From admin at webmasterdirect.org Wed Dec 5 11:53:29 2012 From: admin at webmasterdirect.org (admin at webmasterdirect.org) Date: Wed, 05 Dec 2012 10:53:29 -0000 Subject: [Help-gnutls] DVD Burner Message-ID: <2737bbe$26b3$761f> An HTML attachment was scrubbed... URL: From nmav at gnutls.org Sat Dec 1 04:26:52 2012 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Sat, 01 Dec 2012 04:26:52 +0100 Subject: gnutls4win for 2.12.x or 3.x? In-Reply-To: <50B91796.90103@fifthhorseman.net> References: <50B91796.90103@fifthhorseman.net> Message-ID: <50B978FC.8070706@gnutls.org> On 11/30/2012 09:31 PM, Daniel Kahn Gillmor wrote: > hey folks-- > > Simon's gnutls4win packages [0] look like the latest version is 2.10.1 > [1]. But according to the homepage [2], the latest stable versions are > 2.12.21 and 3.0.26 (and then there's 3.1.5 as well). > How are the gnutls4win packages maintained? You may use the cross.mk to build gnutls if you have mingw64. Otherwise why not the binaries at ftp://ftp.gnu.org/gnu/gnutls/w32/? regards, Nikos From dkg at fifthhorseman.net Sat Dec 1 22:02:01 2012 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Sat, 01 Dec 2012 16:02:01 -0500 Subject: gnutls4win for 2.12.x or 3.x? In-Reply-To: <50B978FC.8070706@gnutls.org> References: <50B91796.90103@fifthhorseman.net> <50B978FC.8070706@gnutls.org> Message-ID: <50BA7049.2040401@fifthhorseman.net> On 11/30/2012 10:26 PM, Nikos Mavrogiannopoulos wrote: > On 11/30/2012 09:31 PM, Daniel Kahn Gillmor wrote: > >> Simon's gnutls4win packages [0] look like the latest version is 2.10.1 >> [1]. But according to the homepage [2], the latest stable versions are >> 2.12.21 and 3.0.26 (and then there's 3.1.5 as well). > >> How are the gnutls4win packages maintained? > > You may use the cross.mk to build gnutls if you have mingw64. Otherwise > why not the binaries at ftp://ftp.gnu.org/gnu/gnutls/w32/? Ah, i hadn't noticed those, thanks! I'll give them a try. Simon, given these packages, what is the status of gnutls4win? should that be removed, or should the page at least point people at the w32/ directory? --dkg From dkg at fifthhorseman.net Mon Dec 3 23:27:40 2012 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Mon, 03 Dec 2012 17:27:40 -0500 Subject: buggy gnutls-cli -h output on w32 builds [was: Re: gnutls4win for 2.12.x or 3.x?] In-Reply-To: <50B978FC.8070706@gnutls.org> References: <50B91796.90103@fifthhorseman.net> <50B978FC.8070706@gnutls.org> Message-ID: <50BD275C.9010303@fifthhorseman.net> Thanks for the pointer, Nikos. I've tried these out now. It looks like someone is wrong with the -h output, which looks like the transcript below. I hope this is a useful report. my debugging skills on windows are extremely rusty. Regards, --dkg > C:\Documents and Settings\dkg\Desktop\gnutls\bin>gnutls-cli.exe -h > gnutls-cli - GnuTLS client - Ver. 3.0.22 > USAGE: gnutls-cli.exe [ - [] | --[{=| }] ]... [hostname] > > -d, --$s$s Enable debugging. > - It must be in the range: > 0 to 9999 > -V, --$s$s More verbose output > - may appear multiple times > --$s$s Enable trust on first use authentication > - disabled as --no-tofu > --$s$s Enable OCSP certificate verification > - disabled as --no-ocsp > -r, --$s$s Establish a session and resume > -e, --$s$s Establish a session and rehandshake > --$s$s Don't accept session tickets > -s, --$s$s Connect, establish a plain session and start TLS. > -u, --$s$s Use DTLS (datagram TLS) over UDP > --$s$s Set MTU for datagram TLS > - It must be in the range: > 0 to 17000 > --$s$s Send CR LF instead of LF > --$s$s Use DER format for certificates to read from > -f, --$s$s Send the openpgp fingerprint, instead of the key > --$s$s Disable all the TLS extensions > --$s$s Print peer's certificate in PEM format > --$s$s The maximum record size to advertize > - It must be in the range: > 0 to 4096 > --$s$s Priorities string > --$s$s Certificate file or PKCS #11 URL to use > --$s$s CRL file to use > - file must pre-exist > --$s$s PGP Key file to use > - file must pre-exist > --$s$s PGP Key ring file to use > - file must pre-exist > --$s$s PGP Public Key (certificate) file to use > - file must pre-exist > --$s$s X.509 key file or PKCS #11 URL to use > --$s$s X.509 Certificate file or PKCS #11 URL to use > --$s$s PGP subkey to use (hex or auto) > --$s$s SRP username to use > --$s$s SRP password to use > --$s$s PSK username to use > --$s$s PSK key (in hex) to use > -p, --$s$s The port or service to connect to > --$s$s Don't abort program if server certificate can't be > validated > --$s$s Benchmark individual ciphers > --$s$s Benchmark individual software ciphers (no hw accel > eration) > --$s$s Benchmark ciphers and key exchange methods in TLS > -l, --$s$s