Fri, 09 Feb 2007 15:17:31 +0100 Subject: [Help-gnutls] Re: ex-serv-pgp In-Reply-To: <87k5yr4dvh.fsf@latte.josefsson.org> (Simon Josefsson's message of "Fri\, 09 Feb 2007 15\:14\:26 +0100") References: <1170418623.45c32bbf0d773@csa.csp.it> <87k5z0vgm7.fsf@latte.josefsson.org> <1170431003.45c35c1b29a34@csa.csp.it> <87tzxzg4yz.fsf@latte.josefsson.org> <1170841081.45c99df937538@csa.csp.it> <87ps8mb82b.fsf@latte.josefsson.org> <1170855697.45c9d7118c6d4@csa.csp.it> <877iuuawq2.fsf@latte.josefsson.org> <1170860360.45c9e94832994@csa.csp.it> <873b5iatbw.fsf@latte.josefsson.org> <1170864162.45c9f822ee08e@csa.csp.it> <87tzxy9ceq.fsf@latte.josefsson.org> <1170928227.45caf26307302@csa.csp.it> <874ppwaeva.fsf@latte.josefsson.org> <1170946974.45cb3b9ea8b72@csa.csp.it> <87r6t08j62.fsf@latte.josefsson.org> <1171028659.45cc7ab380d42@csa.csp.it> <87odo34f0p.fsf@latte.josefsson.org> <1171029813.45cc7f358ea00@csa.csp.it> <87k5yr4dvh.fsf@latte.josefsson.org> Message-ID: <87fy9f4dqc.fsf@latte.josefsson.org> Simon Josefsson writes: >> As you can see, It don't support OpenPGP. Can you send me link of >> latest version of gnutls-cli, please? > > See . Btw, for better OpenPGP support, you will need the latest development branch. 
Get it from:

ftp://ftp.gnutls.org/pub/gnutls/devel

/Simon

From dellanna at csp.it Fri Feb 9 16:06:12 2007
From: dellanna at csp.it (dellanna at csp.it)
Date: Fri, 9 Feb 2007 16:06:12 +0100
Subject: [Help-gnutls] Re: ex-serv-pgp
In-Reply-To: <87fy9f4dqc.fsf@latte.josefsson.org>
References: <1170418623.45c32bbf0d773@csa.csp.it> <87k5z0vgm7.fsf@latte.josefsson.org> <1170431003.45c35c1b29a34@csa.csp.it> <87tzxzg4yz.fsf@latte.josefsson.org> <1170841081.45c99df937538@csa.csp.it> <87ps8mb82b.fsf@latte.josefsson.org> <1170855697.45c9d7118c6d4@csa.csp.it> <877iuuawq2.fsf@latte.josefsson.org> <1170860360.45c9e94832994@csa.csp.it> <873b5iatbw.fsf@latte.josefsson.org> <1170864162.45c9f822ee08e@csa.csp.it> <87tzxy9ceq.fsf@latte.josefsson.org> <1170928227.45caf26307302@csa.csp.it> <874ppwaeva.fsf@latte.josefsson.org> <1170946974.45cb3b9ea8b72@csa.csp.it> <87r6t08j62.fsf@latte.josefsson.org> <1171028659.45cc7ab380d42@csa.csp.it> <87odo34f0p.fsf@latte.josefsson.org> <1171029813.45cc7f358ea00@csa.csp.it> <87k5yr4dvh.fsf@latte.josefsson.org> <87fy9f4dqc.fsf@latte.josefsson.org>
Message-ID: <1171033572.45cc8de40fbc5@csa.csp.it>

Scrive Simon Josefsson :

> Btw, for better OpenPGP support, you will need the latest development
> branch. Get it from:
>
> ftp://ftp.gnutls.org/pub/gnutls/devel
>
> /Simon

I installed the new version of gnutls, but the problem that was returned is the same.
Any advice?

P.S. What does "Simple Client Mode" mean?

Simone

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

From dg at cowlark.com Sat Feb 10 18:07:54 2007
From: dg at cowlark.com (David Given)
Date: Sat, 10 Feb 2007 17:07:54 +0000
Subject: [Help-gnutls] Re: SMTP TLS & Thunderbird
In-Reply-To: <87lkj99m08.fsf@latte.josefsson.org>
References: <87zm7qbhkz.fsf@latte.josefsson.org> <87lkj99m08.fsf@latte.josefsson.org>
Message-ID:

Simon Josefsson wrote:
[...]
> Many programs refuse to work if the server doesn't have an X.509
> certificate, so yes, I'm afraid you'll have to add that to your
> server, or modify a lot of clients.

It's all working now, thanks. Although I will admit that setting all the code up was not pretty --- the documentation's very hazy on what the various functions return if something goes wrong (such as not being able to read the keyfiles), and I've found that in order to make it fall back on anonymous authentication if the keys don't work I have to call gnutls_kx_set_priority(), which surprises me as the documentation swears blind that it's ignored on servers.

Incidentally, my various early blundering attempts managed to get a number of things wrong, which caused gnutls-cli to fall over good and hard. Is this important?

-- 
http://www.cowlark.com
"I have always wished for my computer to be as easy to use as my
telephone; my wish has come true because I can no longer figure out how to
use my telephone." --- Bjarne Stroustrup

From simon at josefsson.org Mon Feb 12 10:03:14 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Mon, 12 Feb 2007 10:03:14 +0100
Subject: [Help-gnutls] Re: SMTP TLS & Thunderbird
In-Reply-To: (David Given's message of "Sat\, 10 Feb 2007 17\:07\:54 +0000")
References: <87zm7qbhkz.fsf@latte.josefsson.org> <87lkj99m08.fsf@latte.josefsson.org>
Message-ID: <87zm7j3fzh.fsf@latte.josefsson.org>

David Given writes:

> Simon Josefsson wrote:
> [...]
>> Many programs refuse to work if the server doesn't have an X.509
>> certificate, so yes, I'm afraid you'll have to add that to your
>> server, or modify a lot of clients.
>
> It's all working now, thanks.
> Although I will admit that setting all the code
> up was not pretty --- the documentation's very hazy on what the various
> functions return if something goes wrong (such as not being able to read the
> keyfiles)

This kind of feedback is very important; could you please describe in more detail what documentation led you wrong, and what mistakes you made? The documentation isn't perfect, but in order to know where to spend time improving it, it is useful to know where the weakest parts are.

> and I've found that in order to make it fall back on anonymous
> authentication if the keys don't work I have to call
> gnutls_kx_set_priority(), which surprises me as the documentation
> swears blind that it's ignored on servers.

Hm, the documentation for that function says:

 * Note that the priority is set on the client. The server does
 * not use the algorithm's priority except for disabling
 * algorithms that were not specified.

I suspect that is what happened. Did you call gnutls_set_default_priority() first, and thought it would be sufficient to get ANON to work? It isn't; if you want ANON to work, you must call gnutls_kx_set_priority(). The default cipher suite list doesn't include ANON, so the server will disable that KX unless you manually added it.

Hm. I'd agree that you don't really get the full picture from that docstring... I have had similar problems recently -- SRP/PSK isn't used unless you set them early in gnutls_kx_set_priority. It would be better if SRP/PSK were the first default KX's, and they disabled themselves unless there were SRP/PSK credentials available. I think that would better match the preferred logic of most applications. Few programs will prefer ANON cipher suites if they have set a valid and working SRP/PSK credential. I think the current logic is both sub-optimal and under-documented.
It would be better if gnutls_set_default_priority() enabled more ciphers by default (e.g., PSK/SRP and maybe ANON), and that other parts of GnuTLS disabled them if there aren't credentials available. In any case, the documentation should make it clear that you need to tinker with gnutls_*_set_priority to enable certain functionality.

> Incidentally, my various early blundering attempts managed to get a number of
> things wrong, which caused gnutls-cli to fall over good and hard. Is this
> important?

Yes, anything that fails hard is a serious bug. Please let me know!

/Simon

From dellanna at csp.it Mon Feb 12 11:26:58 2007
From: dellanna at csp.it (dellanna at csp.it)
Date: Mon, 12 Feb 2007 11:26:58 +0100
Subject: [Help-gnutls] gnutls open pgp
In-Reply-To: <87zm7j3fzh.fsf@latte.josefsson.org>
References: <87zm7qbhkz.fsf@latte.josefsson.org> <87lkj99m08.fsf@latte.josefsson.org> <87zm7j3fzh.fsf@latte.josefsson.org>
Message-ID: <1171276018.45d040f22852e@csa.csp.it>

Hi all,
can someone tell me where I can find a client with pgp authentication to test "Echo Server with OpenPGP authentication"? (example on page 68 of the manual).

This example:
1. Prepares the TLS connection;
2. Waits to accept the OpenPGP certificate.
Isn't it?

A client application is necessary that:
1. Connects to the server using a TLS connection;
2. Provides an OpenPGP certificate.

Is this scenario correct?

Simone.

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
From simon at josefsson.org Mon Feb 12 11:30:31 2007 From: simon at josefsson.org (Simon Josefsson) Date: Mon, 12 Feb 2007 11:30:31 +0100 Subject: [Help-gnutls] Re: ex-serv-pgp In-Reply-To: <1171033572.45cc8de40fbc5@csa.csp.it> (dellanna@csp.it's message of "Fri\, 9 Feb 2007 16\:06\:12 +0100") References: <1170431003.45c35c1b29a34@csa.csp.it> <87tzxzg4yz.fsf@latte.josefsson.org> <1170841081.45c99df937538@csa.csp.it> <87ps8mb82b.fsf@latte.josefsson.org> <1170855697.45c9d7118c6d4@csa.csp.it> <877iuuawq2.fsf@latte.josefsson.org> <1170860360.45c9e94832994@csa.csp.it> <873b5iatbw.fsf@latte.josefsson.org> <1170864162.45c9f822ee08e@csa.csp.it> <87tzxy9ceq.fsf@latte.josefsson.org> <1170928227.45caf26307302@csa.csp.it> <874ppwaeva.fsf@latte.josefsson.org> <1170946974.45cb3b9ea8b72@csa.csp.it> <87r6t08j62.fsf@latte.josefsson.org> <1171028659.45cc7ab380d42@csa.csp.it> <87odo34f0p.fsf@latte.josefsson.org> <1171029813.45cc7f358ea00@csa.csp.it> <87k5yr4dvh.fsf@latte.josefsson.org> <87fy9f4dqc.fsf@latte.josefsson.org> <1171033572.45cc8de40fbc5@csa.csp.it> Message-ID: <87abzj3by0.fsf@latte.josefsson.org> dellanna at csp.it writes: > Scrive Simon Josefsson : > >> Btw, for better OpenPGP support, you will need the latest development >> branch. Get it from: >> >> ftp://ftp.gnutls.org/pub/gnutls/devel >> >> /Simon >> >> > > I installed the new version of gnutls, but the problem that it was returned is > the same. > Any advise? Are you sure you are using the new gnutls-cli and not the old? Try this: $ gnutls-cli --version gnutls-cli (GnuTLS) 1.7.6 $ gnutls-cli --port 5556 test.gnutls.org Resolving 'test.gnutls.org'... Connecting to '217.13.230.178:5556'... - Successfully sent 0 certificate(s) to server. - Certificate type: OpenPGP # The hostname in the key matches 'test.gnutls.org'. 
 # Key was created at: Tue Feb 6 16:27:20 CET 2007
 # Key expires: Never
 # PGP Key version: 4
 # PGP Key public key algorithm: DSA (1024 bits)
 # PGP Key fingerprint: 59:6B:97:17:CB:98:9A:14:25:FE:AD:1C:AE:5F:AD:3E:5D:1D:14:D8
 # NAME: test.gnutls.org

- Peer's key is valid
- Could not find a signer of the peer's key
- Version: TLS 1.2
- Key Exchange: DHE DSS
- Cipher: AES 256 CBC
- MAC: SHA
- Compression: LZO
- Handshake was completed

- Simple Client Mode:

> P.S. What means "Simple Client Mode"?

It means that what you type into the client on stdin is sent to the server, and what is received from the server is printed on stdout.

/Simon

From dellanna at csp.it Mon Feb 12 11:45:30 2007
From: dellanna at csp.it (dellanna at csp.it)
Date: Mon, 12 Feb 2007 11:45:30 +0100
Subject: [Help-gnutls] Re: ex-serv-pgp
In-Reply-To: <87abzj3by0.fsf@latte.josefsson.org>
References: <1170431003.45c35c1b29a34@csa.csp.it> <87tzxzg4yz.fsf@latte.josefsson.org> <1170841081.45c99df937538@csa.csp.it> <87ps8mb82b.fsf@latte.josefsson.org> <1170855697.45c9d7118c6d4@csa.csp.it> <877iuuawq2.fsf@latte.josefsson.org> <1170860360.45c9e94832994@csa.csp.it> <873b5iatbw.fsf@latte.josefsson.org> <1170864162.45c9f822ee08e@csa.csp.it> <87tzxy9ceq.fsf@latte.josefsson.org> <1170928227.45caf26307302@csa.csp.it> <874ppwaeva.fsf@latte.josefsson.org> <1170946974.45cb3b9ea8b72@csa.csp.it> <87r6t08j62.fsf@latte.josefsson.org> <1171028659.45cc7ab380d42@csa.csp.it> <87odo34f0p.fsf@latte.josefsson.org> <1171029813.45cc7f358ea00@csa.csp.it> <87k5yr4dvh.fsf@latte.josefsson.org> <87fy9f4dqc.fsf@latte.josefsson.org> <1171033572.45cc8de40fbc5@csa.csp.it> <87abzj3by0.fsf@latte.josefsson.org>
Message-ID: <1171277130.45d0454a3d194@csa.csp.it>

Yes,
I'm using version 1.7.5, because if I run gnutls-cli --version the output is:
gnutls-cli (GnuTLS) 1.7.5.
But if I run gnutls-cli --port 5556 test.gnutls.org it returns the following error:

global_init_extra: The GnuTLS library version does not match the GnuTLS-extra library version.
Resolving 'test.gnutls.org'...
Connecting to '217.13.230.178:5556'...
*** Fatal error: The initialization of GnuTLS-extra has failed.
*** Handshake has failed
GNUTLS ERROR: The initialization of GnuTLS-extra has failed.

Is the problem GnuTLS-extra?

Simone.

Scrive Simon Josefsson :

> Are you sure you are using the new gnutls-cli and not the old? Try
> this:
>
> $ gnutls-cli --version
> gnutls-cli (GnuTLS) 1.7.6
> $ gnutls-cli --port 5556 test.gnutls.org
> Resolving 'test.gnutls.org'...
> Connecting to '217.13.230.178:5556'...
> - Successfully sent 0 certificate(s) to server.
> - Certificate type: OpenPGP
> # The hostname in the key matches 'test.gnutls.org'.
> # Key was created at: Tue Feb 6 16:27:20 CET 2007
> # Key expires: Never
> # PGP Key version: 4
> # PGP Key public key algorithm: DSA (1024 bits)
> # PGP Key fingerprint:
> 59:6B:97:17:CB:98:9A:14:25:FE:AD:1C:AE:5F:AD:3E:5D:1D:14:D8
> # NAME: test.gnutls.org
>
> - Peer's key is valid
> - Could not find a signer of the peer's key
> - Version: TLS 1.2
> - Key Exchange: DHE DSS
> - Cipher: AES 256 CBC
> - MAC: SHA
> - Compression: LZO
> - Handshake was completed
>
> - Simple Client Mode:
>
> > P.S. What means "Simple Client Mode"?
>
> It means that what you type into the client on stdin is sent to the
> server, and what is received from the server is printed on stdout.
>
> /Simon

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
From simon at josefsson.org Mon Feb 12 11:49:19 2007 From: simon at josefsson.org (Simon Josefsson) Date: Mon, 12 Feb 2007 11:49:19 +0100 Subject: [Help-gnutls] Re: ex-serv-pgp In-Reply-To: <1171277130.45d0454a3d194@csa.csp.it> (dellanna@csp.it's message of "Mon\, 12 Feb 2007 11\:45\:30 +0100") References: <1170841081.45c99df937538@csa.csp.it> <87ps8mb82b.fsf@latte.josefsson.org> <1170855697.45c9d7118c6d4@csa.csp.it> <877iuuawq2.fsf@latte.josefsson.org> <1170860360.45c9e94832994@csa.csp.it> <873b5iatbw.fsf@latte.josefsson.org> <1170864162.45c9f822ee08e@csa.csp.it> <87tzxy9ceq.fsf@latte.josefsson.org> <1170928227.45caf26307302@csa.csp.it> <874ppwaeva.fsf@latte.josefsson.org> <1170946974.45cb3b9ea8b72@csa.csp.it> <87r6t08j62.fsf@latte.josefsson.org> <1171028659.45cc7ab380d42@csa.csp.it> <87odo34f0p.fsf@latte.josefsson.org> <1171029813.45cc7f358ea00@csa.csp.it> <87k5yr4dvh.fsf@latte.josefsson.org> <87fy9f4dqc.fsf@latte.josefsson.org> <1171033572.45cc8de40fbc5@csa.csp.it> <87abzj3by0.fsf@latte.josefsson.org> <1171277130.45d0454a3d194@csa.csp.it> Message-ID: <87lkj3irbk.fsf@latte.josefsson.org> dellanna at csp.it writes: > Yes, > I'm using 1.7.5 version because if I run gnutls-cli --version the output is: > gnutls-cli (GnuTLS) 1.7.5. > But if I run gnutls-cli --port 5556 test.gnutls.org it return the following > error: > > global_init_extra: The GnuTLS library version does not match the GnuTLS-extra > library version. > Resolving 'test.gnutls.org'... > Connecting to '217.13.230.178:5556'... > *** Fatal error: The initialization of GnuTLS-extra has failed. > *** Handshake has failed > GNUTLS ERROR: The initialization of GnuTLS-extra has failed. > > The problem is GnuTLS-extra? Yes, it seems your installation is broken. Did you type 'make install' in the top-level GnuTLS build directory? Do you have libgnutls.so* and libgnutls-extra.so* in $prefix/lib? What does 'ldd $prefix/bin/gnutls-cli' output? 
/Simon

From dellanna at csp.it Mon Feb 12 12:15:26 2007
From: dellanna at csp.it (dellanna at csp.it)
Date: Mon, 12 Feb 2007 12:15:26 +0100
Subject: [Help-gnutls] Re: ex-serv-pgp
In-Reply-To: <87lkj3irbk.fsf@latte.josefsson.org>
References: <1170841081.45c99df937538@csa.csp.it> <87ps8mb82b.fsf@latte.josefsson.org> <1170855697.45c9d7118c6d4@csa.csp.it> <877iuuawq2.fsf@latte.josefsson.org> <1170860360.45c9e94832994@csa.csp.it> <873b5iatbw.fsf@latte.josefsson.org> <1170864162.45c9f822ee08e@csa.csp.it> <87tzxy9ceq.fsf@latte.josefsson.org> <1170928227.45caf26307302@csa.csp.it> <874ppwaeva.fsf@latte.josefsson.org> <1170946974.45cb3b9ea8b72@csa.csp.it> <87r6t08j62.fsf@latte.josefsson.org> <1171028659.45cc7ab380d42@csa.csp.it> <87odo34f0p.fsf@latte.josefsson.org> <1171029813.45cc7f358ea00@csa.csp.it> <87k5yr4dvh.fsf@latte.josefsson.org> <87fy9f4dqc.fsf@latte.josefsson.org> <1171033572.45cc8de40fbc5@csa.csp.it> <87abzj3by0.fsf@latte.josefsson.org> <1171277130.45d0454a3d194@csa.csp.it> <87lkj3irbk.fsf@latte.josefsson.org>
Message-ID: <1171278926.45d04c4ea5c55@csa.csp.it>

Scrive Simon Josefsson :

> Yes, it seems your installation is broken. Did you type 'make
> install' in the top-level GnuTLS build directory?

Yes, I typed:
1. ./configure
2. make
3. make install

> Do you have libgnutls.so* and libgnutls-extra.so* in $prefix/lib?

No, there aren't.

> What does 'ldd $prefix/bin/gnutls-cli' output?

There isn't a bin folder in the gnutls directory.

> /Simon

Simone

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
From simon at josefsson.org Mon Feb 12 12:27:40 2007 From: simon at josefsson.org (Simon Josefsson) Date: Mon, 12 Feb 2007 12:27:40 +0100 Subject: [Help-gnutls] Re: ex-serv-pgp In-Reply-To: <1171278926.45d04c4ea5c55@csa.csp.it> (dellanna@csp.it's message of "Mon\, 12 Feb 2007 12\:15\:26 +0100") References: <1170855697.45c9d7118c6d4@csa.csp.it> <877iuuawq2.fsf@latte.josefsson.org> <1170860360.45c9e94832994@csa.csp.it> <873b5iatbw.fsf@latte.josefsson.org> <1170864162.45c9f822ee08e@csa.csp.it> <87tzxy9ceq.fsf@latte.josefsson.org> <1170928227.45caf26307302@csa.csp.it> <874ppwaeva.fsf@latte.josefsson.org> <1170946974.45cb3b9ea8b72@csa.csp.it> <87r6t08j62.fsf@latte.josefsson.org> <1171028659.45cc7ab380d42@csa.csp.it> <87odo34f0p.fsf@latte.josefsson.org> <1171029813.45cc7f358ea00@csa.csp.it> <87k5yr4dvh.fsf@latte.josefsson.org> <87fy9f4dqc.fsf@latte.josefsson.org> <1171033572.45cc8de40fbc5@csa.csp.it> <87abzj3by0.fsf@latte.josefsson.org> <1171277130.45d0454a3d194@csa.csp.it> <87lkj3irbk.fsf@latte.josefsson.org> <1171278926.45d04c4ea5c55@csa.csp.it> Message-ID: <87ejovipjn.fsf@latte.josefsson.org> dellanna at csp.it writes: > Scrive Simon Josefsson : > >> Yes, it seems your installation is broken. Did you type 'make >> install' in the top-level GnuTLS build directory? > > Yes, I type: > 1. ./configure > 2. make > 3. make install Ok, good. No error messages? >>Do you have libgnutls.so* and libgnutls-extra.so* in $prefix/lib? > > No, there isn't. > >>What does 'ldd $prefix/bin/gnutls-cli' output? > > There isn't bin folder in gnutls directory. $prefix means where you installed GnuTLS. If you don't specify --prefix, it will be /usr/local. So look in that directory for the libraries. 
/Simon

From dellanna at csp.it Mon Feb 12 13:18:34 2007
From: dellanna at csp.it (dellanna at csp.it)
Date: Mon, 12 Feb 2007 13:18:34 +0100
Subject: [Help-gnutls] Re: ex-serv-pgp
In-Reply-To: <87ejovipjn.fsf@latte.josefsson.org>
References: <1170855697.45c9d7118c6d4@csa.csp.it> <877iuuawq2.fsf@latte.josefsson.org> <1170860360.45c9e94832994@csa.csp.it> <873b5iatbw.fsf@latte.josefsson.org> <1170864162.45c9f822ee08e@csa.csp.it> <87tzxy9ceq.fsf@latte.josefsson.org> <1170928227.45caf26307302@csa.csp.it> <874ppwaeva.fsf@latte.josefsson.org> <1170946974.45cb3b9ea8b72@csa.csp.it> <87r6t08j62.fsf@latte.josefsson.org> <1171028659.45cc7ab380d42@csa.csp.it> <87odo34f0p.fsf@latte.josefsson.org> <1171029813.45cc7f358ea00@csa.csp.it> <87k5yr4dvh.fsf@latte.josefsson.org> <87fy9f4dqc.fsf@latte.josefsson.org> <1171033572.45cc8de40fbc5@csa.csp.it> <87abzj3by0.fsf@latte.josefsson.org> <1171277130.45d0454a3d194@csa.csp.it> <87lkj3irbk.fsf@latte.josefsson.org> <1171278926.45d04c4ea5c55@csa.csp.it> <87ejovipjn.fsf@latte.josefsson.org>
Message-ID: <1171282714.45d05b1a4b713@csa.csp.it>

Scrive Simon Josefsson :

> dellanna at csp.it writes:
>
> > Scrive Simon Josefsson :
> >
> >> Yes, it seems your installation is broken. Did you type 'make
> >> install' in the top-level GnuTLS build directory?
> >
> > Yes, I type:
> > 1. ./configure
> > 2. make
> > 3. make install
>
> Ok, good. No error messages?

No, there isn't any error message.

> >>Do you have libgnutls.so* and libgnutls-extra.so* in $prefix/lib?

Ok, in usr/local/lib/ I have:

libgnutls.so
libgnutls.so.13
libgnutls.so.13.4.3
libgnutls-extra.a
libgnutls-extra.la
libgnutls-extra.so
libgnutls-extra.so.13
libgnutls-extra.so.13.4.3

> >>What does 'ldd $prefix/bin/gnutls-cli' output?

It returns the following output:

	linux-gate.so.1 => (0xffffe000)
	libgnutls.so.13 => /usr/local/lib/libgnutls.so.13 (0xb7ef6000)
	libgnutls-extra.so.13 => /usr/local/lib/libgnutls-extra.so.13 (0xb7ee2000)
	libopencdk.so.8 => /usr/lib/libopencdk.so.8 (0xb7eb3000)
	libgcrypt.so.11 => /usr/lib/libgcrypt.so.11 (0xb7e67000)
	libgpg-error.so.0 => /usr/lib/libgpg-error.so.0 (0xb7e63000)
	libz.so.1 => /usr/lib/libz.so.1 (0xb7e4f000)
	libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7d20000)
	libnsl.so.1 => /lib/tls/i686/cmov/libnsl.so.1 (0xb7d0a000)
	libgnutls.so.12 => /usr/lib/libgnutls.so.12 (0xb7ca1000)
	/lib/ld-linux.so.2 (0xb7f8d000)
	libtasn1.so.2 => /usr/lib/libtasn1.so.2 (0xb7c91000)

> /Simon

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

From smurf at smurf.noris.de Mon Feb 12 13:54:05 2007
From: smurf at smurf.noris.de (Matthias Urlichs)
Date: Mon, 12 Feb 2007 13:54:05 +0100
Subject: [Help-gnutls] Re: ex-serv-pgp
In-Reply-To: <1171282714.45d05b1a4b713@csa.csp.it>
References: <1171029813.45cc7f358ea00@csa.csp.it> <87k5yr4dvh.fsf@latte.josefsson.org> <87fy9f4dqc.fsf@latte.josefsson.org> <1171033572.45cc8de40fbc5@csa.csp.it> <87abzj3by0.fsf@latte.josefsson.org> <1171277130.45d0454a3d194@csa.csp.it> <87lkj3irbk.fsf@latte.josefsson.org> <1171278926.45d04c4ea5c55@csa.csp.it> <87ejovipjn.fsf@latte.josefsson.org> <1171282714.45d05b1a4b713@csa.csp.it>
Message-ID: <20070212125405.GA26115@kiste.smurf.noris.de>

Hi,

dellanna at csp.it:
> > >>What does 'ldd $prefix/bin/gnutls-cli' output?

For the record: Please use "ldd -r". It resolves all symbols and thus is able to find more problems than a plain "ldd".

> linux-gate.so.1 => (0xffffe000)
> libgnutls.so.13 => /usr/local/lib/libgnutls.so.13 (0xb7ef6000)
> libgnutls-extra.so.13 => /usr/local/lib/libgnutls-extra.so.13
> (0xb7ee2000)
> libgnutls.so.12 => /usr/lib/libgnutls.so.12 (0xb7ca1000)

Ugh. That may be a problem.
I don't know if your Linux distribution uses versioned symbols for their
libgnutls (Debian does). To find out, do

    $ objdump -p /usr/lib/libgnutls.so.12
    $ objdump -p /usr/local/lib/libgnutls.so.13

and look for the section that says "Version definitions". If either one
(or, worse, both) is not versioned, that's your problem.

Otherwise (i.e. if they're both versioned), make sure that you didn't
compile against your local gnutls installation but linked against the
public one (or vice versa).

-- 
Matthias Urlichs | {M:U} IT Design @ m-u-it.de | smurf at smurf.noris.de
Disclaimer: The quote was selected randomly. Really. | http://smurf.noris.de
 - -
There was an old voyeur named Zeke,
Who liked to hide in the closet and peek,
Then jump out with loud cries of "Aha!" and "Surprise!"
And point out your flaws in technique.

From dellanna at csp.it Mon Feb 12 14:36:04 2007
From: dellanna at csp.it (dellanna at csp.it)
Date: Mon, 12 Feb 2007 14:36:04 +0100
Subject: [Help-gnutls] Re: ex-serv-pgp
In-Reply-To: <20070212125405.GA26115@kiste.smurf.noris.de>
References: <1171029813.45cc7f358ea00@csa.csp.it> <87k5yr4dvh.fsf@latte.josefsson.org> <87fy9f4dqc.fsf@latte.josefsson.org> <1171033572.45cc8de40fbc5@csa.csp.it> <87abzj3by0.fsf@latte.josefsson.org> <1171277130.45d0454a3d194@csa.csp.it> <87lkj3irbk.fsf@latte.josefsson.org> <1171278926.45d04c4ea5c55@csa.csp.it> <87ejovipjn.fsf@latte.josefsson.org> <1171282714.45d05b1a4b713@csa.csp.it> <20070212125405.GA26115@kiste.smurf.noris.de>
Message-ID: <1171287364.45d06d440a54a@csa.csp.it>

Hi,

Matthias Urlichs writes:

> Hi,
> For the record: please use "ldd -r". It resolves all symbols and thus
> is able to find more problems than a plain "ldd".
With ldd -r it returns the same output:

    linux-gate.so.1 => (0xffffe000)
    libgnutls.so.13 => /usr/local/lib/libgnutls.so.13 (0xb7f0e000)
    libgnutls-extra.so.13 => /usr/local/lib/libgnutls-extra.so.13 (0xb7efa000)
    libopencdk.so.8 => /usr/lib/libopencdk.so.8 (0xb7ecb000)
    libgcrypt.so.11 => /usr/lib/libgcrypt.so.11 (0xb7e7f000)
    libgpg-error.so.0 => /usr/lib/libgpg-error.so.0 (0xb7e7b000)
    libz.so.1 => /usr/lib/libz.so.1 (0xb7e67000)
    libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7d38000)
    libnsl.so.1 => /lib/tls/i686/cmov/libnsl.so.1 (0xb7d22000)
    libgnutls.so.12 => /usr/lib/libgnutls.so.12 (0xb7cb9000)
    /lib/ld-linux.so.2 (0xb7fa5000)
    libtasn1.so.2 => /usr/lib/libtasn1.so.2 (0xb7ca9000)

> > linux-gate.so.1 => (0xffffe000)
> > libgnutls.so.13 => /usr/local/lib/libgnutls.so.13 (0xb7ef6000)
> > libgnutls-extra.so.13 => /usr/local/lib/libgnutls-extra.so.13
> > (0xb7ee2000)
> > libgnutls.so.12 => /usr/lib/libgnutls.so.12 (0xb7ca1000)
>
> Ugh. That may be a problem.
>
> I don't know if your Linux distribution uses versioned symbols for their
> libgnutls (Debian does). To find out, do
>
> $ objdump -p /usr/lib/libgnutls.so.12
> $ objdump -p /usr/local/lib/libgnutls.so.13
>
> and look for the section that says "Version definitions".

I use Ubuntu 6.06, and if I run objdump -p /usr/lib/libgnutls.so.12 it
returns the following output in the section "Version definitions":

    Version definitions:
    1 0x01 0x0ebdb882 libgnutls.so.12
    2 0x00 0x091de682 GNUTLS_1_2

And if I run objdump -p /usr/local/lib/libgnutls.so.13 I see in the same
section:

    Version definitions:
    1 0x01 0x0ebdb883 libgnutls.so.13
    2 0x00 0x091de683 GNUTLS_1_3

This seems correct... What is your version of gnutls-cli?

Simone.
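The two checks Matthias asks for above (an `ldd -r` listing that pulls in two sonames of the same library, and an `objdump -p` "Version definitions" section) can be made mechanical. The following shell script is an added example; it is not from this thread and not part of GnuTLS. `find_dup_sonames` reads `ldd` output and reports every library stem that appears under more than one soname (here libgnutls.so.12 next to libgnutls.so.13), and `list_version_defs` reads `objdump -p` output and prints the symbol-version names it defines, so an empty result means "not versioned". The embedded sample input is copied from Simone's posted output so the script runs without the real binaries; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the help-gnutls thread or of GnuTLS.
# Real use:
#   ldd -r /usr/local/bin/gnutls-cli | find_dup_sonames
#   objdump -p /usr/lib/libgnutls.so.12 | list_version_defs

# Constructed sample: the `ldd -r` output Simone posted (addresses as posted).
SAMPLE_LDD=$(cat <<'EOF'
    linux-gate.so.1 => (0xffffe000)
    libgnutls.so.13 => /usr/local/lib/libgnutls.so.13 (0xb7f0e000)
    libgnutls-extra.so.13 => /usr/local/lib/libgnutls-extra.so.13 (0xb7efa000)
    libopencdk.so.8 => /usr/lib/libopencdk.so.8 (0xb7ecb000)
    libgcrypt.so.11 => /usr/lib/libgcrypt.so.11 (0xb7e7f000)
    libgpg-error.so.0 => /usr/lib/libgpg-error.so.0 (0xb7e7b000)
    libz.so.1 => /usr/lib/libz.so.1 (0xb7e67000)
    libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7d38000)
    libnsl.so.1 => /lib/tls/i686/cmov/libnsl.so.1 (0xb7d22000)
    libgnutls.so.12 => /usr/lib/libgnutls.so.12 (0xb7cb9000)
    /lib/ld-linux.so.2 (0xb7fa5000)
    libtasn1.so.2 => /usr/lib/libtasn1.so.2 (0xb7ca9000)
EOF
)

# Constructed sample: the `objdump -p` excerpt Simone posted for the Ubuntu library.
SAMPLE_OBJDUMP=$(cat <<'EOF'
Version definitions:
1 0x01 0x0ebdb882 libgnutls.so.12
2 0x00 0x091de682 GNUTLS_1_2

EOF
)

# Report library stems (the part before ".so") that the loader resolved to
# more than one soname.  Output: "stem: sonameA sonameB", one line per stem.
# Lines whose first field does not look like "libNAME.so..." (the vDSO entry
# and the absolute /lib/ld-linux.so.2 line) are ignored.
find_dup_sonames() {
    awk '
        $1 ~ /^lib.*\.so/ {
            soname = $1
            stem = soname
            sub(/\.so(\..*)?$/, "", stem)
            if (!(soname in seen)) {
                seen[soname] = 1
                count[stem]++
                names[stem] = names[stem] " " soname
                if (!(stem in pos)) { pos[stem] = ++n; stems[n] = stem }
            }
        }
        END {
            for (i = 1; i <= n; i++)
                if (count[stems[i]] > 1)
                    printf "%s:%s\n", stems[i], names[stems[i]]
        }'
}

# Print the symbol-version names a shared library defines, taken from the
# "Version definitions" section of `objdump -p` output.  The entry flagged
# 0x01 is the base entry carrying the soname, not a real version, so it is
# skipped.  No output means the library is not versioned.
list_version_defs() {
    awk '
        /^Version definitions:/ { indefs = 1; next }
        indefs && (NF == 0 || /^Version References:/) { indefs = 0 }
        indefs && NF >= 4 && $2 != "0x01" { print $4 }'
}

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_LDD" | find_dup_sonames
printf '%s\n' "$SAMPLE_OBJDUMP" | list_version_defs
```

On Simone's listing the first function prints `libgnutls: libgnutls.so.13 libgnutls.so.12`, which is exactly the condition Simon and Matthias are discussing; on a clean build it prints nothing. Run the second function on each copy of the library: if both print a GNUTLS_* name the symbols are versioned and the two copies can coexist, as Matthias notes in his follow-up.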
From simon at josefsson.org Mon Feb 12 14:54:11 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Mon, 12 Feb 2007 14:54:11 +0100
Subject: [Help-gnutls] Re: Verifying subjectAltNames
In-Reply-To: <45CF89DA.7070804@tthias.eu> (Matthias Wimmer's message of "Sun\, 11 Feb 2007 22\:25\:46 +0100")
References: <45B958D7.6000007@tthias.eu> <87y7npdcmm.fsf@latte.josefsson.org> <45BA6C88.2080201@tthias.eu> <87ps8xbo8o.fsf@latte.josefsson.org> <45BE5ABF.6020005@tthias.eu> <45CA4468.6020704@tthias.eu> <87hctx9l8n.fsf@latte.josefsson.org> <87d54l9kjb.fsf@latte.josefsson.org> <878xf99h0k.fsf@latte.josefsson.org> <45CF89DA.7070804@tthias.eu>
Message-ID: <87zm7jh470.fsf@latte.josefsson.org>

Matthias Wimmer writes:

> A okay, I did not read this paragraph at the first time. I think it
> should be stripped as it is also stripped when non-otherName values
> are returned.

I agree, and I have changed this. Data for known otherName OID's
should now be decoded. In the future, it won't be possible to decode
all data, I think, since they may be structured, but we'll handle that
problem when it comes to it. This data happened to be non-structured.

'certtool -i' on the jabber.org XMPP certificate will now say:

    Subject Alternative Name (not critical):
        XMPP Address: jabber.org
        DNSname: jabber.org
        DNSname: *.jabber.org

Which seems quite nice. The relevant code is in lib/x509/output.c:

    err = gnutls_x509_crt_get_subject_alt_name (cert, san_idx, buffer, &size, NULL);
    if (err < 0)
      ...

    switch (err)
      {
      ...
      case GNUTLS_SAN_OTHERNAME:
        ...
        err = gnutls_x509_crt_get_subject_alt_othername_oid (cert, san_idx, oid, &oidsize);
        if (err < 0)
          ...

        if (err == GNUTLS_SAN_OTHERNAME_XMPP)
          addf (str, "\t\t\tXMPP Address: %.*s\n", size, buffer);
        else
          {
            addf (str, "\t\t\totherName OID: %.*s\n", oidsize, oid);
            addf (str, "\t\t\totherName DER: ");
            hexprint (str, buffer, size);
            addf (str, "\n\t\t\totherName ASCII: ");
            asciiprint (str, buffer, size);
            addf (str, "\n");
          }

/Simon

From m at tthias.eu Mon Feb 12 15:06:22 2007
From: m at tthias.eu (Matthias Wimmer)
Date: Mon, 12 Feb 2007 15:06:22 +0100
Subject: [Help-gnutls] Re: Verifying subjectAltNames
In-Reply-To: <87zm7jh470.fsf@latte.josefsson.org>
References: <45B958D7.6000007@tthias.eu> <87y7npdcmm.fsf@latte.josefsson.org> <45BA6C88.2080201@tthias.eu> <87ps8xbo8o.fsf@latte.josefsson.org> <45BE5ABF.6020005@tthias.eu> <45CA4468.6020704@tthias.eu> <87hctx9l8n.fsf@latte.josefsson.org> <87d54l9kjb.fsf@latte.josefsson.org> <878xf99h0k.fsf@latte.josefsson.org> <45CF89DA.7070804@tthias.eu> <87zm7jh470.fsf@latte.josefsson.org>
Message-ID: <45D0745E.9010203@tthias.eu>

Simon Josefsson wrote:
> Matthias Wimmer writes:
>
>> A okay, I did not read this paragraph at the first time. I think it
>> should be stripped as it is also stripped when non-otherName values
>> are returned.
>
> I agree, and I have changed this. Data for known otherName OID's
> should now be decoded. In the future, it won't be possible to decode
> all data, I think, since they may be structured, but we'll handle that
> problem when it comes to it. This data happened to be non-structured.
>
> 'certtool -i' on the jabber.org XMPP certificate will now say:
>
> Subject Alternative Name (not critical):
> XMPP Address: jabber.org
> DNSname: jabber.org
> DNSname: *.jabber.org

Yes that's better and looks okay now.
:-)

Matthias

From simon at josefsson.org Mon Feb 12 15:32:00 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Mon, 12 Feb 2007 15:32:00 +0100
Subject: [Help-gnutls] Re: ex-serv-pgp
In-Reply-To: <1171287364.45d06d440a54a@csa.csp.it> (dellanna@csp.it's message of "Mon\, 12 Feb 2007 14\:36\:04 +0100")
References: <1171029813.45cc7f358ea00@csa.csp.it> <87k5yr4dvh.fsf@latte.josefsson.org> <87fy9f4dqc.fsf@latte.josefsson.org> <1171033572.45cc8de40fbc5@csa.csp.it> <87abzj3by0.fsf@latte.josefsson.org> <1171277130.45d0454a3d194@csa.csp.it> <87lkj3irbk.fsf@latte.josefsson.org> <1171278926.45d04c4ea5c55@csa.csp.it> <87ejovipjn.fsf@latte.josefsson.org> <1171282714.45d05b1a4b713@csa.csp.it> <20070212125405.GA26115@kiste.smurf.noris.de> <1171287364.45d06d440a54a@csa.csp.it>
Message-ID: <87bqjzv44f.fsf@latte.josefsson.org>

dellanna at csp.it writes:

> libgnutls.so.13 => /usr/local/lib/libgnutls.so.13 (0xb7f0e000)
> libgnutls-extra.so.13 => /usr/local/lib/libgnutls-extra.so.13
...
> libgnutls.so.12 => /usr/lib/libgnutls.so.12 (0xb7cb9000)

Linking to both libgnutls is likely what is causing you problems. I
don't understand how this could have happened, though. I have a
/usr/lib/libgnutls.so.12 on my system, but it isn't pulled into newly
built GnuTLS binaries. Anyone has any ideas how this could happen?

You can debug this further by looking exactly at which commands are
used to link the binaries, there could be some bug there...
/Simon

From simon at josefsson.org Mon Feb 12 16:08:38 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Mon, 12 Feb 2007 16:08:38 +0100
Subject: [Help-gnutls] Re: ex-serv-pgp
In-Reply-To: <1171292727.45d0823741981@csa.csp.it> (dellanna@csp.it's message of "Mon\, 12 Feb 2007 16\:05\:27 +0100")
References: <1171029813.45cc7f358ea00@csa.csp.it> <87k5yr4dvh.fsf@latte.josefsson.org> <87fy9f4dqc.fsf@latte.josefsson.org> <1171033572.45cc8de40fbc5@csa.csp.it> <87abzj3by0.fsf@latte.josefsson.org> <1171277130.45d0454a3d194@csa.csp.it> <87lkj3irbk.fsf@latte.josefsson.org> <1171278926.45d04c4ea5c55@csa.csp.it> <87ejovipjn.fsf@latte.josefsson.org> <1171282714.45d05b1a4b713@csa.csp.it> <20070212125405.GA26115@kiste.smurf.noris.de> <1171287364.45d06d440a54a@csa.csp.it> <87bqjzv44f.fsf@latte.josefsson.org> <1171292727.45d0823741981@csa.csp.it>
Message-ID: <873b5bv2fd.fsf@latte.josefsson.org>

dellanna at csp.it writes:

> I tried to download the gnutls 1.6 version, but it has some problem in the
> installation time.
> In this version if I run ./configure is OK, but when I run make it return "no
> targets specified and no makefile found. Stop."
> Why? The procedure of installation isn't the same of 1.7 version?

Yes, the procedures are the same. GnuTLS 1.6.x and 1.7.x are quite
similar, although for OpenPGP support, you'll want 1.7.x.

I think that either your gnutls archive was corrupt, or ./configure
failed to create the Makefile. Did ./configure exit with an error
message?

/Simon

> Simone.
>
>
>
> Simon Josefsson writes:
>
>> dellanna at csp.it writes:
>>
>> > libgnutls.so.13 => /usr/local/lib/libgnutls.so.13 (0xb7f0e000)
>> > libgnutls-extra.so.13 => /usr/local/lib/libgnutls-extra.so.13
>> ..
>> > libgnutls.so.12 => /usr/lib/libgnutls.so.12 (0xb7cb9000)
>>
>> Linking to both libgnutls is likely what is causing you problems. I
>> don't understand how this could have happened, though.
>> I have a
>> /usr/lib/libgnutls.so.12 on my system, but it isn't pulled into newly
>> built GnuTLS binaries. Anyone has any ideas how this could happen?
>>
>> You can debug this further by looking exactly at which commands are
>> used to link the binaries, there could be some bug there...
>>
>> /Simon
>>
>>

From smurf at smurf.noris.de Mon Feb 12 16:12:58 2007
From: smurf at smurf.noris.de (Matthias Urlichs)
Date: Mon, 12 Feb 2007 16:12:58 +0100
Subject: [Help-gnutls] Re: ex-serv-pgp
In-Reply-To: <87bqjzv44f.fsf@latte.josefsson.org>
References: <1171033572.45cc8de40fbc5@csa.csp.it> <87abzj3by0.fsf@latte.josefsson.org> <1171277130.45d0454a3d194@csa.csp.it> <87lkj3irbk.fsf@latte.josefsson.org> <1171278926.45d04c4ea5c55@csa.csp.it> <87ejovipjn.fsf@latte.josefsson.org> <1171282714.45d05b1a4b713@csa.csp.it> <20070212125405.GA26115@kiste.smurf.noris.de> <1171287364.45d06d440a54a@csa.csp.it> <87bqjzv44f.fsf@latte.josefsson.org>
Message-ID: <20070212151258.GB26115@kiste.smurf.noris.de>

Hi,

Simon Josefsson:
> Linking to both libgnutls is likely what is causing you problems.

Not if they're both versioned. (That's why I asked.)

-- 
Matthias Urlichs | {M:U} IT Design @ m-u-it.de | smurf at smurf.noris.de
Disclaimer: The quote was selected randomly. Really. | http://smurf.noris.de
 - -
A lady whose name is Tirelli
Has tits made of dynamite jelli.
If you take on this dare,
You must fondle with care.
(The detonator's south of her belli.)

From dg at cowlark.com Mon Feb 12 23:08:51 2007
From: dg at cowlark.com (David Given)
Date: Mon, 12 Feb 2007 22:08:51 +0000
Subject: [Help-gnutls] Re: SMTP TLS & Thunderbird
In-Reply-To: <87zm7j3fzh.fsf@latte.josefsson.org>
References: <87zm7qbhkz.fsf@latte.josefsson.org> <87lkj99m08.fsf@latte.josefsson.org> <87zm7j3fzh.fsf@latte.josefsson.org>
Message-ID:

Simon Josefsson wrote:
[...]
> This kind of feedback is very important, could you please describe in
> more detail what documentation lead you wrong, and what mistakes you
> did? The documentation isn't perfect, but in order to know where to
> spend time improving it, it is useful to know where the weakest parts
> are.

Well, the main issue with gnutls_certificate_set_x509_key_file() is that
the documentation doesn't describe what error codes get returned if the
key files couldn't be opened, or even that the return value is an error
code at all: I eventually figured it out by calling the function with a
bogus filename and inspecting the result (-64).

The function index is very hard to use, too. That function is described
in 'Core functions' instead of 'X.509 certificate functions', which is
where I would expect it to be. You may want to consider having a unified
index instead of (or as well as) dividing it into multiple pages.

[...]
> * Note that the priority is set on the client. The server does
> * not use the algorithm's priority except for disabling
> * algorithms that were not specified.
[...]
> The default cipher suite list
> doesn't include ANON, so the server will disable that KX unless you
> manually added it.
[...]
> Hm. I'd agree that you don't really get the full picture from that
> docstring...

Yes, the docs strongly imply that all algorithms are enabled by default
(which makes sense).

[...]
>> Incidentally, my various early blundering attempts managed to get a number of
>> things wrong, which caused gnutls-cli to fall over good and hard. Is this
>> important?
>
> Yes, anything that fails hard is a serious bug. Please let me know!

The simplest thing I did to make it go wrong was to accidentally pass an
anonymous credentials structure to credentials_set() with
CRD_CERTIFICATE. That caused both ends to segfault. Unfortunately I
don't have the logs any more, but gnutls-cli did produce a number of
assertion failures before it died.

-- 
http://www.cowlark.com
"I have always wished for my computer to be as easy to use as my
telephone; my wish has come true because I can no longer figure out how to
use my telephone." --- Bjarne Stroustrup

From dellanna at csp.it Tue Feb 13 10:28:09 2007
From: dellanna at csp.it (dellanna at csp.it)
Date: Tue, 13 Feb 2007 10:28:09 +0100
Subject: [Help-gnutls] some experience
In-Reply-To: <873b5bv2fd.fsf@latte.josefsson.org>
References: <1171029813.45cc7f358ea00@csa.csp.it> <87k5yr4dvh.fsf@latte.josefsson.org> <87fy9f4dqc.fsf@latte.josefsson.org> <1171033572.45cc8de40fbc5@csa.csp.it> <87abzj3by0.fsf@latte.josefsson.org> <1171277130.45d0454a3d194@csa.csp.it> <87lkj3irbk.fsf@latte.josefsson.org> <1171278926.45d04c4ea5c55@csa.csp.it> <87ejovipjn.fsf@latte.josefsson.org> <1171282714.45d05b1a4b713@csa.csp.it> <20070212125405.GA26115@kiste.smurf.noris.de> <1171287364.45d06d440a54a@csa.csp.it> <87bqjzv44f.fsf@latte.josefsson.org> <1171292727.45d0823741981@csa.csp.it> <873b5bv2fd.fsf@latte.josefsson.org>
Message-ID: <1171358889.45d184a9d7ad6@csa.csp.it>

Hi,

Simon Josefsson writes:

> Yes, the procedures are the same. GnuTLS 1.6.x and 1.7.x are quite
> similar, although for OpenPGP support, you'll want 1.7.x.

Does 1.7.0 support OpenPGP? In this version, if I run
gnutls-cli --port 5556 test.gnutls.org it returns:

    global_init_extra: The GnuTLS library version does not match the GnuTLS-extra library version.
    Resolving 'test.gnutls.org'...
    Connecting to '217.13.230.178:5556'...
    - Successfully sent 0 certificate(s) to server.
    - Certificate type: X.509
    - Got a certificate list of 1 certificates.
    - Certificate[0] info:
     # The hostname in the certificate matches 'test.gnutls.org'.
     # valid since: Tue Feb 6 14:02:11 CET 2007
     # expires at: Wed Feb 6 14:02:11 CET 2008
     # fingerprint: CB:4A:00:E0:65:A5:C3:9D:E0:5D:AB:CF:3A:2C:82:74
     # Subject's DN: O=GnuTLS test server,CN=test.gnutls.org
     # Issuer's DN: CN=GnuTLS test CA
    - Peer's certificate issuer is unknown
    - Peer's certificate is NOT trusted
    - Version: TLS 1.1
    - Key Exchange: DHE RSA
    - Cipher: AES 256 CBC
    - MAC: SHA
    - Compression: DEFLATE
    - Handshake was completed
    - Simple Client Mode:

Is this output correct?

> I think that either your gnutls archive was corrupt, or ./configure
> failed to create the Makefile. Did ./configure exit with an error
> message?

Yes, I resolved this problem for versions 1.6.0 and 1.7.0. But the
problem remains for the 1.7.5 version. There is no error message.

> /Simon

From dellanna at csp.it Tue Feb 13 11:51:59 2007
From: dellanna at csp.it (dellanna at csp.it)
Date: Tue, 13 Feb 2007 11:51:59 +0100
Subject: [Help-gnutls] again ex-serv-pgp
In-Reply-To: <20070212151258.GB26115@kiste.smurf.noris.de>
References: <1171033572.45cc8de40fbc5@csa.csp.it> <87abzj3by0.fsf@latte.josefsson.org> <1171277130.45d0454a3d194@csa.csp.it> <87lkj3irbk.fsf@latte.josefsson.org> <1171278926.45d04c4ea5c55@csa.csp.it> <87ejovipjn.fsf@latte.josefsson.org> <1171282714.45d05b1a4b713@csa.csp.it> <20070212125405.GA26115@kiste.smurf.noris.de> <1171287364.45d06d440a54a@csa.csp.it> <87bqjzv44f.fsf@latte.josefsson.org> <20070212151258.GB26115@kiste.smurf.noris.de>
Message-ID: <1171363919.45d1984f18456@csa.csp.it>

Hi,

Excuse me, but is the example "ex-serv-pgp" correct? I tried to install
the gnutls-cli 1.7.6 version on a Windows machine... this operation was
completed successfully.

1. I run ex-serv-pgp on the Ubuntu machine. The application works
   correctly because it returns:

    Echo Server ready. Listening to port '5556'.

2. When I run on the Windows machine (on the same LAN)
   gnutls-cli --port 5556 hostname_OF_Linux_Machine it returns the
   following output:

    Resolving "hostname"
    Connecting to '194.116.9.92:5556'
    ***Fatal error: A TLS packet with unexpected length was received.
    Handshake has failed
    GNUTLS ERROR: A TLS packet with unexpected lenght was received.

3. On the server side (Linux machine with ex-serv-pgp running) the
   output is:

    -connection from 194.116.9.26, port 2638
    *** Handshake has failed (Could not negotiate a supported cipher suite.)

What is the problem? I think I blundered something with gnutls-cli (on
the client side).

Simone.

From simon at josefsson.org Tue Feb 13 17:13:54 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Tue, 13 Feb 2007 17:13:54 +0100
Subject: [Help-gnutls] NIST X.509 self tests
Message-ID: <87bqjyf325.fsf@latte.josefsson.org>

I spent today running the GnuTLS X.509 certificate chain validator on
NIST's self tests, and thought I'd share some of the findings.

First, it should be noted that all of these tests were done using
'certtool --verify-chain', which is not the same verifier that is used
by GnuTLS when you verify server certificates in TLS. We should
probably merge these verifiers eventually. I expect that large parts of
the verifiers are similar.

I started with the old tests from . They are installed in CVS into
tests/x509paths. Running './chain' in that directory should test all
chains. We do fail some of the self tests, here are my notes:

Chain 13-14,65: We probably should not fail fatally, although this is
not a real problem.

Chain 15-18: We should succeed, the reason we don't is that we use
memcmp for DN comparisons.

Chain 19: I don't understand why this test should fail? The chain seems
fine to me.

Chain 28-29: We fail to check keyCertSign (non-)critical key usage in
intermediate certificates.
XXX

Chain 31-32: The CRL is issued by an issuer without CRLSign
(non-)critical keyCertSign. We don't check the CRL, so this is not a
real problem.

Chain 54-63: We don't check path length constraints properly. XXX

I then started with NIST's current self tests, . They are installed in
CVS into tests/nist-pkits/. You can run ./pkits in that directory to
run the simple tests, which just check the parser for all files.

The script "pkits_test" will build NIST's tool to generate HTML for
tests. It will start a Glade interface, and you should type e.g.
'foo.html' and then 'Generate tables'. Since GnuTLS supports DSA, you
should typically click on 'DSA signature verification' too. The
interface invokes the script "gnutls_test_entry", which verifies
certificate chains after building them using the script "build-chain".

Since building NIST's tool requires some non-standard stuff, I made one
run and stored the output in CVS too. You can access it from:

http://cvs.gnupg.org/cgi-bin/viewcvs.cgi/*checkout*/gnutls/tests/nist-pkits/gnutls-nist-tests.html?root=GNU+TLS+Library

We again fail some tests, notably the same ones as in NIST's old test
suite, i.e. the keyCertSign and pathLenConstraint related ones. One new
set of failures is due to lack of support for policies. Some failures
are date-related, and I'm not sure they are important.

I don't have resources to make GnuTLS pass these self tests, so this is
a request for volunteers that want to work on improving the X.509
validator.

If anyone knows of other X.509 self tests, that would be useful.
/Simon

From dellanna at csp.it Wed Feb 14 14:52:28 2007
From: dellanna at csp.it (dellanna at csp.it)
Date: Wed, 14 Feb 2007 14:52:28 +0100
Subject: [Help-gnutls] TLS
In-Reply-To: <1171363919.45d1984f18456@csa.csp.it>
References: <1171033572.45cc8de40fbc5@csa.csp.it> <87abzj3by0.fsf@latte.josefsson.org> <1171277130.45d0454a3d194@csa.csp.it> <87lkj3irbk.fsf@latte.josefsson.org> <1171278926.45d04c4ea5c55@csa.csp.it> <87ejovipjn.fsf@latte.josefsson.org> <1171282714.45d05b1a4b713@csa.csp.it> <20070212125405.GA26115@kiste.smurf.noris.de> <1171287364.45d06d440a54a@csa.csp.it> <87bqjzv44f.fsf@latte.josefsson.org> <20070212151258.GB26115@kiste.smurf.noris.de> <1171363919.45d1984f18456@csa.csp.it>
Message-ID: <1171461148.45d3141cd1b7f@csa.csp.it>

Hi all,

I don't know if my email was delivered correctly, so I rewrite my
problem. I tried to install the gnutls-cli 1.7.6 version on a Windows
machine... this operation was completed successfully. But:

1. I run ex-serv-pgp on the Ubuntu machine. The application works
   correctly because it returns:

    Echo Server ready. Listening to port '5556'.

2. When I run on the Windows machine (on the same LAN)
   gnutls-cli --port 5556 hostname_OF_Linux_Machine it returns the
   following output:

    Resolving "hostname"
    Connecting to '194.116.9.92:5556'
    ***Fatal error: A TLS packet with unexpected length was received.
    Handshake has failed
    GNUTLS ERROR: A TLS packet with unexpected lenght was received.

3. On the server side (Linux machine with ex-serv-pgp running) the
   output is:

    -connection from 194.116.9.26, port 2638
    *** Handshake has failed (Could not negotiate a supported cipher suite.)

4. If I run on the Windows machine
   gnutls-cli-debug --port 5556 hostname_OF_Linux_Machine it returns
   the following output:

    Resolving "hostname"
    Connecting to '194.116.9.92:5556'
    Checking for TLS 1.1 support ...no
    Checking fallback from TLS 1.1 to...
    failed
    Checking for TLS 1.0 support ...no
    Checking for SSL 3.0 support ...no
    Server does not support none of SSL 3.0, TLS 1.0 and TLS 1.1

Can someone help me?

This error occurs in all examples used in the gnutls manual. This is
very strange, because the examples use TLS, don't they?

Simone.

From dellanna at csp.it Wed Feb 14 14:57:38 2007
From: dellanna at csp.it (dellanna at csp.it)
Date: Wed, 14 Feb 2007 14:57:38 +0100
Subject: [Help-gnutls] TLS
In-Reply-To: <1171461148.45d3141cd1b7f@csa.csp.it>
References: <1171033572.45cc8de40fbc5@csa.csp.it> <87abzj3by0.fsf@latte.josefsson.org> <1171277130.45d0454a3d194@csa.csp.it> <87lkj3irbk.fsf@latte.josefsson.org> <1171278926.45d04c4ea5c55@csa.csp.it> <87ejovipjn.fsf@latte.josefsson.org> <1171282714.45d05b1a4b713@csa.csp.it> <20070212125405.GA26115@kiste.smurf.noris.de> <1171287364.45d06d440a54a@csa.csp.it> <87bqjzv44f.fsf@latte.josefsson.org> <20070212151258.GB26115@kiste.smurf.noris.de> <1171363919.45d1984f18456@csa.csp.it> <1171461148.45d3141cd1b7f@csa.csp.it>
Message-ID: <1171461458.45d315523a88b@csa.csp.it>

Hi all,

I don't know if my email was delivered correctly, so I rewrite my
problem. I tried to install the gnutls-cli 1.7.6 version on a Windows
machine... this operation was completed successfully. But:

1. I run ex-serv-pgp on the Ubuntu machine. The application works
   correctly because it returns:

    Echo Server ready. Listening to port '5556'.

2. When I run on the Windows machine (on the same LAN)
   gnutls-cli --port 5556 hostname_OF_Linux_Machine it returns the
   following output:

    Resolving "hostname"
    Connecting to '194.116.9.92:5556'
    ***Fatal error: A TLS packet with unexpected length was received.
    Handshake has failed
    GNUTLS ERROR: A TLS packet with unexpected lenght was received.

3.
   On the server side (Linux machine with ex-serv-pgp running) the
   output is:

    -connection from 194.116.9.26, port 2638
    *** Handshake has failed (Could not negotiate a supported cipher suite.)

4. If I run on the Windows machine
   gnutls-cli-debug --port 5556 hostname_OF_Linux_Machine it returns
   the following output:

    Resolving "hostname"
    Connecting to '194.116.9.92:5556'
    Checking for TLS 1.1 support ...no
    Checking fallback from TLS 1.1 to... failed
    Checking for TLS 1.0 support ...no
    Checking for SSL 3.0 support ...no
    Server does not support none of SSL 3.0, TLS 1.0 and TLS 1.1

Can someone help me?

This error occurs in all examples used in the gnutls manual. This is
very strange, because the examples use TLS, don't they?

Simone.

From markus.hager at exgate.tek.com Wed Feb 14 16:15:42 2007
From: markus.hager at exgate.tek.com (markus.hager at exgate.tek.com)
Date: Wed, 14 Feb 2007 16:15:42 +0100
Subject: [Help-gnutls] Memory leak
Message-ID: <5893BF2B56D1D34A8D6FEFE23DDDDB0B0218E9BE@eu-berl-m51.global.tektronix.net>

Hi,

we've encountered memory problems with GNUTLS and I wonder if someone
else has experienced similar trouble.

We wrapped GNUTLS 1.4.4 in a 'memory manager'. That means we force
GNUTLS to use our memory functions. What we find is that not all memory
blocks that are allocated by GNUTLS are freed. We are losing approx. 65
bytes on the client and 200 on the server side per handshake.

The following is the sequence in which we call the gnutls functions:

    gnutls_global_set_mem_functions (alloc, alloc, NULL, realloc, free)
    gnutls_global_init
    gnutls_init
    gnutls_handshake
    gnutls_deinit
    gnutls_global_deinit

We don't use any functionality to store (resume) sessions. So GNUTLS is
supposed to free all memory allocated during a handshake in
gnutls_deinit, isn't it? Well, in our case it doesn't. With every
handshake more and more memory gets lost.
Is there a mistake in our handling of the library or is there a problem
in the GNUTLS implementation?

Thanks for your answers.

Regards
Markus

From simon at josefsson.org Wed Feb 21 11:22:48 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Wed, 21 Feb 2007 11:22:48 +0100
Subject: [Help-gnutls] Re: some experience
In-Reply-To: <1171358889.45d184a9d7ad6@csa.csp.it> (dellanna@csp.it's message of "Tue\, 13 Feb 2007 10\:28\:09 +0100")
References: <1171029813.45cc7f358ea00@csa.csp.it> <87k5yr4dvh.fsf@latte.josefsson.org> <87fy9f4dqc.fsf@latte.josefsson.org> <1171033572.45cc8de40fbc5@csa.csp.it> <87abzj3by0.fsf@latte.josefsson.org> <1171277130.45d0454a3d194@csa.csp.it> <87lkj3irbk.fsf@latte.josefsson.org> <1171278926.45d04c4ea5c55@csa.csp.it> <87ejovipjn.fsf@latte.josefsson.org> <1171282714.45d05b1a4b713@csa.csp.it> <20070212125405.GA26115@kiste.smurf.noris.de> <1171287364.45d06d440a54a@csa.csp.it> <87bqjzv44f.fsf@latte.josefsson.org> <1171292727.45d0823741981@csa.csp.it> <873b5bv2fd.fsf@latte.josefsson.org> <1171358889.45d184a9d7ad6@csa.csp.it>
Message-ID: <87bqjnolmv.fsf@latte.josefsson.org>

dellanna at csp.it writes:

> Hi,
>
> Simon Josefsson writes:
>
>> Yes, the procedures are the same. GnuTLS 1.6.x and 1.7.x are quite
>> similar, although for OpenPGP support, you'll want 1.7.x.
>
> Does 1.7.0 support OpenPGP?

Yes.

> In this version if I run gnutls-cli --port 5556 test.gnutls.org it returns:
>
> global_init_extra: The GnuTLS library version does not match the GnuTLS-extra
> library version.

This indicates there was a problem when GnuTLS was installed -- it is
using the wrong libgnutls-extra library. That has to be solved first.

> Is this output correct?

Nope. The server should send its OpenPGP server key instead of the
X.509 certificate, if you are using a correctly installed recent GnuTLS
version.
>> I think that either your gnutls archive was corrupt, or ./configure
>> failed to create the Makefile. Did ./configure exit with an error
>> message?
>
> Yes, I resolved this problem for versions 1.6.0 and 1.7.0. But the problem
> remains for 1.7.5 version.
> There isn't error message.

Can you reproduce this with a clean build of GnuTLS 1.7.6? It seems
that, for some reason, your different GnuTLS installations confuse each
other.

/Simon

From simon at josefsson.org Wed Feb 21 11:34:47 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Wed, 21 Feb 2007 11:34:47 +0100
Subject: [Help-gnutls] Re: TLS
In-Reply-To: <1171461458.45d315523a88b@csa.csp.it> (dellanna@csp.it's message of "Wed\, 14 Feb 2007 14\:57\:38 +0100")
References: <1171033572.45cc8de40fbc5@csa.csp.it> <87abzj3by0.fsf@latte.josefsson.org> <1171277130.45d0454a3d194@csa.csp.it> <87lkj3irbk.fsf@latte.josefsson.org> <1171278926.45d04c4ea5c55@csa.csp.it> <87ejovipjn.fsf@latte.josefsson.org> <1171282714.45d05b1a4b713@csa.csp.it> <20070212125405.GA26115@kiste.smurf.noris.de> <1171287364.45d06d440a54a@csa.csp.it> <87bqjzv44f.fsf@latte.josefsson.org> <20070212151258.GB26115@kiste.smurf.noris.de> <1171363919.45d1984f18456@csa.csp.it> <1171461148.45d3141cd1b7f@csa.csp.it> <1171461458.45d315523a88b@csa.csp.it>
Message-ID: <874ppfol2w.fsf@latte.josefsson.org>

dellanna at csp.it writes:

> Hi all,
> I don't know if my email was delivered correctly and I rewrite my problem.
> I tried to install gnutls-cli 1.7.6 version in windows machine... this operation
> was completed successfully.
> But
> 1. I run ex-serv-pgp on ubuntu machine. The application work correctly because
> it return:
>
> Echo Server ready. Listening to port '5556'.

Did you read the source of the example? You need to have an OpenPGP
private key and public key in the appropriate files. Otherwise, the
server will have no credentials, and clients won't be able to talk to
it.

> 2.
> When I run on windows machine (on the same LAN) gnutls-cli --port 5556
> hostname_OF_Linux_Machine it return the following output:
> Resolving "hostname"
> Connecting to '194.116.9.92:5556'
> ***Fatal error: A TLS packet with unexpected length was received.
> Handshake has failed
> GNUTLS ERROR: A TLS packet with unexpected lenght was received.
>
> 3. On server side (Linux Machine with ex-serv-pgp running) the output is:
>
> -connection from 194.116.9.26, port 2638
> *** Handshake has failed (Could not negotiate a supported cipher suite.)

This seems to be consistent with missing credentials.

> 4. If I run on windows machine gnutls-cli-debug --port 5556
> hostname_OF_Linux_Machine it return the following output:
> Resolving "hostname"
> Connecting to '194.116.9.92:5556'
> Checking for TLS 1.1 support ...no
> Checking fallback from TLS 1.1 to... failed
> Checking for TLS 1.0 support ...no
> Checking for SSL 3.0 support ...no
> Server does not support none of SSL 3.0, TLS 1.0 and TLS 1.1
> Can someone help me?
>
> This error occurs in all example used in manual gnutls.
> This is very strange because examples using TLS, isn't it?

Yes, but if gnutls-cli-debug fails to handshake with the server, it
will report that the server doesn't support TLS at all. This happens
when the server doesn't have any credentials and doesn't support
anonymous key exchanges.

I agree that the output of gnutls-cli-debug is confusing here. I have
added a TODO item:

- Make gnutls-cli-debug exit with better error messages if the
  handshake fails, rather than saying that the server doesn't support
  TLS.

/Simon

From kyle at pbx.org Thu Feb 22 07:52:26 2007
From: kyle at pbx.org (kyle cronan)
Date: Wed, 21 Feb 2007 22:52:26 -0800
Subject: [Help-gnutls] client hello refused
Message-ID:

Hello,

My question is about how to debug the situation where the TLS server
closes the connection right after the client hello message is sent
(gnutls 1.4.5).
I didn't have much luck searching the list archives for hello! Looking at what's in an SSL/TLS hello, perhaps cipher_suites, compression_methods and client_version are candidates for causing trouble? I believe I tried all the different client versions using --protocols, and I see from gnutls_handshake.c that the extensions are only sent if we're using a TLS version, not SSL3. So it shouldn't be a protocol extension that's causing the problem either. That just leaves ciphers and compression methods. But wouldn't I get an error like "could not negotiate a supported cipher suite"? Have servers been known to just close the connection without giving a handshake failure? Unfortunately the server software is some unknown black box type stuff. It does work with openssl s_client though (0.9.7a), even when I select various single ciphers with the -cipher option. Thanks, Kyle Cronan From kyle at pbx.org Thu Feb 22 08:23:20 2007 From: kyle at pbx.org (kyle cronan) Date: Wed, 21 Feb 2007 23:23:20 -0800 Subject: [Help-gnutls] Re: client hello refused In-Reply-To: References: Message-ID: It works with --comp NULL. I hadn't tried that one by itself, since I didn't think the server would punish me just for offering. Hopefully someone will find this helpful some day! Kyle On 2/21/07, kyle cronan wrote: > Hello, > > My question is about how to debug the situation where the TLS server > closes the connection right after the client hello message is sent > (gnutls 1.4.5). I didn't have much luck searching the list archives > for hello! > > Looking at what's in an SSL/TLS hello, perhaps cipher_suites, > compression_methods and client_version are candidates for causing > trouble? I believe I tried all the different client versions using > --protocols, and I see from gnutls_handshake.c that the extensions are > only sent if we're using a TLS version, not SSL3. So it shouldn't be > a protocol extension that's causing the problem either. That just > leaves ciphers and compression methods. 
But wouldn't I get an error > like "could not negotiate a supported cipher suite"? Have servers > been known to just close the connection without giving a handshake > failure? > > Unfortunately the server software is some unknown black box type > stuff. It does work with openssl s_client though (0.9.7a), even when > I select various single ciphers with the -cipher option. > > Thanks, > Kyle Cronan > > From simon at josefsson.org Thu Feb 22 09:21:07 2007 From: simon at josefsson.org (Simon Josefsson) Date: Thu, 22 Feb 2007 09:21:07 +0100 Subject: [Help-gnutls] Re: client hello refused In-Reply-To: (kyle cronan's message of "Wed\, 21 Feb 2007 23\:23\:20 -0800") References: Message-ID: <87odnmli18.fsf@latte.josefsson.org> Thanks for the report. Unfortunately, servers are known to close connections or do strange things when they get unsupported extensions. For reference, could you try with '--comp DEFLATE'? GnuTLS supports a non-standard compression mechanism LZO. However, the DEFLATE mechanism is standardized. /Simon "kyle cronan" writes: > It works with --comp NULL. I hadn't tried that one by itself, since I > didn't think the server would punish me just for offering. Hopefully > someone will find this helpful some day! > > Kyle > > On 2/21/07, kyle cronan wrote: >> Hello, >> >> My question is about how to debug the situation where the TLS server >> closes the connection right after the client hello message is sent >> (gnutls 1.4.5). I didn't have much luck searching the list archives >> for hello! >> >> Looking at what's in an SSL/TLS hello, perhaps cipher_suites, >> compression_methods and client_version are candidates for causing >> trouble? I believe I tried all the different client versions using >> --protocols, and I see from gnutls_handshake.c that the extensions are >> only sent if we're using a TLS version, not SSL3. So it shouldn't be >> a protocol extension that's causing the problem either. That just >> leaves ciphers and compression methods. 
But wouldn't I get an error >> like "could not negotiate a supported cipher suite"? Have servers >> been known to just close the connection without giving a handshake >> failure? >> >> Unfortunately the server software is some unknown black box type >> stuff. It does work with openssl s_client though (0.9.7a), even when >> I select various single ciphers with the -cipher option. >> >> Thanks, >> Kyle Cronan >> >> From kyle at pbx.org Fri Feb 23 01:50:40 2007 From: kyle at pbx.org (kyle cronan) Date: Thu, 22 Feb 2007 16:50:40 -0800 Subject: [Help-gnutls] Re: client hello refused In-Reply-To: <87odnmli18.fsf@latte.josefsson.org> References: <87odnmli18.fsf@latte.josefsson.org> Message-ID: Nope, it only works with --comp NULL. Even --comp NULL DEFLATE doesn't work. Perhaps because the server is SSL3 only. Kyle On 2/22/07, Simon Josefsson wrote: > Thanks for the report. Unfortunately, servers are known to close > connections or do strange things when they get unsupported extensions. > > For reference, could you try with '--comp DEFLATE'? GnuTLS supports a > non-standard compression mechanism LZO. However, the DEFLATE > mechanism is standardized. > > /Simon > > "kyle cronan" writes: > > > It works with --comp NULL. I hadn't tried that one by itself, since I > > didn't think the server would punish me just for offering. Hopefully > > someone will find this helpful some day! > > > > Kyle > > > > On 2/21/07, kyle cronan wrote: > >> Hello, > >> > >> My question is about how to debug the situation where the TLS server > >> closes the connection right after the client hello message is sent > >> (gnutls 1.4.5). I didn't have much luck searching the list archives > >> for hello! > >> > >> Looking at what's in an SSL/TLS hello, perhaps cipher_suites, > >> compression_methods and client_version are candidates for causing > >> trouble? 
I believe I tried all the different client versions using > >> --protocols, and I see from gnutls_handshake.c that the extensions are > >> only sent if we're using a TLS version, not SSL3. So it shouldn't be > >> a protocol extension that's causing the problem either. That just > >> leaves ciphers and compression methods. But wouldn't I get an error > >> like "could not negotiate a supported cipher suite"? Have servers > >> been known to just close the connection without giving a handshake > >> failure? > >> > >> Unfortunately the server software is some unknown black box type > >> stuff. It does work with openssl s_client though (0.9.7a), even when > >> I select various single ciphers with the -cipher option. > >> > >> Thanks, > >> Kyle Cronan > >> > >> > From simon at josefsson.org Fri Feb 23 07:46:08 2007 From: simon at josefsson.org (Simon Josefsson) Date: Fri, 23 Feb 2007 07:46:08 +0100 Subject: [Help-gnutls] Re: client hello refused In-Reply-To: (kyle cronan's message of "Thu\, 22 Feb 2007 16\:50\:40 -0800") References: <87odnmli18.fsf@latte.josefsson.org> Message-ID: <87ejohid73.fsf@latte.josefsson.org> "kyle cronan" writes: > Nope, it only works with --comp NULL. Even --comp NULL DEFLATE > doesn't work. Perhaps because the server is SSL3 only. Compression is supported by SSLv3, but servers were buggy back then too. /Simon
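Kyle's diagnosis in the thread above turns on what a ClientHello actually carries on the wire: client_version, cipher_suites, compression_methods and, for TLS versions only, the extensions block; Simon's follow-up is that some servers simply close the connection instead of sending an alert when one of those fields holds something they do not recognise. As an added example that is not part of this thread and not GnuTLS code, here is a small Python encoder and parser for the ClientHello record plus an interoperability check that flags the fields a legacy black-box server is most likely to reject outright. The cipher suite list, the sample hellos and LZO_PRIVATE_ID are constructed test vectors; in particular 0xf2 is a stand-in for a vendor-private compression id and is not GnuTLS's real LZO identifier.

```python
import struct

# TLS record and handshake constants (RFC 2246 / RFC 5246 values).
CONTENT_TYPE_HANDSHAKE = 22
HANDSHAKE_CLIENT_HELLO = 1
SSL3_0, TLS1_0, TLS1_1 = (3, 0), (3, 1), (3, 2)

# IANA-registered compression method ids; any other value is private use.
COMPRESSION_NULL = 0
COMPRESSION_DEFLATE = 1
STANDARD_COMPRESSION = {COMPRESSION_NULL: "NULL", COMPRESSION_DEFLATE: "DEFLATE"}


def build_client_hello(version, cipher_suites, compression_methods, extensions=None):
    """Serialise a ClientHello inside one TLS record.

    `extensions` is a list of (type, data) tuples. SSL 3.0 has no extensions
    field, so for that version the block is omitted even if supplied, which
    mirrors the gnutls_handshake.c behaviour Kyle describes."""
    body = bytes(version)
    body += b"\x00" * 32                      # random: fixed zeros, test vector only
    body += b"\x00"                           # empty session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += bytes([len(compression_methods)]) + bytes(compression_methods)
    if extensions is not None and version != SSL3_0:
        ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext)) + ext
    hs = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([CONTENT_TYPE_HANDSHAKE]) + bytes(version) + struct.pack("!H", len(hs)) + hs


def parse_client_hello(record):
    """Parse a TLS record holding a ClientHello; raise ValueError on length
    mismatches (the class of problem GnuTLS reports as 'unexpected length')."""
    if len(record) < 5 or record[0] != CONTENT_TYPE_HANDSHAKE:
        raise ValueError("not a handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4:
        raise ValueError("record length does not match payload")
    if hs[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("handshake length does not match body")
    version = (body[0], body[1])
    pos = 2 + 32                              # skip client_version and random
    sid_len = body[pos]
    pos += 1 + sid_len                        # skip session_id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    cm_len = body[pos]
    pos += 1
    comps = list(body[pos:pos + cm_len])
    pos += cm_len
    extensions = []
    if pos < len(body):                       # extensions block is optional
        (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            extensions.append((etype, body[pos:pos + elen]))
            pos += elen
    return {"version": version, "cipher_suites": suites,
            "compression_methods": comps, "extensions": extensions}


def interop_warnings(hello):
    """List the offered fields that an old or non-conforming server is known
    to reject by closing the connection rather than by sending an alert."""
    warnings = []
    nonstd = [c for c in hello["compression_methods"] if c not in STANDARD_COMPRESSION]
    if nonstd:
        warnings.append("non-standard compression method id(s): "
                        + ", ".join("0x%02x" % c for c in nonstd))
    if COMPRESSION_NULL not in hello["compression_methods"]:
        warnings.append("NULL compression not offered (the spec requires it)")
    if hello["extensions"]:
        warnings.append("%d extension(s) present; pre-extension servers may drop the hello"
                        % len(hello["extensions"]))
    return warnings


# Constructed test vectors, not captures from the thread.
LZO_PRIVATE_ID = 0xf2      # stand-in for a vendor-private method id (constructed value)
SUITES = [0x002f, 0x0035, 0x000a]   # RSA with AES-128-CBC-SHA, AES-256-CBC-SHA, 3DES-EDE-CBC-SHA
HELLO_DEFAULT = build_client_hello(SSL3_0, SUITES, [LZO_PRIVATE_ID, COMPRESSION_DEFLATE, COMPRESSION_NULL])
HELLO_COMP_NULL = build_client_hello(SSL3_0, SUITES, [COMPRESSION_NULL])
HELLO_TLS_EXT = build_client_hello(TLS1_1, SUITES, [COMPRESSION_NULL],
                                   extensions=[(0x0000, b"\x00\x0c\x00\x00\x09localhost")])

if __name__ == "__main__":
    for name, rec in (("default", HELLO_DEFAULT), ("--comp NULL", HELLO_COMP_NULL), ("TLS 1.1 + SNI", HELLO_TLS_EXT)):
        h = parse_client_hello(rec)
        print(name, h["version"], h["compression_methods"], interop_warnings(h))
```

Running the block side by side shows why "--comp NULL" was the only working option: the default hello offers a private-use compression id that a strict SSL 3.0 implementation has no obligation to understand, while the NULL-only hello produces no warnings at all. The same parser can be pointed at a captured record from a failing client to see exactly which field differs from a hello that the server accepts.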