From simon at josefsson.org Mon Mar 5 08:37:10 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Mon, 05 Mar 2007 08:37:10 +0100
Subject: [Help-gnutls] GnuTLS and Google Summer of Code 2007
Message-ID: <87irdgp2e1.fsf@latte.josefsson.org>

Hi!  GnuTLS will try to participate in the Google Summer of Code, see:

http://www.gnu.org/software/soc-projects/guidelines.html
http://code.google.com/soc/

Right now we are collecting ideas for projects, the ideas from 2006
are:

1. Datagram TLS support. RFC 4347 describes a UDP version of TLS.

2. Support for the elliptic curves ciphersuites as an alternative
   authentication method.

   comment: I think I saw some patches for libgcrypt about this quite
   recently, which could be a basis for this work.

3. Redesign and rewrite libtasn1 (asn.1 parser library). The new
   implementation must be efficient and easy to extend with new types
   and encoding rules (say BER and DER).

4. Write a crypto backend to perform (symmetric and asymmetric
   de/encryption, hash and MAC, key generation, random number
   generation). It should be able to utilize libgcrypt and other free
   libraries, such as libtomcrypt, and should be extendable for
   hardware drivers.

I can immediately add some ideas:

5. Work on integrating support for some of the newer TLS extensions,
   which can include better TLS 1.2 support.

6. Integrate the NIST X.509 self-tests and make sure we pass them.
   This could be an important step for FIPS certification of GnuTLS.

7. OpenPGP related improvements?

I'd appreciate suggestions for other ideas that might attract good
people.  If you want to propose something and work on it as a student,
let me know.

/Simon

From simon at josefsson.org Mon Mar 5 13:41:36 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Mon, 05 Mar 2007 13:41:36 +0100
Subject: [Help-gnutls] Re: SMTP TLS & Thunderbird
In-Reply-To: (David Given's message of "Sat\, 10 Feb 2007 17\:07\:54 +0000")
References: <87zm7qbhkz.fsf@latte.josefsson.org> <87lkj99m08.fsf@latte.josefsson.org>
Message-ID: <87hcszooan.fsf@latte.josefsson.org>

David Given writes:

> Simon Josefsson wrote:
> [...]
>> Many programs refuse to work if the server doesn't have a X.509
>> certificate, so yes, I'm afraid you'll have to add that to your
>> server, or modify a lot of clients.
>
> It's all working now, thanks. Although I will admit that setting all the code
> up was not pretty --- the documentation's very hazy on what the various
> functions return if something goes wrong (such as not being able to read the
> keyfiles), and I've found that in order to make it fall back on anonymous
> authentication if the keys don't work I have to call gnutls_kx_set_priority(),
> which surprises me as the documentation swears blind that it's ignored on servers.

It is clear that both code and documentation are sub-optimal here.
Below is how I will proceed to attempt to improve things.

* Encourage more applications to just use
  gnutls_set_default_priority().  One part of achieving that is to
  make all examples use it, and avoid any specific calls to
  gnutls_*_set_priority.  Such uses are not future-proof, and should
  really not be part of the examples, since it isn't good practice.
  It is better if the library picks sane defaults.

* Fix gnutls_set_default_priority to have sane defaults.  For example,
  right now it doesn't even include TLS 1.0!  However, that bug was
  introduced in the 1.7 series, so no major harm...

  Here are the default priorities I believe all applications should
  use.  Any comments?
  I think the only questionable one may be to exclude
  GNUTLS_KX_ANON_DH since it isn't safe against mitm's, but neither is
  X.509 without verifying the certificates.  However, deployment
  suggests that we shouldn't include it, so I didn't.  Possibly AES256
  should be the default, I dunno.  I would have liked to remove
  ARCFOUR_128, but it is so widely used that it isn't possible.
  Perhaps it should be disabled for TLS >= 1.1 connections.

  static const int protocol_priority[] = {
    GNUTLS_TLS1_2,
    GNUTLS_TLS1_1,
    GNUTLS_TLS1_0,
    GNUTLS_SSL3,
    0
  };

  static const int kx_priority[] = {
    GNUTLS_KX_DHE_PSK,
    GNUTLS_KX_PSK,
    GNUTLS_KX_SRP_RSA,
    GNUTLS_KX_SRP_DSS,
    GNUTLS_KX_SRP,
    GNUTLS_KX_DHE_RSA,
    GNUTLS_KX_DHE_DSS,
    GNUTLS_KX_RSA,
    /* GNUTLS_KX_ANON_DH: Man-in-the-middle prone, don't add!
     * GNUTLS_KX_RSA_EXPORT: Deprecated, don't add!
     */
    0
  };

  static const int cipher_priority[] = {
    GNUTLS_CIPHER_AES_128_CBC,
    GNUTLS_CIPHER_AES_256_CBC,
    GNUTLS_CIPHER_3DES_CBC,
    GNUTLS_CIPHER_ARCFOUR_128,
    /* GNUTLS_CIPHER_ARCFOUR_40: Insecure, don't add! */
    0
  };

  static const int comp_priority[] = {
    /* GNUTLS_COMP_LZO: Not standardized, don't add! */
    GNUTLS_COMP_DEFLATE,
    GNUTLS_COMP_NULL,
    0
  };

  static const int mac_priority[] = {
    GNUTLS_MAC_SHA1,
    GNUTLS_MAC_MD5,
    0
  };

* Verify that handshake logic removes unnecessary ciphersuites before
  sending them.  For example, there's no point in sending a SRP
  ciphersuite if there is no SRP callback set.  I believe the code is
  correct in most places here, but it needs to be verified.

* Make gnutls-cli and gnutls-serv use the new best practice.  Right
  now, it has its own set of priority lists.  It would be better to
  avoid that, and only use the library priorities.

Comments welcome!

/Simon

From simon at josefsson.org Mon Mar 5 16:20:54 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Mon, 05 Mar 2007 16:20:54 +0100
Subject: [Help-gnutls] gnutls-cli with compression against secure.cacert.org
Message-ID: <87hcszemy1.fsf@latte.josefsson.org>

I tried to talk with secure.cacert.org using my cacert
key/certificate, but it doesn't seem to work reliably unless I disable
compression.  The typical error is:

jas at mocca:~/src/gnutls/src$ ./gnutls-cli secure.cacert.org --x509keyfile ~/self/certs/cacert.key --x509certfile ~/self/certs/cacert.pem --x509cafile ~/self/certs/cacert-ca.pem
Processed 1 CA certificate(s).
Processed 1 client certificates...
Processed 1 client X.509 certificates...
Resolving 'secure.cacert.org'...
Connecting to '91.112.11.212:443'...
*** Fatal error: A TLS fatal alert has been received.
*** Received alert [20]: Bad record MAC
*** Handshake has failed
GNUTLS ERROR: A TLS fatal alert has been received.
jas at mocca:~/src/gnutls/src$

The workaround is of course to add '--comp null'.

If anyone has time to debug this, that would be useful.

/Simon

From simon at josefsson.org Wed Mar 7 12:07:23 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Wed, 07 Mar 2007 12:07:23 +0100
Subject: [Help-gnutls] Re: SMTP TLS & Thunderbird
In-Reply-To: <87hcszooan.fsf@latte.josefsson.org> (Simon Josefsson's message of "Mon\, 05 Mar 2007 13\:41\:36 +0100")
References: <87zm7qbhkz.fsf@latte.josefsson.org> <87lkj99m08.fsf@latte.josefsson.org> <87hcszooan.fsf@latte.josefsson.org>
Message-ID: <87mz2pl3bo.fsf@latte.josefsson.org>

Simon Josefsson writes:

> static const int cipher_priority[] = {
>   GNUTLS_CIPHER_AES_128_CBC,
>   GNUTLS_CIPHER_AES_256_CBC,
>   GNUTLS_CIPHER_3DES_CBC,
>   GNUTLS_CIPHER_ARCFOUR_128,
>   /* GNUTLS_CIPHER_ARCFOUR_40: Insecure, don't add! */
>   0
> };

It was suggested to alter this into:

static const int cipher_priority[] = {
  GNUTLS_CIPHER_AES_256_CBC,
  GNUTLS_CIPHER_AES_128_CBC,
  GNUTLS_CIPHER_3DES_CBC,
  GNUTLS_CIPHER_ARCFOUR_128,
  /* GNUTLS_CIPHER_ARCFOUR_40: Insecure, don't add! */
  0
};

And this has been installed in CVS.

/Simon

From simon at josefsson.org Wed Mar 7 17:11:47 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Wed, 07 Mar 2007 17:11:47 +0100
Subject: [Help-gnutls] Libtasn1 0.3.9
Message-ID: <87abypnid8.fsf@mocca.josefsson.org>

First release from GIT instead of CVS... released some days ago, but I
forgot to send this announcement.

Libtasn1 is a standalone library written in C for manipulating ASN.1
objects including DER/BER encoding and DER/BER decoding.  Libtasn1 is
used by GnuTLS to manipulate X.509 objects and by Shishi to handle
Kerberos V5 packets.

Version 0.3.9 (released 2007-03-02)
- In generated code, config.h is pulled in if HAVE_CONFIG_H.
- Development changes: changed from CVS to GIT as an experiment.
  I push my changes to .
- Autoconf 2.61 and automake 1.10 is required.

Commercial support contracts for Libtasn1 are available, and they help
finance continued maintenance.  Simon Josefsson Datakonsult, a
Stockholm based privately held company, is currently funding Libtasn1
maintenance.  We are always looking for interesting development
projects.  See http://josefsson.org/ for more details.

If you need help to use Libtasn1, or want to help others, you are
invited to join our help-gnutls mailing list, see: .

Homepage:
  http://josefsson.org/libtasn1/

Manual in many formats:
  http://josefsson.org/gnutls/manual/libtasn1/

Here are the compressed sources (1.3MB):
  ftp://ftp.gnutls.org/pub/gnutls/libtasn1/libtasn1-0.3.9.tar.gz
  http://josefsson.org/gnutls/releases/libtasn1/libtasn1-0.3.9.tar.gz

Here are GPG detached signatures using key 0xB565716F:
  ftp://ftp.gnutls.org/pub/gnutls/libtasn1/libtasn1-0.3.9.tar.gz.sig
  http://josefsson.org/gnutls/releases/libtasn1/libtasn1-0.3.9.tar.gz.sig

The software is cryptographically signed by the author using an
OpenPGP key identified by the following information:

pub   1280R/B565716F 2002-05-05 [expires: 2008-06-30]
      Key fingerprint = 0424 D4EE 81A0 E3D1 19C6 F835 EDA2 1E94 B565 716F
uid   Simon Josefsson
uid   Simon Josefsson
sub   1280R/4D5D40AE 2002-05-05 [expires: 2008-06-30]
sub   1024R/09CC4670 2006-03-18 [expires: 2007-04-22]
sub   1024R/AABB1F7B 2006-03-18 [expires: 2007-04-22]
sub   1024R/A14C401A 2006-03-18 [expires: 2007-04-22]

The key is available from:
  http://josefsson.org/key.txt
  dns:b565716f.josefsson.org?TYPE=CERT

Here are the SHA-1 and SHA-224 checksums:

952173c518c09438d6a0c975d173977cc651911e  libtasn1-0.3.9.tar.gz
cebc4146bb226a07f1ef71a99689ba464f8c0811  libtasn1-0.3.9.tar.gz.sig

77007a5050818567fa29aab3776519e0523f82c091bbb5910096a7ec  libtasn1-0.3.9.tar.gz
dcbdb5e27d6647c0b181b4bc560fdc9acd2542866d7a98c090f1f81d  libtasn1-0.3.9.tar.gz.sig

Enjoy,
Fabio, Nikos and Simon

From dev001 at pas-world.com Mon Mar 12 13:06:25 2007
From: dev001 at pas-world.com (devel)
Date: Mon, 12 Mar 2007 12:06:25 +0000
Subject: [Help-gnutls] Error making certificate
Message-ID: <1173701185.5591.9.camel@localhost.localdomain>

Hello, I am trying to use certtool to make certificate, like another
times.
But this time, with another version of gnutls and other arch, my script
do not work.
Here is the problem:


> certtool -p > new-user.key

Work
> certtool -q --outfile new-user.csr --load-privkey new-user.key --password $PASS

fail, response of system after input parameters:

> set_dn: ASN1 parser: Element was not found.

Any suggestion?

--
--
Devel in Precio http://www.pas-world.com

From simon at josefsson.org Mon Mar 12 13:40:38 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Mon, 12 Mar 2007 13:40:38 +0100
Subject: [Help-gnutls] Re: Error making certificate
In-Reply-To: <1173701185.5591.9.camel@localhost.localdomain> (devel's message of "Mon\, 12 Mar 2007 12\:06\:25 +0000")
References: <1173701185.5591.9.camel@localhost.localdomain>
Message-ID: <877itmhby1.fsf@mocca.josefsson.org>

devel writes:

> Hello, I am trying to use certtool to make certificate, like another
> times.
> But this time, with another version of gnutls and other arch, my script
> do not work. Here is the problem:
>
>
>> certtool -p > new-user.key
>
> Work
>> certtool -q --outfile new-user.csr --load-privkey new-user.key --password $PASS
>
> fail, response of system after input parameters:
>
>> set_dn: ASN1 parser: Element was not found.
>
> Any suggestion?

Can you send me the CSR that trigger the problem?  Which version of
GnuTLS are you using, and which version of GnuTLS worked before for
you?

It sounds as if the CSR doesn't contain some field which certtool need
to have.

/Simon

From dev001 at pas-world.com Mon Mar 12 16:22:04 2007
From: dev001 at pas-world.com (devel)
Date: Mon, 12 Mar 2007 15:22:04 +0000
Subject: [Help-gnutls] Re: Error making certificate
In-Reply-To: <877itmhby1.fsf@mocca.josefsson.org>
References: <1173701185.5591.9.camel@localhost.localdomain> <877itmhby1.fsf@mocca.josefsson.org>
Message-ID: <1173712924.5591.23.camel@localhost.localdomain>

certtool (GnuTLS) 1.6.1
linux x64


> certtool -q --outfile new-user.csr
Certificate request data input in a shell, certtool ask for it.

On Mon, 12-03-2007 at 13:40 +0100, Simon Josefsson wrote:
> devel writes:
>
> > Hello, I am trying to use certtool to make certificate, like another
> > times.
> > But this time, with another version of gnutls and other arch, my script
> > do not work. Here is the problem:
> >
> >
> >> certtool -p > new-user.key
> >
> > Work
> >> certtool -q --outfile new-user.csr --load-privkey new-user.key --password $PASS
> >
> > fail, response of system after input parameters:
> >
> >> set_dn: ASN1 parser: Element was not found.
> >
> > Any suggestion?
>
> Can you send me the CSR that trigger the problem?  Which version of
> GnuTLS are you using, and which version of GnuTLS worked before for
> you?
>
> It sounds as if the CSR doesn't contain some field which certtool need
> to have.
>
> /Simon
--
--
Devel in Precio http://www.pas-world.com

From simon at josefsson.org Mon Mar 12 16:52:14 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Mon, 12 Mar 2007 16:52:14 +0100
Subject: [Help-gnutls] Re: Error making certificate
In-Reply-To: <1173712924.5591.23.camel@localhost.localdomain> (devel's message of "Mon\, 12 Mar 2007 15\:22\:04 +0000")
References: <1173701185.5591.9.camel@localhost.localdomain> <877itmhby1.fsf@mocca.josefsson.org> <1173712924.5591.23.camel@localhost.localdomain>
Message-ID: <873b4afoi9.fsf@mocca.josefsson.org>

devel writes:

> certtool (GnuTLS) 1.6.1
> linux x64
>
>
>> certtool -q --outfile new-user.csr
> Certificate request data input in a shell, certtool ask for it.

Thanks!  I can reproduce it.  It seems pkix_asn1_tab.c wasn't
re-generated after fixing the following problem in 1.6.1:

** Encode UID fields in DN's as DirectoryString.  Before GnuTLS
encoded and parsed UID fields as IA5String.  This was incorrect, it
should have used DirectoryString.  Now it will use DirectoryString
for the UID field, but for backwards compatibility it will also
accept IA5String UID's.  Reported by Max Kellermann .

I have fixed this in CVS for the 1.6.x branch:

** Regenerate the PKIX ASN.1 syntax tree.  For some reason, after
changing the ASN.1 type of ldap-UID in the last release, the
generated C file built from the ASN.1 schema was not refreshed.  This
can cause problems when reading/writing UID components inside X.500
Distinguished Names.  Reported by devel .

Please test tomorrow's daily build and tell me if it solves the
problem for you, and I can release 1.6.2.

Btw, if anyone wants something in 1.6.2, now would be the time to ask
for it.

/Simon

>
>
>
>
> On Mon, 12-03-2007 at 13:40 +0100, Simon Josefsson wrote:
>> devel writes:
>>
>> > Hello, I am trying to use certtool to make certificate, like another
>> > times.
>> > But this time, with another version of gnutls and other arch, my script
>> > do not work. Here is the problem:
>> >
>> >
>> >> certtool -p > new-user.key
>> >
>> > Work
>> >> certtool -q --outfile new-user.csr --load-privkey new-user.key --password $PASS
>> >
>> > fail, response of system after input parameters:
>> >
>> >> set_dn: ASN1 parser: Element was not found.
>> >
>> > Any suggestion?
>>
>> Can you send me the CSR that trigger the problem?  Which version of
>> GnuTLS are you using, and which version of GnuTLS worked before for
>> you?
>>
>> It sounds as if the CSR doesn't contain some field which certtool need
>> to have.
>>
>> /Simon
> --
> --
> Devel in Precio http://www.pas-world.com

From fweimer at bfk.de Wed Mar 14 11:03:31 2007
From: fweimer at bfk.de (Florian Weimer)
Date: Wed, 14 Mar 2007 11:03:31 +0100
Subject: [Help-gnutls] gnutls_x509_crt_set_version documentation suggestion
Message-ID: <82r6rsqgzw.fsf@mid.bfk.de>

It might be a good idea to add the following information to the
documentation for gnutls_x509_crt_set_version:

  To create well-formed certificates, you must specify version 3 if
  you use any certificate extensions.
  Extensions are created by
  functions such as gnutls_x509_crt_set_subject_alternative_name or
  gnutls_x509_crt_set_key_usage.

(I don't know if GNUTLS supports the v2 extensions.)

GNUTLS doesn't check if a v1 certificate contains any extensions, but
other X.509 implementations do.  If you ever run into the "no more
data allowed for version 1 certificate" error message (or,
alternatively, "java.lang.Object cannot be cast to
gnu.java.security.OID"), you know where to look.

--
Florian Weimer
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

From dev001 at pas-world.com Wed Mar 14 19:45:38 2007
From: dev001 at pas-world.com (devel)
Date: Wed, 14 Mar 2007 18:45:38 +0000
Subject: [Help-gnutls] Re: Error making certificate
In-Reply-To: <873b4afoi9.fsf@mocca.josefsson.org>
References: <1173701185.5591.9.camel@localhost.localdomain> <877itmhby1.fsf@mocca.josefsson.org> <1173712924.5591.23.camel@localhost.localdomain> <873b4afoi9.fsf@mocca.josefsson.org>
Message-ID: <1173897938.11282.5.camel@localhost.localdomain>

Where I can find 1.6.2 ?

On Mon, 12-03-2007 at 16:52 +0100, Simon Josefsson wrote:
> devel writes:
>
> > certtool (GnuTLS) 1.6.1
> > linux x64
> >
> >
> >> certtool -q --outfile new-user.csr
> > Certificate request data input in a shell, certtool ask for it.
>
> Thanks!  I can reproduce it.  It seems pkix_asn1_tab.c wasn't
> re-generated after fixing the following problem in 1.6.1:
>
> ** Encode UID fields in DN's as DirectoryString.  Before GnuTLS
> encoded and parsed UID fields as IA5String.  This was incorrect, it
> should have used DirectoryString.  Now it will use DirectoryString
> for the UID field, but for backwards compatibility it will also
> accept IA5String UID's.  Reported by Max Kellermann
> .
>
> I have fixed this in CVS for the 1.6.x branch:
>
> ** Regenerate the PKIX ASN.1 syntax tree.
> For some reason, after
> changing the ASN.1 type of ldap-UID in the last release, the
> generated C file built from the ASN.1 schema was not refreshed.  This
> can cause problems when reading/writing UID components inside X.500
> Distinguished Names.  Reported by devel .
>
> Please test tomorrow's daily build and tell me if it solves the
> problem for you, and I can release 1.6.2.
>
> Btw, if anyone wants something in 1.6.2, now would be the time to ask
> for it.
>
> /Simon
>
> >
> >
> >
> >
> > On Mon, 12-03-2007 at 13:40 +0100, Simon Josefsson wrote:
> >> devel writes:
> >>
> >> > Hello, I am trying to use certtool to make certificate, like another
> >> > times.
> >> > But this time, with another version of gnutls and other arch, my script
> >> > do not work. Here is the problem:
> >> >
> >> >
> >> >> certtool -p > new-user.key
> >> >
> >> > Work
> >> >> certtool -q --outfile new-user.csr --load-privkey new-user.key --password $PASS
> >> >
> >> > fail, response of system after input parameters:
> >> >
> >> >> set_dn: ASN1 parser: Element was not found.
> >> >
> >> > Any suggestion?
> >>
> >> Can you send me the CSR that trigger the problem?  Which version of
> >> GnuTLS are you using, and which version of GnuTLS worked before for
> >> you?
> >>
> >> It sounds as if the CSR doesn't contain some field which certtool need
> >> to have.
> >>
> >> /Simon
> > --
> > --
> > Devel in Precio http://www.pas-world.com
--
--
Devel in Precio http://www.pas-world.com

From m at tthias.eu Wed Mar 14 20:26:02 2007
From: m at tthias.eu (Matthias Wimmer)
Date: Wed, 14 Mar 2007 20:26:02 +0100
Subject: [Help-gnutls] Certificate verification when using OpenPGP certificates
Message-ID: <45F84C4A.4010408@tthias.eu>

Hi!

Is there any example or documentation how to do certificate
verification, if the peer used an OpenPGP key to authenticate? The
OpenPGP example distributed with GnuTLS (ex-serv-pgp.c) does not do
any verification.

I guess that I have to use gnutls_certificate_verify_peers2() first
and if that succeeds, all that is left to do is to check if the
OpenPGP key contains one ID that matches what I expect the peer to be.
Do I have to check anything else? E.g. expiration of the key (as I
would have to do with X.509 certificates, but there does not seem to
be a function for that) or the self signature of the key (I'd expect
that this might already been done by
gnutls_certificate_verify_peers2())?


Matthias

From m at tthias.eu Wed Mar 14 20:28:17 2007
From: m at tthias.eu (Matthias Wimmer)
Date: Wed, 14 Mar 2007 20:28:17 +0100
Subject: [Help-gnutls] Certificate verification when using OpenPGP certificates
Message-ID: <45F84CD1.3070707@tthias.eu>

Hi!

Is there any example or documentation how to do certificate
verification, if the peer used an OpenPGP key to authenticate? The
OpenPGP example distributed with GnuTLS (ex-serv-pgp.c) does not do
any verification.

I guess that I have to use gnutls_certificate_verify_peers2() first
and if that succeeds, all that is left to do is to check if the
OpenPGP key contains one ID that matches what I expect the peer to be.
Do I have to check anything else? E.g. expiration of the key (as I
would have to do with X.509 certificates, but there does not seem to
be a function for that) or the self signature of the key (I'd expect
that this might already been done by
gnutls_certificate_verify_peers2())?


Matthias

From simon at josefsson.org Thu Mar 15 12:18:55 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 15 Mar 2007 12:18:55 +0100
Subject: [Help-gnutls] Re: Error making certificate
In-Reply-To: <1173897938.11282.5.camel@localhost.localdomain> (devel's message of "Wed\, 14 Mar 2007 18\:45\:38 +0000")
References: <1173701185.5591.9.camel@localhost.localdomain> <877itmhby1.fsf@mocca.josefsson.org> <1173712924.5591.23.camel@localhost.localdomain> <873b4afoi9.fsf@mocca.josefsson.org> <1173897938.11282.5.camel@localhost.localdomain>
Message-ID: <8764923gbk.fsf@mocca.josefsson.org>

devel writes:

> Where I can find 1.6.2 ?

Try the daily build first:

http://josefsson.org/daily/gnutls-1.6/gnutls-1.6-20070315.tar.gz

If it works for you, I'll release it as 1.6.2.

Thanks,
Simon

>
> On Mon, 12-03-2007 at 16:52 +0100, Simon Josefsson wrote:
>> devel writes:
>>
>> > certtool (GnuTLS) 1.6.1
>> > linux x64
>> >
>> >
>> >> certtool -q --outfile new-user.csr
>> > Certificate request data input in a shell, certtool ask for it.
>>
>> Thanks!  I can reproduce it.  It seems pkix_asn1_tab.c wasn't
>> re-generated after fixing the following problem in 1.6.1:
>>
>> ** Encode UID fields in DN's as DirectoryString.  Before GnuTLS
>> encoded and parsed UID fields as IA5String.  This was incorrect, it
>> should have used DirectoryString.  Now it will use DirectoryString
>> for the UID field, but for backwards compatibility it will also
>> accept IA5String UID's.  Reported by Max Kellermann
>> .
>>
>> I have fixed this in CVS for the 1.6.x branch:
>>
>> ** Regenerate the PKIX ASN.1 syntax tree.  For some reason, after
>> changing the ASN.1 type of ldap-UID in the last release, the
>> generated C file built from the ASN.1 schema was not refreshed.  This
>> can cause problems when reading/writing UID components inside X.500
>> Distinguished Names.  Reported by devel .
>>
>> Please test tomorrow's daily build and tell me if it solves the
>> problem for you, and I can release 1.6.2.
>>
>> Btw, if anyone wants something in 1.6.2, now would be the time to ask
>> for it.
>>
>> /Simon
>>
>> >
>> >
>> >
>> >
>> > On Mon, 12-03-2007 at 13:40 +0100, Simon Josefsson wrote:
>> >> devel writes:
>> >>
>> >> > Hello, I am trying to use certtool to make certificate, like another
>> >> > times.
>> >> > But this time, with another version of gnutls and other arch, my script
>> >> > do not work. Here is the problem:
>> >> >
>> >> >
>> >> >> certtool -p > new-user.key
>> >> >
>> >> > Work
>> >> >> certtool -q --outfile new-user.csr --load-privkey new-user.key --password $PASS
>> >> >
>> >> > fail, response of system after input parameters:
>> >> >
>> >> >> set_dn: ASN1 parser: Element was not found.
>> >> >
>> >> > Any suggestion?
>> >>
>> >> Can you send me the CSR that trigger the problem?  Which version of
>> >> GnuTLS are you using, and which version of GnuTLS worked before for
>> >> you?
>> >>
>> >> It sounds as if the CSR doesn't contain some field which certtool need
>> >> to have.
>> >>
>> >> /Simon
>> > --
>> > --
>> > Devel in Precio http://www.pas-world.com
> --
> --
> Devel in Precio http://www.pas-world.com

From simon at josefsson.org Thu Mar 15 12:29:58 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 15 Mar 2007 12:29:58 +0100
Subject: [Help-gnutls] Re: gnutls_x509_crt_set_version documentation suggestion
In-Reply-To: <82r6rsqgzw.fsf@mid.bfk.de> (Florian Weimer's message of "Wed\, 14 Mar 2007 11\:03\:31 +0100")
References: <82r6rsqgzw.fsf@mid.bfk.de>
Message-ID: <87y7ly218p.fsf@mocca.josefsson.org>

Florian Weimer writes:

> It might be a good idea to add the following information to the
> documentation for gnutls_x509_crt_set_version:
>
>   To create well-formed certificates, you must specify version 3 if
>   you use any certificate extensions.  Extensions are created by
>   functions such as gnutls_x509_crt_set_subject_alternative_name or
>   gnutls_x509_crt_set_key_usage.

Added.

> (I don't know if GNUTLS supports the v2 extensions.)

I'm not familiar with v2 certificates...  It might be possible to
create them using the GnuTLS API's.

> GNUTLS doesn't check if a v1 certificate contains any extensions, but
> other X.509 implementations do.

I've added checking this to the TODO list:

- Chain verifications.
...
- Reject extensions in v1 certificates.

/Simon

From simon at josefsson.org Thu Mar 15 12:40:49 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 15 Mar 2007 12:40:49 +0100
Subject: [Help-gnutls] Re: Certificate verification when using OpenPGP certificates
In-Reply-To: <45F84C4A.4010408@tthias.eu> (Matthias Wimmer's message of "Wed\, 14 Mar 2007 20\:26\:02 +0100")
References: <45F84C4A.4010408@tthias.eu>
Message-ID: <87r6rq20qm.fsf@mocca.josefsson.org>

Matthias Wimmer writes:

> Hi!
>
> Is there any example or documentation how to do certificate
> verification, if the peer used an OpenPGP key to authenticate? The
> OpenPGP example distributed with GnuTLS (ex-serv-pgp.c) does not do
> any verification.
>
> I guess that I have to use gnutls_certificate_verify_peers2() first
> and if that succeeds, all that is left to do is to check if the
> OpenPGP key contains one ID that matches what I expect the peer to be.
> Do I have to check anything else? E.g. expiration of the key (as I
> would have to do with X.509 certificates, but there does not seem to
> be a function for that) or the self signature of the key (I'd expect
> that this might already been done by
> gnutls_certificate_verify_peers2())?

I don't really know.  The draft-ietf-tls-openpgp-keys-11.txt document
says:

   Considerations about the use of the web of trust or identity and
   certificate verification procedure are outside the scope of this
   document.  These are considered issues to be handled by the
   application layer protocols.

So it doesn't give much guidance.

gnutls_certificate_verify_peers2, via _gnutls_openpgp_verify_key, does
check signatures against keyring/trustdb, and self signature, but
nothing else as far as I can tell.

The code for gnutls-serv, see print_openpgp_info src/common.c,
suggests several checks.

Identity check:

      if (gnutls_openpgp_key_check_hostname (crt, hostname) == 0)
        {
          printf (" # The hostname in the key does NOT match '%s'.\n",
                  hostname);
        }
      else
        {
          printf (" # The hostname in the key matches '%s'.\n", hostname);
        }

Expiration check:

      activet = gnutls_openpgp_key_get_creation_time (crt);
      expiret = gnutls_openpgp_key_get_expiration_time (crt);

      printf (" # Key was created at: %s", my_ctime (&activet));
      printf (" # Key expires: ");
      if (expiret != 0)
        printf ("%s", my_ctime (&expiret));
      else
        printf ("Never\n");

Possibly we could add an API to GnuTLS to check these things too.  It
seems error prone that every application need to do the same kind of
checks.  Maybe even gnutls_certificate_verify_peers2 should do this.

/Simon

From dev001 at pas-world.com Thu Mar 15 22:32:09 2007
From: dev001 at pas-world.com (devel)
Date: Thu, 15 Mar 2007 21:32:09 +0000
Subject: [Help-gnutls] Re: Error making certificate
In-Reply-To: <8764923gbk.fsf@mocca.josefsson.org>
References: <1173701185.5591.9.camel@localhost.localdomain> <877itmhby1.fsf@mocca.josefsson.org> <1173712924.5591.23.camel@localhost.localdomain> <873b4afoi9.fsf@mocca.josefsson.org> <1173897938.11282.5.camel@localhost.localdomain> <8764923gbk.fsf@mocca.josefsson.org>
Message-ID: <1173994329.16240.7.camel@localhost.localdomain>

Well, now seems to work. -> Key, csr, crt, .p12

But I can not import client certificates in any mail client.
Import .p12 without any problem, and CA certificate, but I can not see
the client certificate to sign mail, client certificate, and encryption
certificate to select it.

The test scripts:

To make CA
> certtool -p --bits 2048 > ca.key
> echo "Key ready / Llave generada"
>
> # Use --load-request or --infile ?
> certtool -s --outfile ca.crt --load-privkey ca.key
> echo "CA Generated / Peticion de certificado generada"
> certtool -i --infile ca.crt
>
>

To make client:
> PASS="gnutls"
> certtool -p > new-user.key
> #echo "Client Key Ready"
>
> # Use --load-request or --infile ?
>
> certtool -q --outfile new-user.csr --load-privkey new-user.key --password $PASS
> echo "CSR Ready"
>
> certtool -q --outfile new-user.csr --to-p12 --load-privkey new-user.key --password $PASS
>
> certtool -c --load-request new-user.csr --outfile new-user.crt --load-ca-certificate ca.crt --load-ca-privkey ca.key --load-privkey new-user.key --password $PASS
> echo "CRT Ready"
>
> certtool --load-certificate new-user.crt --load-privkey new-user.key --to-p12 --outder --outfile new-user2.p12
> echo "P12 Ready"
>
> certtool --p12-info --infile new-user.p12 --inder --password $PASS

Anyone works with mail sign certificate in any mail client?

On Thu, 15-03-2007 at 12:18 +0100, Simon Josefsson wrote:
> devel writes:
>
> > Where I can find 1.6.2 ?
>
> Try the daily build first:
>
> http://josefsson.org/daily/gnutls-1.6/gnutls-1.6-20070315.tar.gz
>
> If it works for you, I'll release it as 1.6.2.
>
> Thanks,
> Simon
>
> >
> > On Mon, 12-03-2007 at 16:52 +0100, Simon Josefsson wrote:
> >> devel writes:
> >>
> >> > certtool (GnuTLS) 1.6.1
> >> > linux x64
> >> >
> >> >
> >> >> certtool -q --outfile new-user.csr
> >> > Certificate request data input in a shell, certtool ask for it.
> >>
> >> Thanks!  I can reproduce it.  It seems pkix_asn1_tab.c wasn't
> >> re-generated after fixing the following problem in 1.6.1:
> >>
> >> ** Encode UID fields in DN's as DirectoryString.  Before GnuTLS
> >> encoded and parsed UID fields as IA5String.  This was incorrect, it
> >> should have used DirectoryString.  Now it will use DirectoryString
> >> for the UID field, but for backwards compatibility it will also
> >> accept IA5String UID's.  Reported by Max Kellermann
> >> .
> >>
> >> I have fixed this in CVS for the 1.6.x branch:
> >>
> >> ** Regenerate the PKIX ASN.1 syntax tree.  For some reason, after
> >> changing the ASN.1 type of ldap-UID in the last release, the
> >> generated C file built from the ASN.1 schema was not refreshed.  This
> >> can cause problems when reading/writing UID components inside X.500
> >> Distinguished Names.  Reported by devel .
> >>
> >> Please test tomorrow's daily build and tell me if it solves the
> >> problem for you, and I can release 1.6.2.
> >>
> >> Btw, if anyone wants something in 1.6.2, now would be the time to ask
> >> for it.
> >>
> >> /Simon
> >>
> >> >
> >> >
> >> >
> >> >
> >> > On Mon, 12-03-2007 at 13:40 +0100, Simon Josefsson wrote:
> >> >> devel writes:
> >> >>
> >> >> > Hello, I am trying to use certtool to make certificate, like another
> >> >> > times.
> >> >> > But this time, with another version of gnutls and other arch, my script
> >> >> > do not work. Here is the problem:
> >> >> >
> >> >> >
> >> >> >> certtool -p > new-user.key
> >> >> >
> >> >> > Work
> >> >> >> certtool -q --outfile new-user.csr --load-privkey new-user.key --password $PASS
> >> >> >
> >> >> > fail, response of system after input parameters:
> >> >> >
> >> >> >> set_dn: ASN1 parser: Element was not found.
> >> >> >
> >> >> > Any suggestion?
> >> >>
> >> >> Can you send me the CSR that trigger the problem?  Which version of
> >> >> GnuTLS are you using, and which version of GnuTLS worked before for
> >> >> you?
> >> >>
> >> >> It sounds as if the CSR doesn't contain some field which certtool need
> >> >> to have.
> >> >>
> >> >> /Simon
> >> > --
> >> > --
> >> > Devel in Precio http://www.pas-world.com
> > --
> > --
> > Devel in Precio http://www.pas-world.com
--
--
Devel in Precio http://www.pas-world.com

From vsteiss at web.de Mon Mar 19 01:15:19 2007
From: vsteiss at web.de (Volker Steiß)
Date: Mon, 19 Mar 2007 01:15:19 +0100
Subject: [Help-gnutls] verify signed data
Message-ID: <893140447@web.de>

Hello everybody,

I am on a project using public-private-key methods and just tried using GnuTLS for this.
I am stuck at this point and hope someone can help me out:
First I created a public private key (it's long ago, so I can't tell you how I did it exactly).
I have created a signature with gnutls_x509_privkey_sign_data(PRIV_KEY), converted it to readable text with gnutls_hex_encode() and stored the result (Data + Signature) into a file.
Now I want to verify the created data: I read the data and the signature, decode the signature with gnutls_hex_decode() and try to verify it with gnutls_x509_privkey_verify_data(PUB_KEY). But here I get return code 0, which means no success.

Verification overview:
>>>> - somecode
init_gnutls ()
...
gnutls_hex_decode (&temp, signature.data, &signature.size)
...
gnutls_x509_privkey_init (&key)
gnutls_x509_privkey_import (key, &key_datum, GNUTLS_X509_FMT_PEM)
result = gnutls_x509_privkey_verify_data (key, flags, &uid, &signature)
//result = 0
...
<<<< - end of somecode


Btw: What I realize at "gnutls_hex_decode (&temp, signature.data, &signature.size)" is that temp.size is 512 bytes and signature.size also is 512. Am I wrong when I say: It should be smaller after decoding?

Thanks in advance and Regards
Volker
_____________________________________________________________________
The WEB.DE SmartSurfer helps save up to 70% of your online costs!
http://smartsurfer.web.de/?mc=100071&distributionid=000000000066

From simon at josefsson.org Mon Mar 19 10:03:43 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Mon, 19 Mar 2007 10:03:43 +0100
Subject: [Help-gnutls] Re: verify signed data
In-Reply-To: <893140447@web.de> ("Volker Steiß"'s message of "Mon\, 19 Mar 2007 01\:15\:19 +0100")
References: <893140447@web.de>
Message-ID: <87aby9wqog.fsf@mocca.josefsson.org>

Volker Steiß writes:

> Hello everybody,
>
> I am on a project using public-private-key methods and just tried using GnuTLS for this.
> I am stuck at this point and hope someone can help me out:
> First I created a public private key (it's long ago, so I can't tell you how I did it exactly).
> I have created a signature with gnutls_x509_privkey_sign_data(PRIV_KEY), converted it to readable text with gnutls_hex_encode() and stored the result (Data + Signature) into a file.
> Now I want to verify the created data: I read the data and the signature, decode the signature with gnutls_hex_decode() and try to verify it with gnutls_x509_privkey_verify_data(PUB_KEY). But here I get return code 0, which means no success.
>
> Verification overview:
> >>>> - somecode
> init_gnutls ()
> ...
> gnutls_hex_decode (&temp, signature.data, &signature.size)
> ...
> gnutls_x509_privkey_init (&key)
> gnutls_x509_privkey_import (key, &key_datum, GNUTLS_X509_FMT_PEM)
> result = gnutls_x509_privkey_verify_data (key, flags, &uid, &signature)
> //result = 0
> ...
> <<<< - end of somecode
>
>
> Btw: What I realize at "gnutls_hex_decode (&temp, signature.data, &signature.size)" is that temp.size is 512 bytes and signature.size also is 512. Am I wrong when I say: It should be smaller after decoding?

Did you check errors from all functions? Hex decoding a 512 byte string should not give another 512 byte string. Did you allocate a signature.data buffer before calling gnutls_hex_decode?
Btw, if you aren't sure that you must use these functions, you probably want to use a higher-layer message signature format instead of low-level sign/verify primitives. Standard formats for this are OpenPGP (try GnuPG) and CMS/SMIME (try gpgsm).

/Simon

From vsteiss at web.de Mon Mar 19 16:50:19 2007
From: vsteiss at web.de (vsteiss at web.de)
Date: Mon, 19 Mar 2007 16:50:19 +0100
Subject: [Help-gnutls] Re: verify signed data [solved]
Message-ID: <894049683@web.de>

> -----Original Message-----
> From: Simon Josefsson
> Sent: 19.03.07 10:03:57
> To: Volker Steiß
> CC: help-gnutls at gnu.org
> Subject: Re: verify signed data

> Volker Steiß writes:
>
> > Hello everybody,
> >
> > I am on a project using public-private-key methods and just tried using GnuTLS for this.
> > I am stuck at this point and hope someone can help me out:
> > First I created a public private key (it's long ago, so I can't tell you how I did it exactly).
> > I have created a signature with gnutls_x509_privkey_sign_data(PRIV_KEY), converted it to readable text with gnutls_hex_encode() and stored the result (Data + Signature) into a file.
> > Now I want to verify the created data: I read the data and the signature, decode the signature with gnutls_hex_decode() and try to verify it with gnutls_x509_privkey_verify_data(PUB_KEY). But here I get return code 0, which means no success.
> >
> > Verification overview:
> > >>>> - somecode
> > init_gnutls ()
> > ...
> > gnutls_hex_decode (&temp, signature.data, &signature.size)
> > ...
> > gnutls_x509_privkey_init (&key)
> > gnutls_x509_privkey_import (key, &key_datum, GNUTLS_X509_FMT_PEM)
> > result = gnutls_x509_privkey_verify_data (key, flags, &uid, &signature)
> > //result = 0
> > ...
> > <<<< - end of somecode
> >
> >
> > Btw: What I realize at "gnutls_hex_decode (&temp, signature.data, &signature.size)" is that temp.size is 512 bytes and signature.size also is 512. Am I wrong when I say: It should be smaller after decoding?
>
> Did you check errors from all functions? Hex decoding a 512 byte
> string should not give another 512 byte string. Did you allocate a
> signature.data buffer before calling gnutls_hex_decode?
>
> Btw, if you aren't sure that you must use these functions, you
> probably want to use a higher-layer message signature format instead
> of low-level sign/verify primitives. Standard formats for this are
> OpenPGP (try GnuPG) and CMS/SMIME (try gpgsm).
>
> /Simon
>

Thanks for the reply,

I just found out that neither gnutls_hex_decode() nor gnutls_hex_encode() reset the result_size. My workaround for now is to set the size after encoding or decoding to the correct value.

Cheers
Volker

From dev001 at pas-world.com Mon Mar 19 19:05:04 2007
From: dev001 at pas-world.com (devel)
Date: Mon, 19 Mar 2007 18:05:04 +0000
Subject: [Help-gnutls] Re: Error making certificate [solved]
In-Reply-To: <1173994329.16240.7.camel@localhost.localdomain>
References: <1173701185.5591.9.camel@localhost.localdomain> <877itmhby1.fsf@mocca.josefsson.org> <1173712924.5591.23.camel@localhost.localdomain> <873b4afoi9.fsf@mocca.josefsson.org> <1173897938.11282.5.camel@localhost.localdomain> <8764923gbk.fsf@mocca.josefsson.org> <1173994329.16240.7.camel@localhost.localdomain>
Message-ID: <1174327504.4399.6.camel@localhost.localdomain>

On Thu, 15-03-2007 at 21:32 +0000, devel wrote:
> > certtool -p --bits 2048 > ca.key

> Does anyone work with mail signing certificates in any mail client?

Response:
Email clients do not support CA with 2048, only 1024.

Thanks.
--
--
Devel in Precio http://www.pas-world.com

From simon at josefsson.org Sun Mar 25 07:20:37 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Sun, 25 Mar 2007 07:20:37 +0200
Subject: [Help-gnutls] Re: GnuTLS and Google Summer of Code 2007
In-Reply-To: <87irdgp2e1.fsf@latte.josefsson.org> (Simon Josefsson's message of "Mon\, 05 Mar 2007 08\:37\:10 +0100")
References: <87irdgp2e1.fsf@latte.josefsson.org>
Message-ID: <874po9lx0a.fsf@mocca.josefsson.org>

Hi! The deadline for student applications for the Google Summer of Code is tomorrow. So if you have a GnuTLS idea that you want to implement, and want to get paid for it, now would be a good time to write and send in proposals...

Note that you don't have to pick one of the projects below, they are just ideas. Explain your idea well and the GNU mentors will review it.

/Simon

Simon Josefsson writes:

> Hi! GnuTLS will try to participate in the Google Summer of Code, see:
>
> http://www.gnu.org/software/soc-projects/guidelines.html
> http://code.google.com/soc/
>
> Right now we are collecting ideas for projects, the ideas from 2006
> are :
>
> 1. Datagram TLS support. RFC 4347 describes a UDP version of TLS.
>
> 2. Support for the elliptic curves ciphersuites as an alternative
>    authentication method.
>
>    comment: I think I saw some patches for libgcrypt about this
>    quite recently, which could be a basis for this work.
>
> 3. Redesign and rewrite libtasn1 (asn.1 parser library). The new
>    implementation must be efficient and easy to extend with new
>    types and encoding rules (say BER and DER).
>
> 4. Write a crypto backend to perform (symmetric and asymmetric
>    de/encryption, hash and MAC, key generation, random number
>    generation). It should be able to utilize libgcrypt and other
>    free libraries, such as libtomcrypt, and should be extendable
>    for hardware drivers.
>
> I can immediately add some ideas:
>
> 5.
Work on integrating support for some of the newer TLS
>    extensions, which can include better TLS 1.2 support.
>
> 6. Integrate the NIST X.509 self-tests and make sure we pass them.
>    This could be an important step for FIPS certification of
>    GnuTLS.
>
> 7. OpenPGP related improvements?
>
> I'd appreciate suggestions for other ideas that might attract good
> people.
>
> If you want to propose something and work on it as a student, let me
> know.
>
> /Simon

From lasse-private-2007 at plastictree.net Tue Mar 27 12:24:22 2007
From: lasse-private-2007 at plastictree.net (Lasse Kliemann)
Date: Tue, 27 Mar 2007 12:24:22 +0200
Subject: [Help-gnutls] virtual hosting with gnutls-serv?
Message-ID: <20070327102422.GF2731@enterprise.starfleet>

Greetings,

RFC 4346 (and 4366) allows virtual hosting with HTTPS via the extension described in Section 3.1. Is there any way to use this feature with gnutls-serv, i.e., serving multiple hosts on one IP address with gnutls-serv?

If not yet, is there any such feature planned? Or could you recommend an alternative web server which does have this feature implemented already? I understand that there exists mod_gnutls for Apache, but on its homepage there is a big fat warning not to use it for production.

Thanks for any advice,
Lasse

From simon at josefsson.org Tue Mar 27 16:18:48 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Tue, 27 Mar 2007 16:18:48 +0200
Subject: [Help-gnutls] Re: virtual hosting with gnutls-serv?
In-Reply-To: <20070327102422.GF2731@enterprise.starfleet> (Lasse Kliemann's message of "Tue\, 27 Mar 2007 12\:24\:22 +0200")
References: <20070327102422.GF2731@enterprise.starfleet>
Message-ID: <87r6razs53.fsf@mocca.josefsson.org>

Lasse Kliemann writes:

> Greetings,
>
> RFC 4346 (and 4366) allows virtual hosting with HTTPS via the extension
> described in Section 3.1. Is there any way to use this feature with
> gnutls-serv, i.e., serving multiple hosts on one IP address with gnutls-serv?
>
> If not yet, is there any such feature planned? Or could you recommend an
> alternative web server which does have this feature implemented already? I
> understand that there exists mod_gnutls for Apache, but on its homepage there
> is a big fat warning not to use it for production.

Hi! As you probably noticed, gnutls-serv is not a typical web server, but it does "support" server_name: if the client provides a server name indication, it will be displayed on the generated HTTP output.

The limitation with gnutls-serv is that its HTTP output is rather fixed, it can't show HTML from files. If you want to hack on gnutls-serv, you could build a simple web server out of it, but it really wasn't designed for that kind of use and I wouldn't recommend this except as a learning experiment.

I know that Nikos worked on Hydra:

http://hydra.hellug.gr/

Hydra supports virtual hosting, however Hydra is not actively maintained any more.

Getting mod_gnutls running would be a really cool thing, so maybe you'd like to tinker with it and see if it works. It may be easier to get it to work than to get Hydra to work... at least you'll be building on the stability of the rest of Apache.

If you hurry, you could submit a Google Summer of Code project to work on mod_gnutls, I'll mentor it! :) (The GSOC deadline was extended until today.) Working on mod_gnutls is something I've wanted to do for some time, but have had paying work that has had priority.

/Simon

From simon at josefsson.org Tue Mar 27 16:28:40 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Tue, 27 Mar 2007 16:28:40 +0200
Subject: [Help-gnutls] Re: virtual hosting with gnutls-serv?
In-Reply-To: <87r6razs53.fsf@mocca.josefsson.org> (Simon Josefsson's message of "Tue\, 27 Mar 2007 16\:18\:48 +0200")
References: <20070327102422.GF2731@enterprise.starfleet> <87r6razs53.fsf@mocca.josefsson.org>
Message-ID: <87lkhizron.fsf@mocca.josefsson.org>

I searched a little, and found Cherokee:

http://www.cherokee-project.com/

There are Debian packages for it, and it seems to be using GnuTLS.

I don't know if it supports HTTPS virtual hosting. You could search the source for 'gnutls_server_name_get'.

/Simon

From lasse-private-2007 at plastictree.net Tue Mar 27 18:49:19 2007
From: lasse-private-2007 at plastictree.net (Lasse Kliemann)
Date: Tue, 27 Mar 2007 18:49:19 +0200
Subject: [Help-gnutls] Re: virtual hosting with gnutls-serv?
In-Reply-To: <87lkhizron.fsf@mocca.josefsson.org>
References: <20070327102422.GF2731@enterprise.starfleet> <87r6razs53.fsf@mocca.josefsson.org> <87lkhizron.fsf@mocca.josefsson.org>
Message-ID: <20070327164919.GA8747@enterprise.starfleet>

* Simon Josefsson writes:
> I searched a little, and found Cherokee:
>
> http://www.cherokee-project.com/
>
> There are Debian packages for it, and it seems to be using GnuTLS.
>
> I don't know if it supports HTTPS virtual hosting. You could search
> the source for 'gnutls_server_name_get'.

It does not look good.

I gave it a try though, and it is promising that one obviously is allowed to use SSLCertificateFile and friends inside of a virtual host definition. However, the server seems to always use the certificate of the default server, meaning that it serves files from the DocumentRoot given in the virtual host definition, but with the wrong host key.

I could not get the SVN version running due to autoconf errors.

Hydra is next, however the comments on its homepage are not too promising.

Lasse

From simon at josefsson.org Tue Mar 27 19:14:22 2007
From: simon at josefsson.org (Simon Josefsson)
Date: Tue, 27 Mar 2007 19:14:22 +0200
Subject: [Help-gnutls] Re: virtual hosting with gnutls-serv?
In-Reply-To: <20070327164919.GA8747@enterprise.starfleet> (Lasse Kliemann's message of "Tue\, 27 Mar 2007 18\:49\:19 +0200")
References: <20070327102422.GF2731@enterprise.starfleet> <87r6razs53.fsf@mocca.josefsson.org> <87lkhizron.fsf@mocca.josefsson.org> <20070327164919.GA8747@enterprise.starfleet>
Message-ID: <87wt12wqvl.fsf@mocca.josefsson.org>

"Lasse Kliemann" writes:

> * Simon Josefsson writes:
>> I searched a little, and found Cherokee:
>>
>> http://www.cherokee-project.com/
>>
>> There are Debian packages for it, and it seems to be using GnuTLS.
>>
>> I don't know if it supports HTTPS virtual hosting. You could search
>> the source for 'gnutls_server_name_get'.
>
> It does not look good.
>
> I gave it a try though, and it is promising that one obviously is
> allowed to use SSLCertificateFile and friends inside of a virtual
> host definition. However, the server seems to always use the
> certificate of the default server, meaning that it serves files
> from the DocumentRoot given in the virtual host definition, but
> with the wrong host key.
>
> I could not get the SVN version running due to autoconf errors.

Ok. Good to know.

> Hydra is next, however the comments on its homepage are not too
> promising.

Let us know how it works.

Investigating how well mod_gnutls works would also be quite good. I haven't built/tested it because I haven't my own apache build running, and I'm not that familiar with apache... Perhaps you'd like to do it.
:)

/Simon

From lasse-private-2007 at plastictree.net Wed Mar 28 11:16:00 2007
From: lasse-private-2007 at plastictree.net (Lasse Kliemann)
Date: Wed, 28 Mar 2007 11:16:00 +0200
Subject: [Help-gnutls] Re: virtual hosting with gnutls-serv?
In-Reply-To: <87wt12wqvl.fsf@mocca.josefsson.org>
References: <20070327102422.GF2731@enterprise.starfleet> <87r6razs53.fsf@mocca.josefsson.org> <87lkhizron.fsf@mocca.josefsson.org> <20070327164919.GA8747@enterprise.starfleet> <87wt12wqvl.fsf@mocca.josefsson.org>
Message-ID: <20070328091600.GB2651@enterprise.starfleet>

* Simon Josefsson writes:
> "Lasse Kliemann" writes:
>
> > * Simon Josefsson writes:
> >> I searched a little, and found Cherokee:
> >>
> >> http://www.cherokee-project.com/
> >>
> >> There are Debian packages for it, and it seems to be using GnuTLS.
> >>
> >> I don't know if it supports HTTPS virtual hosting. You could search
> >> the source for 'gnutls_server_name_get'.

[...]

> > Hydra is next, however the comments on its homepage are not too
> > promising.
>
> Let us know how it works.

'gnutls_server_name_get' occurs once in the source, in a file called cgi_ssl.c. I do not think that this is what I am looking for. The manual page does not mention encryption at all.

> Investigating how well mod_gnutls works would also be quite good. I
> haven't built/tested it because I haven't my own apache build running,
> and I'm not that familiar with apache... Perhaps you'd like to do
> it. :)

I do not like Apache because of its code size and complexity. In fact, I got by completely without it until now. I used UCSPI implementations and the Fnord web server instead.

If mod_gnutls was released for production use by its author, I would take it as a good reason to ditch my aversion against Apache. But it is not. Even if it works, I will feel uneasy with it, because its author says that one should not use it if one "truly cares about making the web server secure".

I wrote to the Cherokee mailing list today describing my experiences from yesterday. Maybe something can be done there. Otherwise I will code my own UCSPI-like implementation some day.

Lasse
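
The server_name extension this thread turns on (RFC 4366, Section 3.1), as an added example that is not part of any message above and is not code from GnuTLS, Cherokee or Hydra: a bounds-checked parser that reads the host name from a ClientHello body and picks the certificate per virtual host, using the default server's certificate only when no name or an unknown name was sent. The function names, the virtual-host table, the certificate paths and the sample bytes are constructed for illustration.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

/* Bounds-checked cursor over untrusted ClientHello bytes. */
struct cur { const uint8_t *p; size_t left; };

static int take(struct cur *c, size_t n, struct cur *out) {
    if (c->left < n) return -1;
    out->p = c->p; out->left = n; c->p += n; c->left -= n;
    return 0;
}

/* Read an n-byte big-endian length prefix, then split off that many bytes. */
static int take_vec(struct cur *c, size_t n, struct cur *out) {
    struct cur len; size_t v = 0;
    if (take(c, n, &len) < 0) return -1;
    for (size_t i = 0; i < n; i++) v = (v << 8) | len.p[i];
    return take(c, v, out);
}

/* body starts at client_version. Writes the lowercased host_name to name.
 * Returns 0 if found, 1 if no server_name was sent, -1 if malformed. */
int sni_from_client_hello(const uint8_t *body, size_t len, char *name, size_t cap) {
    struct cur c = { body, len }, skip, exts, ext, list, host, t;
    if (take(&c, 2 + 32, &skip) < 0 || take_vec(&c, 1, &skip) < 0 || /* version, random, session_id */
        take_vec(&c, 2, &skip) < 0 || take_vec(&c, 1, &skip) < 0)    /* cipher_suites, compression */
        return -1;
    if (c.left == 0) return 1;                    /* hello without extensions */
    if (take_vec(&c, 2, &exts) < 0) return -1;
    while (exts.left > 0) {
        if (take(&exts, 2, &t) < 0 || take_vec(&exts, 2, &ext) < 0) return -1;
        if (t.p[0] != 0 || t.p[1] != 0) continue;  /* not server_name (type 0) */
        if (take_vec(&ext, 2, &list) < 0) return -1;
        while (list.left > 0) {
            if (take(&list, 1, &t) < 0 || take_vec(&list, 2, &host) < 0) return -1;
            if (t.p[0] != 0) continue;            /* only name_type host_name (0) */
            /* reject empty, oversized or NUL-containing names */
            if (!host.left || host.left >= cap || memchr(host.p, 0, host.left)) return -1;
            for (size_t i = 0; i < host.left; i++) name[i] = (char)tolower(host.p[i]);
            name[host.left] = '\0';
            return 0;
        }
        return 1;
    }
    return 1;
}

/* Hypothetical virtual-host table; names and paths are placeholders. */
static const struct { const char *name, *cert; } VHOSTS[] = {
    { "www.example.org",  "certs/www.example.org.pem"  },
    { "mail.example.org", "certs/mail.example.org.pem" },
};
#define DEFAULT_CERT "certs/default.pem"

/* NULL means a malformed hello (drop the connection), else the certificate to present. */
const char *cert_for_hello(const uint8_t *body, size_t len) {
    char name[256];
    int rc = sni_from_client_hello(body, len, name, sizeof name);
    if (rc < 0) return NULL;
    for (size_t i = 0; rc == 0 && i < sizeof VHOSTS / sizeof VHOSTS[0]; i++)
        if (strcmp(name, VHOSTS[i].name) == 0) return VHOSTS[i].cert;
    return DEFAULT_CERT;                          /* no SNI or unknown name */
}

/* Constructed ClientHello body (not a capture): server_name "Mail.Example.org". */
static const uint8_t SAMPLE_HELLO[] = {
    0x03, 0x01, [34] = 0x00, 0x00, 0x02, 0x00, 0x2f, 0x01, 0x00,
    0x00, 0x19, 0x00, 0x00, 0x00, 0x15, 0x00, 0x13, 0x00, 0x00, 0x10,
    'M','a','i','l','.','E','x','a','m','p','l','e','.','o','r','g' };
```

A server built on GnuTLS gets the same name from gnutls_server_name_get(), the function named in the thread, instead of parsing the hello itself; the per-host certificate decision is the part Cherokee was observed to skip.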