From jonetsu at teksavvy.com  Tue Aug  9 00:12:32 2016
From: jonetsu at teksavvy.com (jonetsu)
Date: Mon, 08 Aug 2016 18:12:32 -0400
Subject: [gnutls-help] Intermediate CAs
Message-ID: <3d9169bb985447e24bd41f2869bd49fa@teksavvy.com>

Hello,

Is there an example or two around on how to handle intermediate CAs using GnuTLS ?

Thanks.





From nmav at gnutls.org  Tue Aug  9 07:40:20 2016
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Tue, 09 Aug 2016 07:40:20 +0200
Subject: [gnutls-help] gnutls 3.5.3
Message-ID: <1470721220.14429.2.camel@gnutls.org>

Hello,?
?I've just released gnutls 3.5.3. This is a minor enhancements and
bugfix release for the 3.5.x branch.

* Version 3.5.3 (released 2016-08-09)

** libgnutls: Added support for TCP fast open (RFC7413), allowing
???to reduce by one round-trip the handshake process. Based on proposal
? ?and patch by Tim Ruehsen.

** libgnutls: Adopted a simpler with less memory requirements DTLS
? ?sliding window implementation. Based on Fridolin Pokorny's
? ?implementation for AF_KTLS.

** libgnutls: Use getrandom where available via the syscall interface.
???This works around an issue of not-using getrandom even if it exists
???since glibc doesn't declare such function.

** libgnutls: Fixed DNS name constraints checking in the case of empty
???intersection of domain names in the chain. Report and fix by Martin
? ?Ukrop.

** libgnutls: Fixed name constraints checking in the case of chains
???where the higher level certificates contained different types of
???constraints than the ones present in the lower intermediate CAs.
???Report and fix by Martin Ukrop.

** libgnutls: Dropped support for the EGD random generator.

** libgnutls: Allow the decoding of raw elements (starting with #)
???in RFC4514 DN string decoding.

** libgnutls: Fixes in gnutls_x509_crt_list_import2, which was
???ignoring flags if all certificates in the list fit within the
???initially allocated memory. Patch by Tim Kosse.

** libgnutls: Corrected issue which made
? ?gnutls_certificate_get_x509_crt() to return invalid pointers when
? ?returned more than a single certificate. Report and fix by Stefan
? ?S?rensen.

** libgnutls: Fix gnutls_pkcs12_simple_parse to always extract the
? ?complete chain, even when the extra_certs was non-null. Report and
? ?fix by Stefan S?rensen.

** certtool: Added the "add_extension" and "add_critical_extension"
???template options. This allows specifying arbitrary extensions into
???certificates and certificate requests.

** gnutls-cli: Added the --fastopen option.

** API and ABI modifications:
GNUTLS_E_UNAVAILABLE_DURING_HANDSHAKE: Added
gnutls_x509_crq_set_extension_by_oid: Added
gnutls_x509_dn_set_str: Added
gnutls_transport_set_fastopen: Added


Getting the Software
====================

GnuTLS may be downloaded directly from
<ftp://ftp.gnutls.org/gcrypt/gnutls/>.??A list of GnuTLS mirrors can be
found at <http://www.gnutls.org/download.html>.

Here are the XZ compressed sources:

? ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/gnutls-3.5.3.tar.xz

Here are OpenPGP detached signatures signed using key 0x96865171:

? ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/gnutls-3.5.3.tar.xz.sig

Note that it has been signed with my openpgp key:
pub???3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid??????????????????Nikos Mavrogiannopoulos <nmav <at> gnutls.org>
uid??????????????????Nikos Mavrogiannopoulos <n.mavrogiannopoulos <at>
gmail.com>
sub???2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub???2048R/1404A91D 2008-05-04 [expires: 2018-05-02]

regards,
Nikos



From gkdbwl at hanmail.net  Tue Aug  9 08:23:06 2016
From: gkdbwl at hanmail.net (TMYJ)
Date: Tue, 09 Aug 2016 15:23:06 +0900 (KST)
Subject: [gnutls-help] handshake error
Message-ID: <20160809152306.HM.b0000000008eUGa@gkdbwl.wwl1707.hanmail.net>

An HTML attachment was scrubbed...
URL: </pipermail/attachments/20160809/ec7223bb/attachment.html>

