From jgh at wizmail.org Sat Aug 1 16:33:32 2015
From: jgh at wizmail.org (Jeremy Harris)
Date: Sat, 1 Aug 2015 15:33:32 +0100
Subject: [gnutls-help] ocsp stapling
In-Reply-To: <1438374289.1946.3.camel@gmail.com>
References: <55B53EB6.8020308@wizmail.org> <55BA2910.3060506@wizmail.org> <55BAAE4B.9050906@wizmail.org> <1438374289.1946.3.camel@gmail.com>
Message-ID: <55BCD8BC.7070809@wizmail.org>

On 31/07/15 21:24, Nikos Mavrogiannopoulos wrote:
> On Fri, 2015-07-31 at 00:07 +0100, Jeremy Harris wrote:
>
>> Still occurs with 3.3.16 (as shipped for Debian Stretch).
>> Test target: Debian Exim4; TLS enabled with server certificate
>> and OCSP proof.
>> Test client: "swaks" (an SMTP test utility with TLS capability).
>
> Thanks. That seems to be a bug. I've committed a fix in the repository.

Can you say if any older GnuTLS library versions were affected? I
see the fixes applied to 3.4.3+ and 3.3.16+ but not in other
branches. I need to know for what library versions I should code
Exim to avoid attempting to enable OCSP stapling.

--
Thanks,
Jeremy

From n.mavrogiannopoulos at gmail.com Sat Aug 1 16:42:34 2015
From: n.mavrogiannopoulos at gmail.com (Nikos Mavrogiannopoulos)
Date: Sat, 01 Aug 2015 16:42:34 +0200
Subject: [gnutls-help] ocsp stapling
In-Reply-To: <55BCD8BC.7070809@wizmail.org>
References: <55B53EB6.8020308@wizmail.org> <55BA2910.3060506@wizmail.org> <55BAAE4B.9050906@wizmail.org> <1438374289.1946.3.camel@gmail.com> <55BCD8BC.7070809@wizmail.org>
Message-ID: <1438440154.28505.1.camel@gmail.com>

On Sat, 2015-08-01 at 15:33 +0100, Jeremy Harris wrote:
> On 31/07/15 21:24, Nikos Mavrogiannopoulos wrote:
> > On Fri, 2015-07-31 at 00:07 +0100, Jeremy Harris wrote:
> >
> > > Still occurs with 3.3.16 (as shipped for Debian Stretch).
> > > Test target: Debian Exim4; TLS enabled with server certificate
> > > and OCSP proof.
> > > Test client: "swaks" (an SMTP test utility with TLS capability).
> >
> > Thanks. That seems to be a bug.
> > I've committed a fix in the
> > repository.
> Can you say if any older GnuTLS library versions were affected? I
> see the fixes applied to 3.4.3+ and 3.3.16+ but not in other
> branches.

The older branches no longer get updates. The 3.3.x branch is a drop-in
update for any previous release after 3.0.0.

regards,
Nikos

From jgh at wizmail.org Sat Aug 1 16:50:06 2015
From: jgh at wizmail.org (Jeremy Harris)
Date: Sat, 1 Aug 2015 15:50:06 +0100
Subject: [gnutls-help] ocsp stapling
In-Reply-To: <1438440154.28505.1.camel@gmail.com>
References: <55B53EB6.8020308@wizmail.org> <55BA2910.3060506@wizmail.org> <55BAAE4B.9050906@wizmail.org> <1438374289.1946.3.camel@gmail.com> <55BCD8BC.7070809@wizmail.org> <1438440154.28505.1.camel@gmail.com>
Message-ID: <55BCDC9E.8030609@wizmail.org>

On 01/08/15 15:42, Nikos Mavrogiannopoulos wrote:
> On Sat, 2015-08-01 at 15:33 +0100, Jeremy Harris wrote:
>> On 31/07/15 21:24, Nikos Mavrogiannopoulos wrote:
>>> On Fri, 2015-07-31 at 00:07 +0100, Jeremy Harris wrote:
>>>
>>>> Still occurs with 3.3.16 (as shipped for Debian Stretch).
>>>> Test target: Debian Exim4; TLS enabled with server certificate
>>>> and OCSP proof.
>>>> Test client: "swaks" (an SMTP test utility with TLS capability).
>>>
>>> Thanks. That seems to be a bug. I've committed a fix in the
>>> repository.
>> Can you say if any older GnuTLS library versions were affected? I
>> see the fixes applied to 3.4.3+ and 3.3.16+ but not in other
>> branches.
>
> The older branches no longer get updates. The 3.3.x branch is a drop-in
> update for any previous release after 3.0.0.

Should I regard the older branches as having this bug, in that case?
--
Thanks,
Jeremy

From nmav at gnutls.org Sat Aug 1 19:15:49 2015
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sat, 01 Aug 2015 19:15:49 +0200
Subject: [gnutls-help] ocsp stapling
In-Reply-To: <55BCDC9E.8030609@wizmail.org>
References: <55B53EB6.8020308@wizmail.org> <55BA2910.3060506@wizmail.org> <55BAAE4B.9050906@wizmail.org> <1438374289.1946.3.camel@gmail.com> <55BCD8BC.7070809@wizmail.org> <1438440154.28505.1.camel@gmail.com> <55BCDC9E.8030609@wizmail.org>
Message-ID: <1438449349.10322.1.camel@gnutls.org>

On Sat, 2015-08-01 at 15:50 +0100, Jeremy Harris wrote:
> > > > > Still occurs with 3.3.16 (as shipped for Debian Stretch).
> > > > > Test target: Debian Exim4; TLS enabled with server certificate
> > > > > and OCSP proof.
> > > > > Test client: "swaks" (an SMTP test utility with TLS capability).
> > > >
> > > > Thanks. That seems to be a bug. I've committed a fix in the
> > > > repository.
> > > Can you say if any older GnuTLS library versions were affected?
> > > I see the fixes applied to 3.4.3+ and 3.3.16+ but not in other
> > > branches.
> > The older branches no longer get updates. The 3.3.x branch is a drop-in
> > update for any previous release after 3.0.0.
> Should I regard the older branches as having this bug, in that case?

Yes.

From jgh at wizmail.org Tue Aug 4 21:08:38 2015
From: jgh at wizmail.org (Jeremy Harris)
Date: Tue, 4 Aug 2015 20:08:38 +0100
Subject: [gnutls-help] ocsp stapling
In-Reply-To: <1438374289.1946.3.camel@gmail.com>
References: <55B53EB6.8020308@wizmail.org> <55BA2910.3060506@wizmail.org> <55BAAE4B.9050906@wizmail.org> <1438374289.1946.3.camel@gmail.com>
Message-ID: <55C10DB6.9030106@wizmail.org>

On 31/07/15 21:24, Nikos Mavrogiannopoulos wrote:
> On Fri, 2015-07-31 at 00:07 +0100, Jeremy Harris wrote:
>
>> Still occurs with 3.3.16 (as shipped for Debian Stretch).
>> Test target: Debian Exim4; TLS enabled with server certificate
>> and OCSP proof.
>> Test client: "swaks" (an SMTP test utility with TLS capability).
>
> Thanks. That seems to be a bug. I've committed a fix in the repository.

The client side still emits a status_request extension, even when
not asked to by the client application.

--
Cheers,
Jeremy

From n.mavrogiannopoulos at gmail.com Wed Aug 5 09:40:29 2015
From: n.mavrogiannopoulos at gmail.com (Nikos Mavrogiannopoulos)
Date: Wed, 5 Aug 2015 09:40:29 +0200
Subject: [gnutls-help] ocsp stapling
In-Reply-To: <55C10DB6.9030106@wizmail.org>
References: <55B53EB6.8020308@wizmail.org> <55BA2910.3060506@wizmail.org> <55BAAE4B.9050906@wizmail.org> <1438374289.1946.3.camel@gmail.com> <55C10DB6.9030106@wizmail.org>
Message-ID:

On Tue, Aug 4, 2015 at 9:08 PM, Jeremy Harris wrote:
> The client side still emits a status_request extension, even when
> not asked to by the client application.

That is the documented behavior. Check gnutls_init().

regards,
Nikos

From nmav at gnutls.org Mon Aug 10 09:08:36 2015
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Mon, 10 Aug 2015 09:08:36 +0200
Subject: [gnutls-help] gnutls 3.4.4
Message-ID: <1439190516.1717.1.camel@gnutls.org>

Hello,

I've just released gnutls 3.4.4. This version fixes bugs and adds minor
features to the next stable branch.

* Version 3.4.4 (released 2015-08-10)

** libgnutls: added high level API (gnutls_prf_rfc5705) to access the PRF
as specified by RFC5705. Suggestion and original patch by Rick van Rein.

** libgnutls: Link to trousers (TPM library) dynamically when this
functionality is requested.

** libgnutls: Fix issue with server side sending the status request
extension even when not requested. Reported by Jeremy Harris.

** libgnutls: Added support for RFC7507 by introducing the %FALLBACK_SCSV
priority string option. Patch by Alessandro Ghedini.

** libgnutls: gnutls_pkcs11_privkey_generate2() will store the generated
public key, unless the GNUTLS_PKCS11_OBJ_FLAG_NO_STORE_PUBKEY flag is
specified.
** libgnutls: Corrected regression from 3.4.3 in loading PKCS #8 keys as
fallback. Reported by Daniel Berrange.

** libgnutls: Allow the parsing of very long DNs. Also fixes double free
in DN decoding [GNUTLS-SA-2015-3].

** API and ABI modifications:
gnutls_prf_rfc5705: Added
gnutls_hex_encode2: Added
gnutls_hex_decode2: Added

Getting the Software
====================

GnuTLS may be downloaded directly from . A list of GnuTLS mirrors can be
found at .

Here are the XZ and LZIP compressed sources:

  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/gnutls-3.4.4.tar.xz
  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/gnutls-3.4.4.tar.lz

Here are OpenPGP detached signatures signed using key 0x96865171:

  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/gnutls-3.4.4.tar.xz.sig
  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/gnutls-3.4.4.tar.lz.sig

Note that it has been signed with my openpgp key:

pub   3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid   Nikos Mavrogiannopoulos gnutls.org>
uid   Nikos Mavrogiannopoulos gmail.com>
sub   2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub   2048R/1404A91D 2008-05-04 [expires: 2018-05-02]

regards,
Nikos

From nmav at gnutls.org Mon Aug 10 09:09:53 2015
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Mon, 10 Aug 2015 09:09:53 +0200
Subject: [gnutls-help] gnutls 3.3.17
Message-ID: <1439190593.1717.2.camel@gnutls.org>

Hello,

I've just released gnutls 3.3.17. This is a bug-fix release on the current
stable branch.

* Version 3.3.17 (released 2015-08-10)

** libgnutls: Fix issue with server side sending the status request
extension even when not requested. Reported by Jeremy Harris.

** libgnutls: gnutls_pkcs11_privkey_generate2() will store the generated
public key, unless the GNUTLS_PKCS11_OBJ_FLAG_NO_STORE_PUBKEY flag is
specified.

** libgnutls: fixed double free in DN decoding [GNUTLS-SA-2015-3].

** API and ABI modifications:
No changes since last version.
Getting the Software
====================

GnuTLS may be downloaded directly from . A list of GnuTLS mirrors can be
found at .

Here are the XZ and LZIP compressed sources:

  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.17.tar.xz
  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.17.tar.lz

Here are OpenPGP detached signatures signed using key 0x96865171:

  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.17.tar.xz.sig
  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.17.tar.lz.sig

Note that it has been signed with my openpgp key:

pub   3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid   Nikos Mavrogiannopoulos gnutls.org>
uid   Nikos Mavrogiannopoulos gmail.com>
sub   2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub   2048R/1404A91D 2008-05-04 [expires: 2018-05-02]

regards,
Nikos

From lists at schamschula.com Mon Aug 10 14:50:20 2015
From: lists at schamschula.com (Marius Schamschula)
Date: Mon, 10 Aug 2015 07:50:20 -0500
Subject: [gnutls-help] [gnutls-devel] gnutls 3.3.17
In-Reply-To: <1439190593.1717.2.camel@gnutls.org>
References: <1439190593.1717.2.camel@gnutls.org>
Message-ID:

Nikos,

I'm not sure what happened between gnutls 3.3.16 and 3.3.17 to cause the
following errors:

(seen under OS X 10.10.4. Note: I am passing --enable-local-libopts which
is supposed to prevent this issue. Also tried building w/o autoconf with
same result)

In file included from srptool-args.c:43:
./srptool-args.h:61:3: error: option template version mismatches autoopts/options.h header
# error option template version mismatches autoopts/options.h header
  ^
./srptool-args.h:62:3: error: unknown type name 'Choke'
Choke Me.
^
./srptool-args.h:62:11: error: expected ';' after top level declarator
Choke Me.
          ^
          ;
In file included from psktool-args.c:43:
./psktool-args.h:61:3: error: option template version mismatches autoopts/options.h header
# error option template version mismatches autoopts/options.h header
  ^
./psktool-args.h:62:3: error: unknown type name 'Choke'
Choke Me.
^
's' here static void coerce_it(void ** s) { *s = AO_gettext(*s); ^ serv-args.c:1735:19: warning: incompatible integer to pointer conversion passing 'int' to parameter of type 'void **' [-Wint-conversion] coerce_it(VOIDP(&(opts->pzExplain))); ^~~~~~~~~~~~~~~~~~~~~~~~~ serv-args.c:1700:31: note: passing argument to parameter 's' here static void coerce_it(void ** s) { *s = AO_gettext(*s); ^ serv-args.c:1736:19make[4]: *** [psktool-args.lo] Error 1 : warning: incompatible integer to pointer conversion passing 'int' to parameter of type 'void **' [-Wint-conversion] coerce_it(VOIDP(&(opts->pzDetail))); ^~~~~~~~~~~~~~~~~~~~~~~~ serv-args.c:1700:31: note: passing argument to parameter 's' here static void coerce_it(void ** s) { *s = AO_gettext(*s); ^ serv-args.c:1740:27: warning: incompatible integer to pointer conversion passing 'int' to parameter of type 'void **' [-Wint-conversion] coerce_it(VOIDP(&(od->pzText))); ^~~~~~~~~~~~~~~~~~~~ serv-args.c:1700:31: note: passing argument to parameter 's' here static void coerce_it(void ** s) { *s = AO_gettext(*s); ^ ^ 13 warnings and 7 errors generated. 
certtool-args.c:2101:47: error: use of undeclared identifier 'INDEX_OPT_OUTDER' int res = optionAlias(pOptions, pOptDesc, INDEX_OPT_OUTDER); ^ certtool-args.c:2166:7: error: use of undeclared identifier 'INDEX_OPT_MORE_HELP' { INDEX_OPT_MORE_HELP, /* more-help option index */ ^ ocsptool-args.c:1043:19: warning: cast to 'char *' from smaller integer type 'int' [-Wint-to-pointer-cast] res = (char *)VOIDP(_(pz)); ^ ocsptool-args.c:1045:15: warning: cast to 'char *' from smaller integer type 'int' [-Wint-to-pointer-cast] res = (char *)VOIDP(_(pz)); ^ cli-args.c:2023:19: warning: cast to 'char *' from smaller integer type 'int' [-Wint-to-pointer-cast] res = (char *)VOIDP(_(pz)); ^ cli-args.c:2025:15: warning: cast to 'char *' from smaller integer type 'int' [-Wint-to-pointer-cast] res = (char *)VOIDP(_(pz)); ^ ocsptool-args.c:1084:23: warning: cast to 'char **' from smaller integer type 'int' [-Wint-to-pointer-cast] char ** ppz = (char**)VOIDP(&(option_xlateable_txt)); ^ ocsptool-args.c:1094:19: warning: incompatible integer to pointer conversion passing 'int' to parameter of type 'void **' [-Wint-conversion] cli-args.c:2064:23: warning: cast to 'char **' from smaller integer type 'int' [-Wint-to-pointer-cast] coerce_it(VOIDP(&(opts->pzCopyright))); ^~~~~~~~~~~~~~~~~~~~~~~~~~~ ocsptool-args.c:1063:31: note: passing argument to parameter 's' here char ** ppz = (char**)VOIDP(&(option_xlateable_txt)); ^ static void coerce_it(void ** s) { *s = AO_gettext(*s); ^ ocsptool-args.c:1095:19: warning: incompatible integer to pointer conversion passing 'int' to parameter of type 'void **' [-Wint-conversion] cli-args.c:2074:19: warning: incompatible integer to pointer conversion passing 'int' to parameter of type 'void **' [-Wint-conversion] coerce_it(VOIDP(&(opts->pzCopyNotice))); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ ocsptool-args.c:1063:31: note: passing argument to parameter 's' here coerce_it(VOIDP(&(opts->pzCopyright))); ^~~~~~~~~~~~~~~~~~~~~~~~~~~ static void coerce_it(void ** s) { *s 
= AO_gettext(*s); ^ cli-args.c:2043:31: note: passing argument to parameter 's' here ocsptool-args.c:1096:19:static void coerce_it(void ** s) { *s = AO_gettext(*s); warning: incompatible integer to pointer conversion passing 'int' to parameter of type 'void **' [-Wint-conversion] ^ coerce_it(VOIDP(&(opts->pzFullVersion))); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ocsptool-args.c:1063:31:cli-args.c:2075:19: warning: incompatible integer to pointer conversion passing 'int' to parameter of type 'void **' [-Wint-conversion] coerce_it(VOIDP(&(opts->pzCopyNotice))); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ cli-args.c:2043:31: note: passing argument to parameter 's' here note: passing argument to parameter 's' here make[4]: *** [serv-args.lo] Error 1 static void coerce_it(void ** s) { *s = AO_gettext(*s); ^ static void coerce_it(void ** s) { *s = AO_gettext(*s); ^ cli-args.c:2076:19: warning: incompatible integer to pointer conversion passing 'int' to parameter of type 'void **' [-Wint-conversion] ocsptool-args.c:1097:19: warning: incompatible integer to pointer conversion passing 'int' to parameter of type 'void **' [-Wint-conversion] coerce_it(VOIDP(&(opts->pzFullVersion))); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ cli-args.c:2043:31: note: passing argument to parameter 's' here coerce_it(VOIDP(&(opts->pzUsageTitle))); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ ocsptool-args.c:1063:31: note: passing argument to parameter 's' here static void coerce_it(void ** s) { *s = AO_gettext(*s); ^ static void coerce_it(void ** s) { *s = AO_gettext(*s); ^ cli-args.c:2077:19: warning: incompatible integer to pointer conversion passing 'int' to parameter of type 'void **' [-Wint-conversion] ocsptool-args.c:1098:19: warning: incompatible integer to pointer conversion passing 'int' to parameter of type 'void **' [-Wint-conversion] coerce_it(VOIDP(&(opts->pzUsageTitle))); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ cli-args.c:2043:31: note: passing argument to parameter 's' here coerce_it(VOIDP(&(opts->pzExplain))); ^~~~~~~~~~~~~~~~~~~~~~~~~ 
ocsptool-args.c:1063:31: note: passing argument to parameter 's' here static void coerce_it(void ** s) { *s = AO_gettext(*s); ^ static void coerce_it(void ** s) { *s = AO_gettext(*s); ^ cli-args.c:2078:19: warning: incompatible integer to pointer conversion passing 'int' to parameter of type 'void **' [-Wint-conversion] ocsptool-args.c:1099: coerce_it(VOIDP(&(opts->pzExplain)));19 : ^~~~~~~~~~~~~~~~~~~~~~~~~ warning: incompatible integer to pointer conversion passing 'int' to parameter of type 'void **' [-Wint-conversion] cli-args.c:2043:31: coerce_it(VOIDP(&(opts->pzDetail))); note: passing argument to parameter 's' here static void coerce_it(void ** s) { *s = AO_gettext(*s); ^ cli-args.c:2079:19: warning: incompatible integer to pointer conversion passing 'int' to parameter of type 'void **' [-Wint-conversion] ^~~~~~~~~~~~~~~~~~~~~~~~ coerce_it(VOIDP(&(opts->pzDetail))); ^~~~~~~~~~~~~~~~~~~~~~~~ ocsptool-args.c:1063:31cli-args.c:: 2043note:: 31passing argument to parameter 's' here static void coerce_it(void ** s) { *s = AO_gettext(*s); ^ : note: passing argument to parameter 's' here static void coerce_it(void ** s) { *s = AO_gettext(*s); ^ ocsptool-args.c:1103:27: warning: incompatible integer to pointer conversion passing 'int' to parameter of type 'void **' [-Wint-conversion] coerce_it(VOIDP(&(od->pzText))); ^~~~~~~~~~~~~~~~~~~~ ocsptool-args.c:1063:31: note: passing argument to parameter 's' here cli-args.c:2083:27: warning: incompatible integer to pointer conversion passing 'int' to parameter of type 'void **' [-Wint-conversion] static void coerce_it(void ** s) { *s = AO_gettext(*s); ^ coerce_it(VOIDP(&(od->pzText))); ^~~~~~~~~~~~~~~~~~~~ cli-args.c:2043:31: note: passing argument to parameter 's' here static void coerce_it(void ** s) { *s = AO_gettext(*s); ^ 12 warnings and 11 errors generated. 14 warnings and 10 errors generated. 
make[4]: *** [ocsptool-args.lo] Error 1 make[4]: *** [cli-args.lo] Error 1 certtool-cfg.c:1133:60: warning: format specifies type 'unsigned long' but the argument has type 'uint64_t' (aka 'unsigned long long') [-Wformat] snprintf(tmsg, sizeof(tmsg), "%s (default: %lu): ", msg, default_serial_int); ~~~ ^~~~~~~~~~~~~~~~~~ %llu /usr/include/secure/_stdio.h:57:62: note: expanded from macro 'snprintf' __builtin___snprintf_chk (str, len, 0, __darwin_obsz(str), __VA_ARGS__) ^ certtool-args.c:2220:19: warning: cast to 'char *' from smaller integer type 'int' [-Wint-to-pointer-cast] res = (char *)VOIDP(_(pz)); ^ certtool-args.c:2222:15: warning: cast to 'char *' from smaller integer type 'int' [-Wint-to-pointer-cast] res = (char *)VOIDP(_(pz)); ^ certtool-args.c:2261:23: warning: cast to 'char **' from smaller integer type 'int' [-Wint-to-pointer-cast] char ** ppz = (char**)VOIDP(&(option_xlateable_txt)); ^ certtool-args.c:2271:19: warning: incompatible integer to pointer conversion passing 'int' to parameter of type 'void **' [-Wint-conversion] coerce_it(VOIDP(&(opts->pzCopyright))); ^~~~~~~~~~~~~~~~~~~~~~~~~~~ certtool-args.c:2240:31: note: passing argument to parameter 's' here static void coerce_it(void ** s) { *s = AO_gettext(*s); ^ certtool-args.c:2272:19: warning: incompatible integer to pointer conversion passing 'int' to parameter of type 'void **' [-Wint-conversion] coerce_it(VOIDP(&(opts->pzCopyNotice))); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ certtool-args.c:2240:31: note: passing argument to parameter 's' here static void coerce_it(void ** s) { *s = AO_gettext(*s); ^ certtool-args.c:2273:19: warning: incompatible integer to pointer conversion passing 'int' to parameter of type 'void **' [-Wint-conversion] coerce_it(VOIDP(&(opts->pzFullVersion))); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ certtool-args.c:2240:31: note: passing argument to parameter 's' here static void coerce_it(void ** s) { *s = AO_gettext(*s); ^ certtool-args.c:2274:19: warning: incompatible integer to pointer 
On Aug 10, 2015, at 2:09 AM, Nikos Mavrogiannopoulos wrote:

> Hello,
> I've just released gnutls 3.3.17. This is a bug-fix release on
> the current stable branch.
>
>
> * Version 3.3.17 (released 2015-08-10)
>
> ** libgnutls: Fix issue with server side sending the status request
> extension even when not requested. Reported by Jeremy Harris.
>
> ** libgnutls: gnutls_pkcs11_privkey_generate2() will store the
> generated public key, unless the
> GNUTLS_PKCS11_OBJ_FLAG_NO_STORE_PUBKEY flag is specified.
>
> ** libgnutls: fixed double free in DN decoding [GNUTLS-SA-2015-3].
>
> ** API and ABI modifications:
> No changes since last version.
>
>
> Getting the Software
> ====================
>
> GnuTLS may be downloaded directly from . A list of GnuTLS mirrors can be
> found at .
>
> Here are the XZ and LZIP compressed sources:
>
> ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.17.tar.xz
> ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.17.tar.lz
>
> Here are OpenPGP detached signatures signed using key 0x96865171:
>
> ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.17.tar.xz.sig
> ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.17.tar.lz.sig
>
> Note that it has been signed with my openpgp key:
> pub 3104R/96865171 2008-05-04 [expires: 2028-04-29]
> uid Nikos Mavrogiannopoulos gnutls.org>
> uid Nikos Mavrogiannopoulos gmail.com>
> sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02]
> sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02]
>
> regards,
> Nikos
>
>
> _______________________________________________
> Gnutls-devel mailing list
> Gnutls-devel at lists.gnutls.org
> http://lists.gnupg.org/mailman/listinfo/gnutls-devel

Marius
--
Marius Schamschula

From nmav at gnutls.org Mon Aug 10 16:11:14 2015
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Mon, 10 Aug 2015 16:11:14 +0200
Subject: [gnutls-help] [gnutls-devel] gnutls 3.3.17
In-Reply-To:
References: <1439190593.1717.2.camel@gnutls.org>
Message-ID:

On Mon, Aug 10, 2015 at 2:50 PM, Marius Schamschula wrote:
> Nikos,
> I'm not sure what happened between gnutls 3.3.16 and 3.3.17 to cause the
> following errors: (seen under OS X 10.10.4, Note: I am passing
> --enable-local-libopts which is supposed to prevent this issue.
> Also tried
> building w/o autoconf with same result)
> In file included from In file included from srptool-args.c:43:
> ./srptool-args.h:61:3: error: option template version mismatches
> autoopts/options.h header
> # error option template version mismatches autoopts/options.h header

That's a libopts issue. When the auto-generated files from autogen are
regenerated using a newer autogen, the included libopts library is
automatically invalidated. The check in libopts is for any version (major,
minor or even patch - as in that case).

A work-around would be to regenerate the autogen files locally with
autogen 5.18.4 to make --enable-local-libopts work.

I'd have to add some check for autogen/included libopts match to
prevent this from happening again.

regards,
Nikos

From lists at schamschula.com Mon Aug 10 17:39:50 2015
From: lists at schamschula.com (Marius Schamschula)
Date: Mon, 10 Aug 2015 10:39:50 -0500
Subject: [gnutls-help] [gnutls-devel] gnutls 3.3.17
In-Reply-To:
References: <1439190593.1717.2.camel@gnutls.org>
Message-ID: <37B1ACD2-A959-4398-B2DD-91E96295E7CA@schamschula.com>

Nikos,

Two notes:

1) Installing autogen 5.18.4 made no difference
2) I see the identical error with gnutls 3.4.4

On Aug 10, 2015, at 9:11 AM, Nikos Mavrogiannopoulos wrote:

> On Mon, Aug 10, 2015 at 2:50 PM, Marius Schamschula
> wrote:
>> Nikos,
>> I'm not sure what happened between gnutls 3.3.16 and 3.3.17 to cause the
>> following errors: (seen under OS X 10.10.4, Note: I am passing
>> --enable-local-libopts which is supposed to prevent this issue. Also tried
>> building w/o autoconf with same result)
>> In file included from In file included from srptool-args.c:43:
>> ./srptool-args.h:61:3: error: option template version mismatches
>> autoopts/options.h header
>> # error option template version mismatches autoopts/options.h header
>
> That's a libopts issue.
> When the auto-generated files from autogen are regenerated
> using a newer autogen, the included libopts library is automatically
> invalidated. The check
> in libopts is for any version (major, minor or even patch - as in that case).
>
> A work-around would be to regenerate the autogen files locally with
> autogen 5.18.4 to make --enable-local-libopts work.
>
> I'd have to add some check for autogen/included libopts match to
> prevent this from happening again.
>
> regards,
> Nikos

Marius
--
Marius Schamschula

From nmav at gnutls.org Mon Aug 10 19:56:47 2015
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Mon, 10 Aug 2015 19:56:47 +0200
Subject: [gnutls-help] [gnutls-devel] gnutls 3.3.17
In-Reply-To: <37B1ACD2-A959-4398-B2DD-91E96295E7CA@schamschula.com>
References: <1439190593.1717.2.camel@gnutls.org> <37B1ACD2-A959-4398-B2DD-91E96295E7CA@schamschula.com>
Message-ID: <1439229407.12310.1.camel@gnutls.org>

On Mon, 2015-08-10 at 10:39 -0500, Marius Schamschula wrote:
> Nikos,
>
> Two notes:
>
> 1) Installing autogen 5.18.4 made no difference

You'd need to auto-generate the files. Using touch src/*.def makes the
trick on my system.

I've just released 3.3.17.1 and 3.4.4.1 which include the correct
auto-generated files for --enable-local-libopts to work.

regards,
Nikos

From lists at schamschula.com Mon Aug 10 20:35:18 2015
From: lists at schamschula.com (Marius Schamschula)
Date: Mon, 10 Aug 2015 13:35:18 -0500
Subject: [gnutls-help] [gnutls-devel] gnutls 3.3.17
In-Reply-To: <1439229407.12310.1.camel@gnutls.org>
References: <1439190593.1717.2.camel@gnutls.org> <37B1ACD2-A959-4398-B2DD-91E96295E7CA@schamschula.com> <1439229407.12310.1.camel@gnutls.org>
Message-ID:

Nikos,

Thanks for the quick turnaround! Both gnutls 3.3.17.1 and 3.4.4.1 build cleanly.
On Aug 10, 2015, at 12:56 PM, Nikos Mavrogiannopoulos wrote:

> On Mon, 2015-08-10 at 10:39 -0500, Marius Schamschula wrote:
>> Nikos,
>>
>> Two notes:
>>
>> 1) Installing autogen 5.18.4 made no difference
>
> You'd need to auto-generate the files. Using touch src/*.def makes the
> trick on my system.
>
> I've just released 3.3.17.1 and 3.4.4.1 which include the correct
> auto-generated files for --enable-local-libopts to work.
>
> regards,
> Nikos
>

Marius
--
Marius Schamschula

From max.bruce12 at gmail.com Tue Aug 11 02:02:19 2015
From: max.bruce12 at gmail.com (Max Bruce)
Date: Mon, 10 Aug 2015 17:02:19 -0700
Subject: [gnutls-help] [gnutls-devel] gnutls 3.3.17
In-Reply-To: <1439229407.12310.1.camel@gnutls.org>
References: <1439190593.1717.2.camel@gnutls.org> <37B1ACD2-A959-4398-B2DD-91E96295E7CA@schamschula.com> <1439229407.12310.1.camel@gnutls.org>
Message-ID:

I'm running into this issue on version 4.3, I removed both autogen (turns
out I never had it), libopts25, and libopts25-dev (mint/ubuntu) from my
system after trying various configurations to get it to compile. I also
tried:
./configure --enable-local-libopts
but that didn't seem to change anything. I tried doing the touch src/*.def
in the main gnutls directory, no change.

On Mon, Aug 10, 2015 at 10:56 AM, Nikos Mavrogiannopoulos wrote:

> On Mon, 2015-08-10 at 10:39 -0500, Marius Schamschula wrote:
> > Nikos,
> >
> > Two notes:
> >
> > 1) Installing autogen 5.18.4 made no difference
>
> You'd need to auto-generate the files. Using touch src/*.def makes the
> trick on my system.
>
> I've just released 3.3.17.1 and 3.4.4.1 which include the correct
> auto-generated files for --enable-local-libopts to work.
>
> regards,
> Nikos
>
>
> _______________________________________________
> Gnutls-help mailing list
> Gnutls-help at lists.gnutls.org
> http://lists.gnupg.org/mailman/listinfo/gnutls-help
>

--
Thanks,
Max Bruce
www.avuna.org

From max.bruce12 at gmail.com Tue Aug 11 02:09:47 2015
From: max.bruce12 at gmail.com (Max Bruce)
Date: Mon, 10 Aug 2015 17:09:47 -0700
Subject: [gnutls-help] [gnutls-devel] gnutls 3.3.17
In-Reply-To:
References: <1439190593.1717.2.camel@gnutls.org> <37B1ACD2-A959-4398-B2DD-91E96295E7CA@schamschula.com> <1439229407.12310.1.camel@gnutls.org>
Message-ID:

Version 3.4.4*

On Mon, Aug 10, 2015 at 5:02 PM, Max Bruce wrote:

> I'm running into this issue on version 4.3, I removed both autogen (turns
> out I never had it), libopts25, and libopts25-dev (mint/ubuntu) from my
> system after trying various configurations to get it to compile. I also
> tried:
> ./configure --enable-local-libopts
> but that didn't seem to change anything. I tried doing the touch src/*.def
> in the main gnutls directory, no change.
>
>
> On Mon, Aug 10, 2015 at 10:56 AM, Nikos Mavrogiannopoulos
> wrote:
>
>> On Mon, 2015-08-10 at 10:39 -0500, Marius Schamschula wrote:
>> > Nikos,
>> >
>> > Two notes:
>> >
>> > 1) Installing autogen 5.18.4 made no difference
>>
>> You'd need to auto-generate the files. Using touch src/*.def makes the
>> trick on my system.
>>
>> I've just released 3.3.17.1 and 3.4.4.1 which include the correct
>> auto-generated files for --enable-local-libopts to work.
>>
>> regards,
>> Nikos
>>
>>
>> _______________________________________________
>> Gnutls-help mailing list
>> Gnutls-help at lists.gnutls.org
>> http://lists.gnupg.org/mailman/listinfo/gnutls-help
>>
>
>
>
> --
> Thanks,
> Max Bruce
> www.avuna.org
>

--
Thanks,
Max Bruce
www.avuna.org
From max.bruce12 at gmail.com Wed Aug 12 07:35:44 2015
From: max.bruce12 at gmail.com (Max Bruce)
Date: Tue, 11 Aug 2015 22:35:44 -0700
Subject: [gnutls-help] GNUTLS_E_PARSING_ERROR when reading PEM, yet is a PKCS11 error?
Message-ID:

Calling code:
int e1 = gnutls_certificate_set_x509_key_file(oc->cert, certj, keyj, GNUTLS_X509_FMT_PEM);
All looks good from my side, and both certj/keyj are absolute paths to a
certificate & private key in PEM format. It returns -302, which translates
to GNUTLS_E_PARSING_ERROR, which is under the category of errors "PKCS11
related".
I'll attach a copy of the public key to this, and I can send the private key
to anyone that asks to see it (it's PEM directly from StartCom).

--
Thanks,
Max Bruce
www.avuna.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ssl.crt
Type: application/pkix-cert
Size: 2589 bytes
Desc: not available

From rick at tamos.net Tue Aug 11 20:05:13 2015
From: rick at tamos.net (Rick Hanson)
Date: Tue, 11 Aug 2015 14:05:13 -0400
Subject: [gnutls-help] Behind office/workplace firewall
Message-ID:

Hi List!

When I'm at the office I can't seem to reach an outside server with gnutls.
The situation looks like this.

$ gnutls-cli-debug marmalade-repo.org
Resolving 'marmalade-repo.org'...
Connecting to '80.69.77.43:443'...
connect: Connection timed out

Yet, when I ssh out to another machine outside of my workplace firewall, the
same command works fine.

gnutls-cli-debug marmalade-repo.org
Resolving 'marmalade-repo.org'...
Connecting to '80.69.77.43:443'...
Checking for SSL 3.0 support... no
Checking whether %COMPAT is required... no
[Rest of output cut.]

(So now, I'm assuming I'm getting cut off at that firewall.)

I already have a SOCKS proxy (via `ssh -D`) established from behind my
workplace firewall for use, e.g., with Firefox.
Question: (how) can I direct gnutls to use that tunnel, or another, to get
"outside"? I read the man page but didn't see it; so if I missed it, mea
culpa and sorry.

Thanks for your help.

Best,
--Rick

From ADunsmoor at elemechinc.com Tue Aug 11 23:17:13 2015
From: ADunsmoor at elemechinc.com (Adam Dunsmoor)
Date: Tue, 11 Aug 2015 16:17:13 -0500
Subject: [gnutls-help] Make Errors
Message-ID: <13B35C9F1D974C4AA1561C701ED8427B01EF67CD82C4@SERVER1.elemech.local>

Hello. I am trying to make GnuTLS 3.4.4 and am getting the following errors:

//user/local/lib/libgnutls.so.30: undefined reference to 'asn1_decode_simple_ber at LIBTASN1_0_3'
//user/local/lib/libgnutls.so.30: undefined reference to 'p11_kit_uri_get_pin_value'

I can skip p11 "./configure -without-p11-kit" but can't for libtasn

I noticed that in version 4.3 of libtasn1 they added asn1_decode_simple_ber().
Should I install an earlier version of libtasn1 than 4.3?

Thank you.

EleMech, Inc.
2275 White Oak Circle
Aurora, IL 60504
Programmer
Phone: 630.499.7080 X19
Fax: 630-499-7760

The information transmitted in this email is intended for the person or entity to which it is addressed, and may contain confidential and/or privileged material. Any review, retransmission or other use of, or taking any action in reliance upon this information by persons or entities other than the intended recipient is strictly prohibited. If you receive this email in error, please contact the sender and delete material from any system.

From nmav at gnutls.org Wed Aug 12 09:32:48 2015
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Wed, 12 Aug 2015 09:32:48 +0200
Subject: [gnutls-help] GNUTLS_E_PARSING_ERROR when reading PEM, yet is a PKCS11 error?
In-Reply-To:
References:
Message-ID:

On Wed, Aug 12, 2015 at 7:35 AM, Max Bruce wrote:
> Calling code:
> int e1 = gnutls_certificate_set_x509_key_file(oc->cert, certj, keyj,
> GNUTLS_X509_FMT_PEM);
> All looks good from my side, and both certj/keyj are absolute paths to a
> certificate & private key in PEM format. It returns -302, which translates
> to GNUTLS_E_PARSING_ERROR, which is under the category of errors "PKCS11
> related"
> I'll attach a copy of the public key to this, and I can send the private key
> to anyone that asks to see it (it's PEM directly from StartCom).

Hello,
Don't send your private key to anybody unless it is a test key. Just
copy/paste the header (the BEGIN --- part), and whether certtool -k
succeeds in parsing it.

regards,
Nikos

From nmav at gnutls.org Wed Aug 12 09:36:11 2015
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Wed, 12 Aug 2015 09:36:11 +0200
Subject: [gnutls-help] Make Errors
In-Reply-To: <13B35C9F1D974C4AA1561C701ED8427B01EF67CD82C4@SERVER1.elemech.local>
References: <13B35C9F1D974C4AA1561C701ED8427B01EF67CD82C4@SERVER1.elemech.local>
Message-ID:

On Tue, Aug 11, 2015 at 11:17 PM, Adam Dunsmoor wrote:
> Hello. I am trying to make GnuTLS 3.4.4 and am getting the following
> errors:
>
>
>
> //user/local/lib/libgnutls.so.30: undefined reference to
> 'asn1_decode_simple_ber at LIBTASN1_0_3'
> //user/local/lib/libgnutls.so.30: undefined reference to
> 'p11_kit_uri_get_pin_value'
>
> I can skip p11 "./configure -without-p11-kit" but can't for libtasn
>

You are compiling with a newer library than the one you are linking with.
Most likely you have both versions of the libraries available but your
flags to linker are not correct.

regards,
Nikos
From max.bruce12 at gmail.com Wed Aug 12 09:39:40 2015
From: max.bruce12 at gmail.com (Max Bruce)
Date: Wed, 12 Aug 2015 00:39:40 -0700
Subject: [gnutls-help] GNUTLS_E_PARSING_ERROR when reading PEM, yet is a PKCS11 error?
In-Reply-To:
References:
Message-ID:

I figured it out, I thought the certificate was supposed to be in a PEM
format, however I found a set of specs somewhere that elaborated a bit and
said it's PKCS#7, and converted it to PKCS#7. Interestingly enough, that
didn't work, and I tried PEM format again, and it worked. I'll chalk it up
to some bizarre issue.

Anyway, would the GNUTLS project be interested in a Java port? I made a
limited one for my NIO system in my web server. I'd be willing to port the
full library over if there is interest. (My motives were that there's no
good NIO & TLS & SNI system combined for Java).

On Wed, Aug 12, 2015 at 12:32 AM, Nikos Mavrogiannopoulos wrote:

> On Wed, Aug 12, 2015 at 7:35 AM, Max Bruce wrote:
> > Calling code:
> > int e1 = gnutls_certificate_set_x509_key_file(oc->cert, certj, keyj,
> > GNUTLS_X509_FMT_PEM);
> > All looks good from my side, and both certj/keyj are absolute paths to a
> > certificate & private key in PEM format. It returns -302, which
> > translates to GNUTLS_E_PARSING_ERROR, which is under the category of
> > errors "PKCS11 related"
> > I'll attach a copy of the public key to this, and I can send the private
> > key to anyone that asks to see it (it's PEM directly from StartCom).
>
> Hello,
> Don't send your private key to anybody unless it is a test key. Just
> copy/paste the header (the BEGIN --- part), and whether certtool -k
> succeeds in parsing it.
>
> regards,
> Nikos
>

--
Thanks,
Max Bruce
www.avuna.org
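A pre-flight check of the PEM envelope, added here as an example (it is not code from GnuTLS or from either poster): it reads the BEGIN/END labels Nikos asks about, verifies that the base64 body decodes to one complete DER SEQUENCE, and names the mistake Max describes (a PKCS#7 bundle where a bare certificate is expected) instead of the single GNUTLS_E_PARSING_ERROR the loader returns. The label tables and every sample input are this example's own constructions; the samples are DER shells, not real certificates or keys.

```python
import base64
import binascii
import re

# Added example, not GnuTLS code: validates the PEM envelope of the files given to
# gnutls_certificate_set_x509_key_file(). Label tables are this example's own choice.
CERT_LABELS = {"CERTIFICATE", "X509 CERTIFICATE"}
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY"}
WRONG_OBJECT = {
    "PKCS7": "a PKCS#7 bundle, not a bare certificate",
    "ENCRYPTED PRIVATE KEY": "a PKCS#8 encrypted key, which the plain loader cannot read",
    "CERTIFICATE REQUEST": "a CSR, not a certificate",
}
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P<end>[A-Z0-9 ]+)-----",
    re.S,
)

def der_outer_length(der: bytes):
    """Return (tag, total encoded length) of the outermost DER TLV, or None."""
    if len(der) < 2:
        return None
    tag, first = der[0], der[1]
    if first < 0x80:                        # short-form length octet
        return tag, 2 + first
    n = first & 0x7F                        # long form: n length octets follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return tag, 2 + n + int.from_bytes(der[2:2 + n], "big")

def inspect_pem(data: bytes) -> list:
    """Validate every PEM block in data; one dict (label, ok, reason) per block."""
    results = []
    if data.startswith(b"\xef\xbb\xbf"):    # BOM left by a Windows editor
        results.append({"label": None, "ok": False,
                        "reason": "UTF-8 BOM before the first BEGIN line"})
    blocks = list(PEM_RE.finditer(data.decode("latin-1")))
    if not blocks:
        reason = ("no PEM armour; looks like raw DER (use GNUTLS_X509_FMT_DER)"
                  if data[:1] == b"\x30" else "no -----BEGIN ...----- block found")
        results.append({"label": None, "ok": False, "reason": reason})
    for m in blocks:
        label, body = m.group("label"), "".join(m.group("body").split())
        reason = ""
        if m.group("end") != label:
            reason = "END label does not match BEGIN label"
        else:
            try:
                der = base64.b64decode(body, validate=True)
                outer = der_outer_length(der)
                if outer is None or outer[0] != 0x30:
                    reason = "payload does not start with a DER SEQUENCE"
                elif outer[1] != len(der):
                    reason = "DER length mismatch: block is truncated or has trailing bytes"
            except (binascii.Error, ValueError):
                reason = "body is not valid base64 (stray characters or bad padding)"
        results.append({"label": label, "ok": not reason, "reason": reason})
    return results

def check_for_gnutls(cert_data: bytes, key_data: bytes):
    """Return (ok, findings) for a certificate file and a private-key file."""
    findings = []

    def usable(results, good_labels, what):
        hits = 0
        for r in results:
            if not r["ok"]:
                findings.append(f"{what}: {r['reason']}")
            elif r["label"] in good_labels:
                hits += 1
            elif r["label"] in WRONG_OBJECT:
                findings.append(f"{what}: file holds {WRONG_OBJECT[r['label']]}")
            else:
                findings.append(f"{what}: unexpected PEM label {r['label']!r}")
        if hits == 0:
            findings.append(f"{what}: no usable block")
        return hits

    usable(inspect_pem(cert_data), CERT_LABELS, "certificate")  # extra certs form the chain
    if usable(inspect_pem(key_data), KEY_LABELS, "private key") > 1:
        findings.append("private key: more than one key block")
    return (not findings), findings

def pem_block(label: str, der: bytes) -> bytes:
    """Wrap DER in a 64-column PEM block; used only to build the constructed samples."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n".encode()

# Constructed samples: DER shells with correct outer lengths, not real X.509 data
# or key material. LONG_SEQ exercises the long-form length encoding.
LONG_SEQ = b"\x30\x81\xc8" + b"\x04\x81\xc5" + b"A" * 197   # SEQUENCE { OCTET STRING }
SHORT_SEQ = b"\x30\x03\x02\x01\x05"                          # SEQUENCE { INTEGER 5 }
SAMPLE_CERT = pem_block("CERTIFICATE", LONG_SEQ)
SAMPLE_KEY = pem_block("RSA PRIVATE KEY", SHORT_SEQ)
SAMPLE_PKCS7 = pem_block("PKCS7", SHORT_SEQ)                 # the conversion Max tried
SAMPLE_TRUNCATED = b"\n".join(l for i, l in enumerate(SAMPLE_CERT.split(b"\n")) if i != 3)
```

Run it on the real files before calling the loader; a clean result means only that the envelope is sound, so the certtool -k parse Nikos suggests is still the next step.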
From nmav at gnutls.org Wed Aug 12 10:22:17 2015
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Wed, 12 Aug 2015 10:22:17 +0200
Subject: [gnutls-help] GNUTLS_E_PARSING_ERROR when reading PEM, yet is a PKCS11 error?
In-Reply-To:
References:
Message-ID:

On Wed, Aug 12, 2015 at 9:39 AM, Max Bruce wrote:
> Anyway, would the GNUTLS project be interested in a Java port? I made a
> limited one for my NIO system in my web server. I'd be willing to port the
> full library over if there is interest. (My motives were that there's no
> good NIO & TLS & SNI system combined for Java).

If you set up some project in gitlab (or github), I will certainly link to
it from [0]. If there is interest and it progresses it could be made part
of the gnutls group in gitlab.

thanks,
Nikos

[0]. http://www.gnutls.org/download.html

From andreas at stapelspeicher.org Thu Aug 13 21:24:27 2015
From: andreas at stapelspeicher.org (Andreas Müller)
Date: Thu, 13 Aug 2015 21:24:27 +0200
Subject: [gnutls-help] certificate issuer validation issue
Message-ID: <20150813192427.GA1800@darkstar>

Hi, recently I noticed that one of my e-mail accounts would not be
fetched and figured the problems would be gnutls. It cannot verify the
issuer.
Using openssl allows my client (mpop) to fetch the mails via TLS.
I am pretty sure it started when I updated the ca-certificates package
for my distribution. (Slackware64-current using ca-certificates_20150426.tar.xz, I guess they are from Debian)

The site in question is pop3.arcor-online.net:995
openssl validates the certificate, while gnutls (tested 3.2.15, 3.2.21 and 3.3.17) won't.

Is it a problem with gnutls, openssl, my local certificate files or the site?

Maybe relevant sidenote:
Using gnutls, mpop would show the issuer name with a backslash, "Thawte\, Inc.",
while using openssl just shows "Thawte, Inc.". The same in "gnutls-cli" and "openssl s_client".
Thanks in advance,
Andreas Müller

From nmav at gnutls.org Fri Aug 14 09:56:32 2015
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Fri, 14 Aug 2015 09:56:32 +0200
Subject: [gnutls-help] certificate issuer validation issue
In-Reply-To: <20150813192427.GA1800@darkstar>
References: <20150813192427.GA1800@darkstar>
Message-ID:

On Thu, Aug 13, 2015 at 9:24 PM, Andreas Müller wrote:
> Hi, recently I noticed that one of my e-mail accounts would not be
> fetched and figured the problems would be gnutls. It cannot verify the
> issuer.
> Using openssl allows my client (mpop) to fetch the mails via TLS.
> I am pretty sure it started when I updated the ca-certificates package
> for my distribution. (Slackware64-current using ca-certificates_20150426.tar.xz, I guess they are from Debian)

The best would be to report that to debian instead. In any case, what
is the certificate chain that cannot be validated? Do you know which
CA certificates were removed by the update?

regards,
Nikos

From andreas at stapelspeicher.org Fri Aug 14 16:27:30 2015
From: andreas at stapelspeicher.org (Andreas Müller)
Date: Fri, 14 Aug 2015 16:27:30 +0200
Subject: [gnutls-help] certificate issuer validation issue
In-Reply-To:
References: <20150813192427.GA1800@darkstar>
Message-ID: <20150814142730.GA4476@darkstar>

Nikos Mavrogiannopoulos wrote:
> On Thu, Aug 13, 2015 at 9:24 PM, Andreas Müller
> wrote:
> > Hi, recently I noticed that one of my e-mail accounts would not be
> > fetched and figured the problems would be gnutls. It cannot verify the
> > issuer.
> > Using openssl allows my client (mpop) to fetch the mails via TLS.
> > I am pretty sure it started when I updated the ca-certificates package
> > for my distribution. (Slackware64-current using ca-certificates_20150426.tar.xz, I guess they are from Debian)
>
> The best would be to report that to debian instead. In any case, what
> is the certificate chain that cannot be validated?
Do you know which > CA certificates were removed by the update? > > regards, > Nikos Debian basically get's the bundle from mozilla and it seems that one of the certificates in the chain has been removed indeed. CN = Thawte Premium Server CA SHA1 Fingerprint: 62:7F:8D:78:27:65:63:99:D2:7D:7F:90:44:C9:FE:B3:F3:3E:FA:9A (https://blog.mozilla.org/security/2015/01/28/phase-2-phasing-out-certificates-with-1024-bit-rsa-keys/) Still I wonder because openssl validates while gnutls does not. (I checked the ca-certificates.crt to make sure the certificate mentioned above is not in there, and make openssl use it explicitly.) Which one is wrong? Or am I? I am appending outputs on my machine for: $ gnutls-cli -V -V pop3.arcor.de -p 995 and $ openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -showcerts -connect pop3.arcor.de:995 Thanks, Andreas M?ller -------------- next part -------------- Processed 352 CA certificate(s). Resolving 'pop3.arcor.de'... Connecting to '151.189.21.113:995'... - Certificate type: X.509 - Got a certificate list of 4 certificates. 
- Certificate[0] info:
 - X.509 Certificate Information:
    Version: 3
    Serial Number (hex): 267d33756973616ac508cc01f5fb63a6
    Issuer: C=US,O=Thawte\, Inc.,CN=Thawte SSL CA
    Validity:
        Not Before: Mon Sep 26 00:00:00 UTC 2011
        Not After: Fri Sep 25 23:59:59 UTC 2015
    Subject: C=DE,ST=NRW,L=Duesseldorf,O=Vodafone D2 GmbH,CN=pop3.arcor.de
    Subject Public Key Algorithm: RSA
    Algorithm Security Level: Legacy (2048 bits)
    Extensions:
        Basic Constraints (critical):
            Certificate Authority (CA): FALSE
        CRL Distribution points (not critical):
            URI: http://svr-ov-crl.thawte.com/ThawteOV.crl
        Key Purpose (not critical):
            TLS WWW Server.
            TLS WWW Client.
        Authority Information Access (not critical):
            Access Method: 1.3.6.1.5.5.7.48.1 (id-ad-ocsp)
            Access Location URI: http://ocsp.thawte.com
    Signature Algorithm: RSA-SHA1
Other Information:
    SHA-1 fingerprint: fdb9acc645c092fdaa94ab2b3d512b5a928e8258
    Public Key ID: 5f6f79a455e8ed9816b8a7bac781af16b7d4101d

- Certificate[1] info:
 - X.509 Certificate Information:
    Version: 3
    Serial Number (hex): 4d5f2c3408b24c20cd6d507e244dc9ec
    Issuer: C=US,O=thawte\, Inc.,OU=Certification Services Division,OU=(c) 2006 thawte\, Inc. - For authorized use only,CN=thawte Primary Root CA
    Validity:
        Not Before: Mon Feb 08 00:00:00 UTC 2010
        Not After: Fri Feb 07 23:59:59 UTC 2020
    Subject: C=US,O=Thawte\, Inc.,CN=Thawte SSL CA
    Subject Public Key Algorithm: RSA
    Algorithm Security Level: Legacy (2048 bits)
    Extensions:
        Authority Information Access (not critical):
            Access Method: 1.3.6.1.5.5.7.48.1 (id-ad-ocsp)
            Access Location URI: http://ocsp.thawte.com
        Basic Constraints (critical):
            Certificate Authority (CA): TRUE
            Path Length Constraint: 0
        CRL Distribution points (not critical):
            URI: http://crl.thawte.com/ThawtePCA.crl
        Key Usage (critical):
            Certificate signing.
            CRL signing.
        Subject Alternative Name (not critical):
            directoryName: CN=VeriSignMPKI-2-9
        Subject Key Identifier (not critical):
            a7a283bb3445403dfcd5304f12b93ea1019ff6db
        Authority Key Identifier (not critical):
            7b5b45cfafcecb7afd31921a6ab6f346eb574850
    Signature Algorithm: RSA-SHA1
Other Information:
    SHA-1 fingerprint: 73e42686657aece354fbf685712361658f2f4357
    Public Key ID: 2dbe1cca1d9bf373d4d873facab94fc61abb1a4d

- Certificate[2] info:
 - X.509 Certificate Information:
    Version: 3
    Serial Number (hex): 3365500879ad73e230b9e01d0d7fac91
    Issuer: C=ZA,ST=Western Cape,L=Cape Town,O=Thawte Consulting cc,OU=Certification Services Division,CN=Thawte Premium Server CA,EMAIL=premium-server at thawte.com
    Validity:
        Not Before: Fri Nov 17 00:00:00 UTC 2006
        Not After: Wed Dec 30 23:59:59 UTC 2020
    Subject: C=US,O=thawte\, Inc.,OU=Certification Services Division,OU=(c) 2006 thawte\, Inc. - For authorized use only,CN=thawte Primary Root CA
    Subject Public Key Algorithm: RSA
    Algorithm Security Level: Legacy (2048 bits)
    Extensions:
        Basic Constraints (critical):
            Certificate Authority (CA): TRUE
        Certificate Policies (not critical):
            2.5.29.32.0
                URI: https://www.thawte.com/cps
        Key Usage (critical):
            Certificate signing.
            CRL signing.
        Subject Key Identifier (not critical):
            7b5b45cfafcecb7afd31921a6ab6f346eb574850
        CRL Distribution points (not critical):
            URI: http://crl.thawte.com/ThawtePremiumServerCA.crl
    Signature Algorithm: RSA-SHA1
Other Information:
    SHA-1 fingerprint: 1fa490d1d4957942cd23545f6e823d0000796ea2
    Public Key ID: 6ccabd7db47e94a5759901b6a7dfd45d1c091ccc

- Certificate[3] info:
 - X.509 Certificate Information:
    Version: 3
    Serial Number (hex): 01
    Issuer: C=ZA,ST=Western Cape,L=Cape Town,O=Thawte Consulting cc,OU=Certification Services Division,CN=Thawte Premium Server CA,EMAIL=premium-server at thawte.com
    Validity:
        Not Before: Thu Aug 01 00:00:00 UTC 1996
        Not After: Thu Dec 31 23:59:59 UTC 2020
    Subject: C=ZA,ST=Western Cape,L=Cape Town,O=Thawte Consulting cc,OU=Certification Services Division,CN=Thawte Premium Server CA,EMAIL=premium-server at thawte.com
    Subject Public Key Algorithm: RSA
    Algorithm Security Level: Weak (1024 bits)
    Extensions:
        Basic Constraints (critical):
            Certificate Authority (CA): TRUE
    Signature Algorithm: RSA-MD5
warning: signed using a broken signature algorithm that can be forged.
Other Information:
    SHA-1 fingerprint: 627f8d7827656399d27d7f9044c9feb3f33efa9a
    Public Key ID: 5ff3246c8f9124af9b5f3eb0346af42d5ca85dcc

*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.
- Status: The certificate is NOT trusted.
The certificate issuer is unknown.
*** PKI verification of server certificate failed...

-------------- next part --------------
depth=2 C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA
verify return:1
depth=1 C = US, O = "Thawte, Inc.", CN = Thawte SSL CA
verify return:1
depth=0 C = DE, ST = NRW, L = Duesseldorf, O = Vodafone D2 GmbH, CN = pop3.arcor.de
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=DE/ST=NRW/L=Duesseldorf/O=Vodafone D2 GmbH/CN=pop3.arcor.de
   i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
 1 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
 2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server at thawte.com
 3 s:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server at thawte.com
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server at thawte.com
---
Server certificate
subject=/C=DE/ST=NRW/L=Duesseldorf/O=Vodafone D2 GmbH/CN=pop3.arcor.de
issuer=/C=US/O=Thawte, Inc./CN=Thawte SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 4344 bytes and written 621 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 551933FB4E62D93B77DBEC72152F3280E3CBE4BE04B0EC8237210D69DD6571E7
    Session-ID-ctx:
    Master-Key: 8D3E82916B29A8E3EE79A137150912A8C6C8508C6E65E9781DD47CB165C3542872E0BC5B614EF58355CF8F393A4CC6FB
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket:
    Start Time: 1439561337
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
DONE

From max.bruce12 at gmail.com Sat Aug 15 00:11:56 2015
From: max.bruce12 at gmail.com (Max Bruce)
Date: Fri, 14 Aug 2015 15:11:56 -0700
Subject: [gnutls-help] gnutls_handshake endlessly returning GNUTLS_E_AGAIN.

I'm running GNUTLS 3.3.17, and it's working flawlessly, except for when I
attempt STARTTLS. Right now, I'm just calling gnutls_handshake and then
wrapping read/write with the GNUTLS gnutls_record_recv/gnutls_record_send.
If I establish a connection it works fine. With STARTTLS, it just endlessly
returns EAGAIN. I am running this in non-blocking mode both at socket level
& at GNUTLS level. It also takes a lot of CPU, but I can safely assume
that's because I'm just mindlessly looping, and not running a select/poll,
but first I'd like to make it work before I worry about that.

Applicable Code below:

    int ret = 0;
    do {
        ret = gnutls_handshake(sessiond);
        printf("%i\n", ret);
    } while (ret < 0 && gnutls_error_is_fatal(ret) == 0);

--
Thanks,
Max Bruce
www.avuna.org
From nmav at gnutls.org Sun Aug 16 09:11:43 2015
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Sun, 16 Aug 2015 09:11:43 +0200
Subject: [gnutls-help] gnutls_handshake endlessly returning GNUTLS_E_AGAIN.

On Sat, Aug 15, 2015 at 12:11 AM, Max Bruce wrote:
> I'm running GNUTLS 3.3.17, and it's working flawlessly, except for when I
> attempt STARTTLS. Right now, I'm just calling gnutls_handshake and then
> wrapping read/write with the GNUTLS gnutls_record_recv/gnutls_record_send.
> If I establish a connection it works fine. With STARTTLS, it just endlessly
> returns EAGAIN. I am running this in non-blocking mode both at socket level
> & at GNUTLS level. It also takes a lot of CPU, but I can safely assume
> that's because I'm just mindlessly looping, and not running a select/poll,
> but first I'd like to make it work before I worry about that.

If you don't use select() to see if you have any data in queue, how do you
know that GNUTLS_E_AGAIN shouldn't have been returned?

From n.mavrogiannopoulos at gmail.com Tue Aug 18 19:45:24 2015
From: n.mavrogiannopoulos at gmail.com (Nikos Mavrogiannopoulos)
Date: Tue, 18 Aug 2015 19:45:24 +0200
Subject: [gnutls-help] certificate issuer validation issue
In-Reply-To: <20150814142730.GA4476@darkstar>
References: <20150813192427.GA1800@darkstar> <20150814142730.GA4476@darkstar>
Message-ID: <1439919924.3580.9.camel@gmail.com>

On Fri, 2015-08-14 at 16:27 +0200, Andreas Müller wrote:
> > The best would be to report that to debian instead. In any case,
> > what is the certificate chain that cannot be validated? Do you know
> > which CA certificates were removed by the update?
> >
> > regards,
> > Nikos
> Debian basically gets the bundle from mozilla and it seems that one
> of the certificates in the chain has been removed indeed.
> CN = Thawte Premium Server CA
> SHA1 Fingerprint:
> 62:7F:8D:78:27:65:63:99:D2:7D:7F:90:44:C9:FE:B3:F3:3E:FA:9A
> (https://blog.mozilla.org/security/2015/01/28/phase-2-phasing-out
> -certificates-with-1024-bit-rsa-keys/)

Mozilla has removed the 1024-bit CAs, however, gnutls (3.3.x+) is
capable of detecting an alternative path.

In my debian (testing) system, certtool --verify and this chain gives:

Subject: C=US,O=thawte\, Inc.,OU=Certification Services Division,OU=(c) 2006 thawte\, Inc. - For authorized use only,CN=thawte Primary Root CA
Issuer: C=ZA,ST=Western Cape,L=Cape Town,O=Thawte Consulting cc,OU=Certification Services Division,CN=Thawte Premium Server CA, EMAIL=premium-server at thawte.com
Output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown.

Subject: C=US,O=thawte\, Inc.,OU=Certification Services Division,OU=(c) 2006 thawte\, Inc. - For authorized use only,CN=thawte Primary Root CA
Issuer: C=ZA,ST=Western Cape,L=Cape Town,O=Thawte Consulting cc,OU=Certification Services Division,CN=Thawte Premium Server CA, EMAIL=premium-server at thawte.com
Checked against: C=US,O=thawte\, Inc.,OU=Certification Services Division,OU=(c) 2006 thawte\, Inc. - For authorized use only,CN=thawte Primary Root CA
Output: Verified. The certificate is trusted.

Subject: C=US,O=Thawte\, Inc.,CN=Thawte SSL CA
Issuer: C=US,O=thawte\, Inc.,OU=Certification Services Division,OU=(c) 2006 thawte\, Inc. - For authorized use only,CN=thawte Primary Root CA
Checked against: C=US,O=thawte\, Inc.,OU=Certification Services Division,OU=(c) 2006 thawte\, Inc. - For authorized use only,CN=thawte Primary Root CA
Output: Verified. The certificate is trusted.

Subject: C=DE,ST=NRW,L=Duesseldorf,O=Vodafone D2 GmbH,CN=pop3.arcor.de
Issuer: C=US,O=Thawte\, Inc.,CN=Thawte SSL CA
Checked against: C=US,O=Thawte\, Inc.,CN=Thawte SSL CA
Output: Verified. The certificate is trusted.

Chain verification output: Verified. The certificate is trusted.
To verify the chain gnutls tries first to find the 1024-bit CA called
"C=ZA,ST=Western Cape,L=Cape Town,O=Thawte Consulting cc,OU=Certification Services Division,CN=Thawte Premium Server CA, EMAIL=premium-server at thawte.com"

Since that is not available it tries to find the issuer of the next
certificate in the chain which is:
"C=US,O=thawte\, Inc.,OU=Certification Services Division,OU=(c) 2006 thawte\, Inc. - For authorized use only,CN=thawte Primary Root CA"

And indeed there is a new CA which signs that certificate (see the
"Checked against" entry).

What do you see in your system for the same command?

regards,
Nikos

From andreas at stapelspeicher.org Wed Aug 19 00:15:23 2015
From: andreas at stapelspeicher.org (Andreas Müller)
Date: Wed, 19 Aug 2015 00:15:23 +0200
Subject: [gnutls-help] certificate issuer validation issue
In-Reply-To: <1439919924.3580.9.camel@gmail.com>
References: <20150813192427.GA1800@darkstar> <20150814142730.GA4476@darkstar> <1439919924.3580.9.camel@gmail.com>
Message-ID: <20150818221523.GA25527@darkstar>

Nikos Mavrogiannopoulos wrote:
> On Fri, 2015-08-14 at 16:27 +0200, Andreas Müller wrote:
> > > The best would be to report that to debian instead. In any case,
> > > what is the certificate chain that cannot be validated? Do you know
> > > which CA certificates were removed by the update?
> > >
> > > regards,
> > > Nikos
> > Debian basically gets the bundle from mozilla and it seems that one
> > of the certificates in the chain has been removed indeed.
> > CN = Thawte Premium Server CA
> > SHA1 Fingerprint:
> > 62:7F:8D:78:27:65:63:99:D2:7D:7F:90:44:C9:FE:B3:F3:3E:FA:9A
> > (https://blog.mozilla.org/security/2015/01/28/phase-2-phasing-out
> > -certificates-with-1024-bit-rsa-keys/)
>
> Mozilla has removed the 1024-bit CAs, however, gnutls (3.3.x+) is
> capable of detecting an alternative path.
>...
> In my debian (testing) system, certtool --verify and this chain gives:
>...
> What do you see in your system for the same command?

Hmm, the same output (with 3.3.17) as yours.

I am sorry, I probably made some mistake while testing 3.3.* and 3.4.* and
continued checking with 3.2.21 (because of presumed abi/api-changes), which
didn't have that alternative path searching feature. I don't encounter any
problems with 3.3.17 anymore. That mistake might have been the wrong URL for
the certificate but I don't have logs on that.

Sorry for wasting your time and thanks for clarification. At least I might've
learned a thing or two on gnutls and bug-hunting documentation.

Andreas Müller
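The alternative-path search Nikos describes (try the issuer of the top certificate first, then the issuer of the next one down, and check against the trust store's copy wherever a match is found), as an added example that is not GnuTLS code. It is a simplified model: certificates are plain records, a "signature" is an HMAC under the issuer's simulated key, and the names are the CNs of the chain in this thread; the keys, the two key identifiers not printed in the dumps above, and the trust stores are constructed for the example.

```python
"""Model of GnuTLS's alternative trust-path search (added example, not
GnuTLS code).  A cross-signed CA certificate sent by the server and the
self-signed copy in the CA bundle share subject and key, so the bundle's
copy verifies the same child, which is what makes the shorter path work
once the old 1024-bit root is gone.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key_id: str       # stands in for the Subject Key Identifier
    key: bytes        # simulated key material (signs and verifies in this model)
    signature: bytes  # HMAC over the to-be-signed fields under the issuer's key


def tbs(subject: str, issuer: str, key_id: str) -> bytes:
    """The fields the signature covers (the 'to be signed' part)."""
    return f"{subject}|{issuer}|{key_id}".encode()


def issue(subject: str, key_id: str, key: bytes, issuer: Optional[Cert] = None) -> Cert:
    """Issue a certificate; self-signed when no issuer is given."""
    name, signing_key = (subject, key) if issuer is None else (issuer.subject, issuer.key)
    sig = hmac.new(signing_key, tbs(subject, name, key_id), hashlib.sha256).digest()
    return Cert(subject, name, key_id, key, sig)


def signed_by(cert: Cert, issuer: Cert) -> bool:
    """True only if the issuer's name AND key match cert's signature."""
    expected = hmac.new(issuer.key, tbs(cert.subject, cert.issuer, cert.key_id),
                        hashlib.sha256).digest()
    return cert.issuer == issuer.subject and hmac.compare_digest(expected, cert.signature)


def verify_chain(chain: List[Cert], trust_store: List[Cert]) -> Tuple[bool, List[Optional[str]]]:
    """chain[0] is the server certificate, chain[i+1] its claimed issuer.

    Returns (verified, checked_against): one entry per certificate on the
    path that was actually used, top-down, naming what it was checked
    against (like certtool's "Checked against" lines) or None on failure.
    """
    anchors: Dict[str, Cert] = {c.subject: c for c in trust_store}
    # Search from the top of the chain downwards for the first certificate
    # whose issuer is a trust anchor; the trusted path starts there.
    start = None
    for idx in range(len(chain) - 1, -1, -1):
        if chain[idx].issuer in anchors:
            start = idx
            break
    if start is None:
        return False, []  # no issuer of any chain element is known
    checked: List[Optional[str]] = []
    for idx in range(start, -1, -1):
        cert = chain[idx]
        # At the start of the path check against the trust store's copy,
        # below it against the next certificate the server sent.
        issuer = anchors[cert.issuer] if idx == start else chain[idx + 1]
        if not signed_by(cert, issuer):
            checked.append(None)
            return False, checked
        checked.append(issuer.subject)
    return True, checked


# Constructed keys.  Key identifiers for the two thawte CAs are the Subject
# Key Identifiers shown in the gnutls-cli dump; the other two are made up.
PREMIUM = issue("Thawte Premium Server CA", "premium-ski-constructed",
                b"premium-server-ca-1024-bit-key")
PRIMARY_CROSS = issue("thawte Primary Root CA", "7b5b45cfafcecb7afd31921a6ab6f346eb574850",
                      b"thawte-primary-root-key", PREMIUM)   # cross-signed, as the server sends it
PRIMARY_SELF = issue("thawte Primary Root CA", "7b5b45cfafcecb7afd31921a6ab6f346eb574850",
                     b"thawte-primary-root-key")             # self-signed, as the CA bundle ships it
SSL_CA = issue("Thawte SSL CA", "a7a283bb3445403dfcd5304f12b93ea1019ff6db",
               b"thawte-ssl-ca-key", PRIMARY_CROSS)
LEAF = issue("pop3.arcor.de", "leaf-ski-constructed", b"pop3-arcor-de-key", SSL_CA)

CHAIN = [LEAF, SSL_CA, PRIMARY_CROSS, PREMIUM]  # the four certificates the server sends
OLD_STORE = [PREMIUM]       # bundle that still carries the 1024-bit root
NEW_STORE = [PRIMARY_SELF]  # bundle after Mozilla's removal of the 1024-bit root
# Same name as the real root but a different key: must not be accepted.
BAD_STORE = [issue("thawte Primary Root CA", "rogue-ski-constructed", b"not-the-real-key")]

if __name__ == "__main__":
    for label, store in (("old bundle", OLD_STORE), ("new bundle", NEW_STORE),
                         ("empty bundle", []), ("wrong key", BAD_STORE)):
        ok, path = verify_chain(CHAIN, store)
        print(f"{label}: {'Verified' if ok else 'NOT trusted'}; checked against {path}")
```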