Print a list of the supported algorithms and modes > > -v, --$s$s Output version information and exit > -h, --$s$s Display extended usage information and exit > > Options are specified by doubled hyphens and their name or by a single > hyphen and the flag character. > Operands and options may be intermixed. They will be reordered. > > > > Simple client program to set up a TLS connection to some other computer. It > sets up a TLS connection and forwards data from the standard input to the > secured socket and vice versa. > > please send bug reports to: bug-gnutls at gnu.org From nmav at gnutls.org Tue Dec 4 09:35:37 2012 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Tue, 04 Dec 2012 09:35:37 +0100 Subject: buggy gnutls-cli -h output on w32 builds [was: Re: gnutls4win for 2.12.x or 3.x?] In-Reply-To: <50BD275C.9010303@fifthhorseman.net> References: <50B91796.90103@fifthhorseman.net> <50B978FC.8070706@gnutls.org> <50BD275C.9010303@fifthhorseman.net> Message-ID: <50BDB5D9.4090702@gnutls.org> On 12/03/2012 11:27 PM, Daniel Kahn Gillmor wrote: > Thanks for the pointer, Nikos. I've tried these out now. It looks like > someone is wrong with the -h output, which looks like the transcript below. > > I hope this is a useful report. my debugging skills on windows are > extremely rusty. > > Regards, > > --dkg > >> C:\Documents and Settings\dkg\Desktop\gnutls\bin>gnutls-cli.exe -h >> gnutls-cli - GnuTLS client - Ver. 3.0.22 >> USAGE: gnutls-cli.exe [ - [] | --[{=| }] ]... [hostname] >> >> -d, --$s$s Enable debugging. >> - It must be in the range: Hello, I noticed that too few days ago. Try this patch: http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=c9658d930016519e0b44ac284e7414292267e57d regards, Nikos From rich at kde.org Wed Dec 5 00:09:02 2012 From: rich at kde.org (Richard Moore) Date: Tue, 4 Dec 2012 23:09:02 +0000 Subject: Possible bug in CRQ code, or possible user error? Message-ID: Hi, I've been trying to access the name fields of certificate requests using gnutls, and I'm not getting any joy, I've included the code below. Is this something I'm doing wrong, or is there a bug here? I always get -56 (The requested data were not available). I've looked over the test cases for this case, and accessing these fields doesn't seem to be covered. Any hints? Cheers Rich. QStringList CertificateRequest::nameEntryInfo(Certificate::EntryType attribute) { QStringList result; #if 0 int index = 0; QByteArray buffer(1024, 0); size_t size = buffer.size(); do { d->errno = gnutls_x509_crq_get_attribute_data(d->crq, index, buffer.data(), &size); result << QString::fromUtf8(buffer); qDebug() << d->errno << gnutls_strerror(d->errno) << buffer; index++; } while(GNUTLS_E_SUCCESS == d->errno); #else QByteArray oid = entrytype_to_oid(attribute); if (oid.isNull()) return result; int index = 0; QByteArray buffer(1024, 0); size_t size = buffer.size(); do { qDebug() << oid; d->errno = gnutls_x509_crq_get_attribute_by_oid(d->crq, oid.constData(), index, buffer.data(), &size); result << QString::fromUtf8(buffer); qDebug() << d->errno << gnutls_strerror(d->errno) << buffer; index++; } while(GNUTLS_E_SUCCESS == d->errno); #endif return result; } From nmav at gnutls.org Wed Dec 5 00:23:44 2012 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Wed, 05 Dec 2012 00:23:44 +0100 Subject: Possible bug in CRQ code, or possible user error? In-Reply-To: References: Message-ID: <50BE8600.3070206@gnutls.org> On 12/05/2012 12:09 AM, Richard Moore wrote: > Hi, > > I've been trying to access the name fields of certificate requests > using gnutls, and I'm not getting any joy, I've included the code > below. Is this something I'm doing wrong, or is there a bug here? I > always get -56 (The requested data were not available). I've looked > over the test cases for this case, and accessing these fields doesn't > seem to be covered. Any hints? Hello, Do you mean the DistinguishedName fields? Did you try the: gnutls_x509_crq_get_dn_by_oid() and gnutls_x509_crq_get_dn()? > d->errno = gnutls_x509_crq_get_attribute_data(d->crq, index, > d->errno = gnutls_x509_crq_get_attribute_by_oid(d->crq, The functions that you use in your example above are used to set additional attributes to the certificate request (that have nothing to do with names -e.g. the challenge password is one of those). regards, Nikos From rich at kde.org Wed Dec 5 00:32:14 2012 From: rich at kde.org (Richard Moore) Date: Tue, 4 Dec 2012 23:32:14 +0000 Subject: Possible bug in CRQ code, or possible user error? In-Reply-To: <50BE8600.3070206@gnutls.org> References: <50BE8600.3070206@gnutls.org> Message-ID: On 4 December 2012 23:23, Nikos Mavrogiannopoulos wrote: > On 12/05/2012 12:09 AM, Richard Moore