From shadiakiki1986 at gmail.com Mon Jun 1 13:26:17 2015
From: shadiakiki1986 at gmail.com (shadi akiki)
Date: Mon, 1 Jun 2015 14:26:17 +0300
Subject: [gnutls-help] compiling gnutls 3.1.28 not being used by php in travis-ci workers
In-Reply-To:
References:
Message-ID:

So I've dug a bit further and learned that I should compile curl for this, and not php.
My problem now is that this works on an experimental ec2 instance, but doesn't work on the travis-ci workers.

Running
*ldd /usr/lib/php5/20090626/curl.so|grep gnutls*
on the ec2 instance yields

/usr/lib/php5/20090626/curl.so: /usr/local/lib/libcurl.so.4: no version information available (required by /usr/lib/php5/20090626/curl.so)
libgnutls.so.28 => /usr/local/lib/libgnutls.so.28 (0x00007f58946e5000)

showing that it's referencing GnuTls 3.1.28 that I compiled

but on the travis-ci workers yields

/usr/lib/php5/20090626/curl.so: /usr/local/lib/libcurl.so.4: no version information available (required by /usr/lib/php5/20090626/curl.so)
libgnutls.so.26 => /usr/lib/x86_64-linux-gnu/libgnutls.so.26 (0x00002aca991d0000)

showing that it's still referencing GnuTls 2.12 (full log here )

A var_dump(curl_version()) confirms this.
My specific commands are found here

Has anyone faced this problem before?

On Sun, May 31, 2015 at 1:39 AM, shadi akiki wrote:
> Hi
>
> I'm compiling gnutls 3.1.28 from source on travis-ci to use it from php.
>
> Running "*pkg-config --modversion gnutls*" before the compilation shows
> 2.12.14 whereas afterwards shows 3.1.28.
> However, running "*var_dump(curl_version())*" as well as "*phpinfo*()"
> before and after the compilation show 'ssl_version'="*GnuTLS/2.12.14*"
> only.
>
> From digging around, I understood that php is using
> /usr/lib/x86_64-linux-gnu/libgnutls.so.26 . My compiled gnutls is ending up
> in /usr/local/lib/libgnutls.so.28
> I thought that perhaps replacing libgnutls.so.26 with a symlink to libgnutls.so.28
> could be a dirty fix, but it doesn't work.
> Php complains:
> *symbol gnutls_certificate_get_x509_cas, version GNUTLS_1_4 not defined in
> file libgnutls.so.26 with link time reference*
>
> What do I still need to do to get php to use my compiled gnutls?
> Should I recompile php from source as well?
>
> Here are some files with details
>
> - Log file
>
> - .travis.yml file
>
> - Compilation bash script
>
> --
> Best, Shadi AKIKI
> www.akikieng.com/shadi
>

--
Best, Shadi AKIKI
www.akikieng.com/shadi

From marcossp at kth.se Mon Jun 1 14:38:16 2015
From: marcossp at kth.se (Marcos Simó Picó)
Date: Mon, 1 Jun 2015 12:38:16 +0000
Subject: [gnutls-help] Certtool and TPM
Message-ID: <1433162297320.1926@kth.se>

Hi everyone,
I'm trying to generate a certificate of a key stored in a TPM using certtool. Basically I was following the commands explained in http://nmav.gnutls.org/2012/08/using-trusted-platform-module-to.html
I can generate the RSA key pair and get the public part perfectly, however, when I invoke certtool for generating a certificate, it returns: Error in provided SRK password for TPM. As far as I know, there's no option to provide the SRK to certtool.
I'm using GnuTLS 3.3.15, and tried to clear the TPM several times and repeat everything with no success.

Thanks in advance for any help you are able to provide.

Best,
Marcos.

From nmav at gnutls.org Mon Jun 1 21:40:46 2015
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Mon, 01 Jun 2015 21:40:46 +0200
Subject: [gnutls-help] Certtool and TPM
In-Reply-To: <1433162297320.1926@kth.se>
References: <1433162297320.1926@kth.se>
Message-ID: <1433187646.1760.12.camel@gnutls.org>

On Mon, 2015-06-01 at 12:38 +0000, Marcos Simó Picó wrote:
> Hi everyone,
> I'm trying to generate a certificate of a key stored in a TPM using
> certtool.
> Basically I was following the commands explained
> in http://nmav.gnutls.org/2012/08/using-trusted-platform-module-to.html
> I can generate the RSA key pair and get the public part perfectly,
> however, when I invoke certtool for generating a certificate, it
> returns: Error in provided SRK password for TPM. As far as I know,
> there's no option to provide the SRK to certtool.
> I'm using GnuTLS 3.3.15, and tried to clear the TPM several times and
> repeat everything with no success.

Hi,
What is the output when you use -d 9? It should have asked for a password using the PKCS #11 callback. It is either a regression or you have PKCS #11 disabled?

regards,
Nikos

From nmav at gnutls.org Mon Jun 1 22:00:51 2015
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Mon, 01 Jun 2015 22:00:51 +0200
Subject: [gnutls-help] compiling gnutls 3.1.28 not being used by php in travis-ci workers
In-Reply-To:
References:
Message-ID: <1433188851.1760.17.camel@gnutls.org>

On Sun, 2015-05-31 at 01:39 +0300, shadi akiki wrote:
> Hi
> I'm compiling gnutls 3.1.28 from source on travis-ci to use it from
> php.
> Running "pkg-config --modversion gnutls" before the compilation shows
> 2.12.14 whereas afterwards shows 3.1.28.
> However, running "var_dump(curl_version())" as well as "phpinfo()"
> before and after the compilation show 'ssl_version'="GnuTLS/2.12.14"
> only.
> From digging around, I understood that php is
> using /usr/lib/x86_64-linux-gnu/libgnutls.so.26 . My compiled gnutls
> is ending up in /usr/local/lib/libgnutls.so.28

When soversion changes the libraries are not compatible. You'll have to recompile all programs using them.
regards,
Nikos

From marcossp at kth.se Tue Jun 2 11:38:40 2015
From: marcossp at kth.se (Marcos Simo Pico)
Date: Tue, 02 Jun 2015 11:38:40 +0200
Subject: [gnutls-help] Certtool and TPM
In-Reply-To: <1433187646.1760.12.camel@gnutls.org>
References: <1433162297320.1926@kth.se> <1433187646.1760.12.camel@gnutls.org>
Message-ID: <556D79A0.1030505@kth.se>

The output I had was:

Setting log level to 9
Generating a signed certificate...
|<3>| ASSERT: tpm.c:482
|<2>| TPM (tpm) error: Authentication failed (1)
|<3>| ASSERT: tpm.c:219
|<3>| ASSERT: tpm.c:222
|<3>| ASSERT: tpm.c:345
|<3>| ASSERT: tpm.c:900
importing key: tpmkey:uuid=37cfd26a-e03b-4215-8ed7-3a699f21fd21;storage=user: Error in provided SRK password for TPM.

I just reinstalled GnuTLS with PKCS #11 support and now it's working fine.
Thank you very much for your help.

Best,
Marcos

On 01/06/15 21:40, Nikos Mavrogiannopoulos wrote:
> On Mon, 2015-06-01 at 12:38 +0000, Marcos Simó Picó wrote:
>> Hi everyone,
>> I'm trying to generate a certificate of a key stored in a TPM using
>> certtool. Basically I was following the commands explained
>> in http://nmav.gnutls.org/2012/08/using-trusted-platform-module-to.html
>> I can generate the RSA key pair and get the public part perfectly,
>> however, when I invoke certtool for generating a certificate, it
>> returns: Error in provided SRK password for TPM. As far as I know,
>> there's no option to provide the SRK to certtool.
>> I'm using GnuTLS 3.3.15, and tried to clear the TPM several times and
>> repeat everything with no success.
> Hi,
> What is the output when you use -d 9? It should have asked for a
> password using the PKCS #11 callback. It is either a regression or you
> have PKCS #11 disabled?
>
> regards,
> Nikos
>
From anilkumar21t at gmail.com Fri Jun 5 07:33:00 2015
From: anilkumar21t at gmail.com (Anil Kumar)
Date: Fri, 5 Jun 2015 11:03:00 +0530
Subject: [gnutls-help] Query-regarding-client-certificate
Message-ID:

Hi,

I am using same key file and certificate file for both server and client.
Is this fine? or I have to generate separate files for client and server?
I am generating the file using certtool binary.

My handshake process is success, but in wireshark capture I can only see the server certificate.
I have set the required API's at both the ends to verify the certificate, but still I am not seeing the client certificate being exchanged.

May I know what is the issue here.

Thanks
Anil

From dkg at fifthhorseman.net Tue Jun 9 06:24:32 2015
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Tue, 09 Jun 2015 00:24:32 -0400
Subject: [gnutls-help] Query-regarding-client-certificate
In-Reply-To:
References:
Message-ID: <87oakpqzjz.fsf@alice.fifthhorseman.net>

Hi Anil--

On Fri 2015-06-05 01:33:00 -0400, Anil Kumar wrote:
> I am using same key file and certificate file for both server and client.

why? what are you expecting to gain from this configuration? If client and server can share secret key material, you might decide to use a different handshake mode entirely, like PSK.

> Is this fine ? or I have to generate separate files for client and server ?

It's generally good practice to ensure that secret key material is limited to the machines that truly need it.

> I am generating the file using certtool binary.
>
> My handshake process is success, but in wireshark capture I can only see
> the server certificate.

In TLS, the client will never send a certificate unless the server asks for one.

> I have set the required API's at both the ends to verify the certificate,
> but still I am not seeing the client certificate being exchanged.

what APIs have you invoked?
when does your program invoke them? being specific will help.

In particular, have you invoked gnutls_certificate_server_set_request() on the server side before the handshake is underway?

http://gnutls.org/manual/gnutls.html#gnutls_005fcertificate_005fserver_005fset_005frequest

--dkg

From shadiakiki1986 at gmail.com Wed Jun 10 08:15:31 2015
From: shadiakiki1986 at gmail.com (shadi akiki)
Date: Wed, 10 Jun 2015 09:15:31 +0300
Subject: [gnutls-help] compiling gnutls 3.1.28 not being used by php in travis-ci workers
In-Reply-To:
References:
Message-ID:

On Mon, Jun 1, 2015 at 2:26 PM, shadi akiki wrote:
> So I've dug a bit further and learned that I should compile curl for this,
> and not php.
> My problem now is that this works on an experimental ec2 instance, but
> doesn't work on the travis-ci workers.
>
> Running
> *ldd /usr/lib/php5/20090626/curl.so|grep gnutls*
> on the ec2 instance yields
>
> /usr/lib/php5/20090626/curl.so: /usr/local/lib/libcurl.so.4: no version
> information available (required by /usr/lib/php5/20090626/curl.so)
> libgnutls.so.28 => /usr/local/lib/libgnutls.so.28
> (0x00007f58946e5000)
>
> showing that it's referencing GnuTls 3.1.28 that I compiled
>
> but on the travis-ci workers yields
>
> /usr/lib/php5/20090626/curl.so: /usr/local/lib/libcurl.so.4: no version information available (required by /usr/lib/php5/20090626/curl.so)
> libgnutls.so.26 => /usr/lib/x86_64-linux-gnu/libgnutls.so.26 (0x00002aca991d0000)
>
> showing that it's still referencing GnuTls 2.12 (full log here
> )
>
> A var_dump(curl_version()) confirms this.
> My specific commands are found here
>
> Has anyone faced this problem before?
>
> On Sun, May 31, 2015 at 1:39 AM, shadi akiki
> wrote:
>
>> Hi
>>
>> I'm compiling gnutls 3.1.28 from source on travis-ci to use it from php.
>>
>> Running "*pkg-config --modversion gnutls*" before the compilation shows
>> 2.12.14 whereas afterwards shows 3.1.28.
>> However, running "*var_dump(curl_version())*" as well as "*phpinfo*()"
>> before and after the compilation show 'ssl_version'="*GnuTLS/2.12.14*"
>> only.
>>
>> From digging around, I understood that php is using
>> /usr/lib/x86_64-linux-gnu/libgnutls.so.26 . My compiled gnutls is ending up
>> in /usr/local/lib/libgnutls.so.28
>> I thought that perhaps replacing libgnutls.so.26 with a symlink to libgnutls.so.28
>> could be a dirty fix, but it doesn't work. Php complains:
>> *symbol gnutls_certificate_get_x509_cas, version GNUTLS_1_4 not defined
>> in file libgnutls.so.26 with link time reference*
>>
>> What do I still need to do to get php to use my compiled gnutls?
>> Should I recompile php from source as well?
>>
>> Here are some files with details
>>
>> - Log file
>>
>> - .travis.yml file
>>
>> - Compilation bash script
>>
>> --
>> Best, Shadi AKIKI
>> www.akikieng.com/shadi
>>
>
> --
> Best, Shadi AKIKI
> www.akikieng.com/shadi
>

It turned out that installing a separate php CLI on the travis-ci worker other than the ones that it already had (in phpenv) solved it for me.
The php binary /usr/bin/php5 was linking properly to the curl and gnutls libraries that I install in /usr/local/lib, but the binaries that phpenv automatically used didn't.

--
Best, Shadi AKIKI
www.akikieng.com/shadi

From jw at ib-weinhardt.de Wed Jun 10 22:24:09 2015
From: jw at ib-weinhardt.de (Jörg Weinhardt)
Date: Wed, 10 Jun 2015 22:24:09 +0200
Subject: [gnutls-help] Sporadical error message "Fatal error: Public key signature verification has failed"
Message-ID: <55789CE9.1010205@ib-weinhardt.de>

Hi,

I am testing a HTTPS server and sometimes the SSL handshake fails and I get an error at the Browser.
Now I try to test the HTTPS connection handshake only with GnuTLS and therefore I'm using the following command line in a loop:
gnutls-cli -d 5 --verbose --insecure 192.168.92.217 < nul

Version is gnutls-3.4.0-w32

Sometimes (about 1 of 50) I get the message
*** Fatal error: Public key signature verification has failed

It is not clear for me what GnuTLS is complaining about. The HTTPS Server should deliver always the same data.

The debug output around the problem looks like this:

|<3>| ASSERT: dn.c:315
|<3>| ASSERT: dn.c:425
|<3>| ASSERT: x509.c:551
- Status: The certificate is NOT trusted. The certificate issuer is unknown. The name in the certificate does not match the expec
*** PKI verification of server certificate failed...
|<3>| ASSERT: gnutls_buffers.c:1111
|<4>| HSK[0060bfd8]: SERVER KEY EXCHANGE (12) was received. Length 329[333], frag offset 0, frag length: 329, sequence: 0
|<3>| ASSERT: gnutls_buffers.c:1346
|<4>| HSK[0060bfd8]: Selected ECC curve SECP256R1 (2)
|<4>| HSK[0060bfd8]: verify handshake data: using RSA-SHA256
|<3>| ASSERT: signature.c:329
|<3>| ASSERT: pk.c:710
|<3>| ASSERT: gnutls_pubkey.c:1946
|<3>| ASSERT: gnutls_sig.c:258
|<3>| ASSERT: gnutls_sig.c:353
|<3>| ASSERT: cert.c:2214
|<3>| ASSERT: gnutls_kx.c:474
|<3>| ASSERT: gnutls_handshake.c:2782
*** Fatal error: Public key signature verification has failed.
|<5>| REC: Sending Alert[2|80] - Internal error

If the handshake is ok it looks like this:

|<3>| ASSERT: dn.c:315
|<3>| ASSERT: dn.c:425
|<3>| ASSERT: x509.c:551
- Status: The certificate is NOT trusted. The certificate issuer is unknown. The name in the certificate does not match the expec
*** PKI verification of server certificate failed...
|<3>| ASSERT: gnutls_buffers.c:1111
|<4>| HSK[004dbfd8]: SERVER KEY EXCHANGE (12) was received.
Length 329[333], frag offset 0, frag length: 329, sequence: 0
|<3>| ASSERT: gnutls_buffers.c:1346
|<4>| HSK[004dbfd8]: Selected ECC curve SECP256R1 (2)
|<4>| HSK[004dbfd8]: verify handshake data: using RSA-SHA256
|<3>| ASSERT: signature.c:329
|<3>| ASSERT: gnutls_buffers.c:1111
|<4>| HSK[004dbfd8]: SERVER HELLO DONE (14) was received. Length 0[0], frag offset 0, frag length: 1, sequence: 0
|<3>| ASSERT: gnutls_buffers.c:1102
|<3>| ASSERT: gnutls_buffers.c:1346
|<3>| ASSERT: gnutls_buffers.c:1329
|<4>| HSK[004dbfd8]: CLIENT KEY EXCHANGE was queued [70 bytes]
|<4>| REC[004dbfd8]: Sent ChangeCipherSpec
|<5>| REC[004dbfd8]: Initializing epoch #1

I would be happy for every hint which gets me closer to the problem.

regards,
Joerg

From nmav at gnutls.org Thu Jun 11 10:32:51 2015
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Thu, 11 Jun 2015 10:32:51 +0200
Subject: [gnutls-help] Sporadical error message "Fatal error: Public key signature verification has failed"
In-Reply-To: <55789CE9.1010205@ib-weinhardt.de>
References: <55789CE9.1010205@ib-weinhardt.de>
Message-ID:

There is a test program in the gnutls tests/ directory called x509sign-verify.c. Can you modify it so that it reproduces the issue?

On Wed, Jun 10, 2015 at 10:24 PM, Jörg Weinhardt wrote:
> Hi,
>
> I am testing a HTTPS server and sometimes the SSL handshake fails and I
> get an error at the Browser.
> Now I try to test the HTTPS connection handshake only with GnuTLS and
> therefore I'm using the following command line in a loop:
> gnutls-cli -d 5 --verbose --insecure 192.168.92.217 < nul
>
> Version is gnutls-3.4.0-w32
>
> Sometimes (about 1 of 50) I get the message
> *** Fatal error: Public key signature verification has failed
>
> It is not clear for me what GnuTLS is complaining about. The HTTPS
> Server should deliver always the same data.
>
> The debug output around the problem looks like this:
>
> |<3>| ASSERT: dn.c:315
> |<3>| ASSERT: dn.c:425
> |<3>| ASSERT: x509.c:551
> - Status: The certificate is NOT trusted. The certificate issuer is
> unknown. The name in the certificate does not match the expec
> *** PKI verification of server certificate failed...
> |<3>| ASSERT: gnutls_buffers.c:1111
> |<4>| HSK[0060bfd8]: SERVER KEY EXCHANGE (12) was received. Length
> 329[333], frag offset 0, frag length: 329, sequence: 0
> |<3>| ASSERT: gnutls_buffers.c:1346
> |<4>| HSK[0060bfd8]: Selected ECC curve SECP256R1 (2)
> |<4>| HSK[0060bfd8]: verify handshake data: using RSA-SHA256
> |<3>| ASSERT: signature.c:329
> |<3>| ASSERT: pk.c:710
> |<3>| ASSERT: gnutls_pubkey.c:1946
> |<3>| ASSERT: gnutls_sig.c:258
> |<3>| ASSERT: gnutls_sig.c:353
> |<3>| ASSERT: cert.c:2214
> |<3>| ASSERT: gnutls_kx.c:474
> |<3>| ASSERT: gnutls_handshake.c:2782
> *** Fatal error: Public key signature verification has failed.
> |<5>| REC: Sending Alert[2|80] - Internal error
>
>
> If the handshake is ok it looks like this:
>
>
> |<3>| ASSERT: dn.c:315
> |<3>| ASSERT: dn.c:425
> |<3>| ASSERT: x509.c:551
> - Status: The certificate is NOT trusted. The certificate issuer is
> unknown. The name in the certificate does not match the expec
> *** PKI verification of server certificate failed...
> |<3>| ASSERT: gnutls_buffers.c:1111
> |<4>| HSK[004dbfd8]: SERVER KEY EXCHANGE (12) was received. Length
> 329[333], frag offset 0, frag length: 329, sequence: 0
> |<3>| ASSERT: gnutls_buffers.c:1346
> |<4>| HSK[004dbfd8]: Selected ECC curve SECP256R1 (2)
> |<4>| HSK[004dbfd8]: verify handshake data: using RSA-SHA256
> |<3>| ASSERT: signature.c:329
> |<3>| ASSERT: gnutls_buffers.c:1111
> |<4>| HSK[004dbfd8]: SERVER HELLO DONE (14) was received.
> Length 0[0], frag offset 0, frag length: 1, sequence: 0
> |<3>| ASSERT: gnutls_buffers.c:1102
> |<3>| ASSERT: gnutls_buffers.c:1346
> |<3>| ASSERT: gnutls_buffers.c:1329
> |<4>| HSK[004dbfd8]: CLIENT KEY EXCHANGE was queued [70 bytes]
> |<4>| REC[004dbfd8]: Sent ChangeCipherSpec
> |<5>| REC[004dbfd8]: Initializing epoch #1
>
> I would be happy for every hint which gets me closer to the problem.
>
> regards,
> Joerg
>
> _______________________________________________
> Gnutls-help mailing list
> Gnutls-help at lists.gnutls.org
> http://lists.gnupg.org/mailman/listinfo/gnutls-help

From i7tiol at t-online.de Fri Jun 12 11:24:59 2015
From: i7tiol at t-online.de (Olaf Till)
Date: Fri, 12 Jun 2015 11:24:59 +0200
Subject: [gnutls-help] secure deallocation?
Message-ID: <20150612092459.GA16582@till>

Dear all,

can someone tell me the reason why gnutls_global_set_mem_functions() isn't supported anymore? I might be wrong, but as I see it such a functionality is needed, at least in my application:

I've based a plugin for parallel command execution in a cluster on gnutls with SRP. Both client and server machines hold a cleartext password in memory allocated by gnutls. Since gnutls just uses free(), the password is not zeroed before deallocation. To my understanding, after the client or server program exits, other users on these machines have a chance to have the password in memory they allocate which was previously allocated and freed by gnutls.

So I'd like to replace free() (and realloc ()) with something that zeroes out first (using malloc_usable_size()), but since my program is only a plugin, it seems I can't make the gnutls links to free() to resolve to a replacement of free(), since the free() symbol is already provided to gnutls by the main program. I'd like to avoid to have to start the main program with LD_PRELOAD.

Kind regards,
Olaf

PS: Please CC me, I'm not subscribed.

--
public key id EAFE0591, e.g.
on x-hkp://pool.sks-keyservers.net

From nmav at gnutls.org Fri Jun 12 16:36:23 2015
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Fri, 12 Jun 2015 16:36:23 +0200
Subject: [gnutls-help] secure deallocation?
In-Reply-To: <20150612092459.GA16582@till>
References: <20150612092459.GA16582@till>
Message-ID:

On Fri, Jun 12, 2015 at 11:24 AM, Olaf Till wrote:
> Dear all,
> can someone tell me the reason why gnutls_global_set_mem_functions()
> isn't supported anymore? I might be wrong, but as I see it such a
> functionality is needed, at least in my application:
> I've based a plugin for parallel command execution in a cluster on
> gnutls with SRP. Both client and server machines hold a cleartext
> password in memory allocated by gnutls. Since gnutls just uses free(),
> the password is not zeroed before deallocation. To my understanding,
> after the client or server program exits, other users on these
> machines have a chance to have the password in memory they allocate
> which was previously allocated and freed by gnutls.

In modern operating systems such as Linux pages are zeroized before they are passed to other applications so this is not really a threat. The threat remains however when you have bugs like heartbleed and arbitrary memory areas are exposed. For that, since gnutls 3.3.x sensitive memory areas are overwritten by gnutls itself when needed (the focus with that change was mostly the FIPS140-2 related algorithms so an audit in the SRP code may be needed).

regards,
Nikos

From i7tiol at t-online.de Fri Jun 12 18:20:29 2015
From: i7tiol at t-online.de (Olaf Till)
Date: Fri, 12 Jun 2015 18:20:29 +0200
Subject: [gnutls-help] secure deallocation?
In-Reply-To:
References: <20150612092459.GA16582@till>
Message-ID: <20150612162029.GA5243@till>

On Fri, Jun 12, 2015 at 04:36:23PM +0200, Nikos Mavrogiannopoulos wrote:
> On Fri, Jun 12, 2015 at 11:24 AM, Olaf Till wrote:
> > Dear all,
> > can someone tell me the reason why gnutls_global_set_mem_functions()
> > isn't supported anymore? I might be wrong, but as I see it such a
> > functionality is needed, at least in my application:
> > I've based a plugin for parallel command execution in a cluster on
> > gnutls with SRP. Both client and server machines hold a cleartext
> > password in memory allocated by gnutls. Since gnutls just uses free(),
> > the password is not zeroed before deallocation. To my understanding,
> > after the client or server program exits, other users on these
> > machines have a chance to have the password in memory they allocate
> > which was previously allocated and freed by gnutls.
>
> In modern operating systems such as Linux pages are zeroized before they
> are passed to other applications so this is not really a threat. The
> threat remains however when you have bugs like heartbleed and arbitrary
> memory areas are exposed. For that, since gnutls 3.3.x sensitive memory
> areas are overwritten by gnutls itself when needed (the focus with that
> change was mostly the FIPS140-2 related algorithms so an audit in the
> SRP code may be needed).

Ok, thanks for the information. In particular I wasn't aware that Linux zeroizes passed pages.

Regards,
Olaf

--
public key id EAFE0591, e.g. on x-hkp://pool.sks-keyservers.net
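
The wipe-before-free replacement Olaf describes in this thread (zero the block using malloc_usable_size(), then release it), as an added example; it is not part of any message here and not GnuTLS code. The names wipe_block, secure_free and secure_realloc are hypothetical, malloc_usable_size() is assumed to be available as on glibc, and the wrappers cover an application's own buffers only.

```c
#include <malloc.h>   /* malloc_usable_size(): glibc extension (assumption) */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Overwrite n bytes through a volatile pointer so the compiler cannot
   discard the stores as dead writes just before free(). */
static void wipe(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--)
        *v++ = 0;
}

/* Zero the whole usable size of a heap block, which may be larger than
   the size originally requested, and return the number of bytes cleared. */
size_t wipe_block(void *p)
{
    size_t n;

    if (p == NULL)
        return 0;
    n = malloc_usable_size(p);
    wipe(p, n);
    return n;
}

/* free() replacement: clear first, then release. */
void secure_free(void *p)
{
    wipe_block(p);
    free(p);
}

/* realloc() replacement. Plain realloc() may move the data and leave the
   old copy behind unwiped, so always allocate, copy, wipe, free. */
void *secure_realloc(void *old, size_t new_size)
{
    void *fresh;
    size_t old_size, keep;

    if (new_size == 0) {
        secure_free(old);
        return NULL;
    }
    fresh = malloc(new_size);
    if (fresh == NULL)
        return NULL;              /* old block left intact, as with realloc */
    if (old != NULL) {
        old_size = malloc_usable_size(old);
        keep = old_size < new_size ? old_size : new_size;
        memcpy(fresh, old, keep);
        secure_free(old);
    }
    return fresh;
}

int main(void)
{
    /* Constructed sample secret, not a value from the thread. */
    char *pw = malloc(16);
    size_t cleared;

    if (pw == NULL)
        return 1;
    strcpy(pw, "constructed-pw");
    pw = secure_realloc(pw, 64);  /* grow without leaving an unwiped copy */
    if (pw == NULL)
        return 1;
    cleared = wipe_block(pw);
    printf("cleared %zu bytes before free\n", cleared);
    free(pw);
    return 0;
}
```
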
From nmav at gnutls.org Tue Jun 16 22:07:59 2015
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Tue, 16 Jun 2015 22:07:59 +0200
Subject: [gnutls-help] gnutls 3.4.2
Message-ID: <1434485279.7405.2.camel@gnutls.org>

Hello,
I've just released gnutls 3.4.2. This version fixes bugs and enhances support for PKCS #7 structures on the next stable branch.

* Version 3.4.2 (released 2015-06-16)

** libgnutls: DTLS blocking API is more robust against infinite blocking, and will notify of more possible timeouts.

** libgnutls: corrected regression with Camellia-256-GCM cipher. Reported by Manuel Pegourie-Gonnard.

** libgnutls: Introduced the GNUTLS_NO_SIGNAL flag to gnutls_init(). That allows to disable SIGPIPE for writes done within gnutls.

** libgnutls: Enhanced the PKCS #7 API to allow signing and verification of structures. API moved to gnutls/pkcs7.h header.

** certtool: Added options to generate PKCS #7 bundles and signed structures.

** API and ABI modifications:
gnutls_x509_dn_get_str: Added
gnutls_pkcs11_get_raw_issuer_by_subject_key_id: Added
gnutls_x509_trust_list_get_issuer_by_subject_key_id: Added
gnutls_x509_crt_verify_data2: Added
gnutls_pkcs7_get_crt_raw2: Added
gnutls_pkcs7_signature_info_deinit: Added
gnutls_pkcs7_get_signature_info: Added
gnutls_pkcs7_verify_direct: Added
gnutls_pkcs7_verify: Added
gnutls_pkcs7_get_crl_raw2: Added
gnutls_pkcs7_sign: Added
gnutls_pkcs7_attrs_deinit: Added
gnutls_pkcs7_add_attr: Added
gnutls_pkcs7_get_attr: Added
gnutls_pkcs7_print: Added

Getting the Software
====================

GnuTLS may be downloaded directly from . A list of GnuTLS mirrors can be found at .

Here are the XZ and LZIP compressed sources:

ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/gnutls-3.4.2.tar.xz
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/gnutls-3.4.2.tar.lz

Here are OpenPGP detached signatures signed using key 0x96865171:

ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/gnutls-3.4.2.tar.xz.sig
ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/gnutls-3.4.2.tar.lz.sig

Note that it has been signed with my openpgp key:
pub 3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid Nikos Mavrogiannopoulos gnutls.org>
uid Nikos Mavrogiannopoulos gmail.com>
sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02]

regards,
Nikos

From anilkumar21t at gmail.com Wed Jun 17 09:00:50 2015
From: anilkumar21t at gmail.com (Anil Kumar)
Date: Wed, 17 Jun 2015 12:30:50 +0530
Subject: [gnutls-help] Query-Regarding-Enabling-TLS-In-Kamailio
Message-ID:

Hi,

My client is able to send client hello to server, and server is responding with ack.

But later no messages are being exchanged between them.

I see gnutls_handshake is timing out (GnuTLS error: The operation timed out).

I have included tls module and build the kamailio.

I see some key and cert files are generated in /usr/local/etc/kamailio .

Also I see enable_tls=yes in kamailio.cfg file.

May I know why tls server is not responding as expected?

Thanks
Anil

From anilkumar21t at gmail.com Wed Jun 17 09:11:14 2015
From: anilkumar21t at gmail.com (Anil Kumar)
Date: Wed, 17 Jun 2015 12:41:14 +0530
Subject: [gnutls-help] Query-Regarding-Enabling-TLS-In-Kamailio
In-Reply-To:
References:
Message-ID:

Hi,

Does Kamailio support gnutls?

Thanks
Anil

On Wed, Jun 17, 2015 at 12:30 PM, Anil Kumar wrote:
> Hi,
>
> My client is able to send client hello to server, and server is responding
> with ack.
>
> But later no messages are being exchanged between them.
>
> I see gnutls_handshake is timing out (GnuTLS error: The operation timed
> out).
>
> I have included tls module and build the kamailio.
>
> I see some key and cert files are generated in /usr/local/etc/kamailio .
>
> Also I see enable_tls=yes in kamailio.cfg file.
>
> May I know why tls server is not responding as expected ?
>
>
> Thanks
> Anil
>

From j.ballantine at gmail.com Wed Jun 17 15:36:52 2015
From: j.ballantine at gmail.com (Jim Ballantine)
Date: Wed, 17 Jun 2015 09:36:52 -0400
Subject: [gnutls-help] gnutls 3.4.2
In-Reply-To: <1434485279.7405.2.camel@gnutls.org>
References: <1434485279.7405.2.camel@gnutls.org>
Message-ID:

Hi,

I just tried to build the latest gnutls and it failed with:

checking for NETTLE... Unknown keyword 'URL' in '/usr/local/add-on/nettle/lib/pkgconfig/nettle.pc'
no
configure: error:
***
*** Libnettle 3.1 was not found.

nettle was a stand install, any thoughts on what is wrong and how to fix it?

On Tue, Jun 16, 2015 at 4:07 PM, Nikos Mavrogiannopoulos wrote:
> Hello,
> I've just released gnutls 3.4.2. This version fixes bugs and enhances
> support for PKCS #7 structures on the next stable branch.
>
>
> * Version 3.4.2 (released 2015-06-16)
>
> ** libgnutls: DTLS blocking API is more robust against infinite blocking,
> and will notify of more possible timeouts.
>
> ** libgnutls: corrected regression with Camellia-256-GCM cipher. Reported
> by Manuel Pegourie-Gonnard.
>
> ** libgnutls: Introduced the GNUTLS_NO_SIGNAL flag to gnutls_init(). That
> allows to disable SIGPIPE for writes done within gnutls.
>
> ** libgnutls: Enhanced the PKCS #7 API to allow signing and verification
> of structures. API moved to gnutls/pkcs7.h header.
>
> ** certtool: Added options to generate PKCS #7 bundles and signed
> structures.
>
> ** API and ABI modifications:
> gnutls_x509_dn_get_str: Added
> gnutls_pkcs11_get_raw_issuer_by_subject_key_id: Added
> gnutls_x509_trust_list_get_issuer_by_subject_key_id: Added
> gnutls_x509_crt_verify_data2: Added
> gnutls_pkcs7_get_crt_raw2: Added
> gnutls_pkcs7_signature_info_deinit: Added
> gnutls_pkcs7_get_signature_info: Added
> gnutls_pkcs7_verify_direct: Added
> gnutls_pkcs7_verify: Added
> gnutls_pkcs7_get_crl_raw2: Added
> gnutls_pkcs7_sign: Added
> gnutls_pkcs7_attrs_deinit: Added
> gnutls_pkcs7_add_attr: Added
> gnutls_pkcs7_get_attr: Added
> gnutls_pkcs7_print: Added
>
>
> Getting the Software
> ====================
>
> GnuTLS may be downloaded directly from
> . A list of GnuTLS mirrors can be
> found at .
>
> Here are the XZ and LZIP compressed sources:
>
> ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/gnutls-3.4.2.tar.xz
> ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/gnutls-3.4.2.tar.lz
>
> Here are OpenPGP detached signatures signed using key 0x96865171:
>
> ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/gnutls-3.4.2.tar.xz.sig
> ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/gnutls-3.4.2.tar.lz.sig
>
> Note that it has been signed with my openpgp key:
> pub 3104R/96865171 2008-05-04 [expires: 2028-04-29]
> uid Nikos Mavrogiannopoulos gnutls.org>
> uid Nikos Mavrogiannopoulos gmail.com>
> sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02]
> sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02]
>
> regards,
> Nikos
>

From anilkumar21t at gmail.com Fri Jun 19 12:43:06 2015
From: anilkumar21t at gmail.com (Anil Kumar)
Date: Fri, 19 Jun 2015 16:13:06 +0530
Subject: [gnutls-help] Query-Regarding-Gnutls-Build
Message-ID:

Hi All,

I am asked to develop a transport client that uses gnutls (I am using 3.4.1).
Also I want to simulate more number of such tls clients.

In my application each client is a separate process.
My each process dynamically links with the gmp, nettle and gnutls libs.

Without tls I am able to easily simulate more than 10k connections (with tcp/udp) in my machine (of 8 gb RAM).
But with tls in place I am not able to simulate more than 800 connections.
Memory is getting dried up, and is a big concern for me.

I ran with Valgrind memory check tool and I see zero errors and zero warnings.

Can anyone please help me what care I should take while building the gnutls, so that it is optimized and can be made best possible use.

Thanks
Anil

From julie_peace59 at hotmail.fr Wed Jun 24 18:14:36 2015
From: julie_peace59 at hotmail.fr (Julie P)
Date: Wed, 24 Jun 2015 18:14:36 +0200
Subject: [gnutls-help] tpmtool
Message-ID:

Hello,

I have a problem and didn't find any solution: tpmtool command is not found.
I installed gnutls-3.3.15, with nettle and co., the 'certtool' command works.
I am using Ubuntu 14.04. And 'locate tpmtool' didn't find anything.
Did you know what is my problem??

Thanks in advance!
Julie

From lucasrangit at gmail.com Fri Jun 26 01:14:02 2015
From: lucasrangit at gmail.com (Lucas Magasweran)
Date: Thu, 25 Jun 2015 23:14:02 +0000 (UTC)
Subject: [gnutls-help] tpmtool
References:
Message-ID:

Julie P hotmail.fr> writes:

> tpmtool command is not found.

Did ./configure find TPM support (see config.log)?

> I installed gnutls-3.3.15, with nettle and co., the 'certtool' command works.

Did you install the Trousers library?

On Ubuntu 14.04 I installed the build dependencies using the following commands. The last package installs the Trousers library headers.
    sudo add-apt-repository "deb http://archive.ubuntu.com/ubuntu $(lsb_release -sc) universe"
    sudo apt-get update
    sudo apt-get install build-essential nettle-dev libgmp-dev trousers tpm-tools libtspi-dev

After running `sudo make install`, I also had to symlink the library (credit http://www.bauer-power.net/2014/06/how-to-install-gnutls-3123-from-source.html)

    sudo ln -s /usr/local/lib/libgnutls.so.28 /usr/lib/libgnutls.so.28

From lucasrangit at gmail.com Fri Jun 26 18:27:04 2015
From: lucasrangit at gmail.com (Lucas Magasweran)
Date: Fri, 26 Jun 2015 16:27:04 +0000 (UTC)
Subject: [gnutls-help] tpmtool
References:
Message-ID:

Lucas Magasweran gmail.com> writes:

> After running `sudo make install`, I also had to symlink the library (credit

Actually, I think running `sudo ldconfig` is more correct.

From andreas_freimuth at web.de Tue Jun 30 15:16:50 2015
From: andreas_freimuth at web.de (Andreas Freimuth)
Date: Tue, 30 Jun 2015 15:16:50 +0200
Subject: [gnutls-help] The certificate chain violates the signer's constraints.
Message-ID: <559296C2.7040407@web.de>

Hi all,

I have a problem with the gnutls validating a certificate path.
Can someone tell me if it is a mistake in the Certs, or a bug in GnuTLS?

Relevant parts of the Certs:

== server.crt ==
Subject: C=US, O=Foo Bar Inc., CN=bazz.foobar.com
X509v3 Subject Alternative Name:
    DNS:update.foobar.com, DNS:mx.foobar.email

== CA ==
X509v3 Name Constraints:
    Permitted:
      DNS:foobar.com
      DNS:foobar.email
      DirName: C = US, O = Foo Bar Inc.
    Excluded:
      DNS:www.foobar.com
      DNS:www.foobar.email
      IP:0.0.0.0/0.0.0.0
      IP:0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0

OpenSSL verify says everything is fine.
> $ openssl verify -CAfile CA-chain.crt server.crt
> server.crt: OK

But GnuTLS (3.3.8 and 3.3.15) complains:
"The certificate chain violates the signer's constraints."
> $ openssl verify -CAfile CA-chain.crt server.crt
> server.crt: OK
> $ gnutls-serv --x509keyfile server.key --x509certfile server.crt -p 9999

(I added update.foobar.com to /etc/hosts)

> $ gnutls-cli --x509cafile CA-chain.crt -p 9999 update.foobar.com
> Processed 2 CA certificate(s).
> Resolving 'update.foobar.com'...
> Connecting to '127.0.0.1:9999'...
> - Certificate type: X.509
> - Got a certificate list of 1 certificates.
> - Certificate[0] info:
> - subject `C=US,O=Foo Bar Inc.,CN=bazz.foobar.com', issuer `C=US,O=Foo Bar Inc.,CN=Foo Bar Sub CA 1,OU=Public Key Infrastructure', RSA key 512 bits, signed using RSA-SHA1, activated `2015-06-30 12:35:31 UTC', expires `2016-06-29 12:35:31 UTC', SHA-1 fingerprint `297d9f2e6e4246306a94a7c2a35d99fa85819485'
> Public Key ID:
> f2a2f8279dff958588a4b91f94d773f4bdf06837
> Public key's random art:
> +--[ RSA 512]----+
> | |
> | |
> | . . |
> | + o o o ..|
> | + S o +.o o|
> | = . =+ .|
> | .o.o oo E |
> | ...+o . .. . .|
> | ..oo .o.. |
> +-----------------+
>
> - Status: The certificate is NOT trusted. The certificate chain violates the signer's constraints.
> *** PKI verification of server certificate failed...
> *** Fatal error: Error in the certificate.
> *** Handshake has failed
> GnuTLS error: Error in the certificate.

Thank you in advance
--
Andreas Freimuth

-------------- next part --------------
A non-text attachment was scrubbed...
Name: CA-chain.crt
Type: application/pkix-cert
Size: 2092 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: server.crt
Type: application/pkix-cert
Size: 1021 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: server.key
Type: application/x-iwork-keynote-sffkey
Size: 522 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 538 bytes
Desc: OpenPGP digital signature
URL:
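
The name constraints quoted in the message above can be evaluated by hand against the subtree rules of RFC 5280 section 4.2.1.10. The following Python is an added example, not part of the original post and not the way OpenSSL or GnuTLS implement the check; the dictionaries are constructed from the certificate text in the post, the IP subtrees are rewritten in CIDR form, and distinguished-name comparison is simplified to exact matching of attribute pairs (an assumption).

```python
import ipaddress

# Constructed from the certificate text quoted in the post (not parsed from a real file).
PERMITTED = {"dns": ["foobar.com", "foobar.email"],
             "dirname": [[("C", "US"), ("O", "Foo Bar Inc.")]]}
EXCLUDED = {"dns": ["www.foobar.com", "www.foobar.email"],
            "ip": ["0.0.0.0/0", "::/0"]}  # CIDR form of the two all-zero masks
LEAF = {"dns": ["update.foobar.com", "mx.foobar.email"],
        "dirname": [[("C", "US"), ("O", "Foo Bar Inc."),
                     ("CN", "bazz.foobar.com")]]}


def dns_in_subtree(name, base):
    """True if name equals base or adds whole labels to its left."""
    name, base = name.lower().rstrip("."), base.lower().rstrip(".")
    return name == base or name.endswith("." + base)


def dn_in_subtree(dn, base):
    """True if base's RDN sequence is a prefix of dn (simplified matching)."""
    return dn[:len(base)] == base


def ip_in_subtree(addr, cidr):
    """True if addr lies inside the network, comparing like address families only."""
    ip, net = ipaddress.ip_address(addr), ipaddress.ip_network(cidr)
    return ip.version == net.version and ip in net


MATCHERS = {"dns": dns_in_subtree, "dirname": dn_in_subtree, "ip": ip_in_subtree}


def violations(names, permitted=PERMITTED, excluded=EXCLUDED):
    """Return (type, name, reason) for every name that breaks a constraint."""
    found = []
    for kind, values in names.items():
        match = MATCHERS[kind]
        for value in values:
            # Excluded subtrees win over permitted ones.
            if any(match(value, base) for base in excluded.get(kind, [])):
                found.append((kind, value, "excluded"))
            # A permitted list only restricts names of its own type.
            elif kind in permitted and not any(
                    match(value, base) for base in permitted[kind]):
                found.append((kind, value, "not permitted"))
    return found
```

For the leaf certificate in the post, `violations(LEAF)` returns an empty list under these rules.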