From onkurganguly at gmail.com  Tue Aug  9 09:31:59 2016
From: onkurganguly at gmail.com (Onkurananda Ganguly)
Date: Tue, 9 Aug 2016 13:01:59 +0530
Subject: [gnutls-help] Unable to connect Windows IIS8, gives -37
Message-ID: <CAHwEhuq5dkDCCXKORN1-GkiT2WbztxzjHeqKUhO=24tGPEGYSA@mail.gmail.com>

Hi Gnutls team,

I am using CentOS7.1 and my Gnutls versions are:
gnutls-dane-3.3.8-14.el7_2.x86_64
gnutls-utils-3.3.8-14.el7_2.x86_64
gnutls-3.3.8-14.el7_2.x86_64
gnutls-devel-3.3.8-14.el7_2.x86_64
gnutls-c++-3.3.8-14.el7_2.x86_64

Whenever I tried to connect an Windows IIS8 server I am getting below
error----

- Key Exchange: RSA
- Protocol: TLS1.2
- Certificate Type: X.509
- Compression: NULL
- Cipher: AES-128-CBC
- MAC: SHA256
Note: SSL paramaters may change as new connections are established to the
server.
/usr/bin/httpfs2-ssl: main: closing socket.
/usr/bin/httpfs2-ssl: main: closing SSL socket.
/usr/bin/httpfs2-ssl: main: initializing SSL socket.
/usr/bin/httpfs2-ssl: main: read: -37 Rehandshake was requested by the
peer..
/usr/bin/httpfs2-ssl: main: exchange: failed receving reply from server: 5
Input/output error.


I tried to disable DH, RC4 algorithm but no issue. It still giving me the
error.

Any help will be appreciated.

Thanks,
Onkurananda Ganguly
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20160809/9a4e7b3e/attachment-0001.html>

From nmav at gnutls.org  Tue Aug  9 10:12:31 2016
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Tue, 9 Aug 2016 10:12:31 +0200
Subject: [gnutls-help] Unable to connect Windows IIS8, gives -37
In-Reply-To: <CAHwEhuq5dkDCCXKORN1-GkiT2WbztxzjHeqKUhO=24tGPEGYSA@mail.gmail.com>
References: <CAHwEhuq5dkDCCXKORN1-GkiT2WbztxzjHeqKUhO=24tGPEGYSA@mail.gmail.com>
Message-ID: <CAJU7zaJFuBA14Yg9tDYJ=ZGkvoJw9Z_Uq9CDiw5=xM6TJOU4=w@mail.gmail.com>

On Tue, Aug 9, 2016 at 9:31 AM, Onkurananda Ganguly
<onkurganguly at gmail.com> wrote:
> Hi Gnutls team,
> Whenever I tried to connect an Windows IIS8 server I am getting below
> error----
> - Key Exchange: RSA
> - Protocol: TLS1.2
> - Certificate Type: X.509
> - Compression: NULL
> - Cipher: AES-128-CBC
> - MAC: SHA256
> Note: SSL paramaters may change as new connections are established to the
> server.
> /usr/bin/httpfs2-ssl: main: closing socket.
> /usr/bin/httpfs2-ssl: main: closing SSL socket.
> /usr/bin/httpfs2-ssl: main: initializing SSL socket.
> /usr/bin/httpfs2-ssl: main: read: -37 Rehandshake was requested by the
> peer..

The server requested a rehandshake but the client (httpfs2-ssl) you
are using didn't handle it. You'd better report it to that tool.

regards,
Nikos


From onkurganguly at gmail.com  Tue Aug  9 10:39:44 2016
From: onkurganguly at gmail.com (Onkurananda Ganguly)
Date: Tue, 9 Aug 2016 14:09:44 +0530
Subject: [gnutls-help] Unable to connect Windows IIS8, gives -37
In-Reply-To: <CAJU7zaJFuBA14Yg9tDYJ=ZGkvoJw9Z_Uq9CDiw5=xM6TJOU4=w@mail.gmail.com>
References: <CAHwEhuq5dkDCCXKORN1-GkiT2WbztxzjHeqKUhO=24tGPEGYSA@mail.gmail.com>
 <CAJU7zaJFuBA14Yg9tDYJ=ZGkvoJw9Z_Uq9CDiw5=xM6TJOU4=w@mail.gmail.com>
Message-ID: <CAHwEhupWNVUZ_Dk1U58jADKrPL5kumpECZu0JGx5PH-z9C+sQA@mail.gmail.com>

I have already reported to them and below is the response:

This is obviously a SSL problem.