wrote: > >> Hi, >> >> I've been trying to access the name fields of certificate requests >> using gnutls, and I'm not getting any joy, I've included the code >> below. Is this something I'm doing wrong, or is there a bug here? I >> always get -56 (The requested data were not available). I've looked >> over the test cases for this case, and accessing these fields doesn't >> seem to be covered. Any hints? > > > Hello, > Do you mean the DistinguishedName fields? Did you try the: > gnutls_x509_crq_get_dn_by_oid() and gnutls_x509_crq_get_dn()? > >> d->errno = gnutls_x509_crq_get_attribute_data(d->crq, index, >> d->errno = gnutls_x509_crq_get_attribute_by_oid(d->crq, > > The functions that you use in your example above are used to set > additional attributes to the certificate request (that have nothing to > do with names -e.g. the challenge password is one of those). Yep, that was it - thanks a lot for spotting I'm an idiot! :-) Regards Rich. From alfredo.pironti at inria.fr Mon Dec 10 14:30:11 2012 From: alfredo.pironti at inria.fr (Alfredo Pironti) Date: Mon, 10 Dec 2012 14:30:11 +0100 Subject: [gnutls-help] gnutls is moving In-Reply-To: <50C5CF8E.6090100@gnutls.org> References: <50C5CF8E.6090100@gnutls.org> Message-ID: > I'd like to announce that the development of gnutls is moving outside > the infrastructure of the GNU project. I no longer consider GnuTLS > a GNU project and future contributions are not required to be under the > copyright of FSF. The reason is a major disagreement with the > FSF's decisions and practices. We note however, that we _do_ support > the ideas behind the FSF. Interesting shift. Is there any public discussion explaining the reasons of this major disagreement? This could be of interest to some other FSF enthusiasts as well as GnuTLS contributors. Best, Alfredo From nmav at gnutls.org Mon Dec 10 17:35:03 2012 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Mon, 10 Dec 2012 17:35:03 +0100 Subject: [gnutls-help] gnutls is moving In-Reply-To: References: <50C5CF8E.6090100@gnutls.org> Message-ID: <50C60F37.6080605@gnutls.org> On 12/10/2012 02:30 PM, Alfredo Pironti wrote: >> I'd like to announce that the development of gnutls is moving outside >> the infrastructure of the GNU project. I no longer consider GnuTLS >> a GNU project and future contributions are not required to be under the >> copyright of FSF. The reason is a major disagreement with the >> FSF's decisions and practices. We note however, that we _do_ support >> the ideas behind the FSF. > > Interesting shift. Is there any public discussion explaining the > reasons of this major disagreement? This could be of interest to some > other FSF enthusiasts as well as GnuTLS contributors. Unfortunately not. I'll send more details on this list in the next days. regards, Nikos From rich at kde.org Sun Dec 16 21:06:55 2012 From: rich at kde.org (Richard Moore) Date: Sun, 16 Dec 2012 20:06:55 +0000 Subject: [gnutls-help] ANNOUNCE: Qt Certificate Addon Message-ID: What is it? =========== Qt Certificate Addon is a framework for creating X.509 certificates using Qt. Unlike the read-only support for certificates that's included in the SSL module this API allows new certificates, keys and signing requests to be created. Features ======== * Easy to use Qt-style Api with built-in integration with the existing QSslKey and QSslCertificate classes. * Create certificate signing requests * Create certificates * Create new keys * Support for some common certificate extensions: * Authority key identifier * Subject key identifier * Subject alternative names * Basic constraints * Key usage * Extended key usage * Pregenereated documentation is available at http://xmelegance.org/devel/qt-certificate-addon/ Source Code =========== The code is available on gitorious at: https://gitorious.org/qt-certificate-addon This code uses the LGPL gnutls library to implement it's facilities. More details about gnutls can be found at http://www.gnutls.org/ Status ====== The code is capable of creating certificates, keys and signing requests with support for the most common types of certificate extension. The documentation is at a reasonable level, there are examples and a moderate level of unit tests. I've only tested the code on Linux, but apart from the RandomGenerator class it should work fine on all platforms. What is it? =========== Qt Certificate Addon is a framework for creating X.509 certificates using Qt. Unlike the read-only support for certificates that's included in the SSL module this API allows new certificates, keys and signing requests to be created. Features ======== * Easy to use Qt-style Api with built-in integration with the existing QSslKey and QSslCertificate