From nmav at gnutls.org Mon Jun 2 21:09:54 2008
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Mon, 02 Jun 2008 22:09:54 +0300
Subject: [Help-gnutls] How to check if a certificate is revoked
In-Reply-To: <20080528200103.GA32595@wile.lambers.home>
References: <20080528200103.GA32595@wile.lambers.home>
Message-ID: <48444582.2020509@gnutls.org>

Martin Lambers wrote:
> Hi all,
>
> how do I check if a certificate is revoked?
>
> I created a test CA, signed a certificate, revoked it, and created a CRL
> file with this information.

Please include the CRL that you are talking about. The output of
certtool --crl-info should be sufficient.

> Then I use gnutls_certificate_set_x509_crl_file() in the client program
> to set the CRL file. The function returns 1, as expected.
> After calling gnutls_certificate_verify_peers2(), I check if the status
> contains GNUTLS_CERT_REVOKED, but this is not the case.

Also include the output of -d 2 if you are using gnutls-cli and
gnutls-serv. Otherwise increase the verbosity level to 2 and include the
output.

> Neither openssl s_client nor gnutls-cli seem to support CRL files, so I
> was not able to double check that my test setup is correct.

Use the --x509crlfile parameter to gnutls-cli and gnutls-serv.

regards,
Nikos

From marlam at marlam.de Tue Jun 3 20:00:54 2008
From: marlam at marlam.de (Martin Lambers)
Date: Tue, 3 Jun 2008 20:00:54 +0200
Subject: [Help-gnutls] How to check if a certificate is revoked
In-Reply-To: <48444582.2020509@gnutls.org>
References: <20080528200103.GA32595@wile.lambers.home> <48444582.2020509@gnutls.org>
Message-ID: <20080603180054.GA23809@wile.lambers.home>

Hi!

On Mon, 02. Jun 2008, 22:09:54 +0300, Nikos Mavrogiannopoulos wrote:
> > how do I check if a certificate is revoked?
> >
> > I created a test CA, signed a certificate, revoked it, and created a CRL
> > file with this information.
>
> Please include the CRL that you are talking about. The output of
> certtool --crl-info should be sufficient.
>
> > Then I use gnutls_certificate_set_x509_crl_file() in the client program
> > to set the CRL file. The function returns 1, as expected.
> > After calling gnutls_certificate_verify_peers2(), I check if the status
> > contains GNUTLS_CERT_REVOKED, but this is not the case.
>
> Also include the output of -d 2 if you are using gnutls-cli and
> gnutls-serv. Otherwise increase the verbosity level to 2 and include the
> output.
>
> > Neither openssl s_client nor gnutls-cli seem to support CRL files, so I
> > was not able to double check that my test setup is correct.
>
> Use the --x509crlfile parameter to gnutls-cli and gnutls-serv.

Thanks for your help. Your hints helped me to find a bug in my test
application. Now everything works as expected.

Thanks!
Martin

From rgerhards at gmail.com Wed Jun 4 08:52:19 2008
From: rgerhards at gmail.com (Rainer Gerhards)
Date: Wed, 4 Jun 2008 08:52:19 +0200
Subject: [Help-gnutls] GnuTLS and valgrind errors
Message-ID:

Hi,

I am now working on sorting the nits out of my syslog/tls
implementation. I am now running the app under valgrind [1].
I see a number of valgrind errors, for example this memory leak here:

==22504== 256 bytes in 2 blocks are definitely lost in loss record 14 of 31
==22504==    at 0x4A0739E: malloc (vg_replace_malloc.c:207)
==22504==    by 0x304AE328F6: _gnutls_mpi_dprint_lz (in /usr/lib64/libgnutls.so.13.9.1)
==22504==    by 0x304AE3E47C: _gnutls_dh_set_peer_public (in /usr/lib64/libgnutls.so.13.9.1)
==22504==    by 0x304AE43819: _gnutls_proc_dh_common_server_kx (in /usr/lib64/libgnutls.so.13.9.1)
==22504==    by 0x304AE3BB4F: (within /usr/lib64/libgnutls.so.13.9.1)
==22504==    by 0x304AE2AF81: _gnutls_recv_server_kx_message (in /usr/lib64/libgnutls.so.13.9.1)
==22504==    by 0x304AE273DF: _gnutls_handshake_client (in /usr/lib64/libgnutls.so.13.9.1)
==22504==    by 0x304AE27F77: gnutls_handshake (in /usr/lib64/libgnutls.so.13.9.1)
==22504==    by 0x7249300: Connect (nsd_gtls.c:1465)
==22504==    by 0x5631E92: Connect (netstrm.c:269)
==22504==    by 0x40EDDB: TCPSendInit (omfwd.c:302)
==22504==    by 0x40F477: doTryResume (omfwd.c:348)

I see some more, but the real question is has GnuTLS been checked
under a memory debugger? All of what I see may be the result of some
wrong API calls by me [always my first line of thought ;)].

Thanks,
Rainer

[1] http://valgrind.org/ - a very capable memory debugger

From simon at josefsson.org Wed Jun 4 10:01:01 2008
From: simon at josefsson.org (Simon Josefsson)
Date: Wed, 04 Jun 2008 10:01:01 +0200
Subject: [Help-gnutls] Re: GnuTLS and valgrind errors
In-Reply-To: (Rainer Gerhards's message of "Wed, 4 Jun 2008 08:52:19 +0200")
References:
Message-ID: <87tzg98w8y.fsf@mocca.josefsson.org>

"Rainer Gerhards" writes:

> Hi,
>
> I am now working on sorting the nits out of my syslog/tls
> implementation. I am now running the app under valgrind [1].
> I see a number of valgrind errors, for example this memory leak here:
>
> ==22504== 256 bytes in 2 blocks are definitely lost in loss record 14 of 31
> ==22504==    at 0x4A0739E: malloc (vg_replace_malloc.c:207)
> ==22504==    by 0x304AE328F6: _gnutls_mpi_dprint_lz (in
> /usr/lib64/libgnutls.so.13.9.1)
> ==22504==    by 0x304AE3E47C: _gnutls_dh_set_peer_public (in
> /usr/lib64/libgnutls.so.13.9.1)
> ==22504==    by 0x304AE43819: _gnutls_proc_dh_common_server_kx (in
> /usr/lib64/libgnutls.so.13.9.1)
> ==22504==    by 0x304AE3BB4F: (within /usr/lib64/libgnutls.so.13.9.1)
> ==22504==    by 0x304AE2AF81: _gnutls_recv_server_kx_message (in
> /usr/lib64/libgnutls.so.13.9.1)
> ==22504==    by 0x304AE273DF: _gnutls_handshake_client (in
> /usr/lib64/libgnutls.so.13.9.1)
> ==22504==    by 0x304AE27F77: gnutls_handshake (in
> /usr/lib64/libgnutls.so.13.9.1)
> ==22504==    by 0x7249300: Connect (nsd_gtls.c:1465)
> ==22504==    by 0x5631E92: Connect (netstrm.c:269)
> ==22504==    by 0x40EDDB: TCPSendInit (omfwd.c:302)
> ==22504==    by 0x40F477: doTryResume (omfwd.c:348)
>
> I see some more, but the real question is has GnuTLS been checked
> under a memory debugger? All of what I see may be the result of some
> wrong API calls by me [always my first line of thought ;)].

Hi! We do run gnutls under valgrind (see 'make check'), but we haven't
had time to fix all memory leaks. It takes time to investigate and
track down. Patches are very welcome here, preferably with some
discussion so that we can convince ourselves that they are correct.

/Simon

From bortzmeyer at nic.fr Thu Jun 5 13:57:52 2008
From: bortzmeyer at nic.fr (Stephane Bortzmeyer)
Date: Thu, 5 Jun 2008 13:57:52 +0200
Subject: [Help-gnutls] Re: GnuTLS and valgrind errors
In-Reply-To:
References:
Message-ID: <20080605115752.GA1229@nic.fr>

On Wed, Jun 04, 2008 at 08:52:19AM +0200,
 Rainer Gerhards wrote
 a message of 40 lines which said:

> I am now working on sorting the nits out of my syslog/tls
> implementation. I am now running the app under valgrind [1].
> I see a number of valgrind errors,

Be careful, the next time someone tried to fix a Valgrind error in a
TLS implementation, there were nasty results :-)

http://bugs.debian.org/363516
http://wiki.debian.org/SSLkeys
http://www.fsfe.org/en/fellows/tonnerre/stdout/blind_trust_in_valgrind_the_debian_openssl_vulnerability
http://research.swtch.com/2008/05/lessons-from-debianopenssl-fiasco.html

From nmav at gnutls.org Thu Jun 5 18:40:51 2008
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Thu, 05 Jun 2008 19:40:51 +0300
Subject: [Help-gnutls] Re: GnuTLS and valgrind errors
In-Reply-To: <20080605115752.GA1229@nic.fr>
References: <20080605115752.GA1229@nic.fr>
Message-ID: <48481713.6030006@gnutls.org>

Stephane Bortzmeyer wrote:

> Be careful, the next time someone tried to fix a Valgrind error in a
> TLS implementation, there were nasty results :-)

> http://www.fsfe.org/en/fellows/tonnerre/stdout/blind_trust_in_valgrind_the_debian_openssl_vulnerability
^^^^^^^^^^

That one has a funny criticism of gnutls.

PS. I won't tell you why it's funny :)

From simon at josefsson.org Thu Jun 5 22:02:54 2008
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 05 Jun 2008 22:02:54 +0200
Subject: [Help-gnutls] Re: GnuTLS and valgrind errors
In-Reply-To: <87tzg98w8y.fsf@mocca.josefsson.org> (Simon Josefsson's message of "Wed, 04 Jun 2008 10:01:01 +0200")
References: <87tzg98w8y.fsf@mocca.josefsson.org>
Message-ID: <87r6bb1wgh.fsf@mocca.josefsson.org>

Btw, I just wrote a new self-test tests/mini.c that does a TLS handshake
without using fork or any other system-specific functions. It should be
perfect to use as a starting point to find memory leaks...

http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=blob;f=tests/mini.c;hb=HEAD

...however, running valgrind on it right now only prints the 5 "normal"
libgcrypt related memory leaks.

I also ran kcachegrind on it, but the most time-consuming gnutls
function is gnutls_global_deinit which is hardly worth optimizing.
The majority of time is spent inside libgcrypt doing mpi operations.

I'll try to get time to extend the self-test to test X.509, OpenPGP etc.
It would be nice to test through all of the ciphersuites... or even
have a big program that calls all functions in gnutls, so we can do
automated code-coverage tests.

/Simon

From simon at josefsson.org Thu Jun 5 22:47:51 2008
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 05 Jun 2008 22:47:51 +0200
Subject: [Help-gnutls] Re: GnuTLS and valgrind errors
In-Reply-To: <87r6bb1wgh.fsf@mocca.josefsson.org> (Simon Josefsson's message of "Thu, 05 Jun 2008 22:02:54 +0200")
References: <87tzg98w8y.fsf@mocca.josefsson.org> <87r6bb1wgh.fsf@mocca.josefsson.org>
Message-ID: <87mylz1udk.fsf@mocca.josefsson.org>

I fixed some obvious memory leaks in the self-tests, and now gnutls
passes make check (if you supply it the new libgcrypt.supp) with
valgrind without memory leaks... at least all self checks except
dhepskself. I don't have time to investigate whether the dhepskself
implies a memory leak in the library or not, but it is possible.

So this means most normal ways to use GnuTLS won't lead to any memory
leaks. Of course, if you can trigger any memory leaks, please report
it! We'll add a new self test for it, to catch any regressions.

/Simon

From arekm at maven.pl Sun Jun 15 15:13:00 2008
From: arekm at maven.pl (Arkadiusz Miskiewicz)
Date: Sun, 15 Jun 2008 15:13:00 +0200
Subject: [Help-gnutls] multiple "gnutlses" in single binary
Message-ID: <200806151513.01277.arekm@maven.pl>

Hello,

Take a look at this example. There is one program (let be it php
interpreter) that is able to load external modules (so modules). Now we
have two external modules - curl and postgresql [1]. Assume both curl
and postgresql use external libraries (libcurl and libpq) that
internally also use gnutls.

Both these libraries initialize and deinitialize gnutls on its own.
Separately they work fine.
Now if php loads them both at the same time then gnutls initialization
happens twice (once called by curl module and second time by postgres
module) and the same happens for deinitialization. In openssl for
example double deinit causes segfault and is now allowed (a real
problem with php + modules btw).

How things look in gnutls? I assume init/deinit also can't be called
multiple times safely, right?

What can be done in such example to correctly handle gnutls
requirements for init/deinit? There is only one important thing - the
only place where you can do anything is php itself, curl and postgresql
module but not in libcurl and libpq libraries.

My guess is probably that nothing can be done without altering libcurl
and libpq but even with modifications - does gnutls have api that would
handle such situation in generic way? Some callbacks maybe...

1. In reality only curl is prepared to be used with gnutls but for sake
of this example assume that postgresql module also uses gnutls.

--
Arkadiusz Miśkiewicz PLD/Linux Team
arekm / maven.pl http://ftp.pld-linux.org/

From simon at josefsson.org Sun Jun 15 23:59:45 2008
From: simon at josefsson.org (Simon Josefsson)
Date: Sun, 15 Jun 2008 23:59:45 +0200
Subject: [Help-gnutls] GnuTLS 2.3.15 - fourth and final (?) release candidate for 2.4.0
Message-ID: <87abhm2wby.fsf@mocca.josefsson.org>

Version 2.3.15 will hopefully be the final release candidate for the
next stable release v2.4.0. Please test v2.3.15 as if it were a stable
release! I'm cc'ing help-gnutls as well, to reach wider audience.
Please report problems to gnutls-devel only.

See below for the v2.4.0 release notes, comments and suggestions are
welcome!

This weekend is Midsommar in Sweden, and I'm leaving town on Thursday,
thus expect the final 2.4.0 release on Thursday.

Here are the compressed sources:
  http://alpha.gnu.org/gnu/gnutls/gnutls-2.3.15.tar.bz2
  ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.3.15.tar.bz2

Here are the Windows binaries:
  http://josefsson.org/gnutls4win/gnutls-2.3.15.exe
  http://josefsson.org/gnutls4win/gnutls-2.3.15.zip

Thanks to Enrico Tassi, we also have mingw32 *.deb's available:
  http://josefsson.org/gnutls4win/mingw32-gnutls_2.3.15-1_all.deb

What's New
==========

Major end-user visible changes compared to the v2.2 branch:

* The PSK sub-system has been improved and now supports password
  derivation and PSK identity hints. The password derivation algorithms
  support is documented in draft-ietf-netconf-tls-02.txt.
* The certtool --inder and --outder has been replaced by --inraw and
  --outraw. This aligns terminology with OpenPGP, which doesn't use DER
  encoding. The old parameters will continue to work for some time.
* Certtool now confirms passwords and changes permissions of private key
  files.
* The default handshake size limit has been increased to 48kb. It
  appears as if some valid handshakes are large due to sending many CA
  certificates. (The earlier limit was 16kb.)
* LZO compression is now disabled by default. The main reason is that
  LZO compression in TLS is not standardized, but license compatibility
  issues with minilzo triggered us to make this decision now.
* Improvements for cross-compilation to Windows and OpenWRT.
* The look of the GTK-DOC manual has been improved.

Major developer visible changes compared to the v2.2 branch:

* Full OpenPGP support is part of libgnutls, licensed under the LGPL.
* New APIs to access the raw X.509 Subject and Issuer DN's and elements
  from the certificate credentials structure, thanks to Joe Orton.
* New APIs to improve working with username/passwords and PSK.
* Names of constants to affect certificate printing changed.
  The constants are used for OpenPGP too, which the names didn't
  reflect, so the following name change has been made:

    Old name                         New name
    GNUTLS_X509_CRT_FULL             GNUTLS_CRT_PRINT_FULL
    GNUTLS_X509_CRT_ONELINE          GNUTLS_CRT_PRINT_ONELINE
    GNUTLS_X509_CRT_UNSIGNED_FULL    GNUTLS_CRT_PRINT_UNSIGNED_FULL

  The old names will be mapped to the new names for some time.
* The function gnutls_openpgp_privkey_get_id has been renamed to
  gnutls_openpgp_privkey_get_key_id.
* Replaced all uses of alloca with malloc and free.
* We no longer build with -D_REENTRANT -D_THREAD_SAFE. We have been
  unable to find a documented rationale for this practice.

Of course, many smaller fixes have been made, see the ChangeLog file.

API/ABI changes in GnuTLS 2.4
=============================

All OpenPGP functions have been moved from libgnutls-extra to
libgnutls, and several new functions have been added (see below).
Before making the release, we discussed whether moving functions from
libgnutls-extra to libgnutls would require us to increment the ABI
version, but the general opinion was that this would not be required.
All older functions continue to work the same. We are open to the
possibility that this decision will lead to problem on some platform,
and if it turns out that the Right Thing should have been to increment
the shared library version, we would need to release an update within
the 2.4.x branch that increments the shared library version.

This release adds the following functions:

gnutls_psk_client_get_hint
gnutls_psk_set_server_credentials_hint
gnutls_psk_netconf_derive_key
  Used to get/set the PSK identity hint, and derive PSK keys from
  passwords a'la netconf.

gnutls_x509_dn_deinit
gnutls_x509_dn_export
gnutls_x509_dn_import
gnutls_x509_dn_init
  Used to handle X.509 Certificate DN's directly.

gnutls_hex2bin
  Converts a data buffer to hex. Useful for handling PSK/SRP shared
  secrets.

gnutls_certificate_get_x509_cas
gnutls_certificate_get_x509_crls
gnutls_certificate_get_openpgp_keyring
  Functions for direct access to credential elements.

gnutls_openpgp_crt_get_auth_subkey
gnutls_openpgp_crt_get_key_id
gnutls_openpgp_crt_get_pk_dsa_raw
gnutls_openpgp_crt_get_pk_rsa_raw
gnutls_openpgp_crt_get_preferred_key_id
gnutls_openpgp_crt_get_revoked_status
gnutls_openpgp_crt_get_subkey_count
gnutls_openpgp_crt_get_subkey_creation_time
gnutls_openpgp_crt_get_subkey_expiration_time
gnutls_openpgp_crt_get_subkey_id
gnutls_openpgp_crt_get_subkey_idx
gnutls_openpgp_crt_get_subkey_pk_algorithm
gnutls_openpgp_crt_get_subkey_pk_dsa_raw
gnutls_openpgp_crt_get_subkey_pk_rsa_raw
gnutls_openpgp_crt_get_subkey_revoked_status
gnutls_openpgp_crt_get_subkey_usage
gnutls_openpgp_crt_print
gnutls_openpgp_crt_set_preferred_key_id
gnutls_openpgp_keyring_get_crt
gnutls_openpgp_keyring_get_crt_count
gnutls_openpgp_privkey_export
gnutls_openpgp_privkey_export_dsa_raw
gnutls_openpgp_privkey_export_rsa_raw
gnutls_openpgp_privkey_export_subkey_dsa_raw
gnutls_openpgp_privkey_export_subkey_rsa_raw
gnutls_openpgp_privkey_get_fingerprint
gnutls_openpgp_privkey_get_key_id
gnutls_openpgp_privkey_get_pk_algorithm
gnutls_openpgp_privkey_get_preferred_key_id
gnutls_openpgp_privkey_get_revoked_status
gnutls_openpgp_privkey_get_subkey_count
gnutls_openpgp_privkey_get_subkey_creation_time
gnutls_openpgp_privkey_get_subkey_expiration_time
gnutls_openpgp_privkey_get_subkey_id
gnutls_openpgp_privkey_get_subkey_idx
gnutls_openpgp_privkey_get_subkey_pk_algorithm
gnutls_openpgp_privkey_get_subkey_revoked_status
gnutls_openpgp_privkey_set_preferred_key_id
  New OpenPGP related functions. The function
  gnutls_openpgp_crt_get_key_id is the same as the old from
  gnutls_openpgp_crt_get_id, see above.

The release also adds a new header file 'gnutls/crypto.h', however it
is currently not used.

From massimo.gaspari at alice.it Wed Jun 18 22:39:40 2008
From: massimo.gaspari at alice.it (Massimo Gaspari)
Date: Wed, 18 Jun 2008 22:39:40 +0200
Subject: [Help-gnutls] GnuTLS 2.3.15 - fourth and final (?) release candidate for 2.4.0
In-Reply-To: <87abhm2wby.fsf@mocca.josefsson.org>
References: <87abhm2wby.fsf@mocca.josefsson.org>
Message-ID: <4859728C.30801@alice.it>

Simon Josefsson wrote:
> Version 2.3.15 will hopefully be the final release candidate for the
> next stable release v2.4.0. Please test v2.3.15 as if it were a stable
> release! I'm cc'ing help-gnutls as well, to reach wider audience.
> Please report problems to gnutls-devel only.
>
> See below for the v2.4.0 release notes, comments and suggestions are
> welcome!
>
> This weekend is Midsommar in Sweden, and I'm leaving town on Thursday,
> thus expect the final 2.4.0 release on Thursday.
>
> Here are the compressed sources:
> http://alpha.gnu.org/gnu/gnutls/gnutls-2.3.15.tar.bz2
> ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.3.15.tar.bz2
>
>

I compiled the source with the following configuration

libgpg-error 1.6 => ./configure --disable-shared --disable-rpath
libgcrypt 1.4.1 => ./configure --disable-shared --enable-random=w32 --disable-dev-random CFLAGS = -O2
gnutls 2.3.15 => ./configure --disable-shared --disable-rpath --disable-cxx --disable-guile

MinGW- Gcc 4.2.1 on Windows XP SP2

I just got the following warnings

gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I..
-DLOCALEDIR=\"/usr/local/share/locale\" -I../lgl -I../lgl -I../includes -I../includes -I./x509 -I../libextra -I../lib/o penpgp/ -I/usr/local/include -I./opencdk -I../lib/opencdk -I./minitasn1 -pipe -I /usr/local/include -O2 -Wno-pointer-sign -MT gnutls_kx.lo -MD -MP -MF .deps/gnut ls_kx.Tpo -c gnutls_kx.c -o gnutls_kx.o
gnutls_kx.c: In function '_gnutls_recv_server_kx_message':
gnutls_kx.c:392: warning: implicit declaration of function '_gnutls_session_is_psk'

gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I.. -I../includes -I../includes -I../lgl -I ../lgl -I../gl -I../gl -I./cfg -pipe -I/usr/local/include -O2 -Wno-pointer-sign -MT cli-gaa.o -MD -MP -MF .deps/cli-gaa.Tpo -c -o cli-gaa.o cli-gaa.c
-MT cli-gaa.o -MD -MP -MF .deps/cli-gaa.Tpo -c -o cli-gaa.o cli-gaa.c
mv -f .deps/cli-gaa.Tpo .deps/cli-gaa.Po
gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I.. -I../includes -I../includes -I../lgl -I ../lgl -I../gl -I../gl -I./cfg -pipe -I/usr/local/include -O2 -Wno-pointer-sign -MT cli.o -MD -MP -MF .deps/cli.Tpo -c -o cli.o cli.c
cli.c: In function 'psk_callback':
cli.c:996: warning: passing argument 2 of 'rpl_getline' from incompatible pointe r type
cli.c:1015: warning: implicit declaration of function 'gnu_getpass'
cli.c:1015: warning: assignment makes pointer from integer without a cast
gcc -std=gnu99 -pipe -I/usr/local/include -O2 -Wno-pointer-sign -o gnutls-cli.ex e cli-gaa.o cli.o common.o select.o ../lib/.libs/libgnutls.a -L/usr/local/lib - lz ../gl/.libs/libgnu.a /usr/local/lib/libgcrypt.a /usr/local/lib/libgpg-error.a -lws2_32

-MT psk-gaa.o -MD -MP -MF .deps/psk-gaa.Tpo -c -o psk-gaa.o psk-gaa.c
mv -f .deps/psk-gaa.Tpo .deps/psk-gaa.Po
-MT psk.o -MD -MP -MF .deps/psk.Tpo -c -o psk.o psk.c
psk.c: In function 'main':
psk.c:141: warning: implicit declaration of function 'gnu_getpass'
psk.c:141: warning: assignment makes pointer from integer without a cast

The "make test" ended successfully. No errors.

Hope this helps.
Max

From simon at josefsson.org Thu Jun 19 11:18:38 2008
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 19 Jun 2008 11:18:38 +0200
Subject: [Help-gnutls] GnuTLS 2.4.0
Message-ID: <87r6atn5ox.fsf@mocca.josefsson.org>

We are proud to announce a new stable GnuTLS release: Version 2.4.0.

GnuTLS is a modern C library that implements the standard network
security protocol Transport Layer Security (TLS), for use by network
applications. GnuTLS is developed for GNU/Linux, but works on many
Unix-like systems and comes with a binary installer for Windows.

The core GnuTLS library is distributed under the terms of the GNU Lesser
General Public License version 2.1 (or later). The "extra" GnuTLS
libraries -- which contain TLS/IA support, LZO compression -- and the
OpenSSL compatibility library self tests and command line tools are
distributed under the GNU General Public License version 3.0 (or
later). The manual is distributed under the GNU Free Documentation
License version 1.2 (or later).

The project page of the library is available at:
  http://www.gnutls.org/
  http://www.gnu.org/software/gnutls/
  http://josefsson.org/gnutls/

What's New
==========

Major end-user visible changes compared to the v2.2 branch:

* The OpenPGP sub-system has been improved and now supports subkeys.
* The PSK sub-system has been improved and now supports password
  derivation and PSK identity hints. The password derivation algorithms
  support is documented in draft-ietf-netconf-tls-02.txt.
* The certtool --inder and --outder has been replaced by --inraw and
  --outraw. This aligns terminology with OpenPGP, which doesn't use DER
  encoding. The old parameters will continue to work for some time.
* Certtool now confirms passwords and changes permissions of private key
  files.
* The default handshake size limit has been increased to 48kb. It
  appears as if some valid handshakes are large due to sending many CA
  certificates. (The earlier limit was 16kb.)
* LZO compression is now disabled by default.
  The main reason is that LZO compression in TLS is not standardized,
  but license compatibility issues with minilzo triggered us to make
  this decision now.
* Improvements for cross-compilation to Windows and OpenWRT.
* The look of the GTK-DOC manual has been improved.

Major developer visible changes compared to the v2.2 branch:

* Full OpenPGP support is part of libgnutls, licensed under the LGPL.
* New APIs to access the raw X.509 Subject and Issuer DN's and elements
  from the certificate credentials structure, thanks to Joe Orton.
* New APIs to improve working with username/passwords and PSK.
* Names of constants to affect certificate printing changed. The
  constants are used for OpenPGP too, which the names didn't reflect,
  so the following name change has been made:

    Old name                         New name
    GNUTLS_X509_CRT_FULL             GNUTLS_CRT_PRINT_FULL
    GNUTLS_X509_CRT_ONELINE          GNUTLS_CRT_PRINT_ONELINE
    GNUTLS_X509_CRT_UNSIGNED_FULL    GNUTLS_CRT_PRINT_UNSIGNED_FULL

  The old names will be mapped to the new names for some time.
* The function gnutls_openpgp_privkey_get_id has been renamed to
  gnutls_openpgp_privkey_get_key_id. A compatibility mapping exists to
  avoid breaking API backwards compatibility.
* Replaced all uses of alloca with malloc and free.
* We no longer build with -D_REENTRANT -D_THREAD_SAFE. We have been
  unable to find a documented rationale for this practice.

Of course, many smaller fixes have been made, see the ChangeLog file.

API/ABI changes in GnuTLS 2.4
=============================

All OpenPGP related functions have been moved from libgnutls-extra to
libgnutls, and several new functions have been added (see below).
Before making the release, we discussed whether moving functions from
libgnutls-extra to libgnutls would require us to increment the ABI
version, but the general opinion was that this would not be required.
All older functions continue to work the same.
We are open to the possibility that this decision will lead to problem
on some platform, and if it turns out that the Right Thing should have
been to increment the shared library version, we would need to release
an update within the 2.4.x branch that increments the shared library
version.

This release adds the following functions:

gnutls_psk_client_get_hint
gnutls_psk_set_server_credentials_hint
gnutls_psk_netconf_derive_key
  Used to get/set the PSK identity hint, and derive PSK keys from
  passwords a'la netconf.

gnutls_x509_dn_deinit
gnutls_x509_dn_export
gnutls_x509_dn_import
gnutls_x509_dn_init
  Used to handle X.509 Certificate DN's directly.

gnutls_hex2bin
  Converts a data buffer to hex. Useful for handling PSK/SRP shared
  secrets.

gnutls_certificate_get_x509_cas
gnutls_certificate_get_x509_crls
gnutls_certificate_get_openpgp_keyring
  Functions for direct access to credential elements.

gnutls_openpgp_crt_get_auth_subkey
gnutls_openpgp_crt_get_key_id
gnutls_openpgp_crt_get_pk_dsa_raw
gnutls_openpgp_crt_get_pk_rsa_raw
gnutls_openpgp_crt_get_preferred_key_id
gnutls_openpgp_crt_get_revoked_status
gnutls_openpgp_crt_get_subkey_count
gnutls_openpgp_crt_get_subkey_creation_time
gnutls_openpgp_crt_get_subkey_expiration_time
gnutls_openpgp_crt_get_subkey_fingerprint
gnutls_openpgp_crt_get_subkey_id
gnutls_openpgp_crt_get_subkey_idx
gnutls_openpgp_crt_get_subkey_pk_algorithm
gnutls_openpgp_crt_get_subkey_pk_dsa_raw
gnutls_openpgp_crt_get_subkey_pk_rsa_raw
gnutls_openpgp_crt_get_subkey_revoked_status
gnutls_openpgp_crt_get_subkey_usage
gnutls_openpgp_crt_print
gnutls_openpgp_crt_set_preferred_key_id
gnutls_openpgp_keyring_get_crt
gnutls_openpgp_keyring_get_crt_count
gnutls_openpgp_privkey_export
gnutls_openpgp_privkey_export_dsa_raw
gnutls_openpgp_privkey_export_rsa_raw
gnutls_openpgp_privkey_export_subkey_dsa_raw
gnutls_openpgp_privkey_export_subkey_rsa_raw
gnutls_openpgp_privkey_get_fingerprint
gnutls_openpgp_privkey_get_key_id
gnutls_openpgp_privkey_get_pk_algorithm
gnutls_openpgp_privkey_get_preferred_key_id
gnutls_openpgp_privkey_get_revoked_status
gnutls_openpgp_privkey_get_subkey_count
gnutls_openpgp_privkey_get_subkey_creation_time
gnutls_openpgp_privkey_get_subkey_expiration_time
gnutls_openpgp_privkey_get_subkey_fingerprint
gnutls_openpgp_privkey_get_subkey_id
gnutls_openpgp_privkey_get_subkey_idx
gnutls_openpgp_privkey_get_subkey_pk_algorithm
gnutls_openpgp_privkey_get_subkey_revoked_status
gnutls_openpgp_privkey_set_preferred_key_id
  New OpenPGP related functions. The function
  gnutls_openpgp_crt_get_key_id is the same as the old from
  gnutls_openpgp_crt_get_id, see above.

The release also adds a new header file 'gnutls/crypto.h', however it
is currently not used.

Getting the Software
====================

GnuTLS may be downloaded from one of the mirror sites or direct from .
The list of mirrors can be found at . Note, that GnuPG is not
available at ftp.gnu.org.

Here are the BZIP2 compressed sources (4.8MB):
  ftp://ftp.gnutls.org/pub/gnutls/gnutls-2.4.0.tar.bz2
  http://josefsson.org/gnutls/releases/gnutls-2.4.0.tar.bz2

Here are OpenPGP detached signatures signed using key 0xB565716F:
  ftp://ftp.gnutls.org/pub/gnutls/gnutls-2.4.0.tar.bz2.sig
  http://josefsson.org/gnutls/releases/gnutls-2.4.0.tar.bz2.sig

Note, that we don't distribute gzip compressed tarballs.

In order to check that the version of GnuTLS which you are going to
install is an original and unmodified one, you should verify the
OpenPGP signature. You can use the command

  gpg --verify gnutls-2.4.0.tar.bz2.sig

This checks whether the signature file matches the source file. You
should see a message indicating that the signature is good and made by
that signing key. Make sure that you have the right key, either by
checking the fingerprint of that key with other sources or by checking
that the key has been signed by a trustworthy other key.
The signing key can be identified with the following information:

pub 1280R/B565716F 2002-05-05 [expires: 2008-06-30]
    Key fingerprint = 0424 D4EE 81A0 E3D1 19C6 F835 EDA2 1E94 B565 716F
uid Simon Josefsson
uid Simon Josefsson
sub 1280R/4D5D40AE 2002-05-05 [expires: 2008-06-30]

The key is available from:
  http://josefsson.org/key.txt
  dns:b565716f.josefsson.org?TYPE=CERT

Alternatively, after successfully verifying the OpenPGP signature of
this announcement, you could verify that the files match the following
checksum values. The values are for SHA-1 and SHA-224 respectively:

9bb3be9f2ad67037d3a571bec4fac65e0ffbadbb gnutls-2.4.0.tar.bz2
9dc4435b637a4841a88ec294b8a82841eb257cee4948bc957c1a96d7 gnutls-2.4.0.tar.bz2

Documentation
=============

The manual is available online at:
  http://www.gnu.org/software/gnutls/documentation.html

In particular the following formats are available:
  HTML: http://www.gnu.org/software/gnutls/manual/html_node/index.html
  PDF: http://www.gnu.org/software/gnutls/manual/gnutls.pdf

For developers there is a GnuTLS API reference manual formatted using
the GTK-DOC tools:
  http://www.gnu.org/software/gnutls/reference/gnutls-gnutls.html

Community
=========

If you need help to use GnuTLS, or want to help others, you are invited
to join our help-gnutls mailing list, see: .

If you wish to participate in the development of GnuTLS, you are
invited to join our gnutls-dev mailing list, see: .

Windows installer
=================

GnuTLS has been ported to the Windows operating system, and a binary
installer is available. The installer contains DLLs for application
development, manuals, examples, and source code. The installer
consists of libgpg-error 1.6, libgcrypt 1.4.1, libtasn1 1.4, and GnuTLS
2.4.0.
For more information about GnuTLS for Windows: http://josefsson.org/gnutls4win/ The Windows binary installer and PGP signature: http://josefsson.org/gnutls4win/gnutls-2.4.0.exe (14MB) http://josefsson.org/gnutls4win/gnutls-2.4.0.exe.sig The checksum values for SHA-1 and SHA-224 are: e704df715ed6cad14c7a6e4350d7557d81de655b gnutls-2.4.0.exe b548c3178f89669d1245b266c7caa834feeea63b142a8871f1185097 gnutls-2.4.0.exe Thanks to Enrico Tassi, we also have mingw32 *.deb's available: http://josefsson.org/gnutls4win/mingw32-gnutls_2.3.15-1_all.deb The checksum values for SHA-1 and SHA-224 are: 3fc1e58fe58ac77c6dc433052685d59400a88559 mingw32-gnutls_2.4.0-1_all.deb 601549a449ce25dc4520c591bad42d833b23f05a8f67cf4fe732f7de mingw32-gnutls_2.4.0-1_all.deb Internationalization ==================== GnuTLS messages have been translated into Dutch, German, Malay, Polish, Swedish, and Vietnamese. We welcome the addition of more translations. Support ======= Improving GnuTLS is costly, but you can help! We are looking for organizations that find GnuTLS useful and wish to contribute back. You can contribute by reporting bugs, improve the software, or donate money or equipment. Commercial support contracts for GnuTLS are available, and they help finance continued maintenance. Simon Josefsson Datakonsult, a Stockholm based privately held company, is currently funding GnuTLS maintenance. We are always looking for interesting development projects. See http://josefsson.org/ for more details. The GnuTLS service directory is available at: http://www.gnu.org/software/gnutls/commercial.html Happy Hacking, Simon -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available
Type: application/pgp-signature
Size: 419 bytes
Desc: not available
URL:

From rgerhards at gmail.com Fri Jun 20 08:16:39 2008
From: rgerhards at gmail.com (Rainer Gerhards)
Date: Fri, 20 Jun 2008 08:16:39 +0200
Subject: [Help-gnutls] gnutls_certificate_verify_peers2() / GNUTLS_CERT_INVALID
Message-ID:

Hi,

I receive *just* GNUTLS_CERT_INVALID after calling
gnutls_certificate_verify_peers2(), no specific error state. Do you
have any idea what may cause this?

Thanks,
Rainer

From rgerhards at gmail.com Fri Jun 20 09:06:11 2008
From: rgerhards at gmail.com (Rainer Gerhards)
Date: Fri, 20 Jun 2008 09:06:11 +0200
Subject: [Help-gnutls] Re: gnutls_certificate_verify_peers2() / GNUTLS_CERT_INVALID
In-Reply-To:
References:
Message-ID:

I dug a bit deeper and the problem seems to manifest here:

5292.506957161:main queue:Reg/w0: GnuTLS handshake succeeded
5292.512077291:main queue:Reg/w0: nsd_gtls.c:1013: gtlsChkPeerAuth: enter
5292.514658306:main queue:Reg/w0: nsd_gtls.c:919: gtlsChkPeerCertValidity: enter
5292.629403970:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: mpi.c:587
5292.671502166:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: gnutls_pk.c:285
5292.672798260:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: verify.c:552
5292.673415581:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: verify.c:642
5292.675380113:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: verify.c:301
5292.741284540:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: dn.c:1212
5292.744965838:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: verify.c:395
5292.751276475:main queue:Reg/w0: GnuTLS returned no specific reason for GNUTLS_CERT_INVALID, certificate status is 2

I used the code I just pulled from the git archive.
So the assert in mpi.c is this one here:

int
_gnutls_x509_read_uint (ASN1_TYPE node, const char *value,
                        unsigned int *ret)
{
  int len, result;
  opaque *tmpstr;

  len = 0;
  result = asn1_read_value (node, value, NULL, &len);
  if (result != ASN1_MEM_ERROR)
    {
      gnutls_assert ();
      return _gnutls_asn2err (result);
    }
...

but I have to admit that I have no clue what this actually means ;)

Help is appreciated.

Rainer

On Fri, Jun 20, 2008 at 8:16 AM, Rainer Gerhards wrote:
> Hi,
>
> I receive *just* GNUTLS_CERT_INVALID after calling
> gnutls_certificate_verify_peers2(), no specific error state. Do you
> have any idea what may cause this?
>
> Thanks,
> Rainer
>

From rgerhards at gmail.com Fri Jun 20 10:26:11 2008
From: rgerhards at gmail.com (Rainer Gerhards)
Date: Fri, 20 Jun 2008 10:26:11 +0200
Subject: [Help-gnutls] Re: gnutls_certificate_verify_peers2() / GNUTLS_CERT_INVALID
In-Reply-To:
References:
Message-ID:

I mangled the names (## in their places) because this is a cert I
received from a user:

[root at rgf9dev nick]# certtool -i < cert.pem
X.509 Certificate Information:
    Version: 3
    Serial Number (hex): 485a73f4
    Issuer: C=US,O=###Host,OU=Online,L=##,ST=##,CN=######.com
    Validity:
        Not Before: Thu Jun 19 14:57:58 UTC 2008
        Not After: Wed Mar 16 14:58:01 UTC 2011
    Subject: C=US,O=######,OU=Online,L=######,ST=##,CN=######.com
    Subject Public Key Algorithm: RSA
        Modulus (bits 2048):
        Exponent:
            01:00:01
    Extensions:
        Basic Constraints (critical):
            Certificate Authority (CA): FALSE
        Key Purpose (not critical):
            TLS WWW Client.
            TLS WWW Server.
        Subject Alternative Name (not critical):
            DNSname: ######
        Subject Key Identifier (not critical):
            504a788c6ac79c390474f2d4ea93178bb851bd3e
        Authority Key Identifier (not critical):
            b8ef8b453849432cbee53238e6ec165d75b45b28
    Signature Algorithm: RSA-SHA
    Signature:
Other Information:
    MD5 fingerprint:
        728189e4c0f146e4d302b6a2eb5341e9
    SHA-1 fingerprint:
        66762b9c21aaef11209125b909ea13c5c96f3b8e
    Public Key Id:
        504a788c6ac79c390474f2d4ea93178bb851bd3e

Rainer

On Fri, Jun 20, 2008 at 9:58 AM, Nikos Mavrogiannopoulos wrote:
> On Fri, Jun 20, 2008 at 10:06 AM, Rainer Gerhards wrote:
>> I dug a bit deeper and the problem seems to manifest here:
>>
>> 5292.506957161:main queue:Reg/w0: GnuTLS handshake succeeded
>> 5292.512077291:main queue:Reg/w0: nsd_gtls.c:1013: gtlsChkPeerAuth: enter
>> 5292.514658306:main queue:Reg/w0: nsd_gtls.c:919: gtlsChkPeerCertValidity: enter
>> 5292.629403970:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: mpi.c:587
>>
>> 5292.671502166:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT:
>> gnutls_pk.c:285
>>
>> 5292.672798260:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: verify.c:552
>>
>> 5292.673415581:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: verify.c:642
>>
>> 5292.675380113:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: verify.c:301
>>
>> 5292.741284540:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: dn.c:1212
>>
>> 5292.744965838:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: verify.c:395
>>
>> 5292.751276475:main queue:Reg/w0: GnuTLS returned no specific reason
>> for GNUTLS_CERT_INVALID, certificate status is 2
>>
>> I used the code I just pulled from the git archive. So the assert in
>> mpi.c is this one here:
>
> It seems like a value cannot be parsed. What is the output of certtool
> in this certificate?
>

From rgerhards at gmail.com Fri Jun 20 10:40:08 2008
From: rgerhards at gmail.com (Rainer Gerhards)
Date: Fri, 20 Jun 2008 10:40:08 +0200
Subject: [Help-gnutls] Re: gnutls_certificate_verify_peers2() / GNUTLS_CERT_INVALID
In-Reply-To:
References:
Message-ID:

Some more info: asn1_read_value returns ASN1_ELEMENT_NOT_FOUND. The
value in question is "pathLenConstraint", node is a non-NULL value (I
put a printf() in _gnutls_x509_read_uint()).

Rainer

On Fri, Jun 20, 2008 at 10:26 AM, Rainer Gerhards wrote:
> I mangled the names (## in their places) because this is a cert I
> received from a user:
>
> [root at rgf9dev nick]# certtool -i < cert.pem
> X.509 Certificate Information:
>     Version: 3
>     Serial Number (hex): 485a73f4
>     Issuer: C=US,O=###Host,OU=Online,L=##,ST=##,CN=######.com
>     Validity:
>         Not Before: Thu Jun 19 14:57:58 UTC 2008
>         Not After: Wed Mar 16 14:58:01 UTC 2011
>     Subject: C=US,O=######,OU=Online,L=######,ST=##,CN=######.com
>     Subject Public Key Algorithm: RSA
>         Modulus (bits 2048):
>         Exponent:
>             01:00:01
>     Extensions:
>         Basic Constraints (critical):
>             Certificate Authority (CA): FALSE
>         Key Purpose (not critical):
>             TLS WWW Client.
>             TLS WWW Server.
>         Subject Alternative Name (not critical):
>             DNSname: ######
>         Subject Key Identifier (not critical):
>             504a788c6ac79c390474f2d4ea93178bb851bd3e
>         Authority Key Identifier (not critical):
>             b8ef8b453849432cbee53238e6ec165d75b45b28
>     Signature Algorithm: RSA-SHA
>     Signature:
> Other Information:
>     MD5 fingerprint:
>         728189e4c0f146e4d302b6a2eb5341e9
>     SHA-1 fingerprint:
>         66762b9c21aaef11209125b909ea13c5c96f3b8e
>     Public Key Id:
>         504a788c6ac79c390474f2d4ea93178bb851bd3e
>
>
> Rainer
>
> On Fri, Jun 20, 2008 at 9:58 AM, Nikos Mavrogiannopoulos
> wrote:
>> On Fri, Jun 20, 2008 at 10:06 AM, Rainer Gerhards wrote:
>>> I dug a bit deeper and the problem seems to manifest here:
>>>
>>> 5292.506957161:main queue:Reg/w0: GnuTLS handshake succeeded
>>> 5292.512077291:main queue:Reg/w0: nsd_gtls.c:1013: gtlsChkPeerAuth: enter
>>> 5292.514658306:main queue:Reg/w0: nsd_gtls.c:919: gtlsChkPeerCertValidity: enter
>>> 5292.629403970:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: mpi.c:587
>>>
>>> 5292.671502166:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT:
>>> gnutls_pk.c:285
>>>
>>> 5292.672798260:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: verify.c:552
>>>
>>> 5292.673415581:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: verify.c:642
>>>
>>> 5292.675380113:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: verify.c:301
>>>
>>> 5292.741284540:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: dn.c:1212
>>>
>>> 5292.744965838:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: verify.c:395
>>>
>>> 5292.751276475:main queue:Reg/w0: GnuTLS returned no specific reason
>>> for GNUTLS_CERT_INVALID, certificate status is 2
>>>
>>> I used the code I just pulled from the git archive. So the assert in
>>> mpi.c is this one here:
>>
>> It seems like a value cannot be parsed. What is the output of certtool
>> in this certificate?
>>
>

From rgerhards at gmail.com Fri Jun 20 11:39:10 2008
From: rgerhards at gmail.com (Rainer Gerhards)
Date: Fri, 20 Jun 2008 11:39:10 +0200
Subject: [Help-gnutls] Re: gnutls_certificate_verify_peers2() / GNUTLS_CERT_INVALID
In-Reply-To:
References:
Message-ID:

Just some more info: the certificate was generated with GnuTLS 2.3.11
on CentOS (in case that helps ;)).

Rainer

On Fri, Jun 20, 2008 at 10:40 AM, Rainer Gerhards wrote:
> Some more info: asn1_read_value returns ASN1_ELEMENT_NOT_FOUND. The
> value in question is "pathLenConstraint", node is a non-NULL value (I
> put a printf() in _gnutls_x509_read_uint()).
>
> Rainer
>
> On Fri, Jun 20, 2008 at 10:26 AM, Rainer Gerhards wrote:
>> I mangled the names (## in their places) because this is a cert I
>> received from a user:
>>
>> [root at rgf9dev nick]# certtool -i < cert.pem
>> X.509 Certificate Information:
>>     Version: 3
>>     Serial Number (hex): 485a73f4
>>     Issuer: C=US,O=###Host,OU=Online,L=##,ST=##,CN=######.com
>>     Validity:
>>         Not Before: Thu Jun 19 14:57:58 UTC 2008
>>         Not After: Wed Mar 16 14:58:01 UTC 2011
>>     Subject: C=US,O=######,OU=Online,L=######,ST=##,CN=######.com
>>     Subject Public Key Algorithm: RSA
>>         Modulus (bits 2048):
>>         Exponent:
>>             01:00:01
>>     Extensions:
>>         Basic Constraints (critical):
>>             Certificate Authority (CA): FALSE
>>         Key Purpose (not critical):
>>             TLS WWW Client.
>>             TLS WWW Server.
>>         Subject Alternative Name (not critical):
>>             DNSname: ######
>>         Subject Key Identifier (not critical):
>>             504a788c6ac79c390474f2d4ea93178bb851bd3e
>>         Authority Key Identifier (not critical):
>>             b8ef8b453849432cbee53238e6ec165d75b45b28
>>     Signature Algorithm: RSA-SHA
>>     Signature:
>> Other Information:
>>     MD5 fingerprint:
>>         728189e4c0f146e4d302b6a2eb5341e9
>>     SHA-1 fingerprint:
>>         66762b9c21aaef11209125b909ea13c5c96f3b8e
>>     Public Key Id:
>>         504a788c6ac79c390474f2d4ea93178bb851bd3e
>>
>>
>> Rainer
>>
>> On Fri, Jun 20, 2008 at 9:58 AM, Nikos Mavrogiannopoulos
>> wrote:
>>> On Fri, Jun 20, 2008 at 10:06 AM, Rainer Gerhards wrote:
>>>> I dug a bit deeper and the problem seems to manifest here:
>>>>
>>>> 5292.506957161:main queue:Reg/w0: GnuTLS handshake succeeded
>>>> 5292.512077291:main queue:Reg/w0: nsd_gtls.c:1013: gtlsChkPeerAuth: enter
>>>> 5292.514658306:main queue:Reg/w0: nsd_gtls.c:919: gtlsChkPeerCertValidity: enter
>>>> 5292.629403970:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: mpi.c:587
>>>>
>>>> 5292.671502166:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT:
>>>> gnutls_pk.c:285
>>>>
>>>> 5292.672798260:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: verify.c:552
>>>>
>>>> 5292.673415581:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: verify.c:642
>>>>
>>>> 5292.675380113:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: verify.c:301
>>>>
>>>> 5292.741284540:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: dn.c:1212
>>>>
>>>> 5292.744965838:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: verify.c:395
>>>>
>>>> 5292.751276475:main queue:Reg/w0: GnuTLS returned no specific reason
>>>> for GNUTLS_CERT_INVALID, certificate status is 2
>>>>
>>>> I used the code I just pulled from the git archive. So the assert in
>>>> mpi.c is this one here:
>>>
>>> It seems like a value cannot be parsed. What is the output of certtool
>>> in this certificate?
>>>
>>
>

From nmav at gnutls.org Fri Jun 20 17:54:45 2008
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Fri, 20 Jun 2008 18:54:45 +0300
Subject: [Help-gnutls] multiple "gnutlses" in single binary
In-Reply-To: <200806151513.01277.arekm@maven.pl>
References: <200806151513.01277.arekm@maven.pl>
Message-ID: <485BD2C5.4080006@gnutls.org>

Arkadiusz Miskiewicz wrote:
> Hello,
>
> Take a look at this example.
>
> There is one program (let be it php interpreter) that is able to load external
> modules (so modules).
> Now we have two external modules - curl and postgresql [1]. Assume both curl
> and postgresql use external libraries (libcurl and libpq) that internally
> also use gnutls.
> Both these libraries initialize and deinitialize gnutls on its own.
> Separately they work fine.
> Now if php loads them both at the same time then gnutls initialization happens
> twice (once called by curl module and second time by postgres module) and the
> same happens for deinitialization. In openssl for example double deinit
> causes segfault and is now allowed (a real problem with php + modules btw).
> How things look in gnutls? I assume init/deinit also can't be called multiple
> times safely, right?

No there is no problem as long as they are called in a thread safe way.

regards,
Nikos

From nmav at gnutls.org Fri Jun 20 18:03:16 2008
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Fri, 20 Jun 2008 19:03:16 +0300
Subject: [Help-gnutls] Re: gnutls_certificate_verify_peers2() / GNUTLS_CERT_INVALID
In-Reply-To:
References:
Message-ID: <485BD4C4.4040602@gnutls.org>

Rainer Gerhards wrote:
> Just some more info: the certificate was generated with GnuTLS 2.3.11
> on CentOS (in case that helps ;)).

And on which version is the read being done?

From nickg at chihost.com Fri Jun 20 19:47:36 2008
From: nickg at chihost.com (nickg at chihost.com)
Date: Fri, 20 Jun 2008 12:47:36 -0500 (CDT)
Subject: [Help-gnutls] Re: gnutls_certificate_verify_peers2() / GNUTLS_CERT_I
Message-ID: <52305.99.229.52.139.1213984056.squirrel@www.chihost.com>

Yassou Nikos,

The Certificate Authority, the client, and the server reading the
server are all using GNUTLS 2.3.11 and the CentOS version is 4.6 for
all three as well. This problem is also happening on Ubuntu with GnuTLS
2.0.4 and 2.3.11.

Any ideas you have are greatly appreciated.

F?caristo Poli!

Nick

From nmav at gnutls.org Sun Jun 22 12:52:35 2008
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sun, 22 Jun 2008 13:52:35 +0300
Subject: [Help-gnutls] Re: gnutls_certificate_verify_peers2() / GNUTLS_CERT_INVALID
In-Reply-To:
References:
Message-ID: <485E2EF3.3060900@gnutls.org>

Rainer Gerhards wrote:
> Some more info: asn1_read_value returns ASN1_ELEMENT_NOT_FOUND. The
> value in question is "pathLenConstraint", node is a non-NULL value (I
> put a printf() in _gnutls_x509_read_uint()).

>>>> 5292.675380113:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: verify.c:301
>>>>
>>>> 5292.741284540:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: dn.c:1212
>>>>
>>>> 5292.744965838:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: verify.c:395
>>>>
>>>> 5292.751276475:main queue:Reg/w0: GnuTLS returned no specific reason
>>>> for GNUTLS_CERT_INVALID, certificate status is 2

As far as I understand here the verification correctly does not succeed
because some DN's do not match.

If you still think it is a gnutls bug, please send a way for me to
reproduce this problem (a chain of certificates that should verify, and
the way to produce them).

However I'd say to check if the certificate chain is correctly sent etc.

regards,
Nikos

From rgerhards at gmail.com Mon Jun 23 08:30:26 2008
From: rgerhards at gmail.com (Rainer Gerhards)
Date: Mon, 23 Jun 2008 08:30:26 +0200
Subject: [Help-gnutls] Re: gnutls_certificate_verify_peers2() / GNUTLS_CERT_INVALID
In-Reply-To: <485E2EF3.3060900@gnutls.org>
References: <485E2EF3.3060900@gnutls.org>
Message-ID:

Hi Nikos,

On Sun, Jun 22, 2008 at 12:52 PM, Nikos Mavrogiannopoulos wrote:
> Rainer Gerhards wrote:
>> Some more info: asn1_read_value returns ASN1_ELEMENT_NOT_FOUND. The
>> value in question is "pathLenConstraint", node is a non-NULL value (I
>> put a printf() in _gnutls_x509_read_uint()).
>
>>>>> 5292.675380113:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: verify.c:301
>>>>>
>>>>> 5292.741284540:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: dn.c:1212
>>>>>
>>>>> 5292.744965838:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: verify.c:395
>>>>>
>>>>> 5292.751276475:main queue:Reg/w0: GnuTLS returned no specific reason
>>>>> for GNUTLS_CERT_INVALID, certificate status is 2
>
> As far as I understand here the verification correctly does not succeed
> because some DN's do not match.

Could you elaborate on this? As far as I understood (what may be wrong)
there is no inter-dependency between the DNs.
Is there some that I have not seen?

> If you still think it is a gnutls bug,

I am not even sure it is a bug. My initial question was what this may
have caused. I am still trying to track down the actual problem cause,
but the error message is so generic that I have no clue where I should
look at. Everywhere I looked so far I could not find a problem. To make
matters worse, certificates generated in some environments (e.g. Fedora
9) seem to work, while ones generated in others (CentOS) do not.

Certificates are generated according to this guide here (maybe you can
spot an error):

http://www.rsyslog.com/doc-tls_cert_ca.html
http://www.rsyslog.com/doc-tls_cert_machine.html

> please send a way for me to reproduce this problem (a chain of
> certificates that should verify, and the way to produce them).

I hope that Nick can provide certificates he generates - in my
environments, it always works (but I can't get Nick's certificates to
work). I have seen logs of what he entered during the generation, and
it looks exactly like what I did. Also, I do not see any differences in
the certs he sent me (and they do not work for me, either).

Again, I am not saying there is a bug in GnuTLS. Most probably I am
doing something wrong. But I can not find a clue on what it may be...

Thanks again,
Rainer

> However I'd say to check if the certificate chain is correctly sent etc.
>
> regards,
> Nikos
>

From dbreiser at gmail.com Tue Jun 24 04:22:04 2008
From: dbreiser at gmail.com (David Reiser)
Date: Mon, 23 Jun 2008 22:22:04 -0400
Subject: [Help-gnutls] problems building 2.4.0
Message-ID: <8FA3A726-268A-4F82-8D4F-99E4842D2B19@gmail.com>

I'm trying to build GnuTLS 2.4.0 on a Mac -- OS X 10.5.3, gcc 4.0.1,
most dependencies supplied with fink packages.

I get:
gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I..
-DLOCALEDIR=\"/sw/share/
locale\" -I../lgl -I../lgl -I../includes -I../includes -I./x509 -I../
libextra -I../lib/openpgp/ -I/sw/include -I./opencdk -I../lib/opencdk -
I/sw/include -I/sw/include -I/sw/include -g -O2 -Wno-pointer-sign -c
gnutls_openpgp.c -fno-common -DPIC -o .libs/gnutls_openpgp.o
gnutls_openpgp.c: In function 'gnutls_openpgp_get_key':
gnutls_openpgp.c:219: error: 'cdk_keydb_search_t' undeclared (first use in this function)
gnutls_openpgp.c:219: error: (Each undeclared identifier is reported only once
gnutls_openpgp.c:219: error: for each function it appears in.)
gnutls_openpgp.c:219: error: syntax error before 'st'
gnutls_openpgp.c:242: error: 'st' undeclared (first use in this function)
gnutls_openpgp.c:242: warning: passing argument 2 of 'cdk_keydb_search_start' makes integer from pointer without a cast
gnutls_openpgp.c:242: error: incompatible type for argument 3 of 'cdk_keydb_search_start'
gnutls_openpgp.c:242: error: too many arguments to function 'cdk_keydb_search_start'
gnutls_openpgp.c:244: warning: passing argument 2 of 'cdk_keydb_search' from incompatible pointer type
gnutls_openpgp.c:244: error: too many arguments to function 'cdk_keydb_search'
gnutls_openpgp.c:246: warning: implicit declaration of function 'cdk_keydb_search_release'
make[3]: *** [gnutls_openpgp.lo] Error 1

Suggestions?

Dave
--
David Reiser
dbreiser at gmail.com

From simon at josefsson.org Tue Jun 24 11:03:45 2008
From: simon at josefsson.org (Simon Josefsson)
Date: Tue, 24 Jun 2008 11:03:45 +0200
Subject: [Help-gnutls] Re: problems building 2.4.0
In-Reply-To: <8FA3A726-268A-4F82-8D4F-99E4842D2B19@gmail.com> (David Reiser's message of "Mon, 23 Jun 2008 22:22:04 -0400")
References: <8FA3A726-268A-4F82-8D4F-99E4842D2B19@gmail.com>
Message-ID: <87skv3xkzy.fsf@mocca.josefsson.org>

David Reiser writes:

> I'm trying to build GnuTLS 2.4.0 on a Mac -- OS X 10.5.3, gcc 4.0.1,
> most dependencies supplied with fink packages.

This seems to be the same problem as in:

http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/2912

Does the patch in that thread solve the problem for you?

Perhaps we should do a 2.4.1 with this fix, but it may be too early to
do this now.

/Simon

> I get:
> gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I.. -DLOCALEDIR=\"/sw/share/
> locale\" -I../lgl -I../lgl -I../includes -I../includes -I./x509 -I../
> libextra -I../lib/openpgp/ -I/sw/include -I./opencdk -I../lib/opencdk
> -
> I/sw/include -I/sw/include -I/sw/include -g -O2 -Wno-pointer-sign -c
> gnutls_openpgp.c -fno-common -DPIC -o .libs/gnutls_openpgp.o
> gnutls_openpgp.c: In function 'gnutls_openpgp_get_key':
> gnutls_openpgp.c:219: error: 'cdk_keydb_search_t' undeclared (first
> use in this function)
> gnutls_openpgp.c:219: error: (Each undeclared identifier is reported
> only once
> gnutls_openpgp.c:219: error: for each function it appears in.)
> gnutls_openpgp.c:219: error: syntax error before 'st'
> gnutls_openpgp.c:242: error: 'st' undeclared (first use in this
> function)
> gnutls_openpgp.c:242: warning: passing argument 2 of
> cdk_keydb_search_start' makes integer from pointer without a cast
> gnutls_openpgp.c:242: error: incompatible type for argument 3 of
> cdk_keydb_search_start'
> gnutls_openpgp.c:242: error: too many arguments to function
> cdk_keydb_search_start'
> gnutls_openpgp.c:244: warning: passing argument 2 of
> cdk_keydb_search' from incompatible pointer type
> gnutls_openpgp.c:244: error: too many arguments to function
> cdk_keydb_search'
> gnutls_openpgp.c:246: warning: implicit declaration of function
> cdk_keydb_search_release'
> make[3]: *** [gnutls_openpgp.lo] Error 1
>
> Suggestions?
>
> Dave
> --
> David Reiser
> dbreiser at gmail.com

From richih.mailinglist at gmail.com Wed Jun 25 16:46:23 2008
From: richih.mailinglist at gmail.com (Richard Hartmann)
Date: Wed, 25 Jun 2008 16:46:23 +0200
Subject: [Help-gnutls] List of supported CipherSuite and CompressionMethod
Message-ID: <2d460de70806250746s6dd45a8fg4c9adc8cc2154e58@mail.gmail.com>

Hi all,

I was wondering if there is a list of all CipherSuite[s] and
CompressionMethod[s] supported by GNUTLS. At this point,
I would prefer not to go through the code to get an answer, but
if you guys would point me at a file name, I would gladly take
that, as well :)

Additionally, I am wondering if the compression API will likely
change at some point as is the case with OpenSSL.

Thanks,
Richard

From simon at josefsson.org Wed Jun 25 17:24:43 2008
From: simon at josefsson.org (Simon Josefsson)
Date: Wed, 25 Jun 2008 17:24:43 +0200
Subject: [Help-gnutls] Re: List of supported CipherSuite and CompressionMethod
In-Reply-To: <2d460de70806250746s6dd45a8fg4c9adc8cc2154e58@mail.gmail.com> (Richard Hartmann's message of "Wed, 25 Jun 2008 16:46:23 +0200")
References: <2d460de70806250746s6dd45a8fg4c9adc8cc2154e58@mail.gmail.com>
Message-ID: <8763rxa66c.fsf@mocca.josefsson.org>

"Richard Hartmann" writes:

> Hi all,
>
> I was wondering if there is a list of all CipherSuite[s] and
> CompressionMethod[s] supported by GNUTLS. At this point,
> I would prefer not to go through the code to get an answer, but
> if you guys would point me at a file name, I would gladly take
> that, as well :)

Hi. You can run 'gnutls-cli -l' to check what your particular
library/tool can support, but if you want to check the source see:

http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=blob;f=lib/gnutls_algorithms.c;hb=HEAD

The array with all supported ciphersuites is cs_algorithms.

Output from my 'gnutls-cli -l' is below.

> Additionally, I am wondering if the compression API will likely
> change at some point as is the case with OpenSSL.
The compression API is pretty minimal (get names of compression modes, and to enable/disable whether to use it, etc). Looking over the APIs involved, I can say that these functions will continue to work the same for many years the very least. No changes in that area is planned that I know of. Finally, I don't recall any changes in this area as long as I have been involved. LZO compression was disabled in the last release, but it doesn't affect the API, and you probably don't want LZO anyway because it is non-standard. /Simon jas at mocca:~$ gnutls-cli -v gnutls-cli (GnuTLS) 2.4.0 jas at mocca:~$ gnutls-cli -l Cipher suites: TLS_ANON_DH_ARCFOUR_MD5 0x00, 0x18 SSL3.0 TLS_ANON_DH_3DES_EDE_CBC_SHA1 0x00, 0x1b SSL3.0 TLS_ANON_DH_AES_128_CBC_SHA1 0x00, 0x34 SSL3.0 TLS_ANON_DH_AES_256_CBC_SHA1 0x00, 0x3a SSL3.0 TLS_ANON_DH_CAMELLIA_128_CBC_SHA1 0x00, 0x46 TLS1.0 TLS_ANON_DH_CAMELLIA_256_CBC_SHA1 0x00, 0x89 TLS1.0 TLS_PSK_SHA_ARCFOUR_SHA1 0x00, 0x8a TLS1.0 TLS_PSK_SHA_3DES_EDE_CBC_SHA1 0x00, 0x8b TLS1.0 TLS_PSK_SHA_AES_128_CBC_SHA1 0x00, 0x8c TLS1.0 TLS_PSK_SHA_AES_256_CBC_SHA1 0x00, 0x8d TLS1.0 TLS_DHE_PSK_SHA_ARCFOUR_SHA1 0x00, 0x8e TLS1.0 TLS_DHE_PSK_SHA_3DES_EDE_CBC_SHA1 0x00, 0x8f TLS1.0 TLS_DHE_PSK_SHA_AES_128_CBC_SHA1 0x00, 0x90 TLS1.0 TLS_DHE_PSK_SHA_AES_256_CBC_SHA1 0x00, 0x91 TLS1.0 TLS_SRP_SHA_3DES_EDE_CBC_SHA1 0xc0, 0x1a TLS1.0 TLS_SRP_SHA_AES_128_CBC_SHA1 0xc0, 0x1d TLS1.0 TLS_SRP_SHA_AES_256_CBC_SHA1 0xc0, 0x20 TLS1.0 TLS_SRP_SHA_DSS_3DES_EDE_CBC_SHA1 0xc0, 0x1c TLS1.0 TLS_SRP_SHA_RSA_3DES_EDE_CBC_SHA1 0xc0, 0x1b TLS1.0 TLS_SRP_SHA_DSS_AES_128_CBC_SHA1 0xc0, 0x1f TLS1.0 TLS_SRP_SHA_RSA_AES_128_CBC_SHA1 0xc0, 0x1e TLS1.0 TLS_SRP_SHA_DSS_AES_256_CBC_SHA1 0xc0, 0x22 TLS1.0 TLS_SRP_SHA_RSA_AES_256_CBC_SHA1 0xc0, 0x21 TLS1.0 TLS_DHE_DSS_ARCFOUR_SHA1 0x00, 0x66 TLS1.0 TLS_DHE_DSS_3DES_EDE_CBC_SHA1 0x00, 0x13 SSL3.0 TLS_DHE_DSS_AES_128_CBC_SHA1 0x00, 0x32 SSL3.0 TLS_DHE_DSS_AES_256_CBC_SHA1 0x00, 0x38 SSL3.0 TLS_DHE_DSS_CAMELLIA_128_CBC_SHA1 0x00, 0x44 TLS1.0 
TLS_DHE_DSS_CAMELLIA_256_CBC_SHA1 0x00, 0x87 TLS1.0 TLS_DHE_RSA_3DES_EDE_CBC_SHA1 0x00, 0x16 SSL3.0 TLS_DHE_RSA_AES_128_CBC_SHA1 0x00, 0x33 SSL3.0 TLS_DHE_RSA_AES_256_CBC_SHA1 0x00, 0x39 SSL3.0 TLS_DHE_RSA_CAMELLIA_128_CBC_SHA1 0x00, 0x45 TLS1.0 TLS_DHE_RSA_CAMELLIA_256_CBC_SHA1 0x00, 0x88 TLS1.0 TLS_RSA_NULL_MD5 0x00, 0x01 SSL3.0 TLS_RSA_EXPORT_ARCFOUR_40_MD5 0x00, 0x03 SSL3.0 TLS_RSA_ARCFOUR_SHA1 0x00, 0x05 SSL3.0 TLS_RSA_ARCFOUR_MD5 0x00, 0x04 SSL3.0 TLS_RSA_3DES_EDE_CBC_SHA1 0x00, 0x0a SSL3.0 TLS_RSA_AES_128_CBC_SHA1 0x00, 0x2f SSL3.0 TLS_RSA_AES_256_CBC_SHA1 0x00, 0x35 SSL3.0 TLS_RSA_CAMELLIA_128_CBC_SHA1 0x00, 0x41 TLS1.0 TLS_RSA_CAMELLIA_256_CBC_SHA1 0x00, 0x84 TLS1.0 Certificate types: X.509, OPENPGP Protocols: SSL3.0, TLS1.0, TLS1.1, TLS1.2 Ciphers: AES-256-CBC, AES-128-CBC, 3DES-CBC, DES-CBC, ARCFOUR-128, ARCFOUR-40, RC2-40, CAMELLIA-256-CBC, CAMELLIA-128-CBC, NULL MACs: SHA1, MD5, SHA256, SHA384, SHA512, MD2, RIPEMD160, NULL Key exchange algorithms: ANON-DH, RSA, RSA-EXPORT, DHE-RSA, DHE-DSS, SRP-DSS, SRP-RSA, SRP, PSK, DHE-PSK Compression: DEFLATE, NULL jas at mocca:~$ From dbreiser at gmail.com Wed Jun 25 17:51:31 2008 From: dbreiser at gmail.com (David Reiser) Date: Wed, 25 Jun 2008 11:51:31 -0400 Subject: [Help-gnutls] Re: problems building 2.4.0 In-Reply-To: <87skv3xkzy.fsf@mocca.josefsson.org> References: <8FA3A726-268A-4F82-8D4F-99E4842D2B19@gmail.com> <87skv3xkzy.fsf@mocca.josefsson.org> Message-ID: On Jun 24, 2008, at 5:03 AM, Simon Josefsson wrote: > David Reiser writes: > >> I'm trying to build GnuTLS 2.4.0 on a Mac -- OS X 10.5.3, gcc 4.0.1, >> most dependencies supplied with fink packages. > > This seems to be the same problem as in: > > http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/2912 > > Does the patch in that thread solve the problem for you? Yes (though I patched Makefile.in instead). Thanks. My googling needs some work, I guess. 
>
>
> Perhaps we should do a 2.4.1 with this fix, but it may be too early to
> do this now.

Now that I have a fix, I can package it this way, so I'm not in a hurry
for a new version.

Is using an internal opencdk likely to continue?

>
>
> /Simon
>
>> I get:
>> gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I.. -DLOCALEDIR=\"/sw/share/
>> locale\" -I../lgl -I../lgl -I../includes -I../includes -I./x509 -I../
>> libextra -I../lib/openpgp/ -I/sw/include -I./opencdk -I../lib/opencdk
>> -
>> I/sw/include -I/sw/include -I/sw/include -g -O2 -Wno-pointer-sign -c
>> gnutls_openpgp.c -fno-common -DPIC -o .libs/gnutls_openpgp.o
>> gnutls_openpgp.c: In function 'gnutls_openpgp_get_key':
>> gnutls_openpgp.c:219: error: 'cdk_keydb_search_t' undeclared (first
>> use in this function)
>> gnutls_openpgp.c:219: error: (Each undeclared identifier is reported
>> only once
>> gnutls_openpgp.c:219: error: for each function it appears in.)
>> gnutls_openpgp.c:219: error: syntax error before 'st'
>> gnutls_openpgp.c:242: error: 'st' undeclared (first use in this
>> function)
>> gnutls_openpgp.c:242: warning: passing argument 2 of
>> cdk_keydb_search_start' makes integer from pointer without a cast
>> gnutls_openpgp.c:242: error: incompatible type for argument 3 of
>> cdk_keydb_search_start'
>> gnutls_openpgp.c:242: error: too many arguments to function
>> cdk_keydb_search_start'
>> gnutls_openpgp.c:244: warning: passing argument 2 of
>> cdk_keydb_search' from incompatible pointer type
>> gnutls_openpgp.c:244: error: too many arguments to function
>> cdk_keydb_search'
>> gnutls_openpgp.c:246: warning: implicit declaration of function
>> cdk_keydb_search_release'
>> make[3]: *** [gnutls_openpgp.lo] Error 1
>>
>> Suggestions?
>>
>> Dave
>> --
>> David Reiser
>> dbreiser at gmail.com

--
David Reiser
dbreiser at gmail.com

From simon at josefsson.org Wed Jun 25 20:33:03 2008
From: simon at josefsson.org (Simon Josefsson)
Date: Wed, 25 Jun 2008 20:33:03 +0200
Subject: [Help-gnutls] Re: problems building 2.4.0
In-Reply-To: (David Reiser's message of "Wed, 25 Jun 2008 11:51:31 -0400")
References: <8FA3A726-268A-4F82-8D4F-99E4842D2B19@gmail.com>
 <87skv3xkzy.fsf@mocca.josefsson.org>
Message-ID: <87skv18iw0.fsf@mocca.josefsson.org>

David Reiser writes:

>> Does the patch in that thread solve the problem for you?
> Yes (though I patched Makefile.in instead).
...
>> Perhaps we should do a 2.4.1 with this fix, but it may be too early to
>> do this now.
>
> Now that I have a fix, I can package it this way, so I'm not in a
> hurry for a new version.

Great, I'd rather wait until we have more critical things to fix before
doing another 2.4.x release.

> Is using an internal opencdk likely to continue?

Alas, yes. We don't know how to handle an abstract crypto-layer without
bundling it with GnuTLS. Possibly we could create another project which
is the crypto provider for all gnutls projects, and gnutls and opencdk
could both use them separately. But it is a lot of work.

/Simon

From nmav at gnutls.org Thu Jun 26 09:41:46 2008
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Thu, 26 Jun 2008 10:41:46 +0300
Subject: [Help-gnutls] Re: not permitted to talk to peer, certificate invalid: no specific reason:
In-Reply-To: <577465F99B41C842AAFBE9ED71E70ABA3092AE@grfint2.intern.adiscon.com>
References: <001c01c8d523$97dc7bc0$c7957340$@com>
 <48612C1F.7080603@gnutls.org>
 <00c301c8d623$cd2c2180$67846480$@com>
 <486279ED.9040207@gnutls.org>
 <001701c8d6f6$54575e90$fd061bb0$@com>
 <577465F99B41C842AAFBE9ED71E70ABA3092AE@grfint2.intern.adiscon.com>
Message-ID:

> PS: as a side-note I wonder why certtool does not detect that the wrong
> private key was used - e.g. it could verify the signature after doing
> it.
> Or am I thinking wrong?

You are right, there should be a check. I'll add it to the todo list in
case someone is interested in implementing it.

regards,
Nikos

From simon at josefsson.org Mon Jun 30 23:36:52 2008
From: simon at josefsson.org (Simon Josefsson)
Date: Mon, 30 Jun 2008 23:36:52 +0200
Subject: [Help-gnutls] GnuTLS 2.4.1
Message-ID: <87skuuiozv.fsf@mocca.josefsson.org>

We are proud to announce a new stable GnuTLS release: Version 2.4.1.

GnuTLS is a modern C library that implements the standard network
security protocol Transport Layer Security (TLS), for use by network
applications. GnuTLS is developed for GNU/Linux, but works on many
Unix-like systems and comes with a binary installer for Windows.

The core GnuTLS library is distributed under the terms of the GNU Lesser
General Public License version 2.1 (or later). The "extra" GnuTLS
libraries -- which contain TLS/IA support, LZO compression -- and the
OpenSSL compatibility library self tests and command line tools are
distributed under the GNU General Public License version 3.0 (or later).
The manual is distributed under the GNU Free Documentation License
version 1.2 (or later).

The project page of the library is available at:
  http://www.gnutls.org/
  http://www.gnu.org/software/gnutls/
  http://josefsson.org/gnutls/

What's New
==========

Changes compared to the last stable release version 2.4.1:

** libgnutls: Fix local crash in gnutls_handshake. [GNUTLS-SA-2008-2]
If the gnutls_handshake function is called for a normal session, which
can happen for re-handshakes, the library would crash because it tried
to hash some data using a libgcrypt handle that had been deallocated.
Report and tiny patch from Tomas Mraz . Any updates with more details
about this vulnerability will be added to

** libgnutls: Fix memory leaks when doing a re-handshake.
Reported by Sam Varshavchik in .

** Fix compiler warnings.
Reported by Massimo Gaspari in .

** Fix ordering of -I's to avoid opencdk.h conflict with system headers.
Reported by Roman Bogorodskiy in .

** srptool: Fix a problem where --verify check does not succeed.
Report and tiny patch by Matthias Koenig in .

** API and ABI modifications:
No changes since last version.

Getting the Software
====================

GnuTLS may be downloaded from one of the mirror sites or direct from .
The list of mirrors can be found at .

Here are the BZIP2 compressed sources (4.8MB):

  ftp://ftp.gnutls.org/pub/gnutls/gnutls-2.4.1.tar.bz2
  http://josefsson.org/gnutls/releases/gnutls-2.4.1.tar.bz2

Here are OpenPGP detached signatures signed using key 0xB565716F:

  ftp://ftp.gnutls.org/pub/gnutls/gnutls-2.4.1.tar.bz2.sig
  http://josefsson.org/gnutls/releases/gnutls-2.4.1.tar.bz2.sig

Note, that we don't distribute gzip compressed tarballs.

In order to check that the version of GnuTLS which you are going to
install is an original and unmodified one, you should verify the OpenPGP
signature. You can use the command

  gpg --verify gnutls-2.4.1.tar.bz2.sig

This checks whether the signature file matches the source file. You
should see a message indicating that the signature is good and made by
that signing key. Make sure that you have the right key, either by
checking the fingerprint of that key with other sources or by checking
that the key has been signed by a trustworthy other key. The signing
key can be identified with the following information:

pub 1280R/B565716F 2002-05-05 [expires: 2009-04-21]
Key fingerprint = 0424 D4EE 81A0 E3D1 19C6 F835 EDA2 1E94 B565 716F
uid Simon Josefsson
uid Simon Josefsson
sub 1280R/4D5D40AE 2002-05-05 [expires: 2009-04-21]

The key is available from:
  http://josefsson.org/key.txt
  dns:b565716f.josefsson.org?TYPE=CERT

Alternatively, after successfully verifying the OpenPGP signature of
this announcement, you could verify that the files match the following
checksum values.
The values are for SHA-1 and SHA-224 respectively:

7a439542e6344d5ccf11a29431a0600e7fe1c735 gnutls-2.4.1.tar.bz2

b38deef0f27412212b02c871e584d3ae9958c8d445de21c5496f2c49 gnutls-2.4.1.tar.bz2

Documentation
=============

The manual is available online at:

  http://www.gnu.org/software/gnutls/documentation.html

In particular the following formats are available:

  HTML: http://www.gnu.org/software/gnutls/manual/html_node/index.html
  PDF: http://www.gnu.org/software/gnutls/manual/gnutls.pdf

For developers there is a GnuTLS API reference manual formatted using
the GTK-DOC tools:

  http://www.gnu.org/software/gnutls/reference/gnutls-gnutls.html

Community
=========

If you need help to use GnuTLS, or want to help others, you are invited
to join our help-gnutls mailing list, see: .

If you wish to participate in the development of GnuTLS, you are invited
to join our gnutls-dev mailing list, see: .

Windows installer
=================

GnuTLS has been ported to the Windows operating system, and a binary
installer is available. The installer contains DLLs for application
development, manuals, examples, and source code. The installer consists
of libgpg-error 1.6, libgcrypt 1.4.1, libtasn1 1.4, and GnuTLS 2.4.1.
For more information about GnuTLS for Windows:
  http://josefsson.org/gnutls4win/

The Windows binary installer and PGP signature:

  http://josefsson.org/gnutls4win/gnutls-2.4.1.exe (14MB)
  http://josefsson.org/gnutls4win/gnutls-2.4.1.exe.sig

The checksum values for SHA-1 and SHA-224 are:

a629764717b16f545e0a91f116215df36c5219fe gnutls-2.4.1.exe
0d3cdd14f01d58644045d440ef95fc78ab55de03e605999621b601d7 gnutls-2.4.1.exe

Thanks to Enrico Tassi, we also have mingw32 *.deb's available:

  http://josefsson.org/gnutls4win/mingw32-gnutls_2.4.1-1_all.deb

The checksum values for SHA-1 and SHA-224 are:

92a1efe32fe3e3e14807a4b4543e5902ef56389c mingw32-gnutls_2.4.1-1_all.deb
a0776c2f5cc3e06d79fc1df3bc58cbf59e2b5ed920c72a6ac53e9139 mingw32-gnutls_2.4.1-1_all.deb

Internationalization
====================

GnuTLS messages have been translated into Dutch, German, Malay, Polish,
Swedish, and Vietnamese. We welcome the addition of more translations.

Support
=======

Improving GnuTLS is costly, but you can help! We are looking for
organizations that find GnuTLS useful and wish to contribute back. You
can contribute by reporting bugs, improving the software, or donating
money or equipment.

Commercial support contracts for GnuTLS are available, and they help
finance continued maintenance. Simon Josefsson Datakonsult, a Stockholm
based privately held company, is currently funding GnuTLS maintenance.
We are always looking for interesting development projects. See
http://josefsson.org/ for more details.

The GnuTLS service directory is available at:

  http://www.gnu.org/software/gnutls/commercial.html

Happy Hacking,
Simon
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 419 bytes
Desc: not available
URL:
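
The checksum step described in the announcement above, as an added example that is not part of the original message or of GnuTLS: it parses "digest filename" lines, tells SHA-1 from SHA-224 by hex length, and passes a file only when both listed digests match. The function names and the sample file in the demo are constructed for illustration; as the announcement says, the digests only carry weight once the OpenPGP signature on the announcement has been verified.

```python
import hashlib
import hmac
import os
import tempfile

# The announcement lists two digests per file; tell them apart by hex length.
ALGO_BY_HEXLEN = {40: "sha1", 56: "sha224"}


def parse_checksums(text):
    """Return {filename: {algo: hexdigest}} from 'digest filename' lines."""
    expected = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # prose, headings and URLs are not checksum lines
        digest, name = parts[0].lower(), parts[1]
        algo = ALGO_BY_HEXLEN.get(len(digest))
        if algo and all(c in "0123456789abcdef" for c in digest):
            expected.setdefault(name, {})[algo] = digest
    return expected


def file_digests(path, algos):
    """Stream the file once and hash it with every requested algorithm."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def verify(path, expected, required=("sha1", "sha224")):
    """True only if every required digest is listed for this file and matches."""
    want = expected.get(os.path.basename(path), {})
    if any(a not in want for a in required):
        return False  # fail closed: a digest missing from the list is not a pass
    got = file_digests(path, required)
    return all(hmac.compare_digest(got[a], want[a]) for a in required)


if __name__ == "__main__":
    # Constructed stand-in for a download; real digests come from the signed mail.
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "example.tar.bz2")
        with open(path, "wb") as fh:
            fh.write(b"constructed sample data")
        digests = file_digests(path, ("sha1", "sha224"))
        listing = "\n".join(f"{h} example.tar.bz2" for h in digests.values())
        print(verify(path, parse_checksums(listing)))
```
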