The Windows server uses different SSL settings which GnuTLS does not like.

This is something you should discuss with the GnuTLS packager for your
distribution and/or GnuTLS authors.

httpfs uses the default SSL settings (this is not configurable at the
moment) and those probably disable rehandshake with protocols/ciphers
that cannot do rehandshake securely.


Thanks,

Ganguly

On Tue, Aug 9, 2016 at 1:42 PM, Nikos Mavrogiannopoulos <nmav at gnutls.org>
wrote:

> On Tue, Aug 9, 2016 at 9:31 AM, Onkurananda Ganguly
> <onkurganguly at gmail.com> wrote:
> > Hi Gnutls team,
> > Whenever I tried to connect an Windows IIS8 server I am getting below
> > error----
> > - Key Exchange: RSA
> > - Protocol: TLS1.2
> > - Certificate Type: X.509
> > - Compression: NULL
> > - Cipher: AES-128-CBC
> > - MAC: SHA256
> > Note: SSL paramaters may change as new connections are established to the
> > server.
> > /usr/bin/httpfs2-ssl: main: closing socket.
> > /usr/bin/httpfs2-ssl: main: closing SSL socket.
> > /usr/bin/httpfs2-ssl: main: initializing SSL socket.
> > /usr/bin/httpfs2-ssl: main: read: -37 Rehandshake was requested by the
> > peer..
>
> The server requested a rehandshake but the client (httpfs2-ssl) you
> are using didn't handle it. You'd better report it to that tool.
>
> regards,
> Nikos
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20160809/fd5cf975/attachment.html>

From gkdbwl at hanmail.net  Tue Aug  9 11:06:47 2016
From: gkdbwl at hanmail.net (TMYJ)
Date: Tue, 09 Aug 2016 18:06:47 +0900 (KST)
Subject: [gnutls-help] handshake error
Message-ID: <20160809180647.HM.b0000000008eUGg@gkdbwl.wwl1707.hanmail.net>

An HTML attachment was scrubbed...
URL: </pipermail/attachments/20160809/1098362b/attachment.html>

From hramrach at gmail.com  Tue Aug  9 11:17:25 2016
From: hramrach at gmail.com (Michal Suchanek)
Date: Tue, 9 Aug 2016 11:17:25 +0200
Subject: [gnutls-help] Unable to connect Windows IIS8, gives -37
In-Reply-To: <CAJU7zaJFuBA14Yg9tDYJ=ZGkvoJw9Z_Uq9CDiw5=xM6TJOU4=w@mail.gmail.com>
References: <CAHwEhuq5dkDCCXKORN1-GkiT2WbztxzjHeqKUhO=24tGPEGYSA@mail.gmail.com>
 <CAJU7zaJFuBA14Yg9tDYJ=ZGkvoJw9Z_Uq9CDiw5=xM6TJOU4=w@mail.gmail.com>
Message-ID: <CAOMqctT_xC5L9-AFLp7zvtLyYd9tkSspdQ-KdBkf6+wGTNvqMg@mail.gmail.com>

Hello,

On 9 August 2016 at 10:12, Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:
> On Tue, Aug 9, 2016 at 9:31 AM, Onkurananda Ganguly
> <onkurganguly at gmail.com> wrote:
>> Hi Gnutls team,
>> Whenever I tried to connect an Windows IIS8 server I am getting below
>> error----
>> - Key Exchange: RSA
>> - Protocol: TLS1.2
>> - Certificate Type: X.509
>> - Compression: NULL
>> - Cipher: AES-128-CBC
>> - MAC: SHA256
>> Note: SSL paramaters may change as new connections are established to the
>> server.
>> /usr/bin/httpfs2-ssl: main: closing socket.
>> /usr/bin/httpfs2-ssl: main: closing SSL socket.
>> /usr/bin/httpfs2-ssl: main: initializing SSL socket.
>> /usr/bin/httpfs2-ssl: main: read: -37 Rehandshake was requested by the
>> peer..
>
> The server requested a rehandshake but the client (httpfs2-ssl) you
> are using didn't handle it. You'd better report it to that tool.

what is needed on the clients part to handle the rehandshake?