classes. * Create certificate signing requests * Create certificates * Create new keys * Support for some common certificate extensions: * Authority key identifier * Subject key identifier * Subject alternative names * Basic constraints * Key usage * Extended key usage * Pregenereated documentation is available at http://xmelegance.org/devel/qt-certificate-addon/ Source Code =========== The code is available on gitorious at: https://gitorious.org/qt-certificate-addon This code uses the LGPL gnutls library to implement it's facilities. More details about gnutls can be found at http://www.gnutls.org/ Status ====== The code is capable of creating certificates, keys and signing requests with support for the most common types of certificate extension. The documentation is at a reasonable level, there are examples and a moderate level of unit tests. I've only tested the code on Linux, but apart from the RandomGenerator class it should work fine on all platforms. Currently the code has only been tested against Qt 4.x, but I'll be making 5.0 the main development target soon. I intend to retain support for using the code with 4.x however. Note that at the moment I expect the API to change in incompatible ways. Wanted ====== Feedback on the API, the facilities offered - anything really. Currently the code has only been tested against Qt 4.x, but I'll be making 5.0 the main development target soon. I intend to retain support for using the code with 4.x however. Note that at the moment I expect the API to change in incompatible ways. Wanted ====== Feedback on the API, the facilities offered - anything really. From rich at kde.org Sun Dec 16 21:18:22 2012 From: rich at kde.org (Richard Moore) Date: Sun, 16 Dec 2012 20:18:22 +0000 Subject: [gnutls-help] ANNOUNCE: Qt Certificate Addon Message-ID: I noticed that this was messed up. Trying again. What is it? =========== Qt Certificate Addon is a framework for creating X.509 certificates using Qt. Unlike the read-only support for certificates that's included in the SSL module this API allows new certificates, keys and signing requests to be created. Features ======== * Easy to use Qt-style Api with built-in integration with the existing QSslKey and QSslCertificate classes. * Create certificate signing requests * Create certificates * Create new keys * Support for some common certificate extensions: * Authority key identifier * Subject key identifier * Subject alternative names * Basic constraints * Key usage * Extended key usage * Pregenereated documentation is available at http://xmelegance.org/devel/qt-certificate-addon/ Source Code =========== The code is available on gitorious at: https://gitorious.org/qt-certificate-addon This code uses the LGPL gnutls library to implement it's facilities. More details about gnutls can be found at http://www.gnutls.org/ Status ====== The code is capable of creating certificates, keys and signing requests with support for the most common types of certificate extension. The documentation is at a reasonable level, there are examples and a moderate level of unit tests. I've only tested the code on Linux, but apart from the RandomGenerator class it should work fine on all platforms. Currently the code has only been tested against Qt 4.x, but I'll be making 5.0 the main development target soon. I intend to retain support for using the code with 4.x however. Wanted ====== Feedback on the API, the facilities offered - anything really. From nmav at gnutls.org Wed Dec 19 17:49:03 2012 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Wed, 19 Dec 2012 18:49:03 +0200 Subject: [gnutls-help] ANNOUNCE: Qt Certificate Addon In-Reply-To: References: Message-ID: On Sun, Dec 16, 2012 at 10:18 PM, Richard Moore wrote: > What is it? > =========== > Qt Certificate Addon is a framework for creating X.509 certificates using > Qt. Unlike the read-only support for certificates that's included in the SSL > module this API allows new certificates, keys and signing requests to be > created. Hello Richard, The API looks reasonable. I don't know where this is intended to be used, but it may be useful to have some examples of common usage in the documentation (e.g. how to generate a certificate for a web server). I'd also miss key generation on smart card, but this may not be a popular use-case for a first release. As I see the API it can easily accommodate that in the future. > * Key usage > * Extended key usage These two proved to be hard to use in the internet. On a survey of certificates in web servers those values seem to be randomly selected based on each admin's understanding of the meaning of the values. > The code is capable of creating certificates, keys and signing requests with > support for the most common types of certificate extension. The documentation > is at a reasonable level, there are examples and a moderate level of unit > tests. I've only tested the code on Linux, but apart from the RandomGenerator > class it should work fine on all platforms. Why not use gnutls' gnutls_rnd()? regards, Nikos From rich at kde.org Thu Dec 20 16:14:19 2012 From: rich at kde.org (Richard Moore) Date: Thu, 20 Dec 2012 15:14:19 +0000 Subject: [gnutls-help] ANNOUNCE: Qt Certificate Addon In-Reply-To: References:

