From simon at josefsson.org Sun Apr 12 12:56:33 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Sun, 12 Apr 2009 12:56:33 +0200
Subject: [Help-gnutls] GnuTLS 2.6.5
Message-ID: <87prfim97i.fsf@mocca.josefsson.org>
We are proud to announce a new stable GnuTLS release: Version 2.6.5.
GnuTLS is a modern C library that implements the standard network
security protocol Transport Layer Security (TLS), for use by network
applications. GnuTLS is developed for GNU/Linux, but works on many
Unix-like systems and comes with a binary installer for Windows.
The GnuTLS library is distributed under the terms of the GNU Lesser
General Public License version 2.1 (or later). The "extra" GnuTLS
library (which contains TLS/IA support, LZO compression and Libgcrypt
FIPS-mode handler), the OpenSSL compatibility library, the self tests
and the command line tools are all distributed under the GNU General
Public License version 3.0 (or later). The manual is distributed under
the GNU Free Documentation License version 1.2 (or later).
The project page of the library is available at:
http://www.gnu.org/software/gnutls/
What's New
==========
Version 2.6.5 is a maintenance release on our stable branch.
** libgnutls: Added %SSL3_RECORD_VERSION priority string that allows to
specify the client hello message record version. Used to overcome buggy
TLS servers. Report by Martin von Gagern.
** GnuTLS no longer uses the libtasn1-config script to find libtasn1.
Libtasn1 0.3.4 or later is required. This is to align with the
upcoming libtasn1 v2.0 release that doesn't have a libtasn1-script.
** API and ABI modifications:
No changes since last version.
Getting the Software
====================
GnuTLS may be downloaded from one of the mirror sites or direct from
. The list of mirrors can be found at
.
Here are the BZIP2 compressed sources (4.9MB):
ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.6.5.tar.bz2
http://ftp.gnu.org/gnu/gnutls/gnutls-2.6.5.tar.bz2
Here are OpenPGP detached signatures signed using key 0xB565716F:
ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.6.5.tar.bz2.sig
http://ftp.gnu.org/gnu/gnutls/gnutls-2.6.5.tar.bz2.sig
Note, that we don't distribute gzip compressed tarballs.
In order to check that the version of GnuTLS which you are going to
install is an original and unmodified one, you should verify the OpenPGP
signature. You can use the command
gpg --verify gnutls-2.6.5.tar.bz2.sig
This checks whether the signature file matches the source file. You
should see a message indicating that the signature is good and made by
that signing key. Make sure that you have the right key, either by
checking the fingerprint of that key with other sources or by checking
that the key has been signed by a trustworthy other key. The signing
key can be identified with the following information:
pub 1280R/B565716F 2002-05-05 [expires: 2010-02-22]
Key fingerprint = 0424 D4EE 81A0 E3D1 19C6 F835 EDA2 1E94 B565 716F
uid Simon Josefsson
uid Simon Josefsson
sub 1280R/4D5D40AE 2002-05-05 [expires: 2009-04-21]
The key is available from:
http://josefsson.org/key.txt
dns:b565716f.josefsson.org?TYPE=CERT
Alternatively, after successfully verifying the OpenPGP signature of
this announcement, you could verify that the files match the following
checksum values. The values are for SHA-1 and SHA-224 respectively:
87d0fd82debee0d644f72fcf404ccd7540c6c71a gnutls-2.6.5.tar.bz2
1787a6eee766a8622b1fc5c94ead3394dea70769dca2143a759e6625 gnutls-2.6.5.tar.bz2
Documentation
=============
The manual is available online at:
http://www.gnu.org/software/gnutls/documentation.html
In particular the following formats are available:
HTML: http://www.gnu.org/software/gnutls/manual/html_node/index.html
PDF: http://www.gnu.org/software/gnutls/manual/gnutls.pdf
For developers there is a GnuTLS API reference manual formatted using
the GTK-DOC tools:
http://www.gnu.org/software/gnutls/reference/gnutls-gnutls.html
Community
=========
If you need help to use GnuTLS, or want to help others, you are invited
to join our help-gnutls mailing list, see:
http://lists.gnu.org/mailman/listinfo/help-gnutls
If you wish to participate in the development of GnuTLS, you are invited
to join our gnutls-dev mailing list, see:
http://lists.gnu.org/mailman/listinfo/gnutls-devel
Windows installer
=================
GnuTLS has been ported to the Windows operating system, and a binary
installer is available. The installer contains DLLs for application
development, manuals, examples, and source code. The installer uses
libgpg-error v1.7, libgcrypt v1.4.4, libtasn1 v1.8, and GnuTLS v2.6.5.
For more information about GnuTLS for Windows:
http://josefsson.org/gnutls4win/
The Windows binary installer and PGP signature:
http://josefsson.org/gnutls4win/gnutls-2.6.5.exe (14MB)
http://josefsson.org/gnutls4win/gnutls-2.6.5.exe.sig
The checksum values for SHA-1 and SHA-224 are:
d50b2b1ede9699f89ffbd1dc43b2656bdfc64d88 gnutls-2.6.5.exe
8603a549ca8d8b8f3b7eaeafedc953d638a45b9772916120b63d73df gnutls-2.6.5.exe
Thanks to Enrico Tassi, we also have mingw32 *.deb's available:
http://josefsson.org/gnutls4win/mingw32-gnutls_2.6.5-1_all.deb
The checksum values for SHA-1 and SHA-224 are:
bac1c1d5873efb8e1c81f2c98a777220bd2e44a2 mingw32-gnutls_2.6.5-1_all.deb
a8470fce811406fe41890f80bc8d1230ba3a56316583a86e287d0bf8 mingw32-gnutls_2.6.5-1_all.deb
Internationalization
====================
GnuTLS messages have been translated into Dutch, French, German,
Malay, Polish, Swedish, and Vietnamese. We welcome the addition of
more translations.
Support
=======
Improving GnuTLS is costly, but you can help! We are looking for
organizations that find GnuTLS useful and wish to contribute back.
You can contribute by reporting bugs, improve the software, or donate
money or equipment.
Commercial support contracts for GnuTLS are available, and they help
finance continued maintenance. Simon Josefsson Datakonsult AB, a
Stockholm based privately held company, is currently funding GnuTLS
maintenance. We are always looking for interesting development
projects. See http://josefsson.org/ for more details.
The GnuTLS service directory is available at:
http://www.gnu.org/software/gnutls/commercial.html
Happy Hacking,
Simon
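Added example (not part of the original announcement or of GnuTLS): a shell version of the verification steps described above, which accepts a signature only when gpg's machine-readable status names the full fingerprint given in the message, and which also compares a published SHA-1 or SHA-224 value. It assumes `gpg`, `awk` and GNU coreutils' `sha1sum`/`sha224sum` are on the PATH; the function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: pin the signer's fingerprint and check the published digests.
# Fingerprint copied from the announcement, spaces removed.
PINNED_FPR="0424D4EE81A0E3D119C6F835EDA21E94B565716F"

# Reads gpg status lines on stdin (as produced by: gpg --status-fd 1 --verify).
# Succeeds only if gpg reported GOODSIG, no failure/expiry/revocation status,
# and a VALIDSIG line whose primary-key fingerprint equals the pinned one.
signed_by_pinned_key() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" { bad = 1 }
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" {
            # Field 3 is the key that made the signature (possibly a subkey);
            # when gpg supplies it, the last field is the primary key.
            primary = (NF >= 12) ? $NF : $3
            if (toupper(primary) == toupper(want)) pinned = 1
        }
        END { exit ((good && pinned && !bad) ? 0 : 1) }'
}

# usage: digest_matches FILE sha1|sha224 EXPECTED_HEX
# Returns 0 on match, 1 on mismatch, 2 if the digest could not be computed.
digest_matches() {
    case "$2" in
        sha1|sha224) ;;
        *) return 2 ;;
    esac
    actual=$("${2}sum" "$1" 2>/dev/null) || return 2
    actual=${actual%% *}                       # keep only the hex digest
    expected=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# usage: verify_release FILE.sig FILE sha1|sha224 EXPECTED_HEX
# e.g.   verify_release gnutls-2.6.5.tar.bz2.sig gnutls-2.6.5.tar.bz2 \
#            sha1 87d0fd82debee0d644f72fcf404ccd7540c6c71a
verify_release() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        signed_by_pinned_key "$PINNED_FPR" || return 1
    digest_matches "$2" "$3" "$4"
}

# Constructed sample of gpg status output (the subkey fingerprint, key id and
# timestamp are placeholders, not real values).
SAMPLE_STATUS='[GNUPG:] GOODSIG 1111111111111111 Simon Josefsson
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2009-04-12 1239533793 0 4 0 1 2 00 0424D4EE81A0E3D119C6F835EDA21E94B565716F'

if printf '%s\n' "$SAMPLE_STATUS" | signed_by_pinned_key "$PINNED_FPR"; then
    echo "sample status: signed by the pinned key"
fi
```

Because the pinned key carries an expiry date, a present-day gpg run reports EXPKEYSIG for it and this check fails closed rather than accepting the signature.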
From exa.exa at gmail.com Sun Apr 12 14:59:53 2009
From: exa.exa at gmail.com (Miroslav Kratochvil)
Date: Sun, 12 Apr 2009 14:59:53 +0200
Subject: [Help-gnutls] Simple question about performance
Message-ID:
Hi there,
I'm thinking about rewriting one of my projects from OpenSSL to GnuTLS.
The project is a VPN, and as it basically needs only pretty good raw
transfer speed, I began to be concerned about some rumors that my little
search returned - those were mostly about GnuTLS being 30-50% slower
than OpenSSL. Most of those posts were around 3-5 years old, though, so
I'm writing here to ask:
a] Is there really such performance gap? (I don't count
recently-discussed TLS handshake problems, I need only raw
crypting/transfer speeds.)
b] Do we have some kind of real benchmark? like "encrypt 50 megs with
RSA: x,y,z seconds for gnutls/openssl/nss/..."
I'm sorry if bringing this topic up isn't needed and I only got
confused by bad google results; but I would really like someone to
comment on this.
Thanks
Mirek Kratochvil
PS. the application I'm planning to rewrite is here:
http://exa.czweb.org/?view=cloudvpn
From simon at josefsson.org Mon Apr 13 19:23:28 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Mon, 13 Apr 2009 19:23:28 +0200
Subject: [Help-gnutls] Libtasn1 2.0
Message-ID: <87d4bgwjqn.fsf@mocca.josefsson.org>
Libtasn1 is a standalone library written in C for manipulating ASN.1
objects including DER/BER encoding and DER/BER decoding. Libtasn1 is
used by GnuTLS to manipulate X.509 objects and by Shishi to handle
Kerberos V5 packets.
Version 2.0 (released 2009-04-13)
- Optimized tree generation.
- ASN1 parser code re-generated using Bison 2.4.1.
- Build with more warning flags. Many compiler warnings fixed.
- Compiled with -fvisibility=hidden by default if supported.
See http://gcc.gnu.org/wiki/Visibility
- The libtasn1-config tool has been removed.
For application developers, please stop using libtasn1-config for
finding libtasn1, use proper autoconf checks or pkg-config instead.
For users that need a libtasn1 that provides a libtasn1-config
script (for use with older applications), use libtasn1 v1.x instead.
Version 1.x is still supported.
Commercial support contracts for Libtasn1 are available, and they help
finance continued maintenance. Simon Josefsson Datakonsult AB, a
Stockholm based privately held company, is currently funding Libtasn1
maintenance. We are always looking for interesting development
projects. See http://josefsson.org/ for more details.
If you need help to use Libtasn1, or want to help others, you are
invited to join the help-gnutls mailing list, see:
.
Homepage:
http://josefsson.org/libtasn1/
Here are the compressed sources (1.6MB):
ftp://ftp.gnu.org/gnu/gnutls/libtasn1-2.0.tar.gz
http://ftp.gnu.org/gnu/gnutls/libtasn1-2.0.tar.gz
Here are GPG detached signatures using key 0xB565716F:
ftp://ftp.gnu.org/gnu/gnutls/libtasn1-2.0.tar.gz.sig
http://ftp.gnu.org/gnu/gnutls/libtasn1-2.0.tar.gz.sig
The software is cryptographically signed by the author using an
OpenPGP key identified by the following information:
pub 1280R/B565716F 2002-05-05 [expires: 2010-02-22]
Key fingerprint = 0424 D4EE 81A0 E3D1 19C6 F835 EDA2 1E94 B565 716F
uid Simon Josefsson
uid Simon Josefsson
sub 1280R/4D5D40AE 2002-05-05 [expires: 2009-04-21]
The key is available from:
http://josefsson.org/key.txt
dns:b565716f.josefsson.org?TYPE=CERT
Here are the SHA-1 and SHA-224 checksums:
56abc5d794a61a65ea921a04129b51f4262f255f libtasn1-2.0.tar.gz
58093cd40850f8792c7c898a031098af5c3036a20bfc5fe2dbc1eec3 libtasn1-2.0.tar.gz
Happy hacking,
Simon
From simon at josefsson.org Tue Apr 14 02:35:43 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Tue, 14 Apr 2009 02:35:43 +0200
Subject: [Help-gnutls] Re: Simple question about performance
In-Reply-To:
(Miroslav Kratochvil's message of "Sun, 12 Apr 2009 14:59:53 +0200")
References:
Message-ID: <878wm4t6lc.fsf@mocca.josefsson.org>
Miroslav Kratochvil writes:
> Hi there,
>
> I'm thinking about rewriting one of my projects from OpenSSL to GnuTLS.
> The project is a VPN, and as it basically needs only pretty good raw
> transfer speed, I began to be concerned about some rumors that my little
> search returned - those were mostly about GnuTLS being 30-50% slower
> than OpenSSL. Most of those posts were around 3-5 years old, though, so
> I'm writing here to ask:
>
> a] Is there really such performance gap? (I don't count
> recently-discussed TLS handshake problems, I need only raw
> crypting/transfer speeds.)
> b] Do we have some kind of real benchmark? like "encrypt 50 megs with
> RSA: x,y,z seconds for gnutls/openssl/nss/..."
>
> I'm sorry if bringing this topic up isn't needed and I only got
> confused by bad google results; but I would really like someone to
> comment on this.
For bulk encryption, you probably want to compare libgcrypt vs openssl
rather than gnutls vs openssl.
I benchmarked mod_gnutls vs mod_ssl under apache, using sieve, some time
ago, even for large files, and the differences weren't significant
(mod_ssl was typically faster but mod_gnutls were faster in some
configurations). One potential problem with mod_gnutls/gnutls was that
it sent each TLS handshake message as a separate TCP packet which may
slow down benchmarks, but it is not clear whether this is significant.
It does not apply to bulk encryption.
I don't recall much feedback about speed issues. There is certainly
room for optimization. If you can provide a good test setup to compare
gnutls vs openssl in an application, I would be interested in optimizing
things. However, the first step before optimization is to do good
benchmarks to illustrate that there is a significant problem. My last
attempt at benchmarking didn't result in any obvious problem so I didn't
proceed in optimizing anything.
/Simon
From simon at josefsson.org Tue Apr 14 02:38:03 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Tue, 14 Apr 2009 02:38:03 +0200
Subject: [Help-gnutls] Re: Odd issue with gnu-tls 2.6.4 running as a
subprocess of emacs-23 on Windows XP
In-Reply-To:
(Iver Odin Kvello's message of "Thu, 26 Mar 2009 23:38:31 +0100")
References:
Message-ID: <874owst6hg.fsf@mocca.josefsson.org>
Iver Odin Kvello writes:
> Hi, I've continued debugging this problem somewhat more, getting
> somewhat confusing results.
>
> The first thing I tried was to remove stdin from the call to select in
> cli.c line 735, instead just reading from stdin unconditionally after
> each select timeouts. This actually helped, a bit - earlier, jabber
> would hang waiting for the server to indicate that authentication
> succeeded, but this change fixed that. It now started hanging a bit
> later on, waiting for session initiation to succeed.
>
> After diverse experiments, I thought of adding a linefeed to each
> message sent. In jabber-conn.el I found that this was already done --
> so I just added *another* linefeed, sending two after each message.
> With my modified copy of cli.c, this actually fixed things, and
> everything worked as it should. I then tried doing this with an
> unmodified cli.c, and to my surprise found that that *didn't* work,
> instead hanging at the session-initiation stage - that is, it actually
> got a bit further than before, but not all the way through.
>
> Obviously the next step would then be to have jabber.el add *five*
> line-feeds after each message. And of course, that works with the
> standard unmodified gnutls-cli.exe.
>
> So I think that there is *some* kind of bug going on with reading from
> stdin when run as a subprocess under windows; not entirely connected
> to but not unaffected by the select()-emulation.
Yes, gnutls 2.6.x and earlier uses a broken emulation of select() which
likely does have problems, and there is also some buffering problems
that can result in CRLF confusion.
Gnutls 2.7.x will fix this, but unfortunately there is a small piece
missing to prevent it from working under Windows right now... this is
probably the biggest remaining issue to fix before 2.8.x so it is a
priority.
/Simon
From exa.exa at gmail.com Tue Apr 14 08:06:53 2009
From: exa.exa at gmail.com (Miroslav Kratochvil)
Date: Tue, 14 Apr 2009 08:06:53 +0200
Subject: [Help-gnutls] Re: Simple question about performance
In-Reply-To: <878wm4t6lc.fsf@mocca.josefsson.org>
References:
<878wm4t6lc.fsf@mocca.josefsson.org>
Message-ID:
Hi,
big thanks for quick response, and, before all, for correcting the
misinformation I had found. Moreover, the connecting speed issue
doesn't really bother me.
>
> I don't recall much feedback about speed issues. There is certainly
> room for optimization. If you can provide a good test setup to compare
> gnutls vs openssl in an application, I would be interested in optimizing
> things. However, the first step before optimization is to do good
> benchmarks to illustrate that there is a significant problem. My last
> attempt at benchmarking didn't result in any obvious problem so I didn't
> proceed in optimizing anything.
My thought was to write a libgcrypt alternative of 'openssl speed',
which would be simple and give fair and comparable results. I will
probably post it here when it's ready.
Thanks for response
Mirek Kratochvil
From iverodin at gmail.com Tue Apr 14 09:21:52 2009
From: iverodin at gmail.com (Iver Odin Kvello)
Date: Tue, 14 Apr 2009 09:21:52 +0200
Subject: [Help-gnutls] Re: Odd issue with gnu-tls 2.6.4 running as a
subprocess of emacs-23 on Windows XP
In-Reply-To: <874owst6hg.fsf@mocca.josefsson.org>
References:
<874owst6hg.fsf@mocca.josefsson.org>
Message-ID:
> Yes, gnutls 2.6.x and earlier uses a broken emulation of select() which
> likely does have problems, and there is also some buffering problems
> that can result in CRLF confusion.
>
> Gnutls 2.7.x will fix this, but unfortunately there is a small piece
> missing to prevent it from working under Windows right now... this is
> probably the biggest remaining issue to fix before 2.8.x so it is a
> priority.
I debugged the issue a bit more over easter, and found that the hang
is actually in the read from stdin in cli.c when there is no input
ready on stdin. Apparently the select() emulation for normal
filehandles using MsgWaitForMultipleObjects returns stdin as ready no
matter if there is input ready there or not - at least when run like
this. Adding extra newlines seems to fix this by ensuring that there
is some input to be read most of the time, helped along a bit by some
buffering; but of course it will be defeated by bad timing.
I don't know why waitformultipleobjects behaves like this; I don't
really know win32. I was thinking perhaps the easiest way of fixing
this might be to just avoid select() for stdin and just handle stdin
in a dedicated thread on windows, but I haven't tested that yet. Or I
could just wait for 2.8.x :)
Regards,
Iver
From simon at josefsson.org Tue Apr 14 17:45:27 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Tue, 14 Apr 2009 17:45:27 +0200
Subject: [Help-gnutls] Re: Simple question about performance
In-Reply-To:
(Miroslav Kratochvil's message of "Tue, 14 Apr 2009 08:06:53 +0200")
References:
<878wm4t6lc.fsf@mocca.josefsson.org>
Message-ID: <874owrp7c8.fsf@mocca.josefsson.org>
Miroslav Kratochvil writes:
> Hi,
> big thanks for quick response, and, before all, for correcting the
> misinformation I had found. Moreover, the connecting speed issue
> doesn't really bother me.
>
>>
>> I don't recall much feedback about speed issues. There is certainly
>> room for optimization. If you can provide a good test setup to compare
>> gnutls vs openssl in an application, I would be interested in optimizing
>> things. However, the first step before optimization is to do good
>> benchmarks to illustrate that there is a significant problem. My last
>> attempt at benchmarking didn't result in any obvious problem so I didn't
>> proceed in optimizing anything.
>
> My thought was to write a libgcrypt alternative of 'openssl speed',
> which would be simple and give fair and comparable results. I will
> probably post it here when it's ready.
Did you see libgcrypt's tests/benchmark? It outputs results like this:
         ECB             CBC             CFB             OFB             CTR             STREAM
         --------------- --------------- --------------- --------------- --------------- ---------------
3DES        90ms   100ms   100ms    90ms   100ms    90ms   100ms    90ms   110ms   100ms
CAST5       30ms    40ms    40ms    40ms    40ms    40ms    40ms    40ms    50ms    40ms
...
However I agree a tool that computes more statistics, similar to openssl
speed, would be useful. Maybe it could perform the same computations,
then you can compare the results directly.
gcrypt-speed.c?
/Simon
From simon at josefsson.org Tue Apr 14 17:47:10 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Tue, 14 Apr 2009 17:47:10 +0200
Subject: [Help-gnutls] Re: Odd issue with gnu-tls 2.6.4 running as a
subprocess of emacs-23 on Windows XP
In-Reply-To:
(Iver Odin Kvello's message of "Tue, 14 Apr 2009 09:21:52 +0200")
References:
<874owst6hg.fsf@mocca.josefsson.org>
Message-ID: <87ws9nnsox.fsf@mocca.josefsson.org>
Iver Odin Kvello writes:
>> Yes, gnutls 2.6.x and earlier uses a broken emulation of select() which
>> likely does have problems, and there is also some buffering problems
>> that can result in CRLF confusion.
>>
>> Gnutls 2.7.x will fix this, but unfortunately there is a small piece
>> missing to prevent it from working under Windows right now... this is
>> probably the biggest remaining issue to fix before 2.8.x so it is a
>> priority.
>
> I debugged the issue a bit more over easter, and found that the hang
> is actually in the read from stdin in cli.c when there is no input
> ready on stdin. Apparently the select() emulation for normal
> filehandles using MsgWaitForMultipleObjects returns stdin as ready no
> matter if there is input ready there or not - at least when run like
> this. Adding extra newlines seems to fix this by ensuring that there
> is some input to be read most of the time, helped along a bit by some
> buffering; but of course it will be defeated by bad timing.
>
> I don't know why waitformultipleobjects behaves like this; I don't
> really know win32. I was thinking perhaps the easiest way of fixing
> this might be to just avoid select() for stdin and just handle stdin
> in a dedicated thread on windows, but I haven't tested that yet. Or I
> could just wait for 2.8.x :)
The solution in 2.8.x. will be to avoid select() and use poll() instead,
for which there is (allegedly) a more reliable wrapper implementation in
gnulib:
http://git.savannah.gnu.org/cgit/gnulib.git/tree/lib/poll.c
/Simon
From iverodin at gmail.com Wed Apr 15 00:44:24 2009
From: iverodin at gmail.com (Iver Odin Kvello)
Date: Wed, 15 Apr 2009 00:44:24 +0200
Subject: [Help-gnutls] Re: Odd issue with gnu-tls 2.6.4 running as a
subprocess of emacs-23 on Windows XP
In-Reply-To: <87ws9nnsox.fsf@mocca.josefsson.org>
References:
<874owst6hg.fsf@mocca.josefsson.org>
<87ws9nnsox.fsf@mocca.josefsson.org>
Message-ID:
> The solution in 2.8.x. will be to avoid select() and use poll() instead,
> for which there is (allegedly) a more reliable wrapper implementation in
> gnulib:
> http://git.savannah.gnu.org/cgit/gnulib.git/tree/lib/poll.c
I see, that sounds great.
I actually managed to find and fix the bug in select.c (without any
extensive testing of course) - I've attached the patch in case this
could be useful temporarily or something.
I noticed that in select.c, normal handles would get 'translated'
using _get_osfhandle(), but pipes were not. Furthermore, stdin in this
case got an invalid handle error when GetFileType was called on it,
but this error wasn't detected, causing stdin to be treated as an
'uknown handle type' while it should have been a pipe. The result of
_get_osfhandle() called on stdin however *was* a pipe, so I applied
the same code to pipes as were already in place for 'normal'
filehandles, and that did the trick.
Regards, Iver
-------------- next part --------------
A non-text attachment was scrubbed...
Name: select.patch
Type: application/octet-stream
Size: 2409 bytes
Desc: not available
URL:
From dbreiser at gmail.com Thu Apr 16 05:08:43 2009
From: dbreiser at gmail.com (David Reiser)
Date: Wed, 15 Apr 2009 23:08:43 -0400
Subject: [Help-gnutls] build problem for libtasn1 on OS X
Message-ID:
Fink's package of libtasn1 is getting a bit long in the tooth (version
0.3.9), so I figured I'd look into modernizing it. Attempting to build
version 1.2, I get:
make all-recursive
/bin/sh ../../libtool --tag=CC --mode=link gcc -std=gnu99 -
fvisibility=hidden -g -O2 -L/sw/lib -o libgnu.la
libtool: link: ar cru .libs/libgnu.a
ar: no archive members specified
usage: ar -d [-TLsv] archive file ...
ar -m [-TLsv] archive file ...
ar -m [-abiTLsv] position archive file ...
ar -p [-TLsv] archive [file ...]
ar -q [-cTLsv] archive file ...
ar -r [-cuTLsv] archive file ...
ar -r [-abciuTLsv] position archive file ...
ar -t [-TLsv] archive [file ...]
ar -x [-ouTLsv] archive [file ...]
make[5]: *** [libgnu.la] Error 1
make[4]: *** [all-recursive] Error 1
make[3]: *** [all] Error 2
make[2]: *** [all-recursive] Error 1
make[1]: *** [all-recursive] Error 1
make: *** [all] Error 2
one of the libtool experts from fink told me that OS X will not allow
creation of an empty archive. He suspected a gnulib bug, or a problem
with the way gnulib is being used.
Mac OS X 10.5.6, gcc 4.0.1 (Apple's), libtool 2.2.6 or 1.5.26
Suggestions?
Dave
--
David Reiser
dbreiser at gmail.com
From simon at josefsson.org Thu Apr 16 15:35:55 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 16 Apr 2009 15:35:55 +0200
Subject: [Help-gnutls] Re: build problem for libtasn1 on OS X
In-Reply-To: (David Reiser's
message of "Wed, 15 Apr 2009 23:08:43 -0400")
References:
Message-ID: <878wm0g1qc.fsf@mocca.josefsson.org>
David Reiser writes:
> Fink's package of libtasn1 is getting a bit long in the tooth (version
> 0.3.9), so I figured I'd look into modernizing it. Attempting to build
> version 1.2, I get:
Please try libtasn1 1.8 or 2.0 instead.
/Simon
> make all-recursive
> /bin/sh ../../libtool --tag=CC --mode=link gcc -std=gnu99 -
> fvisibility=hidden -g -O2 -L/sw/lib -o libgnu.la
> libtool: link: ar cru .libs/libgnu.a
> ar: no archive members specified
> usage: ar -d [-TLsv] archive file ...
> ar -m [-TLsv] archive file ...
> ar -m [-abiTLsv] position archive file ...
> ar -p [-TLsv] archive [file ...]
> ar -q [-cTLsv] archive file ...
> ar -r [-cuTLsv] archive file ...
> ar -r [-abciuTLsv] position archive file ...
> ar -t [-TLsv] archive [file ...]
> ar -x [-ouTLsv] archive [file ...]
> make[5]: *** [libgnu.la] Error 1
> make[4]: *** [all-recursive] Error 1
> make[3]: *** [all] Error 2
> make[2]: *** [all-recursive] Error 1
> make[1]: *** [all-recursive] Error 1
> make: *** [all] Error 2
>
> one of the libtool experts from fink told me that OS X will not allow
> creation of an empty archive. He suspected a gnulib bug, or a problem
> with the way gnulib is being used.
>
> Mac OS X 10.5.6, gcc 4.0.1 (Apple's), libtool 2.2.6 or 1.5.26
>
> Suggestions?
>
> Dave
> --
> David Reiser
> dbreiser at gmail.com
From dbreiser at gmail.com Thu Apr 16 16:40:40 2009
From: dbreiser at gmail.com (David Reiser)
Date: Thu, 16 Apr 2009 10:40:40 -0400
Subject: [Help-gnutls] Re: build problem for libtasn1 on OS X
In-Reply-To: <878wm0g1qc.fsf@mocca.josefsson.org>
References:
<878wm0g1qc.fsf@mocca.josefsson.org>
Message-ID: <64202E36-563A-4712-96B4-AA621EBE5237@gmail.com>
On Apr 16, 2009, at 9:35 AM, Simon Josefsson wrote:
> David Reiser writes:
>
>> Fink's package of libtasn1 is getting a bit long in the tooth
>> (version
>> 0.3.9), so I figured I'd look into modernizing it. Attempting to
>> build
>> version 1.2, I get:
>
> Please try libtasn1 1.8 or 2.0 instead.
>
oops. It was 2.0. Looking at the wrong list when writing the email.
> /Simon
>
>> make all-recursive
>> /bin/sh ../../libtool --tag=CC --mode=link gcc -std=gnu99 -
>> fvisibility=hidden -g -O2 -L/sw/lib -o libgnu.la
>> libtool: link: ar cru .libs/libgnu.a
>> ar: no archive members specified
>> usage: ar -d [-TLsv] archive file ...
>> ar -m [-TLsv] archive file ...
>> ar -m [-abiTLsv] position archive file ...
>> ar -p [-TLsv] archive [file ...]
>> ar -q [-cTLsv] archive file ...
>> ar -r [-cuTLsv] archive file ...
>> ar -r [-abciuTLsv] position archive file ...
>> ar -t [-TLsv] archive [file ...]
>> ar -x [-ouTLsv] archive [file ...]
>> make[5]: *** [libgnu.la] Error 1
>> make[4]: *** [all-recursive] Error 1
>> make[3]: *** [all] Error 2
>> make[2]: *** [all-recursive] Error 1
>> make[1]: *** [all-recursive] Error 1
>> make: *** [all] Error 2
>>
>> one of the libtool experts from fink told me that OS X will not allow
>> creation of an empty archive. He suspected a gnulib bug, or a problem
>> with the way gnulib is being used.
>>
>> Mac OS X 10.5.6, gcc 4.0.1 (Apple's), libtool 2.2.6 or 1.5.26
>>
>> Suggestions?
>>
>> Dave
>> --
>> David Reiser
>> dbreiser at gmail.com
--
David Reiser
dbreiser at gmail.com
From simon at josefsson.org Thu Apr 16 17:30:01 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 16 Apr 2009 17:30:01 +0200
Subject: [Help-gnutls] Re: build problem for libtasn1 on OS X
In-Reply-To: <64202E36-563A-4712-96B4-AA621EBE5237@gmail.com> (David Reiser's
message of "Thu, 16 Apr 2009 10:40:40 -0400")
References:
<878wm0g1qc.fsf@mocca.josefsson.org>
<64202E36-563A-4712-96B4-AA621EBE5237@gmail.com>
Message-ID: <87fxg81urq.fsf@mocca.josefsson.org>
David Reiser writes:
> On Apr 16, 2009, at 9:35 AM, Simon Josefsson wrote:
>
>> David Reiser writes:
>>
>>> Fink's package of libtasn1 is getting a bit long in the tooth
>>> (version
>>> 0.3.9), so I figured I'd look into modernizing it. Attempting to
>>> build
>>> version 1.2, I get:
>>
>> Please try libtasn1 1.8 or 2.0 instead.
>>
>
> oops. It was 2.0. Looking at the wrong list when writing the email.
I was able to reproduce this. Please test this daily snapshot:
http://daily.josefsson.org/libtasn1/libtasn1-20090416.tar.gz
If you can confirm that it solves the problem, I'll release it.
/Simon
From dbreiser at gmail.com Thu Apr 16 19:35:35 2009
From: dbreiser at gmail.com (David Reiser)
Date: Thu, 16 Apr 2009 13:35:35 -0400
Subject: [Help-gnutls] Re: build problem for libtasn1 on OS X
In-Reply-To: <87fxg81urq.fsf@mocca.josefsson.org>
References:
<878wm0g1qc.fsf@mocca.josefsson.org>
<64202E36-563A-4712-96B4-AA621EBE5237@gmail.com>
<87fxg81urq.fsf@mocca.josefsson.org>
Message-ID: <16672F77-ADC3-47D8-BDE3-65FBF0DAB847@gmail.com>
On Apr 16, 2009, at 11:30 AM, Simon Josefsson wrote:
> David Reiser writes:
>
>> On Apr 16, 2009, at 9:35 AM, Simon Josefsson wrote:
>>
>>> David Reiser writes:
>>>
>>>> Fink's package of libtasn1 is getting a bit long in the tooth
>>>> (version
>>>> 0.3.9), so I figured I'd look into modernizing it. Attempting to
>>>> build
>>>> version 1.2, I get:
>>>
>>> Please try libtasn1 1.8 or 2.0 instead.
>>>
>>
>> oops. It was 2.0. Looking at the wrong list when writing the email.
>
> I was able to reproduce this. Please test this daily snapshot:
>
> http://daily.josefsson.org/libtasn1/libtasn1-20090416.tar.gz
>
> If you can confirm that it solves the problem, I'll release it.
>
> /Simon
The snapshot builds successfully. I haven't tested function yet, but
the build problem is gone.
Dave
--
David Reiser
dbreiser at gmail.com
From simon at josefsson.org Thu Apr 16 19:39:59 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 16 Apr 2009 19:39:59 +0200
Subject: [Help-gnutls] Re: build problem for libtasn1 on OS X
In-Reply-To: <16672F77-ADC3-47D8-BDE3-65FBF0DAB847@gmail.com> (David Reiser's
message of "Thu, 16 Apr 2009 13:35:35 -0400")
References:
<878wm0g1qc.fsf@mocca.josefsson.org>
<64202E36-563A-4712-96B4-AA621EBE5237@gmail.com>
<87fxg81urq.fsf@mocca.josefsson.org>
<16672F77-ADC3-47D8-BDE3-65FBF0DAB847@gmail.com>
Message-ID: <87vdp4zeds.fsf@mocca.josefsson.org>
David Reiser writes:
> The snapshot builds successfully. I haven't tested function yet, but
> the build problem is gone.
Thanks, I'll make a release of it now, the problem probably affects some
other systems as well.
/Simon
From simon at josefsson.org Fri Apr 17 01:22:23 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Fri, 17 Apr 2009 01:22:23 +0200
Subject: [Help-gnutls] Libtasn1 2.1
Message-ID: <87skk8xjyo.fsf@mocca.josefsson.org>
Libtasn1 is a standalone library written in C for manipulating ASN.1
objects including DER/BER encoding and DER/BER decoding. Libtasn1 is
used by GnuTLS to manipulate X.509 objects and by Shishi to handle
Kerberos V5 packets.
Version 2.1 (released 2009-04-17)
- Fix compilation failure on platforms that can't generate empty archives,
e.g., Mac OS X. Reported by David Reiser .
Commercial support contracts for Libtasn1 are available, and they help
finance continued maintenance. Simon Josefsson Datakonsult AB, a
Stockholm based privately held company, is currently funding Libtasn1
maintenance. We are always looking for interesting development
projects. See http://josefsson.org/ for more details.
If you need help to use Libtasn1, or want to help others, you are
invited to join the help-gnutls mailing list, see:
.
Homepage:
http://josefsson.org/libtasn1/
Here are the compressed sources (1.6MB):
ftp://ftp.gnu.org/gnu/gnutls/libtasn1-2.1.tar.gz
http://ftp.gnu.org/gnu/gnutls/libtasn1-2.1.tar.gz
Here are GPG detached signatures using key 0xB565716F:
ftp://ftp.gnu.org/gnu/gnutls/libtasn1-2.1.tar.gz.sig
http://ftp.gnu.org/gnu/gnutls/libtasn1-2.1.tar.gz.sig
The software is cryptographically signed by the author using an
OpenPGP key identified by the following information:
pub 1280R/B565716F 2002-05-05 [expires: 2010-02-22]
Key fingerprint = 0424 D4EE 81A0 E3D1 19C6 F835 EDA2 1E94 B565 716F
uid Simon Josefsson
uid Simon Josefsson
sub 1280R/4D5D40AE 2002-05-05 [expires: 2009-04-21]
The key is available from:
http://josefsson.org/key.txt
dns:b565716f.josefsson.org?TYPE=CERT
Here are the SHA-1 and SHA-224 checksums:
884cc6609d7694a834a767b4b2975d6c5ab0d566 libtasn1-2.1.tar.gz
3e78a2af893cde0eda9820d46077bde6f1a6b083b3cc2ed90df2420d libtasn1-2.1.tar.gz
Happy hacking,
Simon
From madhu.boddu at tcs.com Mon Apr 20 13:07:32 2009
From: madhu.boddu at tcs.com (Madhu Boddu)
Date: Mon, 20 Apr 2009 16:37:32 +0530
Subject: [Help-gnutls] Re: Welcome to the "Help-gnutls" mailing list
In-Reply-To:
Message-ID:
Madhu Priyanka Boddu
Tata Consultancy Services
Mailto: madhu.boddu at tcs.com
Website: http://www.tcs.com
From exa.exa at gmail.com Mon Apr 20 15:56:47 2009
From: exa.exa at gmail.com (Miroslav Kratochvil)
Date: Mon, 20 Apr 2009 15:56:47 +0200
Subject: [Help-gnutls] Encryption using DSA keys
Message-ID:
Hi everyone,
well, after I solved the problem at [1], I got to real problems:
I want gnutls to negotiate encrypted connection using DSA keys. I
realized that I will have to use DHE_DSS algorithm, but I have no idea
how to generate a certificate for one. Googling failed, and
documentation says only that "DHE_DSS uses DSA keys in certificates."
In OpenSSL world (from where I'm migrating) it was easy, one just
appended "-dsa" to key generating parameters, and it was done.
Nevertheless; with gnutls and --dsa option; I'm getting error -89
(Public key signature verification has failed.). RSA alternative
(--rsa with the same commands) works ok.
So, is there any tutorial or howto on generating suitable DSA keys for
use with encryption? Ideally with a complete certtool script for
generating one selfsigned CA keypair and other that-ca-signed keypair.
If I'm totally wrong and using DSA for encryption is lame, and
therefore it doesn't and won't ever work, please tell me ;)
Thanks in advance
Mirek Kratochvil
-----
[1] is gnutls-devel thread, can be seen at gmane:
http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3488
From simon at josefsson.org Mon Apr 20 16:14:15 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Mon, 20 Apr 2009 16:14:15 +0200
Subject: [Help-gnutls] Re: Encryption using DSA keys
In-Reply-To:
(Miroslav Kratochvil's message of "Mon, 20 Apr 2009 15:56:47 +0200")
References:
Message-ID: <87r5znza2w.fsf@mocca.josefsson.org>
Miroslav Kratochvil writes:
> Hi everyone,
>
> well, after I solved the problem at [1], I got to real problems:
>
> I want gnutls to negotiate encrypted connection using DSA keys. I
> realized that I will have to use DHE_DSS algorithm, but I have no idea
> how to generate a certificate for one. Googling failed, and
> documentation says only that "DHE_DSS uses DSA keys in certificates."
>
> In OpenSSL world (from where I'm migrating) it was easy, one just
> appended "-dsa" to key generating parameters, and it was done.
> Nevertheless; with gnutls and --dsa option; I'm getting error -89
> (Public key signature verification has failed.). RSA alternative
> (--rsa with the same commands) works ok.
>
> So, is there any tutorial or howto on generating suitable DSA keys for
> use with encryption? Ideally with a complete certtool script for
> generating one selfsigned CA keypair and other that-ca-signed keypair.
Check the manual:
http://www.gnu.org/software/gnutls/manual/html_node/Invoking-certtool.html
Generating a certificate using those instructions seems to work fine
here, see log below.
You are right that the manual doesn't give an example for DSA keys, so I
added one:
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=7ffeba022859b2b9d909bc3fb8a89057a309ae06
Can you explain exactly what you did to get the -89 error?
/Simon
jas at mocca:~$ certtool --generate-privkey --outfile key.pem --dsa
Generating a 2048 bit DSA private key...
jas at mocca:~$ cat key.pem
jas at mocca:~$ certtool --generate-certificate --load-privkey key.pem --outfile cert.pem --load-ca-certificate ~/src/www-gnutls/test-credentials/x509-ca.pem --load-ca-privkey ~/src/www-gnutls/test-credentials/x509-ca-key.pem
Generating a signed certificate...
Please enter the details of the certificate's distinguished name. Just press enter to ignore a field.
Country name (2 chars): SE
Organization name:
Organizational unit name:
Locality name:
State or province name:
Common name: foo.bar.com
UID:
This field should not be used in new certificates.
E-mail:
Enter the certificate's serial number in decimal (default: 1240236605):
Activation/Expiration time.
The certificate will expire in (days):
The certificate will expire in (days): 180
Extensions.
Does the certificate belong to an authority? (y/N):
Is this a TLS web client certificate? (y/N): y
Is this also a TLS web server certificate? (y/N): y
Enter the dnsName of the subject of the certificate: foo.bar.com
Enter the dnsName of the subject of the certificate:
X.509 Certificate Information:
Version: 3
Serial Number (hex): 49ec823d
Validity:
Not Before: Mon Apr 20 14:10:06 UTC 2009
Not After: Sat Oct 17 14:10:08 UTC 2009
Subject: C=SE,CN=foo.bar.com
Subject Public Key Algorithm: DSA
Public key (bits 1024):
P:
Q:
01:00:01
G:
Extensions:
Basic Constraints (critical):
Certificate Authority (CA): FALSE
Key Purpose (not critical):
TLS WWW Client.
TLS WWW Server.
Subject Alternative Name (not critical):
DNSname: foo.bar.com
Key Usage (critical):
Digital signature.
Subject Key Identifier (not critical):
e9e00d4ee9ccf3c9ecd6ca2aa988077628a0d75f
Authority Key Identifier (not critical):
e93c1cfbad926ee606a4562ca2e1c05327c8f295
Other Information:
Public Key Id:
e9e00d4ee9ccf3c9ecd6ca2aa988077628a0d75f
Is the above information ok? (Y/N): y
Signing certificate...
jas at mocca:~$ certtool -v
certtool (GnuTLS) 2.6.5
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Written by Nikos Mavrogiannopoulos and Simon Josefsson.
jas at mocca:~$
From exa.exa at gmail.com Mon Apr 20 17:25:19 2009
From: exa.exa at gmail.com (Miroslav Kratochvil)
Date: Mon, 20 Apr 2009 17:25:19 +0200
Subject: [Help-gnutls] Re: some crashes on using DSA keys
In-Reply-To:
References:
<87vdozzayo.fsf@mocca.josefsson.org>
<87myabz9vx.fsf@mocca.josefsson.org>
Message-ID:
First, sorry again for sending this to Simon twice, I haven't been
using mailinglists for a while. :(
> It would be great if you could try to reproduce the problem using only
> gnutls-cli and gnutls-serv.
...
> Please see if you can make an unmodified 2.6.5 server crash.
ok, good news
gnutls-serv and gnutls-cli from 2.6.5 are affected too, but it shoots
down only the misconfigured gnutls-cli. gnutls-serv only throws
message:
Error: A TLS packet with unexpected length was received.
I'm gonna fixed-client&unfixed-server combination in few minutes, hope
it doesn't die.
I'm posting the keys used to do this below. If you want full output of
crashed gnutls-cli, please tell me.
I run it this way:
gnutls-serv --x509cafile ca.crt --dhparams dh1024.pem --x509dsakeyfile
ssl.key --x509dsacertfile ssl.crt --require-cert
and
gnutls-cli --x509cafile ca.crt --x509keyfile c.key --x509certfile
c.crt localhost -p 5556
Keys are:
c.crt
c.key
ca.crt
ca.key
dh1024.pem
Generator: 05
ssl.crt
-----BEGIN CERTIFICATE-----
MIIFLDCCBBagAwIBAgIESexK4DALBgkqhkiG9w0BAQUwVzELMAkGA1UEBhMCQ1ox
DjAMBgNVBAoTBXByYWhhMQswCQYDVQQLEwJuZTENMAsGA1UEBxMEdm9sZTEOMAwG
A1UECBMFbmV2aW0xDDAKBgNVBAMTA2V4YTAeFw0wOTA0MjAxMDEzNTNaFw0xOTA0
MTgxMDEzNTdaMFcxCzAJBgNVBAYTAkNaMQwwCgYDVQQKEwNCbGUxDTALBgNVBAsT
BFNtcnQxDjAMBgNVBAcTBUt0ZXJhMQ4wDAYDVQQIEwVCbGlqZTELMAkGA1UEAxMC
TmUwggKlMIICGgYHKoZIzjgEATCCAg0CggEAygAmvvWeV4auzm9ZFG1+omVlyVqH
elM0qqJ717DdaKoJlIiCAgwsg7r+zpz4ekncShy0UxRm2yElW6p90Otx9QrCWTpv
jP6wHiTptk/vUEDSQ6/Zlqax7mI946XfoIxx3JCavVzBvNgUQAOai6BpjJ4a9ZVL
BdP2gSldt9XJ4CTuSdosBBjrCwTWn1oaZWFsXt6bgZdyZiZvAVizpDDkrV0RH6Fo
6PqfLAn3hyoesM5SeAllHba6cGibyXxsuocwwjwynq3Y1W4SIZomh63OYNWBh6uY
+9pYrdJsYtkQxhJwDSGg9yhyL3agmx2OmOD8S7we6r3j8/D8XJgW6rszTwIDAQAB
AoIBAANXfbMBCzqPDtgTCk06A0znRbs1of7v3qb7NlzhUl7Hf8F5gXUZNtwco6SC
MklYbKpWAtTkOVAv7zDiB2AFoezLRCw67EEcrlTOIlOsZNzvnzFH30Vy9bsBqXZy
3KbVfyvswUwxFNkHIuagNW+3Gqfp4a/lMi8jGSiv3E4M3ZPorcW1qiv5i/UZX3wB
rphD9dLKwgdTwmtyz+hp/zFKwtThIuhb2qZKbYZzMqI6d4FhLufcvvXFrZ3LoTEd
sprZ3fZI1M7IdvsGTZLnHQ4Bws32hPNSaA7/b3yxK3wfBZRs8+92LYE3kiGojylN
REsD8PXH5epas5+bS8A3RL284AkDgYQAAoGA3a5KHeltiQKAE2nO4zFZirFmG5Oe
e4Z84oRWjz3NujAy7B8OaZmSBQbXe8XdS67/bIHO+ULzStGEjQqs8xaev90rzJ/H
Y5q4G5SbwCo9AB+a99waDV+H06CdcH2aWzuphx88VgkoNTTjT/rsgUUw6i9GOTd0
CaM8UhirdOSRRCWjgYAwfjAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUF
BwMCBggrBgEFBQcDATAPBgNVHQ8BAf8EBQMDB4AAMB0GA1UdDgQWBBRdOw6fAlG3
powcRYMbekXDEG0QGjAfBgNVHSMEGDAWgBTZbe4eoATyPzAYVtkaOaB4Dcl57zAL
BgkqhkiG9w0BAQUDggEBAC1ErfpfBUAKsdBCDUaQmqzoiMQ5Bm6jX7vzht7HG0Bq
MA89SOrr09tTMkEIkab3LN+pCs2cSRRtHRNBk+tzn+cyq4VptFnV+EhpB32YCLro
SnfYD0eclv3yO2GnzP6tADDuHWyOq0bSYOxcnUZuEe7X/rl7Zj8meiE48i9jNQYD
lX0YayTBR1eYbtNEaZASUvrFO4JkBZlTjXR/qNRjj1SidVLfAayZtct40usEH+9V
EgpmZmtIqCPsmF8f3KVEcxwz7xwAtjI820qCRzFUmgboZ65jm3IWr4CibIgjlhs7
tzclPT9WeIZdeP7QWlFmhjbiY5yFfjCiyvlf3mechow=
-----END CERTIFICATE-----
ssl.key
From exa.exa at gmail.com Tue Apr 21 16:34:53 2009
From: exa.exa at gmail.com (Miroslav Kratochvil)
Date: Tue, 21 Apr 2009 16:34:53 +0200
Subject: [Help-gnutls] Re: Encryption using DSA keys
In-Reply-To: <87r5znza2w.fsf@mocca.josefsson.org>
References:
<87r5znza2w.fsf@mocca.josefsson.org>
Message-ID:
Thanks for adding the key generation documentation and showing me an
example, but I still have no luck.
If anyone could generate a CA, then sign DSA key with it, and then
connect gnutls-cli and gnutls-serv using that key verified by CA...
would he please post a complete command sentence needed to achieve it?
Because all my attempts still fail on the same error:
For each failed client attempt, server says:
......
|<7>| READ: -1 returned from 5, errno=11 gerrno=0
|<2>| ASSERT: gnutls_buffers.c:360
|<2>| ASSERT: gnutls_buffers.c:1151
|<2>| ASSERT: gnutls_handshake.c:1045
|<7>| READ: -1 returned from 5, errno=104 gerrno=0
|<2>| ASSERT: gnutls_buffers.c:368
|<2>| ASSERT: gnutls_buffers.c:623
|<2>| ASSERT: gnutls_record.c:909
|<2>| ASSERT: gnutls_buffers.c:1151
|<2>| ASSERT: gnutls_handshake.c:1045
|<2>| ASSERT: gnutls_handshake.c:2647
|<6>| BUF[HSK]: Cleared Data from buffer
Error in handshake
Error: A TLS packet with unexpected length was received.
|<4>| REC: Sending Alert[2|22] - Record overflow
|<4>| REC[64c780]: Sending Packet[5] Alert(21) with length: 2
|<2>| ASSERT: gnutls_cipher.c:204
|<7>| WRITE: Will write 7 bytes to 5.
|<2>| ASSERT: gnutls_buffers.c:834
|<2>| ASSERT: gnutls_record.c:461
|<2>| ASSERT: gnutls_record.c:262
....
And client dies on:
....
|<7>| RB: Have 5 bytes into buffer. Adding 279 bytes.
|<7>| RB: Requested 284 bytes
|<2>| ASSERT: gnutls_cipher.c:204
|<4>| REC[64aaa0]: Decrypted Packet[2] Handshake(22) with length: 279
|<6>| BUF[HSK]: Inserted 279 bytes of Data(22)
|<6>| BUF[REC][HD]: Read 1 bytes of Data(22)
|<6>| BUF[REC][HD]: Read 3 bytes of Data(22)
|<3>| HSK[64aaa0]: SERVER KEY EXCHANGE was received [279 bytes]
|<6>| BUF[REC][HD]: Read 275 bytes of Data(22)
|<6>| BUF[HSK]: Peeked 1941 bytes of Data
|<6>| BUF[HSK]: Emptied buffer
|<6>| BUF[HSK]: Inserted 4 bytes of Data
|<6>| BUF[HSK]: Inserted 275 bytes of Data
|<2>| ASSERT: pk-libgcrypt.c:519
|<2>| ASSERT: gnutls_pk.c:515
|<2>| ASSERT: gnutls_sig.c:347
|<2>| ASSERT: gnutls_sig.c:506
|<2>| ASSERT: auth_dhe.c:232
|<2>| ASSERT: gnutls_kx.c:415
|<2>| ASSERT: gnutls_handshake.c:2386
|<6>| BUF[HSK]: Cleared Data from buffer
*** Fatal error: Public key signature verification has failed.
*** Handshake has failed
GNUTLS ERROR: Public key signature verification has failed.
From madhu.boddu at tcs.com Wed Apr 22 07:39:26 2009
From: madhu.boddu at tcs.com (madhubodd)
Date: Tue, 21 Apr 2009 22:39:26 -0700 (PDT)
Subject: [Help-gnutls] (very urgent) Need Help for server communication with
GNUTLS in c# windows
Message-ID: <23134237.post@talk.nabble.com>
I downloaded GNUTLS 2.7.3.
I copied the DLLs
libgnutls-26.dll, libgnutls-extra-26.dll, libgnutls-openssl26.dll, libgpg-error-0.dll, libtasn1-3.dll
I generated the libgnutls.lib internal obj file also.
Now I need to write code for socket communication with GnuTLS for the Windows
environment.
I need help regarding the syntax.
Also, what name spaces do I need to write?
Please kindly help.
From simon at josefsson.org Wed Apr 22 13:23:30 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Wed, 22 Apr 2009 13:23:30 +0200
Subject: [Help-gnutls] Re: (very urgent) Need Help for server communication
with GNUTLS in c# windows
In-Reply-To: <23134237.post@talk.nabble.com> (madhubodd's message of "Tue, 21
Apr 2009 22:39:26 -0700 (PDT)")
References: <23134237.post@talk.nabble.com>
Message-ID: <87mya9aq4t.fsf@mocca.josefsson.org>
madhubodd writes:
> I downloaded GNUTLS 2.7.3.
> I copied the DLLs
> libgnutls-26.dll, libgnutls-extra-26.dll, libgnutls-openssl26.dll, libgpg-error-0.dll, libtasn1-3.dll
> I generated the libgnutls.lib internal obj file also.
>
> Now I need to write code for socket communication with GnuTLS for the Windows
> environment.
> I need help regarding the syntax.
See the examples in the manual, for example:
http://www.gnu.org/software/gnutls/manual/html_node/Simple-client-example-with-X_002e509-certificate-support.html
> Also, what name spaces do I need to write?
Name spaces? GnuTLS is a C library. There is a C++ library and header
file gnutlsxx.h but alas it isn't documented, so if you want to use it,
you need to look in the header file and source code.
/Simon
From simon at josefsson.org Mon Apr 27 13:06:53 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Mon, 27 Apr 2009 13:06:53 +0200
Subject: [Help-gnutls] Re: (very urgent) Need Help for server communication
with GNUTLS in c# windows
In-Reply-To:
(Madhu Boddu's message of "Mon, 27 Apr 2009 11:59:49 +0530")
References:
Message-ID: <87d4ayfj8y.fsf@mocca.josefsson.org>
Madhu Boddu writes:
> Hi Simon,
>
> Thank you very much for the link you had given. But actually I was trying
> the code in C#. I even tried with converters, but I couldn't.
> Could you help me in getting the code in C#?
Hi Madhu. Oh, sorry about that. I'm not aware of any documentation on
using GnuTLS in C#, anyone else? You should be able to follow generic
instructions on using C libraries in C#, though, if you can find
documentation on that.
/Simon
From simon at josefsson.org Wed Apr 29 10:54:53 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Wed, 29 Apr 2009 10:54:53 +0200
Subject: [Help-gnutls] Re: Libtasn1 2.1
In-Reply-To: <1240993763.8756.25.camel@par> (Jeff Cai's message of "Wed, 29
Apr 2009 16:29:23 +0800")
References: <87skk8xjyo.fsf@mocca.josefsson.org> <1240993763.8756.25.camel@par>
Message-ID: <87iqkn4z6q.fsf@mocca.josefsson.org>
Jeff Cai writes:
> I found that lib/ASN1.c is licensed under GPL v3, is that correct? I
> don't think a LGPLv2 library comes from a GPL v3 source file.
That file is generated by GNU Bison from the LGPLv2+ lib/ASN1.y, and
there is a license exception:
/* As a special exception, you may create a larger work that contains
part or all of the Bison parser skeleton and distribute that work
under terms of your choice, so long as that work isn't itself a
parser generator using the skeleton or a modified version thereof
as a parser skeleton. Alternatively, if you modify or redistribute
the parser skeleton itself, you may (at your option) remove this
special exception, which will cause the skeleton and the resulting
Bison output files to be licensed under the GNU General Public
License without this special exception.
This special exception was added by the Free Software Foundation in
version 2.2 of Bison. */
As far as I understand, it is fine to use Bison generated output in a
LGPLv2 project. But you may want to ask the FSF or a lawyer for further
clarification or an authoritative answer.
/Simon
From simon at josefsson.org Thu Apr 30 12:36:07 2009
From: simon at josefsson.org (Simon Josefsson)
Date: Thu, 30 Apr 2009 12:36:07 +0200
Subject: [Help-gnutls] GnuTLS 2.6.6 - Security Release
Message-ID: <87hc0677jc.fsf@mocca.josefsson.org>
We are proud to announce a new stable GnuTLS release: Version 2.6.6.
GnuTLS is a modern C library that implements the standard network
security protocol Transport Layer Security (TLS), for use by network
applications. GnuTLS is developed for GNU/Linux, but works on many
Unix-like systems and comes with a binary installer for Windows.
The GnuTLS library is distributed under the terms of the GNU Lesser
General Public License version 2.1 (or later). The "extra" GnuTLS
library (which contains TLS/IA support, LZO compression and Libgcrypt
FIPS-mode handler), the OpenSSL compatibility library, the self tests
and the command line tools are all distributed under the GNU General
Public License version 3.0 (or later). The manual is distributed under
the GNU Free Documentation License version 1.2 (or later).
The project page of the library is available at:
http://www.gnu.org/software/gnutls/
What's New
==========
Version 2.6.6 is a maintenance and security release on our stable
branch.
** libgnutls: Corrected double free on signature verification failure.
Reported by Miroslav Kratochvil. See the advisory
for more details. [GNUTLS-SA-2009-1] [CVE-2009-1415]
** libgnutls: Fix DSA key generation.
Noticed when investigating the previous GNUTLS-SA-2009-1 problem. All
DSA keys generated using GnuTLS 2.6.x are corrupt. See the advisory
for more details. [GNUTLS-SA-2009-2] [CVE-2009-1416]
** libgnutls: Check expiration/activation time on untrusted certificates.
Reported by Romain Francoise. Before, the
library did not check activation/expiration times on certificates, and
was documented as not doing so. We have realized that many
applications that use libgnutls, including gnutls-cli, fail to perform
proper checks. Implementing similar logic in all applications leads
to code duplication. Hence, we decided to check whether the current
time (as reported by the time function) is within the
activation/expiration period of certificates when verifying untrusted
certificates.
This changes the semantics of gnutls_x509_crt_list_verify, which in
turn is used by gnutls_certificate_verify_peers and
gnutls_certificate_verify_peers2. We add two new
gnutls_certificate_status_t codes for reporting the new error
condition, GNUTLS_CERT_NOT_ACTIVATED and GNUTLS_CERT_EXPIRED. We also
add a new gnutls_certificate_verify_flags flag,
GNUTLS_VERIFY_DISABLE_TIME_CHECKS, that can be used to disable the new
behaviour.
More details about the vulnerabilities will be posted at
.
** gnutls-cli, gnutls-cli-debug: Fix AIX build problem.
Reported by LAUPRETRE François (P) in
.
** tests: Fix linking of tests/openpgp/keyring self-test.
Reported by Daniel Black in .
** API and ABI modifications:
gnutls_x509_crt_list_verify: CHANGED, checks activation/expiration times.
gnutls_certificate_verify_peers: Likewise.
gnutls_certificate_verify_peers2: Likewise.
GNUTLS_CERT_NOT_ACTIVATED: ADDED.
GNUTLS_CERT_EXPIRED: ADDED.
GNUTLS_VERIFY_DISABLE_TIME_CHECKS: ADDED.
Getting the Software
====================
GnuTLS may be downloaded from one of the mirror sites or direct from
. The list of mirrors can be found at
.
Here are the BZIP2 compressed sources (4.9MB):
ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.6.6.tar.bz2
http://ftp.gnu.org/gnu/gnutls/gnutls-2.6.6.tar.bz2
Here are OpenPGP detached signatures signed using key 0xB565716F:
ftp://ftp.gnu.org/gnu/gnutls/gnutls-2.6.6.tar.bz2.sig
http://ftp.gnu.org/gnu/gnutls/gnutls-2.6.6.tar.bz2.sig
Note that we don't distribute gzip compressed tarballs.
In order to check that the version of GnuTLS which you are going to
install is an original and unmodified one, you should verify the OpenPGP
signature. You can use the command
gpg --verify gnutls-2.6.6.tar.bz2.sig
This checks whether the signature file matches the source file. You
should see a message indicating that the signature is good and made by
that signing key. Make sure that you have the right key, either by
checking the fingerprint of that key with other sources or by checking
that the key has been signed by a trustworthy other key. The signing
key can be identified with the following information:
pub 1280R/B565716F 2002-05-05 [expires: 2010-04-21]
Key fingerprint = 0424 D4EE 81A0 E3D1 19C6 F835 EDA2 1E94 B565 716F
uid Simon Josefsson
uid Simon Josefsson
sub 1280R/4D5D40AE 2002-05-05 [expires: 2010-04-21]
The key is available from:
http://josefsson.org/key.txt
dns:b565716f.josefsson.org?TYPE=CERT
Alternatively, after successfully verifying the OpenPGP signature of
this announcement, you could verify that the files match the following
checksum values. The values are for SHA-1 and SHA-224 respectively:
d1693e611aa7270f14bc500bd56ef529ffcb1703 gnutls-2.6.6.tar.bz2
5e5bc180293b0854b7e8c27a5eb55f172579b346fba61b2d4b0b0c61 gnutls-2.6.6.tar.bz2
Documentation
=============
The manual is available online at:
http://www.gnu.org/software/gnutls/documentation.html
In particular the following formats are available:
HTML: http://www.gnu.org/software/gnutls/manual/html_node/index.html
PDF: http://www.gnu.org/software/gnutls/manual/gnutls.pdf
For developers there is a GnuTLS API reference manual formatted using
the GTK-DOC tools:
http://www.gnu.org/software/gnutls/reference/gnutls-gnutls.html
Community
=========
If you need help to use GnuTLS, or want to help others, you are invited
to join our help-gnutls mailing list, see:
http://lists.gnu.org/mailman/listinfo/help-gnutls
If you wish to participate in the development of GnuTLS, you are invited
to join our gnutls-dev mailing list, see:
http://lists.gnu.org/mailman/listinfo/gnutls-devel
Windows installer
=================
GnuTLS has been ported to the Windows operating system, and a binary
installer is available. The installer contains DLLs for application
development, manuals, examples, and source code. The installer uses
libgpg-error v1.7, libgcrypt v1.4.4, libtasn1 v2.1, and GnuTLS v2.6.6.
For more information about GnuTLS for Windows:
http://josefsson.org/gnutls4win/
The Windows binary installer and PGP signature:
http://josefsson.org/gnutls4win/gnutls-2.6.6.exe (14MB)
http://josefsson.org/gnutls4win/gnutls-2.6.6.exe.sig
The checksum values for SHA-1 and SHA-224 are:
8a86a846cbdc16b6c21442c706854a5c02416336 gnutls-2.6.6.exe
555afa0c1524d8ad05a12384e1bd1b09da720b03058f0089dc812cfc gnutls-2.6.6.exe
Thanks to Enrico Tassi, we also have mingw32 *.deb's available:
http://josefsson.org/gnutls4win/mingw32-gnutls_2.6.6-1_all.deb
The checksum values for SHA-1 and SHA-224 are:
b141f97c196d408bf12b8a58ede6bda8fb291be6 mingw32-gnutls_2.6.6-1_all.deb
541e2fca8248460b419e2224a138b292020de1724c86c77b9478da93 mingw32-gnutls_2.6.6-1_all.deb
Internationalization
====================
GnuTLS messages have been translated into Dutch, French, German,
Malay, Polish, Swedish, and Vietnamese. We welcome the addition of
more translations.
Support
=======
Improving GnuTLS is costly, but you can help! We are looking for
organizations that find GnuTLS useful and wish to contribute back.
You can contribute by reporting bugs, improving the software, or donating
money or equipment.
Commercial support contracts for GnuTLS are available, and they help
finance continued maintenance. Simon Josefsson Datakonsult AB, a
Stockholm based privately held company, is currently funding GnuTLS
maintenance. We are always looking for interesting development
projects. See http://josefsson.org/ for more details.
The GnuTLS service directory is available at:
http://www.gnu.org/software/gnutls/commercial.html
Happy Hacking,
Simon
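The certificate time check described under "What's New" in the 2.6.6 announcement above, as an added example that is neither GnuTLS source nor part of the original message: a self-contained model of the check and of two ways a caller can read the resulting status. The EX_ constants, struct ex_cert, the inclusive window boundaries and the sample chain are assumptions of this sketch; a real application receives the status from gnutls_certificate_verify_peers2 and uses the constants from <gnutls/gnutls.h>.

```c
#include <stddef.h>
#include <time.h>

/* Stand-in bits for this sketch only (assumed values). Real code uses
   GNUTLS_CERT_NOT_ACTIVATED, GNUTLS_CERT_EXPIRED and
   GNUTLS_VERIFY_DISABLE_TIME_CHECKS from <gnutls/gnutls.h>. */
enum { EX_CERT_INVALID = 1u << 0, EX_CERT_NOT_ACTIVATED = 1u << 1,
       EX_CERT_EXPIRED = 1u << 2 };
enum { EX_VERIFY_DISABLE_TIME_CHECKS = 1u << 0 };

/* Hypothetical, already-parsed validity period of one certificate. */
struct ex_cert { time_t not_before; time_t not_after; };

/* Model of the time check over an untrusted chain: OR together the status
   bits of every certificate whose validity window does not contain `now`. */
unsigned ex_chain_time_status(const struct ex_cert *chain, size_t n,
                              time_t now, unsigned flags)
{
    unsigned status = 0;
    if (flags & EX_VERIFY_DISABLE_TIME_CHECKS)
        return 0;                 /* caller opted out of the new behaviour */
    for (size_t i = 0; i < n; i++) {
        /* (time_t)-1 models an unreadable field; treat it as a failure. */
        if (chain[i].not_before == (time_t)-1 || now < chain[i].not_before)
            status |= EX_CERT_NOT_ACTIVATED;
        if (chain[i].not_after == (time_t)-1 || now > chain[i].not_after)
            status |= EX_CERT_EXPIRED;
    }
    return status;
}

/* Caller written before the new codes existed: tests only the bit it knows,
   so a status carrying only a time bit passes. */
int ex_legacy_accept(unsigned status) { return (status & EX_CERT_INVALID) == 0; }

/* Robust caller: any set bit, including ones added later, means reject. */
int ex_strict_accept(unsigned status) { return status == 0; }

/* Constructed sample chain: a leaf valid from t=1000 to t=2000 and an
   intermediate valid from t=500 to t=9000. */
static const struct ex_cert ex_sample[] = { { 1000, 2000 }, { 500, 9000 } };

unsigned ex_sample_status(time_t now, unsigned flags)
{
    return ex_chain_time_status(ex_sample, 2, now, flags);
}
```

The announcement does not say whether another status bit is set alongside the two new codes, so a caller that rejects on any non-zero status does not depend on that detail.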