Does GnuTLS not handle rehandshake internally?

Thanks

Michal


From nmav at gnutls.org  Tue Aug  9 11:58:27 2016
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Tue, 9 Aug 2016 11:58:27 +0200
Subject: [gnutls-help] Unable to connect Windows IIS8, gives -37
In-Reply-To: <CAOMqctT_xC5L9-AFLp7zvtLyYd9tkSspdQ-KdBkf6+wGTNvqMg@mail.gmail.com>
References: <CAHwEhuq5dkDCCXKORN1-GkiT2WbztxzjHeqKUhO=24tGPEGYSA@mail.gmail.com>
 <CAJU7zaJFuBA14Yg9tDYJ=ZGkvoJw9Z_Uq9CDiw5=xM6TJOU4=w@mail.gmail.com>
 <CAOMqctT_xC5L9-AFLp7zvtLyYd9tkSspdQ-KdBkf6+wGTNvqMg@mail.gmail.com>
Message-ID: <CAJU7za+r_WaJuh93i-nzAsdAuepAyMTy1WO7q6eJWo2BfLcqCA@mail.gmail.com>

On Tue, Aug 9, 2016 at 11:17 AM, Michal Suchanek <hramrach at gmail.com> wrote:
>>> Hi Gnutls team,
>>> Whenever I tried to connect an Windows IIS8 server I am getting below
>>> error----
>>> - Key Exchange: RSA
>>> - Protocol: TLS1.2
>>> - Certificate Type: X.509
>>> - Compression: NULL
>>> - Cipher: AES-128-CBC
>>> - MAC: SHA256
>>> Note: SSL paramaters may change as new connections are established to the
>>> server.
>>> /usr/bin/httpfs2-ssl: main: closing socket.
>>> /usr/bin/httpfs2-ssl: main: closing SSL socket.
>>> /usr/bin/httpfs2-ssl: main: initializing SSL socket.
>>> /usr/bin/httpfs2-ssl: main: read: -37 Rehandshake was requested by the
>>> peer..
>>
>> The server requested a rehandshake but the client (httpfs2-ssl) you
>> are using didn't handle it. You'd better report it to that tool.
> what is needed on the clients part to handle the rehandshake?
> Does GnuTLS not handle rehandshake internally?

No. Rehandshake typically means re-authentication and the application
must handle this explicitly with gnutls (see [0]). By the time you
receive such a rehandshake request by the server you can either ignore
it (which the server may or may not like), or act on it by following
the instructions on [0]. Servers typically ask for rehandshake when
the want to connected user to reauthenticate using a client
certificate or so.

Overall it is best to use gnutls_error_is_fatal() and ignore non-fatal
errors from gnutls_record_recv() and gnutls_handshake().

regards,
Nikos

[0]. https://www.gnutls.org/manual/html_node/Re_002dauthentication.html


From onkurganguly at gmail.com  Tue Aug  9 12:53:59 2016
From: onkurganguly at gmail.com (Onkurananda Ganguly)
Date: Tue, 9 Aug 2016 16:23:59 +0530
Subject: [gnutls-help] Unable to connect Windows IIS8, gives -37
In-Reply-To: <CAJU7za+r_WaJuh93i-nzAsdAuepAyMTy1WO7q6eJWo2BfLcqCA@mail.gmail.com>
References: <CAHwEhuq5dkDCCXKORN1-GkiT2WbztxzjHeqKUhO=24tGPEGYSA@mail.gmail.com>
 <CAJU7zaJFuBA14Yg9tDYJ=ZGkvoJw9Z_Uq9CDiw5=xM6TJOU4=w@mail.gmail.com>
 <CAOMqctT_xC5L9-AFLp7zvtLyYd9tkSspdQ-KdBkf6+wGTNvqMg@mail.gmail.com>
 <CAJU7za+r_WaJuh93i-nzAsdAuepAyMTy1WO7q6eJWo2BfLcqCA@mail.gmail.com>
Message-ID: <CAHwEhup9WmHOBezyWgua0p4kzgwoBwRz-eTRoZWYJG1Hh1Cy9w@mail.gmail.com>

Thanks for the info. I will make the necessary changes and try connecting
again.
If I ignore the re-handshake using gnutls_error_is_fatal() and ignore
non-fatal error. Will I able to connect to the server??