Message-ID: On 19 December 2012 16:49, Nikos Mavrogiannopoulos wrote: > On Sun, Dec 16, 2012 at 10:18 PM, Richard Moore wrote: > >> What is it? >> =========== >> Qt Certificate Addon is a framework for creating X.509 certificates using >> Qt. Unlike the read-only support for certificates that's included in the SSL >> module this API allows new certificates, keys and signing requests to be >> created. > > Hello Richard, > The API looks reasonable. I don't know where this is intended to be > used, but it may be useful to have some examples of common usage in > the documentation (e.g. how to generate a certificate for a web > server). At the moment, I'm not 100% sure how people will use it. I had requests from several Qt developers for an API that offered these facilities, but I'm not really clear on what they want to do with it. Personally, I'll be using it to develop some tools to manage an internal CA we use at work. I totally agree with you about the examples, I've got a couple of basic ones in the source tree, but they aren't marked up yet so they can be inlined into the docs. I'm hoping to put together a few recipe-style examples for common tasks. I covered some examples of how to use custom CAs in my dev-days talk this year, and I want this code to let people generate the certs required to use them. > > I'd also miss key generation on smart card, but this may not be a > popular use-case for a first release. As I see the API it can easily > accommodate that in the future. Yes, it's totally feasible to add this in the future. At the moment I have no access to the relevant hardware so I'm not really in a position to look at it. I know at least one developer who's contributed to Qt recently has an interest in this area, so it might well be something that gets worked on. > >> * Key usage >> * Extended key usage > > These two proved to be hard to use in the internet. On a survey of > certificates in web servers those values seem to be randomly selected > based on each admin's understanding of the meaning of the values. I've found the specs for these to be rather confusing (including which should be critical etc.). The CAB forum baseline requirements seems to be the clearest document these days, and has good coverage of the use for web servers at least in appendix B. > >> The code is capable of creating certificates, keys and signing requests with >> support for the most common types of certificate extension. The documentation >> is at a reasonable level, there are examples and a moderate level of unit >> tests. I've only tested the code on Linux, but apart from the RandomGenerator >> class it should work fine on all platforms. > > Why not use gnutls' gnutls_rnd()? Nice, I didn't know that existed. The code has been changed to use it. Thank you very much for the feedback, it's much appreciated. Rich. > > regards, > Nikos From help-gnutls-phil at spodhuis.org Fri Dec 21 02:19:31 2012 From: help-gnutls-phil at spodhuis.org (Phil Pennock) Date: Thu, 20 Dec 2012 20:19:31 -0500 Subject: [gnutls-help] gnutls is moving In-Reply-To: <50C60F37.6080605@gnutls.org> References: <50C5CF8E.6090100@gnutls.org> <50C60F37.6080605@gnutls.org> Message-ID: <20121221011931.GA69236@redoubt.spodhuis.org> On 2012-12-10 at 17:35 +0100, Nikos Mavrogiannopoulos wrote: > Unfortunately not. I'll send more details on this list in the next days. This incident has made Linux Weekly News. If any of the GnuTLS devs are not LWN subscribers, ping me and I'll send you a SubscriberLink so you can see the article (and comments) now, instead of next week when the article is opened to the general public. -Phil From nmav at gnutls.org Fri Dec 21 10:48:55 2012 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Fri, 21 Dec 2012 11:48:55 +0200 Subject: [gnutls-help] gnutls is moving In-Reply-To: <20121221011931.GA69236@redoubt.spodhuis.org> References: <50C5CF8E.6090100@gnutls.org> <50C60F37.6080605@gnutls.org> <20121221011931.GA69236@redoubt.spodhuis.org> Message-ID: On Fri, Dec 21, 2012 at 3:19 AM, Phil Pennock wrote: > On 2012-12-10 at 17:35 +0100, Nikos Mavrogiannopoulos wrote: >> Unfortunately not. I'll send more details on this list in the