From nmav at gnutls.org Tue Jul 3 00:19:13 2012
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Tue, 03 Jul 2012 00:19:13 +0200
Subject: gnutls 3.0.21
Message-ID: <4FF21E61.8040309@gnutls.org>

Hello,
I've just released gnutls 3.0.21. This is a minor feature update and bug-fix release on the current stable branch.

* Version 3.0.21 (released 2012-07-02)

** libgnutls: fixed bug in gnutls_x509_privkey_import() that prevented the loading of EC private keys when DER encoded. Reported by David Woodhouse.

** libgnutls: In DTLS, records larger than the MTU result in GNUTLS_E_LARGE_PACKET instead of being truncated.

** libgnutls: gnutls_dtls_get_data_mtu() is more precise. Based on patch by David Woodhouse.

** libgnutls: Fixed memory leak in PKCS #8 key import.

** libgnutls: Added support for an old version of the DTLS protocol used by the openconnect vpn client for compatibility with Cisco's AnyConnect SSL VPN. It is marked as GNUTLS_DTLS0_9. Do not use it for newer protocols as it has issues.

** libgnutls: Corrected bug that prevented resolving PKCS #11 URLs if only the label is specified. Patch by David Woodhouse.

** libgnutls: When the EMSGSIZE errno is seen, GNUTLS_E_LARGE_PACKET is returned.

** API and ABI modifications:
gnutls_dtls_set_data_mtu: Added
gnutls_session_set_premaster: Added

Getting the Software
====================

GnuTLS may be downloaded from one of the GNU mirror sites or directly from . The list of GNU mirrors can be found at and a list of GnuTLS mirrors can be found at .
Here are the XZ compressed sources:
ftp://ftp.gnu.org/gnu/gnutls/gnutls-3.0.21.tar.xz
http://ftp.gnu.org/gnu/gnutls/gnutls-3.0.21.tar.xz
ftp://ftp.gnutls.org/pub/gnutls/gnutls-3.0.21.tar.xz

Here are the LZIP compressed sources:
ftp://ftp.gnu.org/gnu/gnutls/gnutls-3.0.21.tar.lz
http://ftp.gnu.org/gnu/gnutls/gnutls-3.0.21.tar.lz
ftp://ftp.gnutls.org/pub/gnutls/gnutls-3.0.21.tar.lz

Here are OpenPGP detached signatures signed using key 0x96865171:
ftp://ftp.gnu.org/gnu/gnutls/gnutls-3.0.21.tar.xz.sig
http://ftp.gnu.org/gnu/gnutls/gnutls-3.0.21.tar.xz.sig
ftp://ftp.gnutls.org/pub/gnutls/gnutls-3.0.21.tar.xz.sig
ftp://ftp.gnu.org/gnu/gnutls/gnutls-3.0.21.tar.lz.sig
http://ftp.gnu.org/gnu/gnutls/gnutls-3.0.21.tar.lz.sig
ftp://ftp.gnutls.org/pub/gnutls/gnutls-3.0.21.tar.lz.sig

Note that it has been signed with my openpgp key:
pub   3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid                  Nikos Mavrogiannopoulos <nmav at gnutls.org>
uid                  Nikos Mavrogiannopoulos gmail.com>
sub   2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub   2048R/1404A91D 2008-05-04 [expires: 2018-05-02]

regards,
Nikos

From jstuhlmann at gmail.com Tue Jul 10 16:19:38 2012
From: jstuhlmann at gmail.com (Jan S.)
Date: Tue, 10 Jul 2012 07:19:38 -0700 (PDT)
Subject: High loads and failure due to mod_gnutls
In-Reply-To: <999168750910290326o6614a4cy4e32782fa39c4ca9@mail.gmail.com>
References: <999168750910280836sf380b45rd6aa1e078fd340ab@mail.gmail.com> <87d446k41w.fsf@mocca.josefsson.org> <999168750910290326o6614a4cy4e32782fa39c4ca9@mail.gmail.com>
Message-ID: <34140069.post@talk.nabble.com>

Hi,
I have exactly the same problem: 100% load divided onto several apache2 processes since I activated mod_gnutls. However, the website is responding fast.
Did you find a solution? Looks like a configuration problem?

Best regards
Jan

odo-2 wrote:
>
> Thank you for your answer, but unfortunately it didn't solve the problem.
>
> 2009/10/29 Simon Josefsson :
>> john doe writes:
>>
>>> Hello,
>>>
>>> I am using Apache 2.2.9 and mod_gnutls.so (GNUTLS version 1_4) and I
>>> have experienced high load values on my server (HTTP/HTTPS Reverse
>>> proxy running on Lenny).
>>>
>>> Regularly a new apache2 process spawns on the `top` command and takes
>>> X% of the CPU; if there is a single bugged process X=100, if there are
>>> 2 X=50 etc...
>>> The `w' command reported a load value of 27 this morning; after a restart
>>> of apache it went down to 0 again. After 2 hours the load is now at 2.
>>
>> I've seen this too, especially in high-load scenarios, but for me it
>> always appeared to be related to the 'GnuTLSCache dbm' setting. Maybe
>> you could try changing /etc/apache2/mods-enabled/gnutls.conf to use
>> 'GnuTLSCache none none' to see if the problem goes away?
>>
>> Maybe someone on the mod_gnutls list knows more.
>>
>> /Simon
>>
>>> I am not used to troubleshooting but I managed to get a backtrace with
>>> gdb, here is the output:
>>>
>>> #0  0xb7f78a0e in apr_bucket_free () from /usr/lib/libaprutil-1.so.0
>>> #1  0x08078dac in ap_core_output_filter ()
>>> #2  0xb75133d3 in mgs_transport_write () from /usr/lib/apache2/modules/mod_gnutls.so
>>> #3  0xb78b93f2 in _gnutls_io_write_buffered () from /usr/lib/libgnutls.so.26
>>> #4  0xb78b9950 in _gnutls_io_write_flush () from /usr/lib/libgnutls.so.26
>>> #5  0xb78b5dc0 in _gnutls_send_int () from /usr/lib/libgnutls.so.26
>>> #6  0xb78b627b in gnutls_record_send () from /usr/lib/libgnutls.so.26
>>> #7  0xb7513b09 in mgs_filter_output () from /usr/lib/apache2/modules/mod_gnutls.so
>>> #8  0x0806f10e in ap_content_length_filter ()
>>> #9  0xb74e07fc in ?? () from /usr/lib/apache2/modules/mod_proxy_http.so
>>> #10 0x08407b98 in ?? ()
>>> #11 0x084223a0 in ?? ()
>>> #12 0x084223a0 in ?? ()
>>> #13 0x00000001 in ?? ()
>>> #14 0x00002000 in ?? ()
>>> #15 0x00000000 in ?? ()
>>>
>>> I sent an interrupt signal to the process and then ended up in a sort
>>> of fatal error function from gnu_tls (I cannot recall the name).
>>> Maybe some function in gnu_tls is looping forever, waiting for a right
>>> return value (that never comes, unfortunately).
>>>
>>> Here are some other debugging clues:
>>>
>>>
>>>   PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
>>>  5269 www-data  20   0 15136 5516 2424 R 49.8  0.4  15:53.62 apache2
>>>  5314 www-data  20   0 15012 5296 2308 R 47.8  0.4  10:55.86 apache2
>>>
>>> load average: 1.50, 1.80, 1.68
>>>
>>> This output is redundant in the apache error log:
>>>
>>> [Wed Oct 28 15:54:44 2009] [debug] proxy_util.c(1819): proxy: worker proxy:reverse already initialized
>>> [Wed Oct 28 15:54:44 2009] [debug] proxy_util.c(1913): proxy: initialized single connection worker 17 in child 5461 for (*)
>>> =====================================================================================
>>> [Wed Oct 28 15:48:33 2009] [info] [client 62.36.240.2] (104)Connection reset by peer: core_output_filter: writing data to the network
>>> [Wed Oct 28 15:49:40 2009] [info] [client 193.203.96.2] (32)Broken pipe: core_output_filter: writing data to the network
>>> [Wed Oct 28 15:53:59 2009] [info] [client 193.203.96.2] (32)Broken pipe: core_output_filter: writing data to the network
>>>
>>>
>>> I may not be able to give you more information about this server; the
>>> load was high but there was no latency.
>>> Do you have an idea about this issue?
>>>
>>> Thank you for your attention.
>>> Regards.
>>
>
>
>
> --
> Regards,
>
> shiro.
>
>
> _______________________________________________
> Help-gnutls mailing list
> Help-gnutls at gnu.org
> http://lists.gnu.org/mailman/listinfo/help-gnutls
>
>
From brunovern.a at gmail.com Tue Jul 10 16:39:45 2012
From: brunovern.a at gmail.com (Bruno Vernay)
Date: Tue, 10 Jul 2012 16:39:45 +0200
Subject: gnutls-cli-debug results interpretation
Message-ID:

Hello,
I have a hard time understanding the gnutls-cli-debug results.
Simply from "Checking for version rollback bug in RSA PMS... no".
Does it mean: No, the bug is not present, or: No, the server didn't pass the check?
Then, what exactly is the "version rollback bug in RSA PMS"?
A link to some reference information would be nice. I guess it is some kind of downgrade re-negotiation, but without further information, I cannot conclude anything.

Thanks
--
Bruno

From nmav at gnutls.org Sat Jul 14 09:09:08 2012
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sat, 14 Jul 2012 09:09:08 +0200
Subject: gnutls-cli-debug results interpretation
In-Reply-To:
References:
Message-ID: <50011B14.4060108@gnutls.org>

On 07/10/2012 04:39 PM, Bruno Vernay wrote:
> Hello,
>
> I have a hard time understanding the gnutls-cli-debug results.
> Simply from "Checking for version rollback bug in RSA PMS... no".
> Does it mean: No, the bug is not present

That one.

> Then, what exactly is the "version rollback bug in RSA PMS"?

gnutls-cli-debug is a tool I used to debug servers while developing gnutls, and some messages may have been only apparent to me. The comment in the test mentions:
"here we enable both SSL 3.0 and TLS 1.0 and try to connect and use rsa authentication. If the server is old, buggy and only supports SSL 3.0 then the handshake will fail."

> A link to some reference information would be nice. I guess it is some
> kind of downgrade re-negotiation, but without further information, I
> cannot conclude anything.

There is no comprehensive list of TLS and SSL bugs that I'm aware of. Documenting all of them is substantial work and it is not in my immediate plans.
regards,
Nikos

From bgurup.ndk at gmail.com Wed Jul 18 07:50:54 2012
From: bgurup.ndk at gmail.com (Guru Prasad)
Date: Wed, 18 Jul 2012 11:20:54 +0530
Subject: Issue in SSL/TLS connection setup
Message-ID:

I am facing an SSL/TLS connection setup issue with python-twisted (12.0.0) and python-gnutls (1.1.9). The version of Ubuntu (unstable) I am using is 12.10.

During the SSL/TLS connection setup, there is a ClientHello request from the client, and for this request there is no response from the server where Twisted and GnuTLS are running. I see only TCP FIN and RST sent by the server end for the ClientHello request. When I checked the syslog, I saw the messages below.

Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/twisted/python/log.py", line 84, in callWithLogger
    return callWithContext({"system": lp}, func, *args, **kw)
  File "/usr/lib/python2.7/dist-packages/twisted/python/log.py", line 69, in callWithContext
    return context.call({ILogContext: newCtx}, func, *args, **kw)
  File "/usr/lib/python2.7/dist-packages/twisted/python/context.py", line 118, in callWithContext
    return self.currentContext().callWithContext(ctx, func, *args, **kw)
  File "/usr/lib/python2.7/dist-packages/twisted/python/context.py", line 81, in callWithContext
    return func(*args,**kw)
  File "/usr/lib/python2.7/dist-packages/twisted/internet/posixbase.py", line 599, in _doReadOrWrite
    self._disconnectSelectable(selectable, why, inRead)
  File "/usr/lib/python2.7/dist-packages/twisted/internet/posixbase.py", line 266, in _disconnectSelectable
    selectable.connectionLost(failure.Failure(why))
  File "/usr/local/lib/python2.7/dist-packages/gnutls/interfaces/twisted/__init__.py", line 328, in connectionLost
    tcp.Server.connectionLost(self, reason)
  File "/usr/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 277, in connectionLost
    protocol.connectionLost(reason)
  File "/usr/lib/python2.7/dist-packages/twisted/web2/channel/http.py", line 853, in connectionLost
    self.readConnectionLost()
  File "/usr/lib/python2.7/dist-packages/twisted/web2/channel/http.py", line 842, in readConnectionLost
    self.transport.loseConnection()
  File "/usr/local/lib/python2.7/dist-packages/gnutls/interfaces/twisted/__init__.py", line 322, in loseConnection
    tcp.Server.loseConnection(self, reason)
TypeError: loseConnection() takes exactly 1 argument (2 given)

Has anyone else faced this issue earlier? Is this a bug in the GnuTLS package? I do not have any clue what went wrong. Have I missed anything which is required? Please help me to come out of this issue.

--bgurup

From bgurup.ndk at gmail.com Tue Jul 24 07:49:22 2012
From: bgurup.ndk at gmail.com (Guru Prasad)
Date: Tue, 24 Jul 2012 11:19:22 +0530
Subject: Fwd: Issue in SSL/TLS connection setup
In-Reply-To:
References:
Message-ID:

Please let me know whether the issue reported is a bug in python-gnutls.

---------- Forwarded message ----------
From: Guru Prasad
Date: Fri, Jul 20, 2012 at 2:52 PM
Subject: Issue in SSL/TLS connection setup
To: help-gnutls at gnu.org

Hello All,
I am facing an SSL/TLS connection setup issue with python-twisted (12.0.0) and python-gnutls (1.1.9). The version of Ubuntu (unstable) I am using is 12.10.

During the SSL/TLS connection setup, there is a ClientHello request from the client, and for this request there is no response from the server where Twisted and GnuTLS are running. I see only TCP FIN and RST sent by the server end for the ClientHello request. When I checked the syslog, I saw the messages below.
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/twisted/python/log.py", line 84, in callWithLogger
    return callWithContext({"system": lp}, func, *args, **kw)
  File "/usr/lib/python2.7/dist-packages/twisted/python/log.py", line 69, in callWithContext
    return context.call({ILogContext: newCtx}, func, *args, **kw)
  File "/usr/lib/python2.7/dist-packages/twisted/python/context.py", line 118, in callWithContext
    return self.currentContext().callWithContext(ctx, func, *args, **kw)
  File "/usr/lib/python2.7/dist-packages/twisted/python/context.py", line 81, in callWithContext
    return func(*args,**kw)
  File "/usr/lib/python2.7/dist-packages/twisted/internet/posixbase.py", line 599, in _doReadOrWrite
    self._disconnectSelectable(selectable, why, inRead)
  File "/usr/lib/python2.7/dist-packages/twisted/internet/posixbase.py", line 266, in _disconnectSelectable
    selectable.connectionLost(failure.Failure(why))
  File "/usr/local/lib/python2.7/dist-packages/gnutls/interfaces/twisted/__init__.py", line 328, in connectionLost
    tcp.Server.connectionLost(self, reason)
  File "/usr/lib/python2.7/dist-packages/twisted/internet/tcp.py", line 277, in connectionLost
    protocol.connectionLost(reason)
  File "/usr/lib/python2.7/dist-packages/twisted/web2/channel/http.py", line 853, in connectionLost
    self.readConnectionLost()
  File "/usr/lib/python2.7/dist-packages/twisted/web2/channel/http.py", line 842, in readConnectionLost
    self.transport.loseConnection()
  File "/usr/local/lib/python2.7/dist-packages/gnutls/interfaces/twisted/__init__.py", line 322, in loseConnection
    tcp.Server.loseConnection(self, reason)
TypeError: loseConnection() takes exactly 1 argument (2 given)

Has anyone else faced this issue earlier? Is this a bug in the GnuTLS package? I do not have any clue what went wrong. Have I missed anything which is required? Please help me to come out of this issue.

--bgurup
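The traceback in the message above shows a wrapper's loseConnection(self, reason) forwarding `reason` to a base method that accepts only `self`, raised from inside the reactor's connectionLost teardown. The following Python is an added example, not python-gnutls or Twisted code: it reproduces that shape with constructed stand-in classes (BaseServer, BuggyTLSServer, FixedTLSServer and disconnect_selectable are all hypothetical names), shows that a TypeError in the cleanup path replaces the original disconnect reason the reactor was reporting, and contrasts a hypothetical fix that forwards only what the base signature accepts.

```python
import inspect


class BaseServer:
    """Constructed stand-in for twisted.internet.tcp.Server; not Twisted's code."""

    def __init__(self):
        self.closed = False
        self.lost_reason = None

    def loseConnection(self):
        # Takes only self, which is what the TypeError in the traceback complains about.
        self.closed = True

    def connectionLost(self, reason):
        # Notifies the protocol; in the traceback, web2 reacts by calling
        # transport.loseConnection() with no arguments during teardown.
        self.loseConnection()
        self.lost_reason = reason


class BuggyTLSServer(BaseServer):
    """Same shape as the wrapper in the traceback: forwards an argument the base lacks."""

    def loseConnection(self, reason=None):
        BaseServer.loseConnection(self, reason)  # raises TypeError; socket never closed


class FixedTLSServer(BaseServer):
    """Hypothetical fix (not python-gnutls's): forward only what the base signature accepts."""

    def loseConnection(self, reason=None):
        accepted = inspect.signature(BaseServer.loseConnection).parameters
        if "reason" in accepted:
            BaseServer.loseConnection(self, reason)
        else:
            BaseServer.loseConnection(self)


def disconnect_selectable(server, why):
    """Stand-in for the reactor's _disconnectSelectable step seen in the traceback.

    Returns ("ok", why) when teardown completes, or ("error", message) when an
    exception raised inside the cleanup path replaces the original reason `why`.
    """
    try:
        server.connectionLost(why)
    except TypeError as exc:
        return ("error", str(exc))
    return ("ok", server.lost_reason)
```

The buggy path never reaches the base close and reports a TypeError instead of the real transport error, which is why the syslog shows the signature mismatch rather than the reason the connection was being torn down.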