On Tue, Aug 9, 2016 at 3:28 PM, Nikos Mavrogiannopoulos <nmav at gnutls.org>
wrote:

> On Tue, Aug 9, 2016 at 11:17 AM, Michal Suchanek <hramrach at gmail.com>
> wrote:
> >>> Hi Gnutls team,
> >>> Whenever I tried to connect an Windows IIS8 server I am getting below
> >>> error----
> >>> - Key Exchange: RSA
> >>> - Protocol: TLS1.2
> >>> - Certificate Type: X.509
> >>> - Compression: NULL
> >>> - Cipher: AES-128-CBC
> >>> - MAC: SHA256
> >>> Note: SSL paramaters may change as new connections are established to
> the
> >>> server.
> >>> /usr/bin/httpfs2-ssl: main: closing socket.
> >>> /usr/bin/httpfs2-ssl: main: closing SSL socket.
> >>> /usr/bin/httpfs2-ssl: main: initializing SSL socket.
> >>> /usr/bin/httpfs2-ssl: main: read: -37 Rehandshake was requested by the
> >>> peer..
> >>
> >> The server requested a rehandshake but the client (httpfs2-ssl) you
> >> are using didn't handle it. You'd better report it to that tool.
> > what is needed on the clients part to handle the rehandshake?
> > Does GnuTLS not handle rehandshake internally?
>
> No. Rehandshake typically means re-authentication and the application
> must handle this explicitly with gnutls (see [0]). By the time you
> receive such a rehandshake request by the server you can either ignore
> it (which the server may or may not like), or act on it by following
> the instructions on [0]. Servers typically ask for rehandshake when
> the want to connected user to reauthenticate using a client
> certificate or so.
>
> Overall it is best to use gnutls_error_is_fatal() and ignore non-fatal
> errors from gnutls_record_recv() and gnutls_handshake().
>
> regards,
> Nikos
>
> [0]. https://www.gnutls.org/manual/html_node/Re_002dauthentication.html
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20160809/9b6ef559/attachment-0001.html>

From hramrach at gmail.com  Tue Aug  9 12:56:39 2016
From: hramrach at gmail.com (Michal Suchanek)
Date: Tue, 9 Aug 2016 12:56:39 +0200
Subject: [gnutls-help] Unable to connect Windows IIS8, gives -37
In-Reply-To: <CAJU7za+r_WaJuh93i-nzAsdAuepAyMTy1WO7q6eJWo2BfLcqCA@mail.gmail.com>
References: <CAHwEhuq5dkDCCXKORN1-GkiT2WbztxzjHeqKUhO=24tGPEGYSA@mail.gmail.com>
 <CAJU7zaJFuBA14Yg9tDYJ=ZGkvoJw9Z_Uq9CDiw5=xM6TJOU4=w@mail.gmail.com>
 <CAOMqctT_xC5L9-AFLp7zvtLyYd9tkSspdQ-KdBkf6+wGTNvqMg@mail.gmail.com>
 <CAJU7za+r_WaJuh93i-nzAsdAuepAyMTy1WO7q6eJWo2BfLcqCA@mail.gmail.com>
Message-ID: <CAOMqctSEWCnC7gTisbP65BPpL9QRKCJk7vuh616_SyqCCi_gbA@mail.gmail.com>

On 9 August 2016 at 11:58, Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:
> On Tue, Aug 9, 2016 at 11:17 AM, Michal Suchanek <hramrach at gmail.com> wrote:

>>> The server requested a rehandshake but the client (httpfs2-ssl) you
>>> are using didn't handle it. You'd better report it to that tool.
>> what is needed on the clients part to handle the rehandshake?
>> Does GnuTLS not handle rehandshake internally?
>
> No. Rehandshake typically means re-authentication and the application
> must handle this explicitly with gnutls (see [0]). By the time you
> receive such a rehandshake request by the server you can either ignore
> it (which the server may or may not like), or act on it by following
> the instructions on [0]. Servers typically ask for rehandshake when
> the want to connected user to reauthenticate using a client
> certificate or so.
>
> Overall it is best to use gnutls_error_is_fatal() and ignore non-fatal
> errors from gnutls_record_recv() and gnutls_handshake().