next days. > > This incident has made Linux Weekly News. If any of the GnuTLS devs are > not LWN subscribers, ping me and I'll send you a SubscriberLink so you > can see the article (and comments) now, instead of next week when the > article is opened to the general public. Hello Phil, Thanks that's a nice article. The reason I've not sent any updates is because there is some negotiation going on, that hopefully will prevent any fork of the project. More about it when it is complete (one way or an other). regards, Nikos From rich at kde.org Sat Dec 22 11:49:20 2012 From: rich at kde.org (Richard Moore) Date: Sat, 22 Dec 2012 10:49:20 +0000 Subject: [gnutls-help] ANNOUNCE: Qt Certificate Addon In-Reply-To: References:

Message-ID: On 20 December 2012 15:14, Richard Moore wrote: >> I'd also miss key generation on smart card, but this may not be a >> popular use-case for a first release. As I see the API it can easily >> accommodate that in the future. > > Yes, it's totally feasible to add this in the future. At the moment I > have no access to the relevant hardware so I'm not really in a > position to look at it. I know at least one developer who's > contributed to Qt recently has an interest in this area, so it might > well be something that gets worked on. Thinking some more about this, is there any hardware you could recommend for testing this kind of thing? It seems that some of the smart card devkits are actually quite cheap such as http://www.smartcardfocus.com/shop/ilp/id~85/ACR38_SDK/p/index.shtml - are they enough to try this with gnutls? Cheers Rich. From nmav at gnutls.org Sat Dec 22 11:59:37 2012 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Sat, 22 Dec 2012 12:59:37 +0200 Subject: [gnutls-help] ANNOUNCE: Qt Certificate Addon In-Reply-To: References:

Message-ID: On Sat, Dec 22, 2012 at 12:49 PM, Richard Moore wrote: >> Yes, it's totally feasible to add this in the future. At the moment I >> have no access to the relevant hardware so I'm not really in a >> position to look at it. I know at least one developer who's >> contributed to Qt recently has an interest in this area, so it might >> well be something that gets worked on. > Thinking some more about this, is there any hardware you could > recommend for testing this kind of thing? It seems that some of the > smart card devkits are actually quite cheap such as > http://www.smartcardfocus.com/shop/ilp/id~85/ACR38_SDK/p/index.shtml - > are they enough to try this with gnutls? Everything that works with opensc should be ok with gnutls. I test RSA with http://www.gooze.eu/feitian-epass-pki-token or smart card-hsm http://www.opensc-project.org/opensc/wiki/SmartCardHsm for ECDSA. regards, Nikos From rich at kde.org Sat Dec 22 13:29:34 2012 From: rich at kde.org (Richard Moore) Date: Sat, 22 Dec 2012 12:29:34 +0000 Subject: [gnutls-help] ANNOUNCE: Qt Certificate Addon In-Reply-To: References:

Message-ID: On 22 December 2012 10:59, Nikos Mavrogiannopoulos wrote: > Everything that works with opensc should be ok with gnutls. I test RSA > with http://www.gooze.eu/feitian-epass-pki-token or smart card-hsm > http://www.opensc-project.org/opensc/wiki/SmartCardHsm for ECDSA. That one seemed to be discontinued, but I've ordered one of these http://www.gooze.eu/feitian-r-301-sim-reader which is the replacement. Thanks for the advice. Rich. > > regards, > Nikos From darko.koruga at siol.net Wed Dec 26 14:05:39 2012 From: darko.koruga at siol.net (Darko K.) Date: Wed, 26 Dec 2012 14:05:39 +0100 Subject: [gnutls-help] Can't connect to my ISP's mail server using GnuTLS Message-ID: <20121226140539.68427bf4@beavis.confused.org> Hi all, let me start with a bit of a background regarding the problem I am facing. ISP started enforcing SMTP authentication recently and of course I want to use the encrypted channel for sending my password over the line. Mail user agent of my choice (Claws Mail) uses GnuTLS for encrypted communication. So I thought it would be as simple as enabling SMTP authentication and SSL but it turned out it does not work, I always get SSL handshake failed error. ISP's technical support stated that their server does not support TLS 1.1 nor TLS 1.2 so I thought I just need to set a correct priority string. I am using GnuTLS versions 3.0.20 and 3.1.5 for my experiments. I have attached the output of gnutls-cli-debug when connecting to the server in question. Based on the output of gnutls-cli-debug and on what their support said I thought it would be enough to disable TLS 1.1 and TLS 1.2 but unfortunately I still can"t connect to their server. I am using the command line gnutls-cli -p 465 --priority='NORMAL:%COMPAT:+VERS-SSL3.0:-VERS-TLS1.2:-VERS-TLS1.1' --x509cafile=/etc/ssl/certs/ca-certificates.crt