From nmav at gnutls.org Wed Feb 1 12:57:45 2012
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Wed, 1 Feb 2012 12:57:45 +0100
Subject: Libnettle 2.4 was not found
In-Reply-To:
References:
Message-ID:

On Tue, Jan 31, 2012 at 11:40 PM, Nick Khamis wrote:
> Hello Everyone,
> I am using the latest version of Debian. With lib nettle 2.4 installed:
> ls /usr/lib/
> libnettle.a
> libnettle.so
> libnettle.so.4
> libnettle.so.4.3
> When compiling GNU tls, I am getting the libnettle 2.4 not found.

Hi,
Check your config.log for the reason libnettle was not found.

regards,
Nikos

From lfinsto at gwdg.de Wed Feb 1 18:18:31 2012
From: lfinsto at gwdg.de (lfinsto at gwdg.de)
Date: Wed, 1 Feb 2012 18:18:31 +0100
Subject: Libnettle 2.4 was not found
Message-ID: <749c470824df305e4f45db3b55524e00.squirrel@mailbox.gwdg.de>

Hello,

> When compiling GNU tls, I am getting the libnettle 2.4 not found. I tried:

I did this a couple of days ago and had some difficulty. You have to install gmp and p11-kit first. If gmp isn't found, installing libnettle will work, but libhogweed will not be created. Then, configure will fail for GNUTLS.

I don't have root privileges on the machines where I was installing everything, so you may not need the added complications in the calls to configure. /home/optinum/eron0015/crypto/ is where I installed everything.

gmp and p11-kit caused no difficulties.

This was how I invoked configure for nettle:

./configure CFLAGS="-I/home/optinum/eron0015/crypto/include" CPPFLAGS="-I/home/optinum/eron0015/crypto/include" LDFLAGS="-L/home/optinum/eron0015/crypto/lib" --disable-openssl --enable-shared --prefix=/home/optinum/eron0015/crypto

CPPFLAGS is needed because of a program in the test suite. It should work to set (and export) the environment variables in the shell. It didn't work for me, but that was probably because I mistyped the path names.
This was how I invoked configure for GNUTLS:

./configure CFLAGS="-I/home/optinum/eron0015/crypto/include" CPPFLAGS="-I/home/optinum/eron0015/crypto/include" LDFLAGS="-L/home/optinum/eron0015/crypto/lib" --prefix=/home/optinum/eron0015/crypto

CPPFLAGS was probably unnecessary. It was leftover from the command for nettle. --with-libnettle-prefix was not necessary.

Laurence Finston

On Tue, January 31, 2012 11:40 pm, Nick Khamis wrote:
> Hello Everyone,
> I am using the latest version of Debian. With lib nettle 2.4 installed:
> ls /usr/lib/
> libnettle.a
> libnettle.so
> libnettle.so.4
> libnettle.so.4.3
> When compiling GNU tls, I am getting the libnettle 2.4 not found. I tried:
> ./configure --prefix=/usr
> ./configure --prefix=/usr --with-libnettle-prefix=/usr
> And got the same error
> Thanks in Advance,
> Nicholas.

-------------------------------------------------------------
Laurence Finston
Gesellschaft fuer wissenschaftliche Datenverarbeitung mbH
Am Fassberg 11
37077 Goettingen
Telefon: +49 551 201-1882
E-Mail: lfinsto at gwdg.de

From ajit.patra at infineon.com Thu Feb 2 06:11:39 2012
From: ajit.patra at infineon.com (ajit)
Date: Thu, 2 Feb 2012 05:11:39 +0000 (UTC)
Subject: GNUTLS 3.0.8 Compilation Error
References: <87fwgvxszj.fsf@latte.josefsson.org>
Message-ID:

Hi Nicolas,
I am facing also the same issue. Did you find a solution for your problem?
Thanks in advance.
Ajit

From mihirk.31 at gmail.com Mon Feb 6 03:06:12 2012
From: mihirk.31 at gmail.com (Mihir Kulkarni)
Date: Sun, 5 Feb 2012 18:06:12 -0800
Subject: HELP: Client-Server code for anonymous authentication NOT working
Message-ID:

Hello,
I am part of a team at University of California, Irvine who are trying our hand at GNUTLS. We installed the package and all its dependencies. But when trying with the example code given in the documentation, it throws up an error. The details are:
I tried running the server and client with anonymous authentication.
The exact error that it gives is:

*CLIENT:*
mihir at GNU-Linux:~/GNUTLS/gnutls-2.8.6/client$ ./a.out
*** Handshake failed
GNUTLS ERROR: A TLS packet with unexpected length was received.

*SERVER:*
mihir at GNU-Linux:~/GNUTLS/gnutls-2.8.6/server$ ./a.out
Server ready. Listening to port '5556'.

- connection from 127.0.0.1, port 48108
*** Handshake has failed (A TLS packet with unexpected length was received.)

What is figured out so far is that the server goes into an infinite loop on line 120 for the statements:
do
{
    ret = gnutls_handshake (session);
    printf("Do...\n");
}
while (gnutls_error_is_fatal (ret) == 0);

Can someone please tell me what might be going wrong?
Thank you for your help.

regards,
Mihir Kulkarni
Graduate Student
University of California, Irvine
http://goo.gl/CvRcG

From code at funwithsoftware.org Mon Feb 6 06:19:10 2012
From: code at funwithsoftware.org (Patrick Pelletier)
Date: Sun, 5 Feb 2012 21:19:10 -0800
Subject: HELP: Client-Server code for anonymous authentication NOT working
In-Reply-To:
References:
Message-ID:

This sounds like the same problem I ran into recently. I saw the exact same behavior when I tried compiling the current version of the example programs against the GnuTLS libraries that came with my operating system. (GnuTLS 2.8.5 on Ubuntu 10.04.)

I'm assuming my issue (and therefore yours) is that I was running example code that was meant for GnuTLS 3.x against an installed library that was GnuTLS 2.x. (And, presumably the change in major version indicates an incompatibility, although unfortunately in this case it's a rather subtle one.)

When I installed the examples that were meant for the version of GnuTLS I was actually using (by installing the "gnutls-doc" package on Ubuntu, which put the example source code in /usr/share/doc/gnutls-doc/examples), and compiled them, it worked fine.
(Presumably it would also work to build the latest GnuTLS from source, and then use the latest example code, but that's not the approach I went with, because I wanted to write code that would work with Ubuntu's binary packages.)

In particular, the 3.x example code has the while loop you mentioned, while the 2.x example code does not have the while loop.

(The example anonymous server is ex-anon-serv.c in both the 2.x and 3.x examples, but the anonymous client is called ex-client1.c in 2.x, while it's called ex-anon-client.c in 3.x.)

I hope that helps,

--Patrick

On Feb 5, 2012, at 6:06 PM, Mihir Kulkarni wrote:

> Hello,
> I am part of a team at University of California, Irvine who are
> trying our hand at GNUTLS. We installed the package and all its
> dependencies. But when trying with the example code given in the
> documentation, it throws up an error. The details are:
> I tried running the server and client with anonymous authentication.
> The exact error that it gives is:
>
> CLIENT:
> mihir at GNU-Linux:~/GNUTLS/gnutls-2.8.6/client$ ./a.out
> *** Handshake failed
> GNUTLS ERROR: A TLS packet with unexpected length was received.
>
> SERVER:
> mihir at GNU-Linux:~/GNUTLS/gnutls-2.8.6/server$ ./a.out
> Server ready. Listening to port '5556'.
>
> - connection from 127.0.0.1, port 48108
> *** Handshake has failed (A TLS packet with unexpected length was
> received.)
>
> What is figured out so far is that the server goes into an infinite
> loop on line 120 for the statements:
> do
> {
>     ret = gnutls_handshake (session);
>     printf("Do...\n");
> }
> while (gnutls_error_is_fatal (ret) == 0);
>
>
> Can someone please tell me what might be going wrong?
> Thank you for your help.
>
> regards,
> Mihir Kulkarni
> Graduate Student
> University of California, Irvine
> http://goo.gl/CvRcG
> _______________________________________________
> Help-gnutls mailing list
> Help-gnutls at gnu.org
> https://lists.gnu.org/mailman/listinfo/help-gnutls

From mihirk.31 at gmail.com Mon Feb 6 06:24:33 2012
From: mihirk.31 at gmail.com (Mihir Kulkarni)
Date: Sun, 5 Feb 2012 21:24:33 -0800
Subject: HELP: Client-Server code for anonymous authentication NOT working
In-Reply-To:
References:
Message-ID:

Hello Patrick,
That's exactly my case! GnuTLS 2.8.6 on Ubuntu 10.04. Thanks a lot for the prompt reply. Though I'm not at my machine right now, but I'll surely do what you've said and let you know if I face any other problems. But yes, your observations are exactly correct regarding the client and server code in 2.x and 3.x!
I hadn't expected an early reply on Superbowl Sunday! [?] Anyways, thanks a lot.

cheers,
Mihir Kulkarni
Graduate Student
University of California, Irvine
http://goo.gl/CvRcG

On Sun, Feb 5, 2012 at 9:19 PM, Patrick Pelletier wrote:

> This sounds like the same problem I ran into recently. I saw the exact
> same behavior when I tried compiling the current version of the example
> programs against the GnuTLS libraries that came with my operating system.
> (GnuTLS 2.8.5 on Ubuntu 10.04.)
>
> I'm assuming my issue (and therefore yours) is that I was running example
> code that was meant for GnuTLS 3.x against an installed library that was
> GnuTLS 2.x. (And, presumably the change in major version indicates an
> incompatibility, although unfortunately in this case it's a rather subtle
> one.)
>
> When I installed the examples that were meant for the version of GnuTLS I
> was actually using (by installing the "gnutls-doc" package on Ubuntu, which
> put the example source code in /usr/share/doc/gnutls-doc/examples), and
> compiled them, it worked fine.
>
> (Presumably it would also work to build the latest GnuTLS from source, and
> then use the latest example code, but that's not the approach I went with,
> because I wanted to write code that would work with Ubuntu's binary
> packages.)
>
> In particular, the 3.x example code has the while loop you mentioned,
> while the 2.x example code does not have the while loop.
>
> (The example anonymous server is ex-anon-serv.c in both the 2.x and 3.x
> examples, but the anonymous client is called ex-client1.c in 2.x, while
> it's called ex-anon-client.c in 3.x.)
>
> I hope that helps,
>
> --Patrick
>
>
> On Feb 5, 2012, at 6:06 PM, Mihir Kulkarni wrote:
>
> Hello,
> I am part of a team at University of California, Irvine who are trying our
> hand at GNUTLS. We installed the package and all its dependencies. But when
> trying with the example code given in the documentation, it throws up an
> error. The details are:
> I tried running the server and client with anonymous authentication. The
> exact error that it gives is:
>
> *CLIENT:*
> mihir at GNU-Linux:~/GNUTLS/gnutls-2.8.6/client$ ./a.out
> *** Handshake failed
> GNUTLS ERROR: A TLS packet with unexpected length was received.
>
> *SERVER:*
> mihir at GNU-Linux:~/GNUTLS/gnutls-2.8.6/server$ ./a.out
> Server ready. Listening to port '5556'.
>
> - connection from 127.0.0.1, port 48108
> *** Handshake has failed (A TLS packet with unexpected length was
> received.)
>
> What is figured out so far is that the server goes into an infinite loop
> on line 120 for the statements:
> do
> {
>     ret = gnutls_handshake (session);
>     printf("Do...\n");
> }
> while (gnutls_error_is_fatal (ret) == 0);
>
>
> Can someone please tell me what might be going wrong?
> Thank you for your help.
>
> regards,
> Mihir Kulkarni
> Graduate Student
> University of California, Irvine
> http://goo.gl/CvRcG
> _______________________________________________
> Help-gnutls mailing list
> Help-gnutls at gnu.org
> https://lists.gnu.org/mailman/listinfo/help-gnutls
>
>

From n.mavrogiannopoulos at gmail.com Tue Feb 7 19:27:51 2012
From: n.mavrogiannopoulos at gmail.com (Nikos Mavrogiannopoulos)
Date: Tue, 07 Feb 2012 19:27:51 +0100
Subject: HELP: Client-Server code for anonymous authentication NOT working
In-Reply-To:
References:
Message-ID: <4F316D27.6010403@gmail.com>

On 02/06/2012 06:19 AM, Patrick Pelletier wrote:
> This sounds like the same problem I ran into recently. I saw the exact
> same behavior when I tried compiling the current version of the example
> programs against the GnuTLS libraries that came with my operating
> system. (GnuTLS 2.8.5 on Ubuntu 10.04.)
> I'm assuming my issue (and therefore yours) is that I was running
> example code that was meant for GnuTLS 3.x against an installed library
> that was GnuTLS 2.x. (And, presumably the change in major version
> indicates an incompatibility, although unfortunately in this case it's a
> rather subtle one.)

You are right. The example in the website enables elliptic curve anonymous Diffie-Hellman which doesn't exist in gnutls 2. The error is subtle because the examples do not include error checking and thus do not catch the error in gnutls_priority_set_direct(). If you fix the priority string the same example should work as is.

regards,
Nikos

From shengwl at uci.edu Tue Feb 7 23:23:51 2012
From: shengwl at uci.edu (Shengwei Li (William))
Date: Tue, 7 Feb 2012 14:23:51 -0800
Subject: Cross compile issue about gnutls 3.0.12 on ubuntu with MinGW
Message-ID:

Hi there,
I am trying to configure gnutls 3.0.12 on ubuntu with the following command:

./configure --without-p11-kit --disable-cxx CC="i586-mingw32msvc-gcc" --build=i586-pc-linux-gnu --host=i686-pc-mingw32msvc

This is to build a gnutls library that I would use on Windows XP for Winsock program. But I got the error:

===============================================================
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for i686-pc-mingw32msvc-strip... no
checking for strip... strip
configure: WARNING: using cross tools not prefixed with host triplet
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... no
checking for mawk... mawk
checking whether make sets $(MAKE)... yes
***
*** Checking for compilation programs...
checking for i686-pc-mingw32msvc-gcc... i586-mingw32msvc-gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.exe
checking for suffix of executables... .exe
checking whether we are cross compiling... yes
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether i586-mingw32msvc-gcc accepts -g... yes
checking for i586-mingw32msvc-gcc option to accept ISO C89... none needed
checking for style of include used by make... GNU
checking dependency style of i586-mingw32msvc-gcc... gcc3
checking dependency style of i586-mingw32msvc-gcc... gcc3
checking for i686-pc-mingw32msvc-g++... no
checking for i686-pc-mingw32msvc-c++... no
checking for i686-pc-mingw32msvc-gpp... no
checking for i686-pc-mingw32msvc-aCC... no
checking for i686-pc-mingw32msvc-CC... no
checking for i686-pc-mingw32msvc-cxx... no
checking for i686-pc-mingw32msvc-cc++... no
checking for i686-pc-mingw32msvc-cl.exe... no
checking for i686-pc-mingw32msvc-FCC... no
checking for i686-pc-mingw32msvc-KCC... no
checking for i686-pc-mingw32msvc-RCC... no
checking for i686-pc-mingw32msvc-xlC_r... no
checking for i686-pc-mingw32msvc-xlC... no
checking for g++... g++
checking whether we are using the GNU C++ compiler... yes
checking whether g++ accepts -g... yes
checking dependency style of g++... gcc3
checking how to run the C preprocessor... i586-mingw32msvc-gcc -E
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for Minix Amsterdam compiler... no
checking for i686-pc-mingw32msvc-ar... no
checking for ar... ar
checking for i686-pc-mingw32msvc-ranlib... no
checking for ranlib... ranlib
checking build system type... i586-pc-linux-gnu
checking host system type... i686-pc-mingw32msvc
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking minix/config.h usability... no
checking minix/config.h presence... no
checking for minix/config.h... no
checking whether it is safe to define __EXTENSIONS__... yes
checking for _LARGEFILE_SOURCE value needed for large files... unknown
checking for special C compiler options needed for large files... no
checking for _FILE_OFFSET_BITS value needed for large files... unknown
checking for _LARGE_FILES value needed for large files... unknown
checking for i586-mingw32msvc-gcc option to accept ISO C99... -std=gnu99
checking for i586-mingw32msvc-gcc -std=gnu99 option to accept ISO Standard C... (cached) -std=gnu99
checking for inline... inline
checking for ANSI C header files... (cached) yes
checking cpuid.h usability... yes
checking cpuid.h presence... yes
checking for cpuid.h... yes
checking for ld used by GCC... /usr/i586-mingw32msvc/bin/ld
checking if the linker (/usr/i586-mingw32msvc/bin/ld) is GNU ld... yes
checking for shared library run path origin... done
checking whether to use nettle... yes
checking for libnettle... no
configure: error:
***
*** Libnettle 2.4 was not found.
===============================================================

It seemed to me that /usr/i586-mingw32msvc/bin/ld could not locate nettle 2.4, which I've installed. I also tried to use " --with-libnettle-prefix=/usr/local" and , but no luck.

Could someone please help on this? Thank you in advance.

BTW, I could compile it with standard gcc coming with the system.

Regards,
Shengwei (William) Li

From laurence.rochfort at gmail.com Fri Feb 10 12:45:19 2012
From: laurence.rochfort at gmail.com (Laurence Rochfort)
Date: Fri, 10 Feb 2012 11:45:19 +0000
Subject: Unexpected message, handshake failed
Message-ID:

Hello,

gnutls is producing the following error for a certificate, prevents all gnutls backed applications from connecting. openssl backed applications connect successfully.

I have no access to the server, but any advice that would allow my gnutls backed applications to work would be very much appreciated.

Many thanks,
Laurence.

$ gnutls-cli -V -p 5223 stbeehive.oracle.com
Resolving 'stbeehive.oracle.com'...
Connecting to '141.146.118.10:5223'...
*** Fatal error: A TLS fatal alert has been received.
*** Received alert [10]: Unexpected message
*** Handshake has failed
GnuTLS error: A TLS fatal alert has been received.

$ openssl s_client -showcerts -connect stbeehive.oracle.com:5223
CONNECTED(00000003)
depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Redwood Shores/O=Oracle Corporation/OU=Global IT/OU=Terms of use at www.verisign.com/rpa (c)05/CN=stbeehive.oracle.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International Server CA - G3
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International Server CA - G3
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
 3 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
subject=/C=US/ST=California/L=Redwood Shores/O=Oracle Corporation/OU=Global IT/OU=Terms of use at www.verisign.com/rpa (c)05/CN=stbeehive.oracle.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International Server CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 5005 bytes and written 537 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol : TLSv1
    Cipher : AES256-SHA
    Session-ID:
    Session-ID-ctx:
    Master-Key: B72E368D6290F0DD98498C1D62AAF25BB37D66614E8ABE527848D61E7A5BC1FF3C3AA5200C12CF77F3EBF9564166856D
    Key-Arg : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1328874127
    Timeout : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)

From nmav at gnutls.org Fri Feb 10 16:07:40 2012
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Fri, 10 Feb 2012 16:07:40 +0100
Subject: Unexpected message, handshake failed
In-Reply-To:
References:
Message-ID: <4F3532BC.1020106@gnutls.org>

On 02/10/2012 12:45 PM, Laurence Rochfort wrote:
> gnutls is producing the following error for a certificate, prevents
> all gnutls backed applications from connecting. openssl backed
> applications connect successfully.
>
> I have no access to the server, but any advice that would allow my
> gnutls backed applications to work would be very much appreciated.

Which gnutls is that? I just tried stbeehive.oracle.com and it seems to work.

regards,
Nikos

From nmav at gnutls.org Fri Feb 10 16:54:43 2012
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Fri, 10 Feb 2012 16:54:43 +0100
Subject: Unexpected message, handshake failed
In-Reply-To:
References: <4F3532BC.1020106@gnutls.org>
Message-ID: <4F353DC3.6000207@gnutls.org>

If you run gnutls-cli-debug on the server it shows that it is pretty broken.

Checking whether %COMPAT is required... yes
Checking for TLS 1.0 support... yes
Checking for TLS 1.1 support... no
Checking fallback from TLS 1.1 to... failed

It fails to understand non-minimal padded records and fails if it sees TLS 1.1 or later. You might want to check:
http://www.gnu.org/software/gnutls/manual/html_node/Interoperability.html
(this is for gnutls 2.12.0+ though, I don't know if this priority string would work on 2.10.)

regards,
Nikos

On 02/10/2012 04:31 PM, Laurence Rochfort wrote:
> Hi Nikos,
>
> I'm running 2.10.2.
>
> Did you use port 5223? I find that port 443, works for me, but I need to
> use 5223 for XMPP.
>
> I'm within Oracle, so maybe that has something to do with it. Could you
> provide a tracert and example of what you're seeing?
>
> Many thanks for looking at this,
> Laurence.
>
> On 10 February 2012 15:07, Nikos Mavrogiannopoulos wrote:
>
>> On 02/10/2012 12:45 PM, Laurence Rochfort wrote:
>>
>>> gnutls is producing the following error for a certificate, prevents
>>> all gnutls backed applications from connecting. openssl backed
>>> applications connect successfully.
>>>
>>> I have no access to the server, but any advice that would allow my
>>> gnutls backed applications to work would be very much appreciated.
>>
>>
>> Which gnutls is that? I just tried stbeehive.oracle.com and it seems to
>> work.
>>
>> regards,
>> Nikos
>>
>

From nmav at gnutls.org Sat Feb 18 14:34:49 2012
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sat, 18 Feb 2012 14:34:49 +0100
Subject: gnutls 3.0.10
Message-ID: <4F3FA8F9.1000204@gnutls.org>

Hello,
I've just released gnutls 3.0.13. This release fixes bugs and adds new features in the current stable branch. The main additions are, (1) a new helper interface to support trust on first use (SSH-like) authentication, (2) gnutls-cli and ocsptool support the on-line verification of a certificate using OCSP, (3) several updates in Datagram TLS handling of missed packets and retransmissions (thanks to work of Sean Buckheister).

* Version 3.0.13 (released 2012-02-18)

** gnutls-cli: added the --ocsp option which will verify the peer's certificate with OCSP.

** gnutls-cli: added the --tofu and if specified, gnutls-cli will use an ssh-style authentication method.

** gnutls-cli: if no --x509cafile is provided a default is assumed (/etc/ssl/certs/ca-certificates.crt), if it exists.

** ocsptool: Added --ask parameter, to verify a certificate's status from an ocsp server.

** command line apps: Use gnu autogen (libopts) to parse command line arguments and template files.

** tests: Added stress test for DTLS packet losses and out-of-order receival. Contributed by Sean Buckheister.

** libgnutls: Several updates and corrections in the DTLS lost packet handling and retransmission timeouts.
Report and patches by Sean Buckheister.

** libgnutls: Added new functions to easily allow the usage of a trust on first use (SSH-style) authentication.

** libgnutls: SUITEB128 and SUITEB192 priority strings account for the RFC6460 requirements.

** libgnutls: Added new security parameter GNUTLS_SEC_PARAM_LEGACY to account for security level of 96-bits.

** libgnutls: In client side if server does not advertise any known CAs and only a single certificate is set in the credentials, send that one.

** libgnutls: Added functions to parse authority key identifiers when stored as a 'general name' and serial combo.

** libgnutls: Added function to force explicit reinitialization of PKCS #11 modules. This is required on the child process after a fork (if PKCS #11 functionality is desirable).

** libgnutls: Depend on p11-kit 0.11.

** API and ABI modifications:
gnutls_dtls_get_timeout: Added
gnutls_verify_stored_pubkey: Added
gnutls_store_pubkey: Added
gnutls_store_commitment: Added
gnutls_x509_crt_get_authority_key_gn_serial: Added
gnutls_x509_crl_get_authority_key_gn_serial: Added
gnutls_pkcs11_reinit: Added
gnutls_ecc_curve_list: Added
gnutls_priority_certificate_type_list: Added
gnutls_priority_sign_list: Added
gnutls_priority_protocol_list: Added
gnutls_priority_compression_list: Added
gnutls_priority_ecc_curve_list: Added
gnutls_tdb_init: Added
gnutls_tdb_set_store_func: Added
gnutls_tdb_set_store_commitment_func: Added
gnutls_tdb_set_verify_func: Added
gnutls_tdb_deinit: Added

Getting the Software
====================

GnuTLS may be downloaded from one of the GNU mirror sites or directly from . The list of GNU mirrors can be found at and a list of GnuTLS mirrors can be found at .
Here are the XZ compressed sources: ftp://ftp.gnu.org/gnu/gnutls/gnutls-3.0.13.tar.xz http://ftp.gnu.org/gnu/gnutls/gnutls-3.0.13.tar.xz ftp://ftp.gnutls.org/pub/gnutls/gnutls-3.0.13.tar.xz Here are OpenPGP detached signatures signed using key 0x96865171: ftp://ftp.gnu.org/gnu/gnutls/gnutls-3.0.13.tar.xz.sig http://ftp.gnu.org/gnu/gnutls/gnutls-3.0.13.tar.xz.sig ftp://ftp.gnutls.org/pub/gnutls/gnutls-3.0.13.tar.xz.sig Note that it has been signed with my openpgp key: pub 3104R/96865171 2008-05-04 [expires: 2028-04-29] uid Nikos Mavrogiannopoulos gnutls.org> uid Nikos Mavrogiannopoulos gmail.com> sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02] sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02] regards, Nikos From nmav at gnutls.org Fri Feb 24 17:24:47 2012 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Fri, 24 Feb 2012 17:24:47 +0100 Subject: gnutls 3.0.14 Message-ID: <4F47B9CF.6080102@gnutls.org> Hello, I've just released gnutls 3.0.14. This is a bug-fix release on the current stable branch. * Version 3.0.14 (released 2012-02-24) ** command line apps: Included libopts doesn't get installed by default. ** libgnutls: Eliminate double free on wrongly formatted certificate list. Reported by Remi Gacogne. ** libgnutls: cryptodev code corrected, updated to account for hashes and GCM mode. ** libgnutls: Eliminated memory leak in PCKS #11 initialization. Report and fix by Sam Varshavchik. ** API and ABI modifications: No changes since last version. Getting the Software ==================== GnuTLS may be downloaded from one of the GNU mirror sites or directly >From . The list of GNU mirrors can be found at and a list of GnuTLS mirrors can be found at . 

Here are the XZ compressed sources:

ftp://ftp.gnu.org/gnu/gnutls/gnutls-3.0.14.tar.xz
http://ftp.gnu.org/gnu/gnutls/gnutls-3.0.14.tar.xz
ftp://ftp.gnutls.org/pub/gnutls/gnutls-3.0.14.tar.xz

Here are OpenPGP detached signatures signed using key 0x96865171:

ftp://ftp.gnu.org/gnu/gnutls/gnutls-3.0.14.tar.xz.sig
http://ftp.gnu.org/gnu/gnutls/gnutls-3.0.14.tar.xz.sig
ftp://ftp.gnutls.org/pub/gnutls/gnutls-3.0.14.tar.xz.sig

Note that it has been signed with my openpgp key:
pub 3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid Nikos Mavrogiannopoulos gnutls.org>
uid Nikos Mavrogiannopoulos gmail.com>
sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02]

regards,
Nikos

From laurence.rochfort at gmail.com Fri Feb 24 18:11:58 2012
From: laurence.rochfort at gmail.com (Laurence Rochfort)
Date: Fri, 24 Feb 2012 17:11:58 +0000
Subject: Help-gnutls Digest, Vol 100, Issue 8
In-Reply-To:
References:
Message-ID:

Unsubscribe

From peter.penzov at gmail.com Sun Feb 26 22:02:57 2012
From: peter.penzov at gmail.com (Peter Penzov)
Date: Sun, 26 Feb 2012 23:02:57 +0200
Subject: How to use Java and GnuTLS
Message-ID:

Hi,
I want to create encrypted communication between Java server and C client.
I want to use GnuTLS for cryptographic library. Is it possible to use
GnuTLS and Java. What are the options? And I know that Java has internal
support for encrypting the network traffic using SSL. Is it possible to
create Java server which uses internal cryptographic libraries and C
client which uses GnuTLS?

Best wishes
Peter

From fweimer at bfk.de Mon Feb 27 11:44:06 2012
From: fweimer at bfk.de (Florian Weimer)
Date: Mon, 27 Feb 2012 10:44:06 +0000
Subject: How to use Java and GnuTLS
References:
Message-ID: <82booktv2h.fsf@mid.bfk.de>

* Peter Penzov:

> Is it possible to create Java server which uses internal
> cryptographic libraries and C client which uses GnuTLS?

Yes, the most recent versions are interoperable, at least if you do
not change preferences too much.

--
Florian Weimer
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99

From nmav at gnutls.org Mon Feb 27 17:44:03 2012
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Mon, 27 Feb 2012 17:44:03 +0100
Subject: How to use Java and GnuTLS
In-Reply-To:
References:
Message-ID: <4F4BB2D3.7060800@gnutls.org>

On 02/26/2012 10:02 PM, Peter Penzov wrote:

> Hi,
> I want to create encrypted communication between Java server and C
> client. I want to use GnuTLS for cryptographic library. Is it possible to
> use GnuTLS and Java. What are the options? And I know that Java has
> internal support for encrypting the network traffic using SSL. Is it
> possible to create Java server which uses internal cryptographic
> libraries and C client which uses GnuTLS?

It is. They both use the same protocol and are compatible.

regards,
Nikos

From peter.penzov at gmail.com Mon Feb 27 20:54:22 2012
From: peter.penzov at gmail.com (Peter Penzov)
Date: Mon, 27 Feb 2012 21:54:22 +0200
Subject: How to use Java and GnuTLS
In-Reply-To: <4F4BB2D3.7060800@gnutls.org>
References: <4F4BB2D3.7060800@gnutls.org>
Message-ID:

Ok, thank you!
As far as I see JSSE can support the most basic security implementations
- TLS 1.0. Does this mean that I cannot implement a server in C which can
communicate with java clients using advanced encryption methods like
OpenPGP, PSK authentication, TLS-SRP, x509?
Can you share some information what are the options?

Best wishes
Peter

On Mon, Feb 27, 2012 at 6:44 PM, Nikos Mavrogiannopoulos wrote:

> On 02/26/2012 10:02 PM, Peter Penzov wrote:
>
> > Hi,
> > I want to create encrypted communication between Java server and C
> > client. I want to use GnuTLS for cryptographic library. Is it possible to
> > use GnuTLS and Java. What are the options? And I know that Java has
> > internal support for encrypting the network traffic using SSL. Is it
> > possible to create Java server which uses internal cryptographic
> > libraries and C client which uses GnuTLS?
>
>
> It is. They both use the same protocol and are compatible.
>
> regards,
> Nikos
>
> _______________________________________________
> Help-gnutls mailing list
> Help-gnutls at gnu.org
> https://lists.gnu.org/mailman/listinfo/help-gnutls
>

From peter.penzov at gmail.com Mon Feb 27 23:38:32 2012
From: peter.penzov at gmail.com (Peter Penzov)
Date: Tue, 28 Feb 2012 00:38:32 +0200
Subject: error in compiling GnuTLS example
Message-ID:

Hi,
I use Centos with GnuTLS version gnutls-2.8.5-4.el6.x86_64. I am trying
to compile the example ex-serv-x509.c. When I try to compile it using
this command:

gcc -o server ex-serv-x509.c -lgnutls

I get this error:

ex-serv-x509.c: In function ‘generate_dh_params’:
ex-serv-x509.c:57: error: ‘GNUTLS_PK_DH’ undeclared (first use in this function)
ex-serv-x509.c:57: error: (Each undeclared identifier is reported only once
ex-serv-x509.c:57: error: for each function it appears in.)
ex-serv-x509.c:57: error: ‘GNUTLS_SEC_PARAM_LOW’ undeclared (first use in this function)
ex-serv-x509.c: In function ‘main’:
ex-serv-x509.c:137: warning: cast to pointer from integer of different size

How can I fix this error?

Best wishes
Peter

From nmav at gnutls.org Tue Feb 28 09:31:09 2012
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Tue, 28 Feb 2012 09:31:09 +0100
Subject: error in compiling GnuTLS example
In-Reply-To:
References:
Message-ID: <4F4C90CD.9060206@gnutls.org>

On 02/27/2012 11:38 PM, Peter Penzov wrote:

> Hi, I use Centos with GnuTLS version gnutls-2.8.5-4.el6.x86_64. I am
> trying to compile the example ex-serv-x509.c. When I try to compile
> it using this command: gcc -o server ex-serv-x509.c -lgnutls
>
> I get this error: ex-serv-x509.c: In function ‘generate_dh_params’:
> ex-serv-x509.c:57: error: ‘GNUTLS_PK_DH’ undeclared (first use in
> this function) ex-serv-x509.c:57: error: (Each undeclared identifier
> is reported only once ex-serv-x509.c:57: error: for each function it
> appears in.) ex-serv-x509.c:57: error: ‘GNUTLS_SEC_PARAM_LOW’
> undeclared (first use in this function) ex-serv-x509.c: In function
> ‘main’: ex-serv-x509.c:137: warning: cast to pointer from integer of
> different size How can I fix this error?

Most probably you are compiling one of the examples in the current
documentation using the "old" 2.8.5. This is not possible. Either use
a current version of gnutls or use the examples from the documentation
in your distribution.

regards,
Nikos

From nmav at gnutls.org Tue Feb 28 09:46:30 2012
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Tue, 28 Feb 2012 09:46:30 +0100
Subject: How to use Java and GnuTLS
In-Reply-To:
References: <4F4BB2D3.7060800@gnutls.org>
Message-ID: <4F4C9466.1000407@gnutls.org>

On 02/27/2012 08:54 PM, Peter Penzov wrote:

> Ok, thank you!
> As far as I see JSSE can support the most basic security implementations
> - TLS 1.0. Does this mean that I cannot implement a server in C which can
> communicate with java clients using advanced encryption methods like
> OpenPGP, PSK authentication, TLS-SRP, x509?

Not all implementations support all authentication methods. You might
want to check the comparison article below.

http://en.wikipedia.org/wiki/Comparison_of_TLS_Implementations

regards,
Nikos

From peter.penzov at gmail.com Tue Feb 28 12:55:14 2012
From: peter.penzov at gmail.com (Peter Penzov)
Date: Tue, 28 Feb 2012 13:55:14 +0200
Subject: How to compile GnuTLS for every posix operating system
Message-ID:

I want to create secure server and client which use GnuTLS for encrypting
the network communication. I want to deploy the clients on many Unix
operating systems and many Linux distributions. I found that for example in
Centos 5 and 6 the versions of GnuTLS which are by default installed are
different versions. Maybe in other operating systems the version of GnuTLS
is always different. One solution will be to compile GnuTLS every time
from source in order to have always the same version. Is it possible to
compile it into one monolithic (including all dependent libraries)
executable program and use it in every Posix operating system?

Best wishes
Peter

From peter.penzov at gmail.com Tue Feb 28 13:29:11 2012
From: peter.penzov at gmail.com (Peter Penzov)
Date: Tue, 28 Feb 2012 14:29:11 +0200
Subject: Compatibility between different GnuTLS versions
Message-ID:

Hi,
I'm interested about the compatibility between different versions of
GnuTLS. For example I want to implement simple TLS server and client which
use x509 certificate. Are they going to work if I deploy them on different
Centos servers with different GnuTLS versions? Are there any testing data?

Best Wishes
Peter

From nmav at gnutls.org Tue Feb 28 22:16:47 2012
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Tue, 28 Feb 2012 22:16:47 +0100
Subject: How to compile GnuTLS for every posix operating system
In-Reply-To:
References:
Message-ID: <4F4D443F.9020903@gnutls.org>

On 02/28/2012 12:55 PM, Peter Penzov wrote:

> I want to create secure server and client which use GnuTLS for encrypting
> the network communication. I want to deploy the clients on many Unix
> operating systems and many Linux distributions. I found that for example in
> Centos 5 and 6 the versions of GnuTLS which are by default installed are
> different versions. Maybe in other operating systems the version of GnuTLS
> is always different. One solution will be to compile GnuTLS every time
> from source in order to have always the same version. Is it possible to
> compile it into one monolithic (including all dependent libraries)
> executable program and use it in every Posix operating system?

You can always static link.

From nmav at gnutls.org Tue Feb 28 22:19:49 2012
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Tue, 28 Feb 2012 22:19:49 +0100
Subject: Compatibility between different GnuTLS versions
In-Reply-To:
References:
Message-ID: <4F4D44F5.70907@gnutls.org>

On 02/28/2012 01:29 PM, Peter Penzov wrote:

> Hi,
> I'm interested about the compatibility between different versions of
> GnuTLS. For example I want to implement simple TLS server and client which
> use x509 certificate. Are they going to work if I deploy them on different
> Centos servers with different GnuTLS versions? Are there any testing data?

I have no idea what centos is distributing, however I don't believe we
ever had any compatibility problems on x509 authentication.

regards,
Nikos

From peter.penzov at gmail.com Tue Feb 28 23:00:01 2012
From: peter.penzov at gmail.com (Peter Penzov)
Date: Wed, 29 Feb 2012 00:00:01 +0200
Subject: How to compile example
Message-ID:

Hi,
I'm trying to compile the example ex-serv-srp.c with the command
gcc -o server ex-serv-srp.c -lgnutls
I get this error:

[rcbandit at Laptop GnuTLS 3.14 examples]$ gcc -o server ex-serv-srp.c -lgnutls
ex-serv-srp.c: In function ‘main’:
ex-serv-srp.c:118: warning: cast to pointer from integer of different size
/tmp/cc5xxpcN.o: In function `main':
ex-serv-srp.c:(.text+0xb3): undefined reference to `gnutls_srp_allocate_server_credentials'
ex-serv-srp.c:(.text+0xcc): undefined reference to `gnutls_srp_set_server_credentials_file'
ex-serv-srp.c:(.text+0x322): undefined reference to `gnutls_srp_server_get_username'
collect2: ld returned 1 exit status

I'm sure that I'm missing an argument in gcc command. Can you tell what
commands I need to execute in order to compile the example.

Best wishes
Peter

From matthew.finkel at gmail.com Wed Feb 29 02:24:18 2012
From: matthew.finkel at gmail.com (Matthew Finkel)
Date: Tue, 28 Feb 2012 20:24:18 -0500
Subject: How to compile example
In-Reply-To:
References:
Message-ID:

On Tue, Feb 28, 2012 at 5:00 PM, Peter Penzov wrote:

> Hi,
> I'm trying to compile the example ex-serv-srp.c with the command gcc -o
> server ex-serv-srp.c -lgnutls
> I get this error:
>
> [rcbandit at Laptop GnuTLS 3.14 examples]$ gcc -o server ex-serv-srp.c
> -lgnutls
> ex-serv-srp.c: In function ‘main’:
> ex-serv-srp.c:118: warning: cast to pointer from integer of different size
> /tmp/cc5xxpcN.o: In function `main':
> ex-serv-srp.c:(.text+0xb3): undefined reference to
> `gnutls_srp_allocate_server_credentials'
> ex-serv-srp.c:(.text+0xcc): undefined reference to
> `gnutls_srp_set_server_credentials_file'
> ex-serv-srp.c:(.text+0x322): undefined reference to
> `gnutls_srp_server_get_username'
> collect2: ld returned 1 exit status
>
> I'm sure that I'm missing an argument in gcc command. Can you tell what
> commands I need to execute in order to compile the example.
>
> Best wishes
> Peter

Hi Peter,

It looks like a linking issue. Do you have the libraries installed
(libgnutls)? I know they're contained in a separate package in some
distro.

- Matt

From mihirk.31 at gmail.com Wed Feb 29 04:46:58 2012
From: mihirk.31 at gmail.com (Mihir Kulkarni)
Date: Tue, 28 Feb 2012 19:46:58 -0800
Subject: Error Code -56
Message-ID:

Hello,
We are trying out with Gnutls. We have created a dummy extension Foobar
following the steps given in the manual. We are using
"_gnutls_ext_set_session_data" in the client and then using
"_gnutls_ext_get_session_data" in the server to retrieve the data. The
value gets set correctly in client but when we retrieve it in the server,
the get function returns -56 as error code.
Our implementation of Foobar extension is almost similar to server-name
extension already present in Gnutls. Can someone give some clarification
as to what might be going wrong?
Do let me know if more information is needed.

Thank you.

regards,
Mihir Kulkarni
Graduate Student
University of California, Irvine
http://goo.gl/CvRcG

From lfinsto at gwdg.de Wed Feb 29 09:00:13 2012
From: lfinsto at gwdg.de (lfinsto at gwdg.de)
Date: Wed, 29 Feb 2012 09:00:13 +0100
Subject: How to compile example
In-Reply-To:
References:
Message-ID:

> I'm sure that I'm missing an argument in gcc command. Can you tell what
> commands I need to execute in order to compile the example.

-L

Laurence Finston

On Tue, February 28, 2012 11:00 pm, Peter Penzov wrote:
> Hi,
> I'm trying to compile the example ex-serv-srp.c with the command gcc -o
> server ex-serv-srp.c -lgnutls
> I get this error:
>
> [rcbandit at Laptop GnuTLS 3.14 examples]$ gcc -o server ex-serv-srp.c
> -lgnutls
> ex-serv-srp.c: In function ‘main’:
> ex-serv-srp.c:118: warning: cast to pointer from integer of different size
> /tmp/cc5xxpcN.o: In function `main':
> ex-serv-srp.c:(.text+0xb3): undefined reference to
> `gnutls_srp_allocate_server_credentials'
> ex-serv-srp.c:(.text+0xcc): undefined reference to
> `gnutls_srp_set_server_credentials_file'
> ex-serv-srp.c:(.text+0x322): undefined reference to
> `gnutls_srp_server_get_username'
> collect2: ld returned 1 exit status
>
> I'm sure that I'm missing an argument in gcc command. Can you tell what
> commands I need to execute in order to compile the example.
>
> Best wishes
> Peter
>

-------------------------------------------------------------
Laurence Finston
Gesellschaft fuer wissenschaftliche Datenverarbeitung mbH
Am Fassberg 11
37077 Goettingen

Telefon: +49 551 201-1882
E-Mail: lfinsto at gwdg.de

From nmav at gnutls.org Wed Feb 29 10:13:37 2012
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Wed, 29 Feb 2012 10:13:37 +0100
Subject: How to compile example
In-Reply-To:
References:
Message-ID:

On Tue, Feb 28, 2012 at 11:00 PM, Peter Penzov wrote:
> Hi,
> I'm trying to compile the example ex-serv-srp.c with the command gcc -o
> server ex-serv-srp.c -lgnutls
> I get this error:
> [rcbandit at Laptop GnuTLS 3.14 examples]$ gcc -o server ex-serv-srp.c -lgnutls
> ex-serv-srp.c: In function ‘main’:
> ex-serv-srp.c:118: warning: cast to pointer from integer of different size
> /tmp/cc5xxpcN.o: In function `main':
> ex-serv-srp.c:(.text+0xb3): undefined reference to
> `gnutls_srp_allocate_server_credentials'
> ex-serv-srp.c:(.text+0xcc): undefined reference to
> `gnutls_srp_set_server_credentials_file'
> ex-serv-srp.c:(.text+0x322): undefined reference to
> `gnutls_srp_server_get_username'
> collect2: ld returned 1 exit status
> I'm sure that I'm missing an argument in gcc command. Can you tell what
> commands I need to execute in order to compile the example.

You might want to bring this up to a centos or redhat ml and/or the
documentation they provide for gnutls. Redhat for some reason disables
SRP support in the installed gnutls.

regards,
Nikos

From lists at fuchsschwanzdomain.de Wed Feb 29 15:19:32 2012
From: lists at fuchsschwanzdomain.de (Sven Geggus)
Date: Wed, 29 Feb 2012 15:19:32 +0100
Subject: Smartcard + pkcs11 = segmentation fault...
Message-ID: <20120229141932.GA4435@geggus.net>

Hello,

I'm trying to enable pkcs11 support in gnutls (2.12.16).
Unfortunately I'm currently stuck with a proprietary pkcs11 library (which
however works well in firefox/thunderbird).

Here is what I have so far:

~/ > p11-kit -l
aet: /usr/lib/libaetpkss.so
library-description: Cryptographic Token Interface
library-manufacturer: A.E.T. Europe B.V.
library-version: 3.0
token: Fraunhofer-Smartcard
manufacturer: A.E.T. Europe B.V.
model: 3384110107000000
serial-number: 00113C3800009B09
flags: rng login-required user-pin-initialized token-initialized

~/ > /usr/lib/libgnutls26/p11tool --login --list-all
Token 'Fraunhofer-Smartcard' with URL 'pkcs11:model=3384110107000000;manufacturer=A.E.T.%20Europe%20B.V.;serial=00113C3800009B09;token=Fraunhofer-Smartcard' requires user PIN
Enter PIN:
Object 0:
URL: pkcs11:library-description=Cryptographic%20Token%20Interface;library-manufacturer=A.E.T.%20Europe%20B.V.;model=3384110107000000;manufacturer=A.E.T.%20Europe%20B.V.;serial=00113C3800009B09;token=Fraunhofer-Smartcard;object=Secude%20Token%20ID;object-type=data
Type: Data
Label: Secude Token ID

Segmentation fault

Any hint?

Sven

--
The main thing to note is that when you choose open source you don't
get a Windows operating system. (from http://www.dell.com/ubuntu)

/me is giggls at ircnet, http://sven.gegg.us/ on the Web

From nmav at gnutls.org Wed Feb 29 15:36:09 2012
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Wed, 29 Feb 2012 15:36:09 +0100
Subject: Smartcard + pkcs11 = segmentation fault...
In-Reply-To: <20120229141932.GA4435@geggus.net>
References: <20120229141932.GA4435@geggus.net>
Message-ID:

On Wed, Feb 29, 2012 at 3:19 PM, Sven Geggus wrote:
> Hello,
>
> I'm trying to enable pkcs11 support in gnutls (2.12.16).
> Unfortunately I'm currently stuck with a proprietary pkcs11 library (which
> however works well in firefox/thunderbird).

Hello,
Could you try using valgrind or gdb to pinpoint the crash?
Could you also try whether that issue occurs in gnutls 3.0.14?

regards,
Nikos

From peter.penzov at gmail.com Wed Feb 29 19:32:33 2012
From: peter.penzov at gmail.com (Peter Penzov)
Date: Wed, 29 Feb 2012 20:32:33 +0200
Subject: how to compile GnuTLS
Message-ID:

I am trying to compile GnuTLS. These are the steps:

I use Centos 6.2 x86_64

I downloaded Nettle 2.4

[root at localhost opt]# wget http://www.lysator.liu.se/~nisse/archive/nettle-2.4.tar.gz
[root at localhost nettle-2.4]# tar zxvf nettle-2.4.tar.gz
[root at localhost nettle-2.4]# cd nettle-2.4
[root at localhost nettle-2.4]# ./configure --enable-shared --prefix=/usr

Version: nettle 2.4
Host type: x86_64-unknown-linux-gnu
ABI: 64
Assembly files: x86_64
Install prefix: /usr
Library directory: ${exec_prefix}/lib64
Compiler: gcc
Shared libraries: yes
Public key crypto: no

I run the command make and make install

I downloaded the latest GnuTLS

./configure --with-libnettle-prefix=/usr

hecking for shared library run path origin... done
checking whether to use nettle... yes
checking for libnettle... no
configure: error:
***
*** Libnettle 2.4 was not found.

What am I missing?

Best wishes
Peter
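
Added example, not part of any message in this thread: the nettle summary quoted in the last message reports "Public key crypto: no", which means nettle did not build libhogweed (it does so only when the GMP development files are found), and GnuTLS 3.x needs libhogweed as well as libnettle. The script below reads such a summary and checks an install directory for libhogweed; the function names and the embedded sample are constructed for illustration, and exec_prefix is assumed to equal the prefix.

```shell
#!/bin/sh
# Added example: interpret the summary printed by nettle's ./configure
# before trying to build GnuTLS against that nettle installation.

# Constructed sample input: the summary as quoted in the message above.
NETTLE_SUMMARY='  Version:           nettle 2.4
  Host type:         x86_64-unknown-linux-gnu
  ABI:               64
  Assembly files:    x86_64
  Install prefix:    /usr
  Library directory: ${exec_prefix}/lib64
  Compiler:          gcc
  Shared libraries:  yes
  Public key crypto: no'

# summary_field NAME: print the value of the "NAME: value" line on stdin.
summary_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# check_nettle_summary: read a summary on stdin, print one finding per line.
# Returns 0 when libhogweed will be built, 1 when it will not.
check_nettle_summary() {
    summary=$(cat)
    pk=$(printf '%s\n' "$summary" | summary_field 'Public key crypto')
    prefix=$(printf '%s\n' "$summary" | summary_field 'Install prefix')
    # Assumption: exec_prefix was left at its autoconf default (= prefix).
    libdir=$(printf '%s\n' "$summary" | summary_field 'Library directory' |
        sed 's|[$]{exec_prefix}|'"$prefix"'|')
    nettle_rc=0
    if [ "$pk" = yes ]; then
        echo "hogweed: built"
    else
        echo "hogweed: NOT built (Public key crypto: ${pk:-missing}); install the GMP development files and re-run nettle's configure"
        nettle_rc=1
    fi
    # The directory to look in (and to pass via LDFLAGS=-L...) afterwards.
    echo "libdir: $libdir"
    return "$nettle_rc"
}

# hogweed_installed DIR: succeed if DIR contains a libhogweed library file.
hogweed_installed() {
    for f in "$1"/libhogweed.so* "$1"/libhogweed.a; do
        if [ -e "$f" ]; then
            return 0
        fi
    done
    return 1
}

# Run against the sample; "|| true" keeps the script going after a finding.
printf '%s\n' "$NETTLE_SUMMARY" | check_nettle_summary || true
```

After `make install`, `hogweed_installed /usr/lib64` confirms on the real system whether the public-key library GnuTLS links against is actually present.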