This explains the issue.

Thanks

Michal


From onkurganguly at gmail.com  Tue Aug  9 13:11:26 2016
From: onkurganguly at gmail.com (Onkurananda Ganguly)
Date: Tue, 9 Aug 2016 16:41:26 +0530
Subject: [gnutls-help] Unable to connect Windows IIS8, gives -37
In-Reply-To: <CAOMqctSEWCnC7gTisbP65BPpL9QRKCJk7vuh616_SyqCCi_gbA@mail.gmail.com>
References: <CAHwEhuq5dkDCCXKORN1-GkiT2WbztxzjHeqKUhO=24tGPEGYSA@mail.gmail.com>
 <CAJU7zaJFuBA14Yg9tDYJ=ZGkvoJw9Z_Uq9CDiw5=xM6TJOU4=w@mail.gmail.com>
 <CAOMqctT_xC5L9-AFLp7zvtLyYd9tkSspdQ-KdBkf6+wGTNvqMg@mail.gmail.com>
 <CAJU7za+r_WaJuh93i-nzAsdAuepAyMTy1WO7q6eJWo2BfLcqCA@mail.gmail.com>
 <CAOMqctSEWCnC7gTisbP65BPpL9QRKCJk7vuh616_SyqCCi_gbA@mail.gmail.com>
Message-ID: <CAHwEhupBKhyX_zyT5HCPshj2X6p2H=-Yg3RokYgMEQm+a2pH0w@mail.gmail.com>

Michal Suchanek, so I need change the client httpfs2-ssl according to the
resolution given.


On Tue, Aug 9, 2016 at 4:26 PM, Michal Suchanek <hramrach at gmail.com> wrote:

> On 9 August 2016 at 11:58, Nikos Mavrogiannopoulos <nmav at gnutls.org>
> wrote:
> > On Tue, Aug 9, 2016 at 11:17 AM, Michal Suchanek <hramrach at gmail.com>
> wrote:
>
> >>> The server requested a rehandshake but the client (httpfs2-ssl) you
> >>> are using didn't handle it. You'd better report it to that tool.
> >> what is needed on the clients part to handle the rehandshake?
> >> Does GnuTLS not handle rehandshake internally?
> >
> > No. Rehandshake typically means re-authentication and the application
> > must handle this explicitly with gnutls (see [0]). By the time you
> > receive such a rehandshake request by the server you can either ignore
> > it (which the server may or may not like), or act on it by following
> > the instructions on [0]. Servers typically ask for rehandshake when
> > the want to connected user to reauthenticate using a client
> > certificate or so.
> >
> > Overall it is best to use gnutls_error_is_fatal() and ignore non-fatal
> > errors from gnutls_record_recv() and gnutls_handshake().
>
> This explains the issue.
>
> Thanks
>
> Michal
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20160809/dcf7e589/attachment.html>

From alex at alex.org.uk  Tue Aug  9 13:25:24 2016
From: alex at alex.org.uk (Alex Bligh)
Date: Tue, 9 Aug 2016 12:25:24 +0100
Subject: [gnutls-help] Unable to connect Windows IIS8, gives -37
In-Reply-To: <CAHwEhupBKhyX_zyT5HCPshj2X6p2H=-Yg3RokYgMEQm+a2pH0w@mail.gmail.com>
References: <CAHwEhuq5dkDCCXKORN1-GkiT2WbztxzjHeqKUhO=24tGPEGYSA@mail.gmail.com>
 <CAJU7zaJFuBA14Yg9tDYJ=ZGkvoJw9Z_Uq9CDiw5=xM6TJOU4=w@mail.gmail.com>
 <CAOMqctT_xC5L9-AFLp7zvtLyYd9tkSspdQ-KdBkf6+wGTNvqMg@mail.gmail.com>
 <CAJU7za+r_WaJuh93i-nzAsdAuepAyMTy1WO7q6eJWo2BfLcqCA@mail.gmail.com>
 <CAOMqctSEWCnC7gTisbP65BPpL9QRKCJk7vuh616_SyqCCi_gbA@mail.gmail.com>
 <CAHwEhupBKhyX_zyT5HCPshj2X6p2H=-Yg3RokYgMEQm+a2pH0w@mail.gmail.com>
Message-ID: <71796FEE-420A-45F4-909F-164CCF8A60D2@alex.org.uk>


> On 9 Aug 2016, at 12:11, Onkurananda Ganguly <onkurganguly at gmail.com> wrote:
> 
> Michal Suchanek, so I need change the client httpfs2-ssl according to the resolution given.