mail.siol.net for testing the connection. Relevant bit of output for GnuTLS 3.1.5: Processed 151 CA certificate(s). Resolving 'mail.siol.net'... Connecting to '89.143.246.11:465'... - Certificate type: X.509 - Got a certificate list of 4 certificates. ... (certificates info comes here) - Status: The certificate is trusted. *** Fatal error: A TLS fatal alert has been received. *** Received alert [0]: Close notify *** Handshake has failed GnuTLS error: A TLS fatal alert has been received. Can someone please explain what this error means ? When I use GnuTLS 3.0.20 I get a different error: - Peer's certificate issuer is unknown - Peer's certificate is NOT trusted - The hostname in the certificate matches 'mail.siol.net'. *** Verifying server certificate failed... *** Fatal error: Error in the certificate. How come GnuTLS 3.1.5 conciders the same certificate as trusted but GnuTLS 3.0.20 does not ? I hope someone can help me resolve these connection issue. Regards, Darko -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: gnutls-debug.txt URL: From nmav at gnutls.org Wed Dec 26 16:41:49 2012 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Wed, 26 Dec 2012 17:41:49 +0200 Subject: [gnutls-help] Can't connect to my ISP's mail server using GnuTLS In-Reply-To: <20121226140539.68427bf4@beavis.confused.org> References: <20121226140539.68427bf4@beavis.confused.org> Message-ID: On Wed, Dec 26, 2012 at 3:05 PM, Darko K. wrote: > Hi all, > > let me start with a bit of a background regarding the problem I am > facing. ISP started enforcing SMTP authentication recently and of > course I want to use the encrypted channel for sending my password > over the line. Mail user agent of my choice (Claws Mail) uses GnuTLS for > encrypted communication. So I thought it would be as simple as enabling > SMTP authentication and SSL but it turned out it does not work, I > always get SSL handshake failed error. > > ISP's technical support stated that their server does not support TLS > 1.1 nor TLS 1.2 so I thought I just need to set a correct priority > string. I am using GnuTLS versions 3.0.20 and 3.1.5 for my experiments. > I have attached the output of gnutls-cli-debug when connecting to the > server in question. Hello, This is quite an understatement. Your ISP's server breaks if the client supports TLS 1.1 or TLS 1.2, and any other cipher than ARCFOUR. If it wouldn't support them it would just negotiate an earlier version of the protocol. Try: NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:+VERS-SSL3.0:-CIPHER-ALL:+ARCFOUR-128:%COMPAT regards, Nikos From dkg at fifthhorseman.net Wed Dec 26 16:43:23 2012 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Wed, 26 Dec 2012 10:43:23 -0500 Subject: [gnutls-help] Can't connect to my ISP's mail server using GnuTLS In-Reply-To: <20121226140539.68427bf4@beavis.confused.org> References: <20121226140539.68427bf4@beavis.confused.org> Message-ID: <50DB1B1B.1030505@fifthhorseman.net> On 12/26/2012 08:05 AM, Darko K. wrote: > gnutls-cli -p 465 --priority='NORMAL:%COMPAT:+VERS-SSL3.0:-VERS-TLS1.2:-VERS-TLS1.1' --x509cafile=/etc/ssl/certs/ca-certificates.crt mail.siol.net I think your isp's mailserver is oddly configured in more than one way. For one thing, their list of intermediate certificates isn't a linear progression from the end-entity (EE) certificate to the root certificate. There is actually a root certificate in the provided chain, which is against the TLS spec. They should remove the first certificate in their chain (the one with both issuer and subject set to "C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA") if they're interested in complying with the TLS specification. The server also does not claim to be able to support secure renegotiation, which indicates that it isn't being kept up-to-date -- this is a critical extension on today's network, if any sort of TLS renegotiation is to be supported. fwiw, I also can't get it to successfully negotiate a connection with openssl s_client. Are you able to connect to this successfully with any TLS client? Sorry this doesn't answer your question specifically, but these are the problems i see with the server upon first investigation. --dkg From darko.koruga at siol.net Thu Dec 27 10:35:34 2012 From: darko.koruga at siol.net (Darko K.) Date: Thu, 27 Dec 2012 10:35:34 +0100 Subject: [gnutls-help] Can't connect to my ISP's mail server using GnuTLS In-Reply-To: References: <20121226140539.68427bf4@beavis.confused.org> Message-ID: <20121227103534.4163d1ec@beavis.confused.org> On Wed, 26 Dec 2012 17:41:49 +0200 Nikos Mavrogiannopoulos wrote: > On Wed, Dec 26, 2012 at 3:05 PM, Darko K. > wrote: > > Hi all, > > > > let