From danut_12 at yahoo.com Wed Aug 1 14:44:05 2012
From: danut_12 at yahoo.com (slobozian daniel)
Date: Wed, 1 Aug 2012 13:44:05 +0100 (BST)
Subject: GNUTLS partial build
Message-ID: <1343825045.86185.YahooMailNeo@web29504.mail.ird.yahoo.com>

Hello,

I have a question concerning the GNUTLS build settings. I want to use only the AES, RSA, SHA1 and MD5 algorithms for the project I am working on. Therefore I was searching for a way to compile GNUTLS with only the needed algorithms in the output and nothing else.

Thank you in advance for your help,
Daniel Slobozian


From r.korthaus at sirrix.com Fri Aug 3 14:39:29 2012
From: r.korthaus at sirrix.com (René Korthaus)
Date: Fri, 3 Aug 2012 14:39:29 +0200
Subject: Importing a PKCS#1 RSAPublicKey structure into a gnutls_pubkey_t
Message-ID: <501BC681.3010005@sirrix.com>

Hello list,

I have a smartcard that gives me a PKCS#1 RSAPublicKey structure of the public key on the card and I need to generate an X.509 SubjectPublicKeyInfo structure from it. I already have a C++ wrapper class that uses gnutls_pubkey_export to generate the SubjectPublicKeyInfo structure. The question is how to import the RSAPublicKey structure right. As there seems to be no direct way to import from PKCS#1 I tried the following approach, which failed:

1) Use gnutls_rsa_params_import_pkcs1 to import the PKCS#1 structure into an rsa_params structure
2) Use gnutls_rsa_params_export_raw to export modulus and exponent
3) Use gnutls_pubkey_import_rsa_raw to finally import modulus and exponent into a gnutls_pubkey_t

The call to gnutls_rsa_params_import_pkcs1 fails with GNUTLS_E_ASN1_DER_ERROR. The data can be viewed fine from within an ASN.1 viewer.

Questions:

* Is there an obvious way to import a PKCS#1 RSAPublicKey into a gnutls_pubkey_t structure?
* From my short look into the code of gnutls_rsa_params_import_pkcs1, it seems that it calls gnutls_x509_privkey_import, which uses _gnutls_privkey_decode_pkcs1_rsa_key to import a _private key_ from an _RSAPrivateKey_ structure, although according to the doc it "should contain a PKCS1 RSAPublicKey structure PEM or DER encoded". Of course this fails in my case, as what I hand over is an RSAPublicKey structure, not an RSAPrivateKey. What's wrong here?

Please CC me when answering, as I am not on the list. Thx.

Best regards,
René

--
Sirrix AG security technologies - http://www.sirrix.com
René Korthaus
eMail: r.korthaus at sirrix.com
Tel +49(681) 959 86-163
Fax +49(681) 959 86-5163
PGP Key ID 0x688EF9C8
Fingerprint 1FB6 2405 51C4 79DB C008 D1D2 C2E0 1A14 688E F9C8
Board: Ammar Alkassar (chairman), Christian Stüble, Markus Bernhammer
Chairman of the supervisory board: Harald St?ber
Registered office: Homburg/Saar, HRB 3857 Amtsgericht Saarbrücken

This message may contain confidential and/or privileged information. If you are not the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message.


From nmav at gnutls.org Sat Aug 4 21:14:33 2012
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sat, 04 Aug 2012 21:14:33 +0200
Subject: gnutls 3.0.22
Message-ID: <501D7499.2020507@gnutls.org>

Hello,

I've just released gnutls 3.0.22. This is a bug-fix release on the current stable branch.

* Version 3.0.22 (released 2012-08-04)

** libgnutls: gnutls_certificate_set_x509_system_trust() is now supported on OpenBSD.

** libgnutls: When verifying a certificate chain make sure it is a chain. If the chain is wrongly interrupted at some point then truncate it, and only try to verify the correct part.
Patch by David Woodhouse

** libgnutls: Restored the behavior of gnutls_x509_privkey_import_pkcs8() which now may (again) accept a NULL password.

** certtool: Allow the user to choose the hash algorithm when signing a certificate request or certificate revocation list.

** API and ABI modifications:
No changes since last version.

Getting the Software
====================

GnuTLS may be downloaded from one of the GNU mirror sites or directly from . The list of GNU mirrors can be found at and a list of GnuTLS mirrors can be found at .

Here are the XZ compressed sources:

  ftp://ftp.gnu.org/gnu/gnutls/gnutls-3.0.22.tar.xz
  http://ftp.gnu.org/gnu/gnutls/gnutls-3.0.22.tar.xz
  ftp://ftp.gnutls.org/pub/gnutls/gnutls-3.0.22.tar.xz

Here are the LZIP compressed sources:

  ftp://ftp.gnu.org/gnu/gnutls/gnutls-3.0.22.tar.lz
  http://ftp.gnu.org/gnu/gnutls/gnutls-3.0.22.tar.lz
  ftp://ftp.gnutls.org/pub/gnutls/gnutls-3.0.22.tar.lz

Here are OpenPGP detached signatures signed using key 0x96865171:

  ftp://ftp.gnu.org/gnu/gnutls/gnutls-3.0.22.tar.xz.sig
  http://ftp.gnu.org/gnu/gnutls/gnutls-3.0.22.tar.xz.sig
  ftp://ftp.gnutls.org/pub/gnutls/gnutls-3.0.22.tar.xz.sig
  ftp://ftp.gnu.org/gnu/gnutls/gnutls-3.0.22.tar.lz.sig
  http://ftp.gnu.org/gnu/gnutls/gnutls-3.0.22.tar.lz.sig
  ftp://ftp.gnutls.org/pub/gnutls/gnutls-3.0.22.tar.lz.sig

Note that it has been signed with my openpgp key:

  pub  3104R/96865171 2008-05-04 [expires: 2028-04-29]
  uid  Nikos Mavrogiannopoulos gnutls.org>
  uid  Nikos Mavrogiannopoulos gmail.com>
  sub  2048R/9013B842 2008-05-04 [expires: 2018-05-02]
  sub  2048R/1404A91D 2008-05-04 [expires: 2018-05-02]

regards,
Nikos


From nmav at gnutls.org Sat Aug 4 22:31:40 2012
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sat, 04 Aug 2012 22:31:40 +0200
Subject: Importing a PKCS#1 RSAPublicKey structure into a gnutls_pubkey_t
In-Reply-To: <501BC681.3010005@sirrix.com>
References: <501BC681.3010005@sirrix.com>
Message-ID: <501D86AC.8030305@gnutls.org>

On 08/03/2012 02:39 PM, René Korthaus wrote:
> Hello list,
>
> I have a smartcard that gives me a PKCS#1 RSAPublicKey structure of the
> public key on the card and I need to generate an X.509
> SubjectPublicKeyInfo structure from it. I already have a C++ wrapper
> class that uses gnutls_pubkey_export to generate the
> SubjectPublicKeyInfo structure. The question is how to import the
> RSAPublicKey structure right.

There is no exported function in gnutls that can read the RSAPublicKey structure. gnutls_rsa_params_t reads the private key, not the public (the documentation has a typo which I just fixed).

You can read this DER structure by using libtasn1. Check lib/x509/key_decode.c, and the function _gnutls_x509_read_rsa_pubkey(). After extracting the values you can import them using gnutls_pubkey_import_rsa_raw().

regards,
Nikos


From nmav at gnutls.org Sun Aug 5 12:38:40 2012
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sun, 05 Aug 2012 12:38:40 +0200
Subject: gnutls 3.1.0 pre-release
Message-ID: <501E4D30.6090901@gnutls.org>

Hello,

In one of the next few weeks I plan to release gnutls 3.1.0. This includes quite some changes compared to 3.0.x, the most prominent being:

* Dependence on nettle for RSA PKCS #1 1.5 operations.
* Support for TPM keys (if trousers is available).

The former means that we save quite some code by not reimplementing this stuff in gnutls. The TPM support means that you can use your TPM chip to secure your private key similarly to a smart-card. Keys are referred to by using a (for now custom) URL-like format that looks like:

  tpmkey:uuid=58ad734b-bde6-45c7-89d8-756a55ad1891;storage=user
  tpmkey:file=/path/to/tpmkey.pem

I've put some pre-release versions at alpha.gnu.org. Please try them and feel free to report any issues you encounter or any other comments.
  ftp://alpha.gnu.org/gnu/gnutls/gnutls-3.1.0pre0.tar.lz
  ftp://alpha.gnu.org/gnu/gnutls/gnutls-3.1.0pre0.tar.xz
  ftp://alpha.gnu.org/gnu/gnutls/gnutls-3.1.0pre0.tar.lz.sig
  ftp://alpha.gnu.org/gnu/gnutls/gnutls-3.1.0pre0.tar.xz.sig

A more detailed changelog follows.

* Version 3.1.0pre0 (released 2012-08-05)

** libgnutls: Added direct support for TPM as a cryptographic module in gnutls/tpm.h.

** libgnutls: requires libnettle 2.5.

** libgnutls: Use the PKCS #1 1.5 encoding provided by nettle (2.5) for encryption and signatures.

** libgnutls: Added GNUTLS_CERT_SIGNATURE_FAILURE to differentiate between generic errors and signature verification errors in the verification functions.

** libgnutls: Added gnutls_pkcs12_simple_parse() as a helper function to simplify parsing in most PKCS #12 use cases.

** libgnutls: gnutls_certificate_set_x509_simple_pkcs12_file() adds the whole certificate chain (if any) to the credentials structure, instead of only the end-user certificate.

** libgnutls: Key import functions such as gnutls_pkcs12_simple_parse() and gnutls_x509_privkey_import_pkcs8() consistently return GNUTLS_E_DECRYPTION_FAILED if the input structure is encrypted but no password was provided.

** libgnutlsxx: Added session::set_transport_vec_push_function. Patch by Alexandre Bique.

** tpmtool: Added. It is a tool to generate private keys in the TPM.

** gnutls-cli: --benchmark-tls was split to --benchmark-tls-kx and --benchmark-tls-ciphers

** certtool: generated PKCS #12 structures may hold more than one private key. Patch by Lucas Fisher.

** certtool: Added option --null-password to generate/decrypt keys that use a NULL password (in schemas that distinguish between NULL and empty passwords).

** minitasn1: Upgraded to libtasn1 version 2.13.

** API and ABI modifications:
GNUTLS_CERT_SIGNATURE_FAILURE: Added
GNUTLS_CAMELLIA_192_CBC: Added
GNUTLS_PKCS_NULL_PASSWORD: Added
gnutls_url_is_supported: Added
gnutls_pkcs11_obj_list_import_url2: Added
gnutls_pkcs11_obj_set_pin_function: Added
gnutls_pkcs11_privkey_set_pin_function: Added
gnutls_pkcs11_get_pin_function: Added
gnutls_privkey_import_tpm_raw: Added
gnutls_privkey_import_tpm_url: Added
gnutls_privkey_import_pkcs11_url: Added
gnutls_privkey_import_openpgp_raw: Added
gnutls_privkey_import_x509_raw: Added
gnutls_privkey_import_ext2: Added
gnutls_privkey_import_url: Added
gnutls_privkey_set_pin_function: Added
gnutls_tpm_privkey_generate: Added
gnutls_tpm_key_list_deinit: Added
gnutls_tpm_key_list_get_url: Added
gnutls_tpm_get_registered: Added
gnutls_tpm_privkey_delete: Added
gnutls_pubkey_import_tpm_raw: Added
gnutls_pubkey_import_tpm_url: Added
gnutls_pubkey_import_url: Added
gnutls_pubkey_verify_hash2: Added
gnutls_pubkey_set_pin_function: Added
gnutls_x509_privkey_import2: Added
gnutls_x509_privkey_import_openssl: Added
gnutls_x509_crt_set_pin_function: Added
gnutls_load_file: Added
gnutls_pkcs12_simple_parse: Added
gnutls_certificate_set_x509_system_trust: Added
gnutls_certificate_set_pin_function: Added
gnutls_x509_trust_list_add_system_trust: Added
gnutls_x509_trust_list_add_trust_file: Added
gnutls_x509_trust_list_add_trust_mem: Added
gnutls_pk_to_sign: Added
gnutls_pubkey_verify_hash: Deprecated (use gnutls_pubkey_verify_hash2)
gnutls_pubkey_verify_data: Deprecated (use gnutls_pubkey_verify_data2)

regards,
Nikos


From r.korthaus at sirrix.com Tue Aug 7 09:11:23 2012
From: r.korthaus at sirrix.com (René Korthaus)
Date: Tue, 7 Aug 2012 09:11:23 +0200
Subject: Importing a PKCS#1 RSAPublicKey structure into a gnutls_pubkey_t
In-Reply-To: <501D86AC.8030305@gnutls.org>
References: <501BC681.3010005@sirrix.com> <501D86AC.8030305@gnutls.org>
Message-ID: <5020BF9B.1010905@sirrix.com>

Thanks for the clarification. Then is there a reason that gnutls offers no method to import a PKCS#1 RSAPublicKey structure, given that it is a standard format and almost all smartcards speak it? Plus RSAPublicKey is very similar to RSAPrivateKey and gnutls can already decode RSAPrivateKey structures with _gnutls_privkey_decode_pkcs1_rsa_key. From the code I've seen it should be fairly easy to implement and would make us very happy. :)

Regards,
René

On 04.08.2012 22:31, Nikos Mavrogiannopoulos wrote:
> On 08/03/2012 02:39 PM, René Korthaus wrote:
>
>> Hello list,
>>
>> I have a smartcard that gives me a PKCS#1 RSAPublicKey structure of the
>> public key on the card and I need to generate a X.509
>> SubjectPublicKeyInfo structure from it. I already have a C++ wrapper
>> class that uses gnutls_pubkey_export to generate the
>> SubjectPublicKeyInfo structure. The question is how to import the
>> RSAPublicKey structure right.
>
> There is no exported function in gnutls that can read the RSAPublicKey
> structure. gnutls_rsa_params_t reads the private key not the public (the
> documentation has a typo which I just fixed).
>
> You can read this DER structure by using libtasn1. Check
> lib/x509/key_decode.c, and the function _gnutls_x509_read_rsa_pubkey().
> After extracting the values you can import them using
> gnutls_pubkey_import_rsa_raw().
>
> regards,
> Nikos


From kristian.fiskerstrand at sumptuouscapital.com Wed Aug 8 02:24:38 2012
From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand)
Date: Wed, 08 Aug 2012 02:24:38 +0200
Subject: Error in handshake - Error: Could not negotiate a supported cipher suite.
Message-ID: <5021B1C6.9030102@sumptuouscapital.com>

Hi,

I'm trying to set up mod_gnutls on apache to use an OpenPGP key for a TLS session but I'm having some trouble getting gnutls set up correctly for a handshake. If I'm not too mistaken alert(21) indicates a decryption error - any hints for how I should debug this?

What I have so far is - using gnutls-serv and gnutls-cli - the following;

Version information:

  alpha ~ # gnutls-serv -v
  gnutls-serv (GnuTLS) 2.12.20

Invocation of serv:

  gnutls-serv \
    -p 18000 \
    -g \
    --http \
    --priority NORMAL:+ANON-DH \
    --pgpcertfile /etc/apache2/conf/sks-keyservers.net.pub.asc \
    --pgpkeyfile /etc/apache2/conf/ss/sks-keyservers.net.sec.asc \
    --pgpsubkey 19EA3DAE12200409

Where the keyset is generated with the following properties, and the secret key has no passphrase:

  pub  4096R/BD7B1BE43776D70C  created: 2012-08-08  expires: 2014-08-08  usage: CA
                               trust: ultimate      validity: ultimate
  sub  4096R/19EA3DAE12200409  created: 2012-08-08  expires: 2014-08-08  usage: E
  [ultimate] (1). sks-keyservers.net

And the files are exported using

  gpg2 --homedir . -a --export 3776D70C
  gpg2 --homedir . -a --export-secret-keys 3776D70C

and stored in ASCII armored format:

  alpha ~ # head -1 /etc/apache2/conf/sks-keyservers.net.pub.asc
  -----BEGIN PGP PUBLIC KEY BLOCK-----
  alpha ~ # head -1 /etc/apache2/conf/ss/sks-keyservers.net.sec.asc
  -----BEGIN PGP PRIVATE KEY BLOCK-----

This results in

  alpha ss # gnutls-serv -p 18000 -g --http --priority NORMAL:+ANON-DH --pgpcertfile /etc/apache2/conf/sks-keyservers.net.pub.asc --pgpkeyfile /etc/apache2/conf/ss/sks-keyservers.net.sec.asc --pgpsubkey 19EA3DAE12200409
  Generating temporary RSA parameters. Please wait...
  Generating Diffie-Hellman parameters [768]. Please wait...
  HTTP Server listening on IPv4 0.0.0.0 port 18000...done
  HTTP Server listening on IPv6 :: port 18000...bind() failed: Address already in use
  * Accepted connection from IPv4 127.0.0.1 port 35976 on Wed Aug 8 02:16:48 2012
  Error in handshake
  Error: Could not negotiate a supported cipher suite.
  [ ... repeated for multiple attempts ...]

gnutls-cli-debug on its side reports

  alpha ~ # gnutls-cli-debug -d 10 -p 18000 127.0.0.1
  Resolving '127.0.0.1'...
  Connecting to '127.0.0.1:18000'...
  |<4>| REC[0x61d280]: Allocating epoch #0
  |<2>| ASSERT: gnutls_constate.c:695
  |<4>| REC[0x61d280]: Allocating epoch #1
  |<3>| HSK[0x61d280]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1
  |<3>| HSK[0x61d280]: Keeping ciphersuite: RSA_ARCFOUR_SHA1
  |<3>| HSK[0x61d280]: Keeping ciphersuite: RSA_ARCFOUR_MD5
  |<3>| HSK[0x61d280]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1
  |<3>| HSK[0x61d280]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1
  |<3>| HSK[0x61d280]: Removing ciphersuite: ANON_DH_3DES_EDE_CBC_SHA1
  |<3>| HSK[0x61d280]: Removing ciphersuite: ANON_DH_ARCFOUR_MD5
  |<3>| HSK[0x61d280]: Keeping ciphersuite: RSA_EXPORT_ARCFOUR_40_MD5
  |<3>| HSK[0x61d280]: CLIENT HELLO was sent [57 bytes]
  |<6>| BUF[HSK]: Inserted 57 bytes of Data
  |<7>| HWRITE: enqueued 57. Total 57 bytes.
  |<7>| HWRITE FLUSH: 57 bytes in buffer.
|<4>| REC[0x61d280]: Sending Packet[0] Handshake(22) with length: 57 |<7>| WRITE: enqueued 62 bytes for 0x4. Total 62 bytes. |<4>| REC[0x61d280]: Sent Packet[1] Handshake(22) with length: 62 |<7>| HWRITE: wrote 57 bytes, 0 bytes left. |<7>| WRITE FLUSH: 62 bytes in buffer. |<7>| WRITE: wrote 62 bytes, 0 bytes left. |<7>| READ: Got 5 bytes from 0x4 |<7>| READ: read 5 bytes from 0x4 |<7>| RB: Have 0 bytes into buffer. Adding 5 bytes. |<7>| RB: Requested 5 bytes |<4>| REC[0x61d280]: Expected Packet[0] Handshake(22) with length: 1 |<4>| REC[0x61d280]: Received Packet[0] Alert(21) with length: 2 |<7>| READ: Got 2 bytes from 0x4 |<7>| READ: read 2 bytes from 0x4 |<7>| RB: Have 5 bytes into buffer. Adding 2 bytes. |<7>| RB: Requested 7 bytes |<4>| REC[0x61d280]: Decrypted Packet[0] Alert(21) with length: 2 |<4>| REC[0x61d280]: Alert[2|40] - Handshake failed - was received |<2>| ASSERT: gnutls_record.c:726 |<2>| ASSERT: gnutls_record.c:1122 |<2>| ASSERT: gnutls_handshake.c:2762 |<6>| BUF[HSK]: Cleared Data from buffer Checking for SSL 3.0 support... 
no |<6>| BUF[HSK]: Cleared Data from buffer |<4>| REC[0x61d280]: Epoch #0 freed |<4>| REC[0x61d280]: Epoch #1 freed |<4>| REC[0x61d280]: Allocating epoch #0 |<2>| ASSERT: gnutls_constate.c:695 |<4>| REC[0x61d280]: Allocating epoch #1 |<3>| HSK[0x61d280]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1 |<3>| HSK[0x61d280]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1 |<3>| HSK[0x61d280]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1 |<3>| HSK[0x61d280]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1 |<3>| HSK[0x61d280]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1 |<3>| HSK[0x61d280]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1 |<3>| HSK[0x61d280]: Removing ciphersuite: ANON_DH_3DES_EDE_CBC_SHA1 |<3>| HSK[0x61d280]: Removing ciphersuite: ANON_DH_AES_128_CBC_SHA1 |<2>| EXT[0x61d280]: Sending extension SAFE RENEGOTIATION (1 bytes) |<3>| HSK[0x61d280]: CLIENT HELLO was sent [62 bytes] |<6>| BUF[HSK]: Inserted 62 bytes of Data |<7>| HWRITE: enqueued 62. Total 62 bytes. |<7>| HWRITE FLUSH: 62 bytes in buffer. |<4>| REC[0x61d280]: Sending Packet[0] Handshake(22) with length: 62 |<7>| WRITE: enqueued 67 bytes for 0x4. Total 67 bytes. |<4>| REC[0x61d280]: Sent Packet[1] Handshake(22) with length: 67 |<7>| HWRITE: wrote 62 bytes, 0 bytes left. |<7>| WRITE FLUSH: 67 bytes in buffer. |<7>| WRITE: wrote 67 bytes, 0 bytes left. |<7>| READ: Got 5 bytes from 0x4 |<7>| READ: read 5 bytes from 0x4 |<7>| RB: Have 0 bytes into buffer. Adding 5 bytes. |<7>| RB: Requested 5 bytes |<4>| REC[0x61d280]: Expected Packet[0] Handshake(22) with length: 1 |<4>| REC[0x61d280]: Received Packet[0] Alert(21) with length: 2 |<7>| READ: Got 2 bytes from 0x4 |<7>| READ: read 2 bytes from 0x4 |<7>| RB: Have 5 bytes into buffer. Adding 2 bytes. 
|<7>| RB: Requested 7 bytes |<4>| REC[0x61d280]: Decrypted Packet[0] Alert(21) with length: 2 |<4>| REC[0x61d280]: Alert[2|40] - Handshake failed - was received |<2>| ASSERT: gnutls_record.c:726 |<2>| ASSERT: gnutls_record.c:1122 |<2>| ASSERT: gnutls_handshake.c:2762 |<6>| BUF[HSK]: Cleared Data from buffer Checking whether %COMPAT is required... yes |<6>| BUF[HSK]: Cleared Data from buffer |<4>| REC[0x61d280]: Epoch #0 freed |<4>| REC[0x61d280]: Epoch #1 freed |<4>| REC[0x61d280]: Allocating epoch #0 |<2>| ASSERT: gnutls_constate.c:695 |<4>| REC[0x61d280]: Allocating epoch #1 |<3>| HSK[0x61d280]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1 |<3>| HSK[0x61d280]: Keeping ciphersuite: RSA_ARCFOUR_SHA1 |<3>| HSK[0x61d280]: Keeping ciphersuite: RSA_ARCFOUR_MD5 |<3>| HSK[0x61d280]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1 |<3>| HSK[0x61d280]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1 |<3>| HSK[0x61d280]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1 |<3>| HSK[0x61d280]: Removing ciphersuite: ANON_DH_3DES_EDE_CBC_SHA1 |<3>| HSK[0x61d280]: Removing ciphersuite: ANON_DH_ARCFOUR_MD5 |<3>| HSK[0x61d280]: Keeping ciphersuite: RSA_EXPORT_ARCFOUR_40_MD5 |<2>| EXT[0x61d280]: Sending extension SAFE RENEGOTIATION (1 bytes) |<3>| HSK[0x61d280]: CLIENT HELLO was sent [64 bytes] |<6>| BUF[HSK]: Inserted 64 bytes of Data |<7>| HWRITE: enqueued 64. Total 64 bytes. |<7>| HWRITE FLUSH: 64 bytes in buffer. |<4>| REC[0x61d280]: Sending Packet[0] Handshake(22) with length: 64 |<7>| WRITE: enqueued 69 bytes for 0x4. Total 69 bytes. |<4>| REC[0x61d280]: Sent Packet[1] Handshake(22) with length: 69 |<7>| HWRITE: wrote 64 bytes, 0 bytes left. |<7>| WRITE FLUSH: 69 bytes in buffer. |<7>| WRITE: wrote 69 bytes, 0 bytes left. |<7>| READ: Got 5 bytes from 0x4 |<7>| READ: read 5 bytes from 0x4 |<7>| RB: Have 0 bytes into buffer. Adding 5 bytes. 
|<7>| RB: Requested 5 bytes |<4>| REC[0x61d280]: Expected Packet[0] Handshake(22) with length: 1 |<4>| REC[0x61d280]: Received Packet[0] Alert(21) with length: 2 |<7>| READ: Got 2 bytes from 0x4 |<7>| READ: read 2 bytes from 0x4 |<7>| RB: Have 5 bytes into buffer. Adding 2 bytes. |<7>| RB: Requested 7 bytes |<4>| REC[0x61d280]: Decrypted Packet[0] Alert(21) with length: 2 |<4>| REC[0x61d280]: Alert[2|40] - Handshake failed - was received |<2>| ASSERT: gnutls_record.c:726 |<2>| ASSERT: gnutls_record.c:1122 |<2>| ASSERT: gnutls_handshake.c:2762 |<6>| BUF[HSK]: Cleared Data from buffer Checking for TLS 1.0 support... no |<6>| BUF[HSK]: Cleared Data from buffer |<4>| REC[0x61d280]: Epoch #0 freed |<4>| REC[0x61d280]: Epoch #1 freed |<4>| REC[0x61d280]: Allocating epoch #0 |<2>| ASSERT: gnutls_constate.c:695 |<4>| REC[0x61d280]: Allocating epoch #1 |<3>| HSK[0x61d280]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1 |<3>| HSK[0x61d280]: Keeping ciphersuite: RSA_ARCFOUR_SHA1 |<3>| HSK[0x61d280]: Keeping ciphersuite: RSA_ARCFOUR_MD5 |<3>| HSK[0x61d280]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1 |<3>| HSK[0x61d280]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1 |<3>| HSK[0x61d280]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1 |<3>| HSK[0x61d280]: Removing ciphersuite: ANON_DH_3DES_EDE_CBC_SHA1 |<3>| HSK[0x61d280]: Removing ciphersuite: ANON_DH_ARCFOUR_MD5 |<2>| EXT[0x61d280]: Sending extension SAFE RENEGOTIATION (1 bytes) |<3>| HSK[0x61d280]: CLIENT HELLO was sent [62 bytes] |<6>| BUF[HSK]: Inserted 62 bytes of Data |<7>| HWRITE: enqueued 62. Total 62 bytes. |<7>| HWRITE FLUSH: 62 bytes in buffer. |<4>| REC[0x61d280]: Sending Packet[0] Handshake(22) with length: 62 |<7>| WRITE: enqueued 67 bytes for 0x4. Total 67 bytes. |<4>| REC[0x61d280]: Sent Packet[1] Handshake(22) with length: 67 |<7>| HWRITE: wrote 62 bytes, 0 bytes left. |<7>| WRITE FLUSH: 67 bytes in buffer. |<7>| WRITE: wrote 67 bytes, 0 bytes left. 
|<7>| READ: Got 5 bytes from 0x4 |<7>| READ: read 5 bytes from 0x4 |<7>| RB: Have 0 bytes into buffer. Adding 5 bytes. |<7>| RB: Requested 5 bytes |<4>| REC[0x61d280]: Expected Packet[0] Handshake(22) with length: 1 |<4>| REC[0x61d280]: Received Packet[0] Alert(21) with length: 2 |<7>| READ: Got 2 bytes from 0x4 |<7>| READ: read 2 bytes from 0x4 |<7>| RB: Have 5 bytes into buffer. Adding 2 bytes. |<7>| RB: Requested 7 bytes |<4>| REC[0x61d280]: Decrypted Packet[0] Alert(21) with length: 2 |<4>| REC[0x61d280]: Alert[2|40] - Handshake failed - was received |<2>| ASSERT: gnutls_record.c:726 |<2>| ASSERT: gnutls_record.c:1122 |<2>| ASSERT: gnutls_handshake.c:2762 |<6>| BUF[HSK]: Cleared Data from buffer Checking for TLS 1.1 support... no |<6>| BUF[HSK]: Cleared Data from buffer |<4>| REC[0x61d280]: Epoch #0 freed |<4>| REC[0x61d280]: Epoch #1 freed |<4>| REC[0x61d280]: Allocating epoch #0 |<2>| ASSERT: gnutls_constate.c:695 |<4>| REC[0x61d280]: Allocating epoch #1 |<3>| HSK[0x61d280]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1 |<3>| HSK[0x61d280]: Keeping ciphersuite: RSA_ARCFOUR_SHA1 |<3>| HSK[0x61d280]: Keeping ciphersuite: RSA_ARCFOUR_MD5 |<3>| HSK[0x61d280]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1 |<3>| HSK[0x61d280]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1 |<3>| HSK[0x61d280]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1 |<3>| HSK[0x61d280]: Removing ciphersuite: ANON_DH_3DES_EDE_CBC_SHA1 |<3>| HSK[0x61d280]: Removing ciphersuite: ANON_DH_ARCFOUR_MD5 |<2>| EXT[0x61d280]: Sending extension SAFE RENEGOTIATION (1 bytes) |<3>| HSK[0x61d280]: CLIENT HELLO was sent [62 bytes] |<6>| BUF[HSK]: Inserted 62 bytes of Data |<7>| HWRITE: enqueued 62. Total 62 bytes. |<7>| HWRITE FLUSH: 62 bytes in buffer. |<4>| REC[0x61d280]: Sending Packet[0] Handshake(22) with length: 62 |<7>| WRITE: enqueued 67 bytes for 0x4. Total 67 bytes. |<4>| REC[0x61d280]: Sent Packet[1] Handshake(22) with length: 67 |<7>| HWRITE: wrote 62 bytes, 0 bytes left. 
|<7>| WRITE FLUSH: 67 bytes in buffer. |<7>| WRITE: wrote 67 bytes, 0 bytes left. |<7>| READ: Got 5 bytes from 0x4 |<7>| READ: read 5 bytes from 0x4 |<7>| RB: Have 0 bytes into buffer. Adding 5 bytes. |<7>| RB: Requested 5 bytes |<4>| REC[0x61d280]: Expected Packet[0] Handshake(22) with length: 1 |<4>| REC[0x61d280]: Received Packet[0] Alert(21) with length: 2 |<7>| READ: Got 2 bytes from 0x4 |<7>| READ: read 2 bytes from 0x4 |<7>| RB: Have 5 bytes into buffer. Adding 2 bytes. |<7>| RB: Requested 7 bytes |<4>| REC[0x61d280]: Decrypted Packet[0] Alert(21) with length: 2 |<4>| REC[0x61d280]: Alert[2|40] - Handshake failed - was received |<2>| ASSERT: gnutls_record.c:726 |<2>| ASSERT: gnutls_record.c:1122 |<2>| ASSERT: gnutls_handshake.c:2762 |<6>| BUF[HSK]: Cleared Data from buffer Checking fallback from TLS 1.1 to... failed |<6>| BUF[HSK]: Cleared Data from buffer |<4>| REC[0x61d280]: Epoch #0 freed |<4>| REC[0x61d280]: Epoch #1 freed |<4>| REC[0x61d280]: Allocating epoch #0 |<2>| ASSERT: gnutls_constate.c:695 |<4>| REC[0x61d280]: Allocating epoch #1 |<3>| HSK[0x61d280]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1 |<3>| HSK[0x61d280]: Keeping ciphersuite: RSA_ARCFOUR_SHA1 |<3>| HSK[0x61d280]: Keeping ciphersuite: RSA_ARCFOUR_MD5 |<3>| HSK[0x61d280]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1 |<3>| HSK[0x61d280]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1 |<3>| HSK[0x61d280]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1 |<3>| HSK[0x61d280]: Removing ciphersuite: ANON_DH_3DES_EDE_CBC_SHA1 |<3>| HSK[0x61d280]: Removing ciphersuite: ANON_DH_ARCFOUR_MD5 |<2>| EXT[0x61d280]: Sending extension SAFE RENEGOTIATION (1 bytes) |<3>| HSK[0x61d280]: CLIENT HELLO was sent [62 bytes] |<6>| BUF[HSK]: Inserted 62 bytes of Data |<7>| HWRITE: enqueued 62. Total 62 bytes. |<7>| HWRITE FLUSH: 62 bytes in buffer. |<4>| REC[0x61d280]: Sending Packet[0] Handshake(22) with length: 62 |<7>| WRITE: enqueued 67 bytes for 0x4. Total 67 bytes. 
|<4>| REC[0x61d280]: Sent Packet[1] Handshake(22) with length: 67 |<7>| HWRITE: wrote 62 bytes, 0 bytes left. |<7>| WRITE FLUSH: 67 bytes in buffer. |<7>| WRITE: wrote 67 bytes, 0 bytes left. |<7>| READ: Got 5 bytes from 0x4 |<7>| READ: read 5 bytes from 0x4 |<7>| RB: Have 0 bytes into buffer. Adding 5 bytes. |<7>| RB: Requested 5 bytes |<4>| REC[0x61d280]: Expected Packet[0] Handshake(22) with length: 1 |<4>| REC[0x61d280]: Received Packet[0] Alert(21) with length: 2 |<7>| READ: Got 2 bytes from 0x4 |<7>| READ: read 2 bytes from 0x4 |<7>| RB: Have 5 bytes into buffer. Adding 2 bytes. |<7>| RB: Requested 7 bytes |<4>| REC[0x61d280]: Decrypted Packet[0] Alert(21) with length: 2 |<4>| REC[0x61d280]: Alert[2|40] - Handshake failed - was received |<2>| ASSERT: gnutls_record.c:726 |<2>| ASSERT: gnutls_record.c:1122 |<2>| ASSERT: gnutls_handshake.c:2762 |<6>| BUF[HSK]: Cleared Data from buffer Checking for TLS 1.2 support... no |<6>| BUF[HSK]: Cleared Data from buffer |<4>| REC[0x61d280]: Epoch #0 freed |<4>| REC[0x61d280]: Epoch #1 freed |<4>| REC[0x61d280]: Allocating epoch #0 |<2>| ASSERT: gnutls_constate.c:695 |<4>| REC[0x61d280]: Allocating epoch #1 |<3>| HSK[0x61d280]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1 |<3>| HSK[0x61d280]: Keeping ciphersuite: RSA_ARCFOUR_SHA1 |<3>| HSK[0x61d280]: Keeping ciphersuite: RSA_ARCFOUR_MD5 |<3>| HSK[0x61d280]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1 |<3>| HSK[0x61d280]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1 |<3>| HSK[0x61d280]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1 |<3>| HSK[0x61d280]: Removing ciphersuite: ANON_DH_3DES_EDE_CBC_SHA1 |<3>| HSK[0x61d280]: Removing ciphersuite: ANON_DH_ARCFOUR_MD5 |<3>| HSK[0x61d280]: Keeping ciphersuite: RSA_EXPORT_ARCFOUR_40_MD5 |<2>| EXT[0x61d280]: Sending extension SAFE RENEGOTIATION (1 bytes) |<3>| HSK[0x61d280]: CLIENT HELLO was sent [64 bytes] |<6>| BUF[HSK]: Inserted 64 bytes of Data |<7>| HWRITE: enqueued 64. Total 64 bytes. |<7>| HWRITE FLUSH: 64 bytes in buffer. 
|<4>| REC[0x61d280]: Sending Packet[0] Handshake(22) with length: 64 |<7>| WRITE: enqueued 69 bytes for 0x4. Total 69 bytes. |<4>| REC[0x61d280]: Sent Packet[1] Handshake(22) with length: 69 |<7>| HWRITE: wrote 64 bytes, 0 bytes left. |<7>| WRITE FLUSH: 69 bytes in buffer. |<7>| WRITE: wrote 69 bytes, 0 bytes left. |<7>| READ: Got 5 bytes from 0x4 |<7>| READ: read 5 bytes from 0x4 |<7>| RB: Have 0 bytes into buffer. Adding 5 bytes. |<7>| RB: Requested 5 bytes |<4>| REC[0x61d280]: Expected Packet[0] Handshake(22) with length: 1 |<4>| REC[0x61d280]: Received Packet[0] Alert(21) with length: 2 |<7>| READ: Got 2 bytes from 0x4 |<7>| READ: read 2 bytes from 0x4 |<7>| RB: Have 5 bytes into buffer. Adding 2 bytes. |<7>| RB: Requested 7 bytes |<4>| REC[0x61d280]: Decrypted Packet[0] Alert(21) with length: 2 |<4>| REC[0x61d280]: Alert[2|40] - Handshake failed - was received |<2>| ASSERT: gnutls_record.c:726 |<2>| ASSERT: gnutls_record.c:1122 |<2>| ASSERT: gnutls_handshake.c:2762 |<6>| BUF[HSK]: Cleared Data from buffer Checking whether we need to disable TLS 1.0... yes |<6>| BUF[HSK]: Cleared Data from buffer |<4>| REC[0x61d280]: Epoch #0 freed |<4>| REC[0x61d280]: Epoch #1 freed Server does not support any of SSL 3.0, TLS 1.0 and TLS 1.1 -- ---------------------------- Kristian Fiskerstrand http://www.sumptuouscapital.com Twitter: @krifisk ---------------------------- Docendo discimus We learn by teaching ---------------------------- This email was digitally signed using the OpenPGP standard. If you want to read more about this The book: Sending Emails - The Safe Way: An introduction to OpenPGP security is now available in both Amazon Kindle and Paperback format at http://www.amazon.com/dp/B006RSG1S4/ ---------------------------- Public PGP key 0xE3EDFAE3 at http://www.sumptuouscapital.com/pgp/ -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 900 bytes Desc: OpenPGP digital signature URL: From nmav at gnutls.org Wed Aug 8 15:10:51 2012 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Wed, 8 Aug 2012 15:10:51 +0200 Subject: Error in handshake - Error: Could not negotiate a supported cipher suite. In-Reply-To: <5021B1C6.9030102@sumptuouscapital.com> References: <5021B1C6.9030102@sumptuouscapital.com> Message-ID: On Wed, Aug 8, 2012 at 2:24 AM, Kristian Fiskerstrand wrote: > Hi, > I'm trying to set up mod_gnutls on apache to use OpenPGP key for a TLS > session but I'm having some trouble getting gnutls set up correctly for > a handshake. If I'm not too mistaken alert(21) indicate a decryption > error - any hints for how I should debug this? > What I have so far is - using gnutls-serv and gnutls-cli - the following; [...] > --priority NORMAL:+ANON-DH \ Shouldn't you enable openpgp support as well? You can do that by adding +CTYPE-OPENPGP. regards, Nikos From daniel.otte at rub.de Wed Aug 8 18:51:11 2012 From: daniel.otte at rub.de (Daniel Otte) Date: 8 Aug 2012 18:51:11 +0200 Subject: testing error cases of tls implementation Message-ID: <502298FF.4050306@rub.de> Hello, I'm currently implementing an TLS1.2 server for embedded devices (which are too small for gnutls or openssl and all the others). For testing I'm using gnutls (especially gnutls-cli) to get the communication working and this currently works. My problem is that I would like to test all the error cases (those where the other side does not follow rfc5246). Many things can go wrong there (wrong behavior, security leaks, memory leaks, ...) and I want to find as much of my programming errors by testing as possible. You get this E-Mail from me since I hope you have experience and maybe also code which could be used. regards, Daniel -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: 

From nmav at gnutls.org Thu Aug 9 12:28:54 2012
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Thu, 9 Aug 2012 12:28:54 +0200
Subject: testing error cases of tls implementation
In-Reply-To: <502298FF.4050306@rub.de>
References: <502298FF.4050306@rub.de>
Message-ID: 

On Wed, Aug 8, 2012 at 6:51 PM, Daniel Otte wrote:
> Hello,
> I'm currently implementing an TLS1.2 server for embedded devices (which are too
> small for gnutls or openssl and all the others).
> For testing I'm using gnutls (especially gnutls-cli) to get the communication
> working and this currently works.
> My problem is that I would like to test all the error cases (those where the
> other side does not follow rfc5246). Many things can go wrong there (wrong
> behavior, security leaks, memory leaks, ...) and I want to find as much of my
> programming errors by testing as possible.

Have you checked gnutls-cli-debug?

regards,
Nikos

From nmav at gnutls.org Thu Aug 9 14:49:13 2012
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Thu, 9 Aug 2012 14:49:13 +0200
Subject: Importing a PKCS#1 RSAPublicKey structure into a gnutls_pubkey_t
In-Reply-To: <5020BF9B.1010905@sirrix.com>
References: <501BC681.3010005@sirrix.com> <501D86AC.8030305@gnutls.org> <5020BF9B.1010905@sirrix.com>
Message-ID: 

On Tue, Aug 7, 2012 at 9:11 AM, René Korthaus wrote:
> Thanks for the clarification. Then is there a reason that gnutls offers no
> method to import a PKCS#1 RSAPublicKey structure - given that it is a
> standard format and almost all smartcards speak it plus RSAPublicKey is very
> similar to RSAPrivateKey and gnutls can already decode RSAPrivateKey
> structures with _gnutls_privkey_decode_pkcs1_rsa_key. From the code I've
> seen it should be fairly easy to implement and would make us very happy. :)

The problem is that RSAPublicKey structure is RSA specific.
GnuTLS supports the generic SubjectPublicKeyInfo structure for public keys which may contain RSA, DSA, or ECDSA keys. If however you provide a simple patch that reads the structure for a gnutls_pubkey_t, I'll be happy to include it in the 3.1 release.

regards,
Nikos

From kristian.fiskerstrand at sumptuouscapital.com Thu Aug 9 21:24:03 2012
From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand)
Date: Thu, 09 Aug 2012 21:24:03 +0200
Subject: Error in handshake - Error: Could not negotiate a supported cipher suite.
In-Reply-To: 
References: <5021B1C6.9030102@sumptuouscapital.com>
Message-ID: <50240E53.3000501@sumptuouscapital.com>

On 08/08/2012 03:10 PM, Nikos Mavrogiannopoulos wrote:
> On Wed, Aug 8, 2012 at 2:24 AM, Kristian Fiskerstrand
> wrote:
>> Hi,
>> I'm trying to set up mod_gnutls on apache to use OpenPGP key for a TLS
>> session but I'm having some trouble getting gnutls set up correctly for
>> a handshake. If I'm not too mistaken alert(21) indicate a decryption
>> error - any hints for how I should debug this?
>> What I have so far is - using gnutls-serv and gnutls-cli - the following;
> [...]
>> --priority NORMAL:+ANON-DH \
>
> Shouldn't you enable openpgp support as well? You can do that by adding
> +CTYPE-OPENPGP.
>
> regards,
> Nikos
>

Hi Nikos,

Thank you for the response and sorry for my late reply, got a bit pre-occupied for a while there.

I adjusted the command to

gnutls-serv \
  -p 18000 \
  -g \
  --http \
  --priority NORMAL:+CTYPE-OPENPGP:+ANON-DH \
  --pgpcertfile /etc/apache2/conf/sks-keyservers.net.pub.asc \
  --pgpkeyfile /etc/apache2/conf/ss/sks-keyservers.net.sec.asc \
  --pgpsubkey 19EA3DAE12200409

but I still get the same error ..
I also tried to generate dh info by certtool --generate-dh-params and putting the params in a dh file to run

gnutls-serv \
  -p 18000 \
  --dhparams /root/dh \
  --http \
  --priority NORMAL:+CTYPE-OPENPGP:+ANON-DH \
  --pgpcertfile /etc/apache2/conf/sks-keyservers.net.pub.asc \
  --pgpkeyfile /etc/apache2/conf/ss/sks-keyservers.net.sec.asc \
  --pgpsubkey 19EA3DAE12200409

with the same result. Any other hints?

-- 
Kristian Fiskerstrand
http://www.sumptuouscapital.com
Nil desperandum
Never give up
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 900 bytes
Desc: OpenPGP digital signature
URL: 

From nmav at gnutls.org Fri Aug 10 09:45:50 2012
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Fri, 10 Aug 2012 09:45:50 +0200
Subject: Error in handshake - Error: Could not negotiate a supported cipher suite.
In-Reply-To: <50240E53.3000501@sumptuouscapital.com>
References: <5021B1C6.9030102@sumptuouscapital.com> <50240E53.3000501@sumptuouscapital.com>
Message-ID: <5024BC2E.7090402@gnutls.org>

On 08/09/2012 09:24 PM, Kristian Fiskerstrand wrote:
> On 08/08/2012 03:10 PM, Nikos Mavrogiannopoulos wrote:
>> On Wed, Aug 8, 2012 at 2:24 AM, Kristian Fiskerstrand
>> wrote:
>>> Hi,
>>> I'm trying to set up mod_gnutls on apache to use OpenPGP key for a TLS
>>> session but I'm having some trouble getting gnutls set up correctly for
>>> a handshake.
>>> If I'm not too mistaken alert(21) indicate a decryption
>>> error - any hints for how I should debug this?
>>> What I have so far is - using gnutls-serv and gnutls-cli - the following;
>> [...]
>>> --priority NORMAL:+ANON-DH \
>>
>> Shouldn't you enable openpgp support as well? You can do that by adding
>> +CTYPE-OPENPGP.
> Thank you for the response and sorry for my late reply, got a bit
> pre-occupied for a while there.
> I adjusted the command to
> gnutls-serv \
> -p 18000 \
> -g \
> --http \
> --priority NORMAL:+CTYPE-OPENPGP:+ANON-DH \
> --pgpcertfile /etc/apache2/conf/sks-keyservers.net.pub.asc \
> --pgpkeyfile /etc/apache2/conf/ss/sks-keyservers.net.sec.asc \
> --pgpsubkey 19EA3DAE12200409
> but I still get the same error ..

Did you add the same priority string to the client as well? If I try the doc/credentials/gnutls-http-serv script with a client that has the CTYPE-OPENPGP enabled it works.

regards,
Nikos
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 554 bytes
Desc: OpenPGP digital signature
URL: 

From kristian.fiskerstrand at sumptuouscapital.com Fri Aug 10 14:27:26 2012
From: kristian.fiskerstrand at sumptuouscapital.com (Kristian Fiskerstrand)
Date: Fri, 10 Aug 2012 14:27:26 +0200
Subject: [Solved] Re: Error in handshake - Error: Could not negotiate a supported cipher suite.
In-Reply-To: <5024BC2E.7090402@gnutls.org>
References: <5021B1C6.9030102@sumptuouscapital.com> <50240E53.3000501@sumptuouscapital.com> <5024BC2E.7090402@gnutls.org>
Message-ID: <5024FE2E.5040206@sumptuouscapital.com>

On 08/10/2012 09:45 AM, Nikos Mavrogiannopoulos wrote:
> On 08/09/2012 09:24 PM, Kristian Fiskerstrand wrote:
> ...
> Did you add the same priority string to the client as well? If I try the
> doc/credentials/gnutls-http-serv script with a client that has the
> CTYPE-OPENPGP enabled it works.
Thank you for the help Nikos, my problems were unrelated to gnutls

-- 
Kristian Fiskerstrand
http://www.sumptuouscapital.com
Primum ego, tum ego, deinde ego
First I, then I, thereafter I.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 900 bytes
Desc: OpenPGP digital signature
URL: 

From latze at angry-red-pla.net Fri Aug 10 17:49:55 2012
From: latze at angry-red-pla.net (Carolin Latze)
Date: Fri, 10 Aug 2012 17:49:55 +0200
Subject: GnuTLS without nettle on Ubuntu 12.04
Message-ID: <50252DA3.2060202@angry-red-pla.net>

Hi all,

I moved to Ubuntu 12.04. which comes with libnettle 2.4.x. When I try to install GnuTLS from GIT checkout, it asks for libnettle 2.5. Are the changes that major or could I easily run it with 2.4.x too?

Regards
Carolin

From nmav at gnutls.org Fri Aug 10 18:02:22 2012
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Fri, 10 Aug 2012 18:02:22 +0200
Subject: GnuTLS without nettle on Ubuntu 12.04
In-Reply-To: <50252DA3.2060202@angry-red-pla.net>
References: <50252DA3.2060202@angry-red-pla.net>
Message-ID: <5025308E.7090201@gnutls.org>

On 08/10/2012 05:49 PM, Carolin Latze wrote:
> Hi all,
>
> I moved to Ubuntu 12.04. which comes with libnettle 2.4.x. When I try to
> install GnuTLS from GIT checkout, it asks for libnettle 2.5. Are the
> changes that major or could I easily run it with 2.4.x too?

Unfortunately no, the master branch (gnutls 3.1.0) requires nettle 2.5.
regards,
Nikos

From nmav at gnutls.org Wed Aug 15 22:50:47 2012
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Wed, 15 Aug 2012 22:50:47 +0200
Subject: gnutls 3.1.0
Message-ID: <502C0BA7.7090302@gnutls.org>

Hello,

I've just released gnutls 3.1.0. This release is a major feature update on gnutls 3.0.x, but is fully binary and source compatible with it. The main additions are support for the TPM module to store cryptographic keys, and simplified functions to access encrypted structures.

* Version 3.1.0 (released 2012-08-15)

** libgnutls: Added direct support for TPM as a cryptographic module in gnutls/tpm.h. TPM keys can be used in functions accepting files using URLs of the following types:
  tpmkey:file=/path/to/file
  tpmkey:uuid=7f468c16-cb7f-11e1-824d-b3a4f4b20343;storage=user

** libgnutls: Priority string level keywords can be combined. For example the string "SECURE256:+SUITEB128" is now allowed.

** libgnutls: requires libnettle 2.5.

** libgnutls: Use the PKCS #1 1.5 encoding provided by nettle (2.5) for encryption and signatures.

** libgnutls: Added GNUTLS_CERT_SIGNATURE_FAILURE to differentiate between generic errors and signature verification errors in the verification functions.

** libgnutls: Added gnutls_pkcs12_simple_parse() as a helper function to simplify parsing in most PKCS #12 use cases.

** libgnutls: gnutls_certificate_set_x509_simple_pkcs12_file() adds the whole certificate chain (if any) to the credentials structure, instead of only the end-user certificate.

** libgnutls: Key import functions such as gnutls_pkcs12_simple_parse() and gnutls_x509_privkey_import_pkcs8(), return consistently GNUTLS_E_DECRYPTION_FAILED if the input structure is encrypted but no password was provided.

** libgnutls: Added gnutls_handshake_set_timeout() a function that allows to set the maximum time spent in a handshake.

** libgnutlsxx: Added session::set_transport_vec_push_function. Patch by Alexandre Bique.

** tpmtool: Added.
It is a tool to generate private keys in the TPM.

** gnutls-cli: --benchmark-tls was split to --benchmark-tls-kx and --benchmark-tls-ciphers

** certtool: generated PKCS #12 structures may hold more than one private key. Patch by Lucas Fisher.

** certtool: Added option --null-password to generate/decrypt keys that use a NULL password (in schemas that distinguish between NULL and empty passwords).

** minitasn1: Upgraded to libtasn1 version 2.13.

** API and ABI modifications:
GNUTLS_CERT_SIGNATURE_FAILURE: Added
GNUTLS_CAMELLIA_192_CBC: Added
GNUTLS_PKCS_NULL_PASSWORD: Added
gnutls_url_is_supported: Added
gnutls_pkcs11_obj_list_import_url2: Added
gnutls_pkcs11_obj_set_pin_function: Added
gnutls_pkcs11_privkey_set_pin_function: Added
gnutls_pkcs11_get_pin_function: Added
gnutls_privkey_import_tpm_raw: Added
gnutls_privkey_import_tpm_url: Added
gnutls_privkey_import_pkcs11_url: Added
gnutls_privkey_import_openpgp_raw: Added
gnutls_privkey_import_x509_raw: Added
gnutls_privkey_import_ext2: Added
gnutls_privkey_import_url: Added
gnutls_privkey_set_pin_function: Added
gnutls_tpm_privkey_generate: Added
gnutls_tpm_key_list_deinit: Added
gnutls_tpm_key_list_get_url: Added
gnutls_tpm_get_registered: Added
gnutls_tpm_privkey_delete: Added
gnutls_pubkey_import_tpm_raw: Added
gnutls_pubkey_import_tpm_url: Added
gnutls_pubkey_import_url: Added
gnutls_pubkey_verify_hash2: Added
gnutls_pubkey_set_pin_function: Added
gnutls_x509_privkey_import2: Added
gnutls_x509_privkey_import_openssl: Added
gnutls_x509_crt_set_pin_function: Added
gnutls_load_file: Added
gnutls_pkcs12_simple_parse: Added
gnutls_certificate_set_x509_system_trust: Added
gnutls_certificate_set_pin_function: Added
gnutls_x509_trust_list_add_system_trust: Added
gnutls_x509_trust_list_add_trust_file: Added
gnutls_x509_trust_list_add_trust_mem: Added
gnutls_pk_to_sign: Added
gnutls_handshake_set_timeout: Added
gnutls_pubkey_verify_hash: Deprecated (use gnutls_pubkey_verify_hash2)
gnutls_pubkey_verify_data: Deprecated (use
gnutls_pubkey_verify_data2)

Getting the Software
====================

GnuTLS may be downloaded from one of the GNU mirror sites or directly from . The list of GNU mirrors can be found at and a list of GnuTLS mirrors can be found at .

Here are the XZ compressed sources:
  ftp://ftp.gnu.org/gnu/gnutls/gnutls-3.1.0.tar.xz
  http://ftp.gnu.org/gnu/gnutls/gnutls-3.1.0.tar.xz
  ftp://ftp.gnutls.org/pub/gnutls/gnutls-3.1.0.tar.xz

Here are the LZIP compressed sources:
  ftp://ftp.gnu.org/gnu/gnutls/gnutls-3.1.0.tar.lz
  http://ftp.gnu.org/gnu/gnutls/gnutls-3.1.0.tar.lz
  ftp://ftp.gnutls.org/pub/gnutls/gnutls-3.1.0.tar.lz

Here are OpenPGP detached signatures signed using key 0x96865171:
  ftp://ftp.gnu.org/gnu/gnutls/gnutls-3.1.0.tar.xz.sig
  http://ftp.gnu.org/gnu/gnutls/gnutls-3.1.0.tar.xz.sig
  ftp://ftp.gnutls.org/pub/gnutls/gnutls-3.1.0.tar.xz.sig
  ftp://ftp.gnu.org/gnu/gnutls/gnutls-3.1.0.tar.lz.sig
  http://ftp.gnu.org/gnu/gnutls/gnutls-3.1.0.tar.lz.sig
  ftp://ftp.gnutls.org/pub/gnutls/gnutls-3.1.0.tar.lz.sig

Note that it has been signed with my openpgp key:
pub 3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid Nikos Mavrogiannopoulos gnutls.org>
uid Nikos Mavrogiannopoulos gmail.com>
sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02]

regards,
Nikos

From r.korthaus at sirrix.com Thu Aug 16 14:11:10 2012
From: r.korthaus at sirrix.com (René Korthaus)
Date: Thu, 16 Aug 2012 14:11:10 +0200
Subject: Importing a PKCS#1 RSAPublicKey structure into a gnutls_pubkey_t
In-Reply-To: 
References: <501BC681.3010005@sirrix.com> <501D86AC.8030305@gnutls.org> <5020BF9B.1010905@sirrix.com>
Message-ID: <502CE35E.1040903@sirrix.com>

On 09.08.2012 14:49, Nikos Mavrogiannopoulos wrote:
> On Tue, Aug 7, 2012 at 9:11 AM, René Korthaus wrote:
>> Thanks for the clarification.
>> Then is there a reason that gnutls offers no
>> method to import a PKCS#1 RSAPublicKey structure - given that it is a
>> standard format and almost all smartcards speak it plus RSAPublicKey is very
>> similar to RSAPrivateKey and gnutls can already decode RSAPrivateKey
>> structures with _gnutls_privkey_decode_pkcs1_rsa_key. From the code I've
>> seen it should be fairly easy to implement and would make us very happy. :)
> The problem is that RSAPublicKey structure is RSA specific. GnuTLS
> supports the generic SubjectPublicKeyInfo structure for public keys
> which may contain RSA, DSA, or ECDSA keys. If however you provide a
> simple patch that reads the structure for an gnutls_pubkey_t, I'll be
> happy to include it in the 3.1 release.

Sorry for the delay, we are very busy ATM. I'll be happy to provide a patch. Let me see what I can do in the next few days.

Best,
René

>
> regards,
> Nikos

-- 
Sirrix AG security technologies - http://www.sirrix.com
René Korthaus
eMail: r.korthaus at sirrix.com
Tel +49(681) 959 86-163
Fax +49(681) 959 86-5163
PGP Key ID 0x688EF9C8
Fingerprint 1FB6 2405 51C4 79DB C008 D1D2 C2E0 1A14 688E F9C8
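An added example for this thread (it is neither GnuTLS code nor René's or Nikos's), showing the relationship between the two structures Nikos describes. A PKCS#1 RSAPublicKey is just SEQUENCE { modulus, publicExponent }, and an RSA SubjectPublicKeyInfo carries exactly that DER blob inside its BIT STRING next to the rsaEncryption algorithm identifier, so importing one into a generic public-key object is a parse, a re-encode and a wrap. The script uses only the Python standard library with hand-rolled DER, parses and re-encodes the RSAPublicKey (so a malformed blob is rejected rather than copied through), wraps it into a SubjectPublicKeyInfo, unwraps it again, and also shows why a decoder that expects an RSAPrivateKey rejects it: a private key has nine INTEGERs, a public key two. Every key value in it is a constructed toy number, not a real key.

```python
"""PKCS#1 RSAPublicKey <-> X.509 SubjectPublicKeyInfo with hand-rolled DER.

Added example for the thread above; not GnuTLS code. Standard library only.
All key material below is constructed toy data, not a real key.
"""
import base64
from typing import List, Tuple

# 1.2.840.113549.1.1.1 (rsaEncryption), pre-encoded as an OID TLV
RSA_ENCRYPTION_OID = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"
DER_NULL = b"\x05\x00"
SEQUENCE, INTEGER, BIT_STRING = 0x30, 0x02, 0x03


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_integer(value: int) -> bytes:
    # Minimal encoding of a non-negative INTEGER: bit_length()//8 + 1 bytes
    # always leaves the top bit clear, so no sign byte is ever missing.
    if value < 0:
        raise ValueError("RSA parameters are non-negative")
    return _der_tlv(INTEGER, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, body, position after the element) for the TLV at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("indefinite or oversized DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    body = buf[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated DER element")
    return tag, body, pos + length


def _sequence_of_integers(der: bytes) -> List[int]:
    """Decode one top-level SEQUENCE and return its leading INTEGER members."""
    tag, body, end = _read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("expected exactly one DER SEQUENCE")
    values, pos = [], 0
    while pos < len(body):
        tag, item, pos = _read_tlv(body, pos)
        if tag != INTEGER:
            break  # e.g. otherPrimeInfos at the end of a multi-prime RSAPrivateKey
        if not item or item[0] & 0x80:
            raise ValueError("empty or negative INTEGER")
        values.append(int.from_bytes(item, "big"))
    return values


def classify_pkcs1(der: bytes) -> str:
    """RSAPublicKey is two INTEGERs; RSAPrivateKey (RFC 3447 A.1) starts with a
    version of 0 or 1 followed by n, e, d, p, q, dP, dQ and qInv."""
    values = _sequence_of_integers(der)
    if len(values) == 2:
        return "RSAPublicKey"
    if len(values) >= 9 and values[0] in (0, 1):
        return "RSAPrivateKey"
    return "unknown"


def parse_rsa_public_key(der: bytes) -> Tuple[int, int]:
    """Decode RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    values = _sequence_of_integers(der)
    if len(values) != 2:
        raise ValueError("not a PKCS#1 RSAPublicKey (%d INTEGERs)" % len(values))
    return values[0], values[1]


def encode_rsa_public_key(n: int, e: int) -> bytes:
    return _der_tlv(SEQUENCE, _der_integer(n) + _der_integer(e))


def rsa_public_key_to_spki(der: bytes) -> bytes:
    """SubjectPublicKeyInfo (RFC 5280 / RFC 3279) for an RSA key:
    SEQUENCE { SEQUENCE { OID rsaEncryption, NULL }, BIT STRING { RSAPublicKey } }."""
    n, e = parse_rsa_public_key(der)  # re-encoded below, never copied verbatim
    algorithm = _der_tlv(SEQUENCE, RSA_ENCRYPTION_OID + DER_NULL)
    subject_public_key = _der_tlv(BIT_STRING, b"\x00" + encode_rsa_public_key(n, e))
    return _der_tlv(SEQUENCE, algorithm + subject_public_key)


def spki_to_rsa_public_key(spki: bytes) -> bytes:
    """Inverse direction: pull the RSAPublicKey blob out of a SubjectPublicKeyInfo."""
    tag, body, end = _read_tlv(spki, 0)
    if tag != SEQUENCE or end != len(spki):
        raise ValueError("expected a SubjectPublicKeyInfo SEQUENCE")
    tag, algorithm, pos = _read_tlv(body, 0)
    if tag != SEQUENCE or algorithm != RSA_ENCRYPTION_OID + DER_NULL:
        raise ValueError("algorithm is not rsaEncryption")
    tag, bits, pos = _read_tlv(body, pos)
    if tag != BIT_STRING or pos != len(body) or not bits or bits[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    return bits[1:]


def to_pem(spki: bytes) -> str:
    """The 'BEGIN PUBLIC KEY' form a SubjectPublicKeyInfo is usually stored in."""
    b64 = base64.b64encode(spki).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


# Constructed toy inputs (tiny numbers, NOT usable keys): n=0xB00F, e=65537.
TOY_RSA_PUBLIC_KEY = bytes.fromhex("300a" "020300b00f" "0203010001")
TOY_RSA_PRIVATE_KEY = _der_tlv(SEQUENCE, b"".join(
    _der_integer(v) for v in [0, 0xB00F, 65537, 1, 2, 3, 4, 5, 6]))

if __name__ == "__main__":
    print(classify_pkcs1(TOY_RSA_PUBLIC_KEY), classify_pkcs1(TOY_RSA_PRIVATE_KEY))
    print(to_pem(rsa_public_key_to_spki(TOY_RSA_PUBLIC_KEY)))
```

Feeding the card's RSAPublicKey blob to parse_rsa_public_key and then rsa_public_key_to_spki yields the same DER that an exporter of the generic structure produces for an RSA key, and classify_pkcs1 is the quick check to run on a blob before handing it to any importer: a decoder written for RSAPrivateKey will report a DER error on a two-INTEGER sequence, which is the failure described earlier in the thread.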
From latze at angry-red-pla.net Fri Aug 17 15:10:58 2012
From: latze at angry-red-pla.net (Carolin Latze)
Date: Fri, 17 Aug 2012 15:10:58 +0200
Subject: GnuTLS without nettle on Ubuntu 12.04
In-Reply-To: <5025308E.7090201@gnutls.org>
References: <50252DA3.2060202@angry-red-pla.net> <5025308E.7090201@gnutls.org>
Message-ID: <502E42E2.1050905@angry-red-pla.net>

On 08/10/2012 06:02 PM, Nikos Mavrogiannopoulos wrote:
> On 08/10/2012 05:49 PM, Carolin Latze wrote:
>
>> Hi all,
>>
>> I moved to Ubuntu 12.04. which comes with libnettle 2.4.x. When I try to
>> install GnuTLS from GIT checkout, it asks for libnettle 2.5. Are the
>> changes that major or could I easily run it with 2.4.x too?
>
> Unfortunately no, the master branch (gnutls 3.1.0) requires nettle 2.5.
>

Since I have to set up a new system then anyways, which Linux do you use in which version? I tried Debian wheezy and Ubuntu 12.04 for the moment and both come with nettle 2.4.x.

Regards
Carolin

From latze at angry-red-pla.net Fri Aug 17 15:23:17 2012
From: latze at angry-red-pla.net (Carolin Latze)
Date: Fri, 17 Aug 2012 15:23:17 +0200
Subject: GnuTLS without nettle on Ubuntu 12.04
In-Reply-To: <0M8W004GGIA1T360@mailout2.samsung.com>
References: <0M8W004GGIA1T360@mailout2.samsung.com>
Message-ID: <502E45C5.9040802@angry-red-pla.net>

On 08/17/2012 03:17 PM, Sarat Chandra Addepalli wrote:
> Samsung Enterprise Portal mySingle
>
> Hi Carolin,
>
> On 08/10/2012 06:02 PM, Nikos Mavrogiannopoulos wrote:
> > On 08/10/2012 05:49 PM, Carolin Latze wrote:
> >
> >> Hi all,
> >>
> >> I moved to Ubuntu 12.04. which comes with libnettle 2.4.x. When I
> try to
> >> install GnuTLS from GIT checkout, it asks for libnettle 2.5. Are the
> >> changes that major or could I easily run it with 2.4.x too?
> >
> > Unfortunately no, the master branch (gnutls 3.1.0) requires nettle 2.5.
> >
>
> >Since I have to set up a new system then anyways, which Linux do you use
> >in which version?
> >I tried Debian wheezy and Ubuntu 12.04 for the moment
> >and both come with nettle 2.4.x.
>
> shouldn't something like simply downloading nettle 2.5 (from git or
> whatever is its scm tool)
>
> and installing it suffice? I fail to see why you would have to revamp
> your OS...
>

Oh lol, it is Friday hm. You are right.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From superuser at gmail.com Fri Aug 17 21:06:05 2012
From: superuser at gmail.com (Murray S. Kucherawy)
Date: Fri, 17 Aug 2012 12:06:05 -0700
Subject: Question about gnutls_global_set_log_function()
Message-ID: 

I'm writing a multithreaded application that could be doing RSA signature generations and/or validations in parallel.

Right now gnutls_global_set_log_function() allows me to specify an error reporting function, but in theory any thread could call it. It would be helpful to receive something thread-specific in the function I provide to gnutls_global_set_log_function() so that, for example, a buffer could be assigned per thread to receive this information.

As it stands right now I have to do something like a pthread_key to get thread-specific storage from the underlying threading implementation. Not having that dependency would be desirable. Being able to add gnutls_set_thread_specific() that stores a thread-specific pointer would be helpful, and then that could be done inside my global log function to take thread-specific action.

Thanks for any help here.

-MSK

From tk at giga.or.at Fri Aug 17 21:31:42 2012
From: tk at giga.or.at (Thomas Klausner)
Date: Fri, 17 Aug 2012 21:31:42 +0200
Subject: upgrading from 2 to 3: gnutls_certificate_get_x509_c{a,rl}s
Message-ID: <20120817193142.GF24913@danbala.tuwien.ac.at>

Hi!

First off: I know nothing about gnutls except what I can google together.

I'm looking at compiling freeDiameter-1.1.2 on my system, which has gnutls-3.0.22 installed.
It doesn't compile because of

../libfdcore/libfdcore.so.1.1.2: undefined reference to `gnutls_certificate_get_x509_crls'
../libfdcore/libfdcore.so.1.1.2: undefined reference to `gnutls_certificate_get_x509_cas'

I found
http://www.gnu.org/software/gnutls/manual/html_node/Upgrading-from-previous-versions.html
which says:

gnutls_certificate_get_x509_crls, gnutls_certificate_get_x509_cas:
Removed to allow updating the internal structures. Replaced by
gnutls_certificate_get_issuer.

The code looks like this:

GNUTLS_TRACE( gnutls_certificate_get_x509_cas (fd_g_config->cnf_sec_data.credentials, &CA_list, (unsigned int *) &CA_list_length) );
GNUTLS_TRACE( gnutls_certificate_get_x509_crls (fd_g_config->cnf_sec_data.credentials, &CRL_list, (unsigned int *) &CRL_list_length) );
CHECK_GNUTLS_DO( gnutls_x509_crt_list_verify(certs, cert_max, CA_list, CA_list_length, CRL_list, CRL_list_length, 0, &verify),
    {
        TRACE_DEBUG(INFO, "Failed to verify the local certificate '%s' against local credentials. Please check your certificate is valid.", fd_g_config->cnf_sec_data.cert_file);
        return EINVAL;
    } );

I don't see how I can replace gnutls_certificate_get_x509_cas and gnutls_certificate_get_x509_crls with gnutls_certificate_get_issuer here because gnutls_x509_crt_list_verify needs CA_list and CRL_list filled out by the two functions.

Please advise.

If we come up with a fix, the next question will be what you recommend on keeping code backwards compatible with gnutls-2.

Thanks,
Thomas

From nmav at gnutls.org Sat Aug 18 09:03:32 2012
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sat, 18 Aug 2012 09:03:32 +0200
Subject: upgrading from 2 to 3: gnutls_certificate_get_x509_c{a,rl}s
In-Reply-To: <20120817193142.GF24913@danbala.tuwien.ac.at>
References: <20120817193142.GF24913@danbala.tuwien.ac.at>
Message-ID: <502F3E44.70602@gnutls.org>

On 08/17/2012 09:31 PM, Thomas Klausner wrote:
> Hi!
>
> First off: I know nothing about gnutls except what I can google
> together.
> I'm looking at compiling freeDiameter-1.1.2 on my system,
> which has gnutls-3.0.22 installed.
> It doesn't compile because of
> ../libfdcore/libfdcore.so.1.1.2: undefined reference to `gnutls_certificate_get_x509_crls'
> ../libfdcore/libfdcore.so.1.1.2: undefined reference to `gnutls_certificate_get_x509_cas'
> I found
> http://www.gnu.org/software/gnutls/manual/html_node/Upgrading-from-previous-versions.html
> which says:
> gnutls_certificate_get_x509_crls, gnutls_certificate_get_x509_cas:
> Removed to allow updating the internal structures. Replaced by
> gnutls_certificate_get_issuer.

Indeed. The above functions are no longer available.

> The code looks like this:
>
> GNUTLS_TRACE( gnutls_certificate_get_x509_cas (fd_g_config->cnf_sec_data.credentials, &CA_list, (unsigned int *) &CA_list_length) );
> GNUTLS_TRACE( gnutls_certificate_get_x509_crls (fd_g_config->cnf_sec_data.credentials, &CRL_list, (unsigned int *) &CRL_list_length) );
> CHECK_GNUTLS_DO( gnutls_x509_crt_list_verify(certs, cert_max, CA_list, CA_list_length, CRL_list, CRL_list_length, 0, &verify),
> {
> TRACE_DEBUG(INFO, "Failed to verify the local certificate '%s' against local credentials. Please check your certificate is valid.", fd_g_config->cnf_sec_data.cert_file);
> return EINVAL;
> } );

What the code you quote is doing is verify certs of cert_max size against the CA_list and CRL_list received from the previous calls. You can do a similar thing using gnutls_certificate_get_issuer(). You get the issuer of certs[cert_max-1] and verify against that.
That would be something similar to:

/* look up the issuer of the last certificate in the chain among the trusted CAs */
CHECK_GNUTLS_DO( gnutls_certificate_get_issuer(fd_g_config->cnf_sec_data.credentials, certs[cert_max-1], &CA, 0),
    { error(cannot find issuer) } );
/* verify the chain against a one-element CA list (&CA) and no CRLs */
CHECK_GNUTLS_DO( gnutls_x509_crt_list_verify(certs, cert_max, &CA, 1, NULL, 0, 0, &verify),
    { error(failed to verify) } );

> I don't see how I can replace gnutls_certificate_get_x509_cas and
> gnutls_certificate_get_x509_crls with gnutls_certificate_get_issuer
> here because gnutls_x509_crt_list_verify needs CA_list and CRL_list
> filled out by the two functions.

The verification against the CRLs isn't available. If you want to do elaborate verification you may use the functions at:
http://www.gnu.org/software/gnutls/manual/html_node/Verifying-X_002e509-certificate-paths.html#Verifying-X_002e509-certificate-paths

The certificate structure is supposed to be used by functions like gnutls_certificate_verify_peers2().

> If we come up with a fix, the next question will be what you recommend
> on keeping code backwards compatible with gnutls-2.

In that case you'll have to use conditional code, or use gnutls_certificate_verify_peers2() if possible (if in the actual snippet above you're verifying the peer's certificate).

regards,
Nikos

From nmav at gnutls.org Sat Aug 18 09:21:34 2012
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sat, 18 Aug 2012 09:21:34 +0200
Subject: Question about gnutls_global_set_log_function()
In-Reply-To: 
References: 
Message-ID: <502F427E.3060809@gnutls.org>

On 08/17/2012 09:06 PM, Murray S. Kucherawy wrote:
> I'm writing a multithreaded application that could be doing RSA
> signature generations and/or validations in parallel.
>
> Right now gnutls_global_set_log_function() allows me to specify an
> error reporting function, but in theory any thread could call it.
> It
> would be helpful to receive something thread-specific in the function
> I provide to gnutls_global_set_log_function() so that, for example, a
> buffer could be assigned per thread to receive this information.

Indeed. However this is a debugging function, not one that is typically expected to run. Which error conditions do you try to catch using those? The only related function I can see is gnutls_global_set_audit_log_function() which supplies the session argument.

> As it stands right now I have to do something like a pthread_key to
> get thread-specific storage from the underlying threading
> implementation. Not having that dependency would be desirable. Being
> able to add gnutls_set_thread_specific() that stores a thread-specific
> pointer would be helpful, and then that could be done inside my global
> log function to take thread-specific action.

What do you mean? Where would the thread-specific pointer be stored?

regards,
Nikos

From superuser at gmail.com Sun Aug 19 06:23:39 2012
From: superuser at gmail.com (Murray S. Kucherawy)
Date: Sat, 18 Aug 2012 21:23:39 -0700
Subject: Question about gnutls_global_set_log_function()
In-Reply-To: <502F427E.3060809@gnutls.org>
References: <502F427E.3060809@gnutls.org>
Message-ID: 

I suppose I'm comparing this to the openssl method where there's a per-thread queue of error codes which can then be translated to strings. You might get 0 or 1 back from RSA_verify(), for example, but if you want detail you have to go into the per-thread error stack, extract codes, and translate them to strings.

It may be the case that the GNUTLS equivalent functions are more descriptive. If that's the case, then I probably don't need this capability after all.
-MSK

From nmav at gnutls.org Sun Aug 19 09:17:25 2012
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sun, 19 Aug 2012 09:17:25 +0200
Subject: Question about gnutls_global_set_log_function()
In-Reply-To: 
References: <502F427E.3060809@gnutls.org>
Message-ID: <50309305.6080201@gnutls.org>

On 08/19/2012 06:23 AM, Murray S. Kucherawy wrote:
> I suppose I'm comparing this to the openssl method where there's a
> per-thread queue of error codes which can then be translated to
> strings. You might get 0 or 1 back from RSA_verify(), for example,
> but if you want detail you have to go into the per-thread error stack,
> extract codes, and translate them to strings.
>
> It may be the case that the GNUTLS equivalent functions are more
> descriptive. If that's the case, then I probably don't need this
> capability after all.

Indeed. There is nothing like an errno style of error codes in gnutls. Each function returns a proper error code.

regards,
Nikos

From ognen.duzlevski at gmail.com Tue Aug 21 01:05:45 2012
From: ognen.duzlevski at gmail.com (Ognen Duzlevski)
Date: Mon, 20 Aug 2012 18:05:45 -0500
Subject: Problem with GnuTLS/openssl
Message-ID: 

Hello,

I have a Debian 6.0.5 server running OpenLDAP which appears to be linked against GnuTLS. I have generated a self-signed certificate using certtool and have successfully used it to authenticate Debian client machines against the OpenLDAP ldaps:// server in question.

However, when I try to do the same on a CentOS 6 client, I am unable to do so.

On the CentOS client, if I try to run ldapsearch against the server, I get the following:

ldap_start_tls: Can't contact LDAP server (-1)
additional info: TLS error -8101:Certificate type not approved for application.

On the CentOS client, if I try to run gnutls-cli-debug, I get the following:

gnutls-cli-debug -p 636 ldap.blahblah.com
Resolving 'ldap.blahblah.com'...
Connecting to '10.6.0.11:636'...
Error in %INITIAL_SAFE_RENEGOTIATION
Checking for Safe renegotiation support...
And then it just dies.

I am getting the feeling this has something to do with GnuTLS and openssl? Any ideas?

Thanks!
OD
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 

From nmav at gnutls.org Tue Aug 21 10:36:45 2012
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Tue, 21 Aug 2012 10:36:45 +0200
Subject: Problem with GnuTLS/openssl
In-Reply-To: 
References: 
Message-ID: 

On Tue, Aug 21, 2012 at 1:05 AM, Ognen Duzlevski wrote:
> Hello,
> I have a Debian 6.0.5 server running OpenLDAP which appears to be linked
> against GnuTLS. I have generated a self-signed certificate using certtool
> and have successfully used it to authenticate Debian client machines against
> the OpenLDAP ldaps:// server in question.
> However, when I try to do the same on a CentOS 6 client, I am unable to do
> so.
> On the CentOS client, if I try to run ldapsearch against the server, I get
> the following:
> ldap_start_tls: Can't contact LDAP server (-1)
> additional info: TLS error -8101:Certificate type not approved for
> application.

This is an error I cannot help with. You should check with an openldap mailing list.

> On the CentOS client, if I try to run gnutls-cli-debug, I get the following:
> gnutls-cli-debug -p 636 ldap.blahblah.com
> Resolving 'ldap.blahblah.com'...
> Connecting to '10.6.0.11:636'...
> Error in %INITIAL_SAFE_RENEGOTIATION
> Checking for Safe renegotiation support...

Which version of libgnutls and gnutls-bin is installed in that system? It seems like they have an old library but new binaries.
regards,
Nikos

From simon at josefsson.org Tue Aug 21 12:19:26 2012
From: simon at josefsson.org (Simon Josefsson)
Date: Tue, 21 Aug 2012 12:19:26 +0200
Subject: Problem with GnuTLS/openssl
In-Reply-To: (Ognen Duzlevski's message of "Mon, 20 Aug 2012 18:05:45 -0500")
References: 
Message-ID: <87628ck0nl.fsf@latte.josefsson.org>

Ognen Duzlevski writes:

> Hello,
>
> I have a Debian 6.0.5 server running OpenLDAP which appears to be linked
> against GnuTLS. I have generated a self-signed certificate using certtool
> and have successfully used it to authenticate Debian client machines
> against the OpenLDAP ldaps:// server in question.
>
> However, when I try to do the same on a CentOS 6 client, I am unable to do
> so.
>
> On the CentOS client, if I try to run ldapsearch against the server, I get
> the following:
>
> ldap_start_tls: Can't contact LDAP server (-1)
> additional info: TLS error -8101:Certificate type not approved for
> application.

Maybe you need to answer one of these with 'y' when you generate the cert:

Is this also a TLS web server certificate? (y/N):
Will the certificate be used for signing (required for TLS)? (y/N):
Will the certificate be used for encryption (not required for TLS)? (y/N):

/Simon

From ognen.duzlevski at gmail.com Tue Aug 21 18:10:49 2012
From: ognen.duzlevski at gmail.com (Ognen Duzlevski)
Date: Tue, 21 Aug 2012 11:10:49 -0500
Subject: Problem with GnuTLS/openssl
In-Reply-To: 
References: 
Message-ID: 

Nikos,

On Tue, Aug 21, 2012 at 3:36 AM, Nikos Mavrogiannopoulos wrote:
> Which version of libgnutls and gnutls-bin is installed in that system?
> It seems like they have an old library but new binaries.
>
>

Thanks for answering.
Here is the output of ldd /usr/bin/gnutls-cli-debug

[root at dualamd ~]# ldd /usr/bin/gnutls-cli-debug
        linux-vdso.so.1 =>  (0x00007fff58fff000)
        libgnutls.so.26 => /usr/lib64/libgnutls.so.26 (0x0000003d4f000000)
        libc.so.6 => /lib64/libc.so.6 (0x0000003dec800000)
        libtasn1.so.3 => /usr/lib64/libtasn1.so.3 (0x0000003e01000000)
        libz.so.1 => /lib64/libz.so.1 (0x0000003dee000000)
        libgcrypt.so.11 => /usr/local/lib/libgcrypt.so.11 (0x00007f2d102f3000)
        /lib64/ld-linux-x86-64.so.2 (0x0000003dec400000)
        libgpg-error.so.0 => /usr/local/lib/libgpg-error.so.0 (0x00007f2d100ef000)

I compiled my own versions of libgnutls and latest gnutls-cli binaries and it all worked; I was able to get gnutls-cli-debug to connect to my server and give me the report I expected.

Now the question becomes what kind of surgery I need to do to this box to get it to authenticate to ldap via tls.

Cheers,
Ognen

From nmav at gnutls.org Wed Aug 22 11:05:00 2012
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Wed, 22 Aug 2012 11:05:00 +0200
Subject: Problem with GnuTLS/openssl

On Tue, Aug 21, 2012 at 6:10 PM, Ognen Duzlevski wrote:
> Thanks for answering.
> Here is the output of ldd /usr/bin/gnutls-cli-debug

You'd better check the versions of the installed packages in the distribution. It is not easy to find the actual version from the shared library version.

> I compiled my own versions of libgnutls and latest gnutls-cli binaries and
> it all worked, I was able to get gnutls-cli-debug to connect to my server
> and give me the report I expected.

Try to report the issue in your distribution.

> Now the question becomes what kind of surgery I need to do to this box to
> get it to authenticate to ldap via tls.

Doesn't the ldap work with the new library you installed?
regards,
Nikos

From tomackermann at gmail.com Fri Aug 24 09:42:11 2012
From: tomackermann at gmail.com (Tom Ackermann)
Date: Fri, 24 Aug 2012 09:42:11 +0200
Subject: certtool never asks for CA-password when signing certificates

Hi all

I have already posted this in several (ubuntu-) forums but haven't received any hints so far, maybe somebody on this list can shed some light on this:

When creating a CA with a password, certtool never again asks for the password when signing new certificates.

Steps to reproduce (on Ubuntu 12.04, amd64)
----
[root at host] certtool -v
certtool (GnuTLS) 2.12.14
(...)
----

1. Create a private key for the CA:
----
[root at host] certtool --generate-privkey --outfile ca_tls.key --password "secret"
(...)
----

2. Create a self-signed certificate for the CA
----
[root at host] certtool --generate-self-signed --load-privkey ca_tls.key --outfile ca_tls.cert --password "secret"
Generating a self signed certificate...
Please enter the details of the certificate's distinguished name. Just press enter to ignore a field.
(...)
Does the certificate belong to an authority? (y/N): y
Path length constraint (decimal, -1 for no constraint): -1
Is this a TLS web client certificate? (y/N): n
Will the certificate be used for IPsec IKE operations? (y/N):
Is this also a TLS web server certificate? (y/N): n
Enter the e-mail of the subject of the certificate:
Will the certificate be used to sign other certificates? (y/N): y
Will the certificate be used to sign CRLs? (y/N): y
Will the certificate be used to sign code? (y/N): y
Will the certificate be used to sign OCSP requests? (y/N): y
(...)
----

3. Create a key for the server
----
[root at host] certtool --generate-privkey --outfile server_tls.key
----

4. Create a certificate for the server
----
[root at host] certtool --generate-certificate --load-privkey server_tls.key --load-ca-certificate ca_tls.cert --load-ca-privkey ca_tls.key --outfile server_tls.cert
Generating a signed certificate...
Please enter the details of the certificate's distinguished name. Just press enter to ignore a field.
(...)
Does the certificate belong to an authority? (y/N):
Is this a TLS web client certificate? (y/N):
Will the certificate be used for IPsec IKE operations? (y/N):
Is this also a TLS web server certificate? (y/N): y
Enter a dnsName of the subject of the certificate: server
Enter a dnsName of the subject of the certificate: server.com
Enter a dnsName of the subject of the certificate: www.server.com
Enter a dnsName of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N):
Will the certificate be used for encryption (RSA ciphersuites)? (y/N): y
(...)
Is the above information ok? (y/N): y
Signing certificate...
----

The certificate for the server gets created and works fine (e.g. importing the CA cert in firefox and configuring apache with the server cert). However, I would expect to be asked for the CA password (created in step 1) when signing the certificate in step 4. This doesn't happen.

By the way: Why can I even define a password for the CA certificate in step 2? I would think a password for the CA key should be sufficient?

Thanks!

From nmav at gnutls.org Fri Aug 24 14:40:51 2012
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Fri, 24 Aug 2012 14:40:51 +0200
Subject: certtool never asks for CA-password when signing certificates

On Fri, Aug 24, 2012 at 9:42 AM, Tom Ackermann wrote:
> Hi all
> I have already posted this in several (ubuntu-) forums but haven't received
> any hints so far, maybe somebody on this list can shed some light on this:
> When creating a CA with a password, certtool never again asks for the
> password when signing new certificates.

Thanks for reporting that.
The default key format doesn't support any passwords. You have to use the PKCS #8 format (with the --pkcs8 parameter). I'll put a check to do it automatically if a password has been supplied.

regards,
Nikos

From bortzmeyer at nic.fr Tue Aug 28 11:28:17 2012
From: bortzmeyer at nic.fr (Stephane Bortzmeyer)
Date: Tue, 28 Aug 2012 11:28:17 +0200
Subject: www.gnutls.org does not have TLS...
Message-ID: <20120828092816.GA26625@nic.fr>

% gnutls-cli www.gnutls.org
Processed 150 CA certificate(s).
Resolving 'www.gnutls.org'...
Connecting to '199.59.163.239:443'...
Cannot connect to www.gnutls.org:443: Connection refused

:-(

From bortzmeyer at nic.fr Tue Aug 28 11:30:08 2012
From: bortzmeyer at nic.fr (Stephane Bortzmeyer)
Date: Tue, 28 Aug 2012 11:30:08 +0200
Subject: Any TLS server with OpenPGP certificates?
Message-ID: <20120828093008.GA26733@nic.fr>

GnuTLS has handled OpenPGP certificates (RFC 6091) for a long time. Does anyone know of a TLS server in the wild using these?

From mr_mol13 at hotmail.com Tue Aug 28 19:23:20 2012
From: mr_mol13 at hotmail.com (Minh Nguyen Huu)
Date: Tue, 28 Aug 2012 17:23:20 +0000
Subject: GNUTLS + MinGW help

Hi,

I'm trying to compile the gnutls library using MinGW on Windows 7 (64bit). After some struggling, I've managed to compile Nettle (+GMP), however I cannot make GNUTLS. When I run ./configure in the GNUTLS everything seems ok, but when I try to make the library I keep getting the same error, which I have pasted below. Does anyone have experience making gnutls on Windows and can help me out?

Thanks in advance,
Minh

*** Warning: This system can not link to static lib archive D:/MinGW/lib/libgmp.la.
*** I have the capability to make that library automatically link in when
*** you link to this library. But I can only do this if you have a
*** shared version of the library, which you do not appear to have.
Creating library file: .libs/libgnutls.dll.a
nettle/.libs/libcrypto.a(mpi.o): In function `wrap_nettle_mpi_new':
D:\MinGW\msys\1.0\home\Minh\gnutls-3.0.22\lib\nettle/mpi.c:97: undefined reference to `___gmpz_init2'
nettle/.libs/libcrypto.a(mpi.o): In function `wrap_nettle_mpi_div':
D:\MinGW\msys\1.0\home\Minh\gnutls-3.0.22\lib\nettle/mpi.c:342: undefined reference to `___gmpz_cdiv_q'
nettle/.libs/libcrypto.a(ecc_make_key.o): In function `ecc_make_key':
D:\MinGW\msys\1.0\home\Minh\gnutls-3.0.22\lib\nettle/ecc_make_key.c:142: undefined reference to `___gmpz_set_str'
D:\MinGW\msys\1.0\home\Minh\gnutls-3.0.22\lib\nettle/ecc_make_key.c:143: undefined reference to `___gmpz_set_str'
D:\MinGW\msys\1.0\home\Minh\gnutls-3.0.22\lib\nettle/ecc_make_key.c:144: undefined reference to `___gmpz_set_str'
D:\MinGW\msys\1.0\home\Minh\gnutls-3.0.22\lib\nettle/ecc_make_key.c:145: undefined reference to `___gmpz_set_str'
D:\MinGW\msys\1.0\home\Minh\gnutls-3.0.22\lib\nettle/ecc_make_key.c:146: undefined reference to `___gmpz_set_str'
nettle/.libs/libcrypto.a(ecc_make_key.o):D:\MinGW\msys\1.0\home\Minh\gnutls-3.0.22\lib\nettle/ecc_make_key.c:147: more undefined references to `___gmpz_set_str' follow
nettle/.libs/libcrypto.a(ecc_projective_dbl_point_3.o): In function `ecc_projective_dbl_point':
D:\MinGW\msys\1.0\home\Minh\gnutls-3.0.22\lib\nettle/ecc_projective_dbl_point_3.c:113: undefined reference to `___gmpz_divexact_ui'
nettle/.libs/libcrypto.a(ecc_projective_add_point.o): In function `ecc_projective_add_point':
D:\MinGW\msys\1.0\home\Minh\gnutls-3.0.22\lib\nettle/ecc_projective_add_point.c:214: undefined reference to `___gmpz_divexact_ui'
collect2.exe: error: ld returned 1 exit status
make[3]: *** [libgnutls.la] Error 1
make[3]: Leaving directory `/home/Minh/gnutls-3.0.22/lib'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/home/Minh/gnutls-3.0.22/lib'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/Minh/gnutls-3.0.22'
make: *** [all] Error 2

From nmav at gnutls.org Wed Aug 29 10:54:58 2012
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Wed, 29 Aug 2012 10:54:58 +0200
Subject: www.gnutls.org does not have TLS...
In-Reply-To: <20120828092816.GA26625@nic.fr>
References: <20120828092816.GA26625@nic.fr>

On Tue, Aug 28, 2012 at 11:28 AM, Stephane Bortzmeyer wrote:
> % gnutls-cli www.gnutls.org
> Processed 150 CA certificate(s).
> Resolving 'www.gnutls.org'...
> Connecting to '199.59.163.239:443'...
> Cannot connect to www.gnutls.org:443: Connection refused

Unfortunately we don't have the resources to sustain an https server.

regards,
Nikos

From nmav at gnutls.org Wed Aug 29 13:31:48 2012
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Wed, 29 Aug 2012 13:31:48 +0200
Subject: Any TLS server with OpenPGP certificates?
In-Reply-To: <20120828093008.GA26733@nic.fr>
References: <20120828093008.GA26733@nic.fr>

On Tue, Aug 28, 2012 at 11:30 AM, Stephane Bortzmeyer wrote:
> GnuTLS has handled OpenPGP certificates (RFC 6091) for a long time. Does
> anyone know of a TLS server in the wild using these?

mod_gnutls [0] can be used with openpgp certificates. I don't know if or which Internet servers use it.

regards,
Nikos

[0]. http://modgnutls.sourceforge.net/
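As an added example (not from the thread or from the GnuTLS project), a small POSIX shell check for the point Nikos makes in the certtool thread above: certtool 2.12 ignores --password unless --pkcs8 is also given, so a script should inspect the PEM header of the file it actually wrote instead of trusting that the CA key is encrypted. The names key_format, make_ca_key and demo are assumed here; make_ca_key only does something useful where certtool is installed, and the demo files contain constructed headers, not real key material.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread.
# certtool 2.12 silently ignores --password unless --pkcs8 is given, so
# look at the PEM header that was written before trusting a CA key is encrypted.

key_format() {
    # $1: path to a PEM file. Prints one of:
    #   pkcs8-encrypted  what --pkcs8 --password should produce
    #   pkcs8-plain      PKCS #8 without a password
    #   legacy-plain     traditional RSA/DSA/EC format; --password was ignored
    #   unknown          not a PEM private key (or unreadable file)
    hdr=$(grep '^-----BEGIN' "$1" 2>/dev/null | head -n 1)
    case "$hdr" in
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8-encrypted ;;
        '-----BEGIN PRIVATE KEY-----')           echo pkcs8-plain ;;
        '-----BEGIN RSA PRIVATE KEY-----'|'-----BEGIN DSA PRIVATE KEY-----'|'-----BEGIN EC PRIVATE KEY-----')
                                                 echo legacy-plain ;;
        *)                                       echo unknown ;;
    esac
}

# Assumed wrapper: generate the CA key as Nikos recommends (--pkcs8) and
# refuse to continue if the file on disk is not actually encrypted.
make_ca_key() {
    out=$1; pass=$2
    certtool --generate-privkey --pkcs8 --password "$pass" --outfile "$out" || return 1
    fmt=$(key_format "$out")
    if [ "$fmt" != pkcs8-encrypted ]; then
        echo "refusing to use $out: key format is $fmt, not encrypted" >&2
        return 1
    fi
    echo "$out: $fmt"
}

# Stand-alone demo on constructed headers (no real key material): the first
# file mimics what the thread's step 1 produced, the second what --pkcs8 gives.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIB...' \
        '-----END RSA PRIVATE KEY-----' > "$d/ca_tls.key"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'MIIB...' \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$d/ca_tls_pkcs8.key"
    for f in "$d/ca_tls.key" "$d/ca_tls_pkcs8.key"; do
        echo "$f: $(key_format "$f")"
    done
    rm -rf "$d"
}
demo
```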