me start with a bit of a background regarding the problem I am > > facing. ISP started enforcing SMTP authentication recently and of > > course I want to use the encrypted channel for sending my password > > over the line. Mail user agent of my choice (Claws Mail) uses > > GnuTLS for encrypted communication. So I thought it would be as > > simple as enabling SMTP authentication and SSL but it turned out it > > does not work, I always get SSL handshake failed error. > > > > ISP's technical support stated that their server does not support > > TLS 1.1 nor TLS 1.2 so I thought I just need to set a correct > > priority string. I am using GnuTLS versions 3.0.20 and 3.1.5 for my > > experiments. I have attached the output of gnutls-cli-debug when > > connecting to the server in question. > > Hello, > This is quite an understatement. Your ISP's server breaks if the > client supports TLS 1.1 or TLS 1.2, and any other cipher than ARCFOUR. > If it wouldn't support them it would just negotiate an earlier version > of the protocol. Try: > NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:+VERS-SSL3.0:-CIPHER-ALL:+ARCFOUR-128:%COMPAT > Nikos, thank you for your help. I can now proceed with my Clas Mail modification to allow specifying a GnuTLS priority string. Regards, Darko From darko.koruga at siol.net Thu Dec 27 10:43:05 2012 From: darko.koruga at siol.net (Darko K.) Date: Thu, 27 Dec 2012 10:43:05 +0100 Subject: [gnutls-help] Can't connect to my ISP's mail server using GnuTLS In-Reply-To: <50DB1B1B.1030505@fifthhorseman.net> References: <20121226140539.68427bf4@beavis.confused.org> <50DB1B1B.1030505@fifthhorseman.net> Message-ID: <20121227104305.10cae672@beavis.confused.org> On Wed, 26 Dec 2012 10:43:23 -0500 Daniel Kahn Gillmor wrote: > On 12/26/2012 08:05 AM, Darko K. wrote: > > gnutls-cli -p 465 > > --priority='NORMAL:%COMPAT:+VERS-SSL3.0:-VERS-TLS1.2:-VERS-TLS1.1' > > --x509cafile=/etc/ssl/certs/ca-certificates.crt mail.siol.net > > I think your isp's mailserver is oddly configured in more than one > way. > > For one thing, their list of intermediate certificates isn't a linear > progression from the end-entity (EE) certificate to the root > certificate. There is actually a root certificate in the provided > chain, which is against the TLS spec. > > They should remove the first certificate in their chain (the one with > both issuer and subject set to "C=US,O=GeoTrust Inc.,CN=GeoTrust > Global CA") if they're interested in complying with the TLS > specification. > > The server also does not claim to be able to support secure > renegotiation, which indicates that it isn't being kept up-to-date -- > this is a critical extension on today's network, if any sort of TLS > renegotiation is to be supported. > > fwiw, I also can't get it to successfully negotiate a connection with > openssl s_client. Are you able to connect to this successfully with > any TLS client? > > Sorry this doesn't answer your question specifically, but these are > the problems i see with the server upon first investigation. > Hello Daniel, thank you for your help. My bet is they run some proprietary software on Windows which obviously implements security very poorly. If I were more familiar about SSL and TLS protocols I would definitely open a ticket with them. I was able to connect using OpenSSL s_client but I forgot what command line I used and what version of OpenSSL it was. It wasn't interesting for me since Claws Mail does not support OpenSSL. Regards, Darko From dkg at fifthhorseman.net Thu Dec 27 17:07:13 2012 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Thu, 27 Dec 2012 11:07:13 -0500 Subject: [gnutls-help] Can't connect to my ISP's mail server using GnuTLS In-Reply-To: <20121227104305.10cae672@beavis.confused.org> References: <20121226140539.68427bf4@beavis.confused.org> <50DB1B1B.1030505@fifthhorseman.net> <20121227104305.10cae672@beavis.confused.org> Message-ID: <50DC7231.5050000@fifthhorseman.net> On 12/27/2012 04:43 AM, Darko K. wrote: > thank you for your help. My bet is they run some proprietary software > on Windows which obviously implements security very poorly. If I were > more familiar about SSL and TLS protocols I would definitely open a > ticket with them. You could also open a ticket with them and point them to the archive of this mailing list discussion (starting here): http://lists.gnutls.org/pipermail/gnutls-help/2012-December/003029.html fwiw, I'd be wary of entrusting my mail to a mail server with misconfigurations/brokenness this severe in its TLS stack, on the (possibly mistaken) assumption that lack of attention to detail here is probably indicative of similar sloppiness in other parts of the infrastructure. --dkg