Or stop the server requesting reauthentication.

Alex

> 
> 
> On Tue, Aug 9, 2016 at 4:26 PM, Michal Suchanek <hramrach at gmail.com> wrote:
> On 9 August 2016 at 11:58, Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:
> > On Tue, Aug 9, 2016 at 11:17 AM, Michal Suchanek <hramrach at gmail.com> wrote:
> 
> >>> The server requested a rehandshake but the client (httpfs2-ssl) you
> >>> are using didn't handle it. You'd better report it to that tool.
> >> what is needed on the clients part to handle the rehandshake?
> >> Does GnuTLS not handle rehandshake internally?
> >
> > No. Rehandshake typically means re-authentication and the application
> > must handle this explicitly with gnutls (see [0]). By the time you
> > receive such a rehandshake request by the server you can either ignore
> > it (which the server may or may not like), or act on it by following
> > the instructions on [0]. Servers typically ask for rehandshake when
> > the want to connected user to reauthenticate using a client
> > certificate or so.
> >
> > Overall it is best to use gnutls_error_is_fatal() and ignore non-fatal
> > errors from gnutls_record_recv() and gnutls_handshake().
> 
> This explains the issue.
> 
> Thanks
> 
> Michal
> 
> _______________________________________________
> Gnutls-help mailing list
> Gnutls-help at lists.gnutls.org
> http://lists.gnupg.org/mailman/listinfo/gnutls-help

-- 
Alex Bligh






From jonetsu at teksavvy.com  Wed Aug 10 01:59:01 2016
From: jonetsu at teksavvy.com (jonetsu at teksavvy.com)
Date: Tue, 9 Aug 2016 19:59:01 -0400
Subject: [gnutls-help] Periodic checking of local certificate
Message-ID: <20160809195901.2e206d8a@mevla>

Hello,

Are there any examples around about doing a periodic checking of local
certificates using GnuTLS ?

Comments, suggestions, much appreciated.


From haujin93 at gmail.com  Wed Aug 10 08:50:56 2016
From: haujin93 at gmail.com (=?UTF-8?B?7ZWY7Jyg7KeE?=)
Date: Wed, 10 Aug 2016 15:50:56 +0900
Subject: [gnutls-help] handshake
In-Reply-To: <CAOkn1A1Y=Pf1UgFPf5b6C5CJ_jm6aryq_G96SpBsdGVOYppMrQ@mail.gmail.com>
References: <CAOkn1A1Y=Pf1UgFPf5b6C5CJ_jm6aryq_G96SpBsdGVOYppMrQ@mail.gmail.com>
Message-ID: <CAOkn1A2mUwAL123Dkd_euE=E_VuEPJwo4F6ogoAQYfWA+Mv00w@mail.gmail.com>

Hello,

I'm trying to compile sample code.

When I excute ex-client-x509 & ex-serv-x509, It displays
the following message

*** Handshake failed
GnuTLS error: Error in the certificate.
The certificate is NOT trusted. The name in the certificate does not match
the expected.

I already copy ca.crt & key.pem to /usr/local/share/ca-
certificates.Also I check /etc/ssl/certs/ca-certificates
and there existed 'GnuTLS Test CA'

How can I make sure that the server's certificate was
issued by the CA that the client knows about the trust?

2016-08-09 23:05 GMT+09:00 ??? <haujin93 at gmail.com>:

> Hello,
>
> I'm trying to compile sample code.
>
> When I excute ex-client-x509 & ex-serv-x509, It displays
> the following message
>
> *** Handshake failed
> GnuTLS error: Error in the certificate.
> The certificate is NOT trusted. The name in the
> certificate does not match the expected.
>
> I already copy ca.crt & key.pem to /usr/local/share/ca-
> certificates.Also I check /etc/ssl/certs/ca-certificates
> and there existed 'GnuTLS Test CA'
>
> How can I make sure that the server's certificate was
> issued by the CA that the client knows about the trust?
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20160810/403cf08f/attachment-0001.html>

From haujin93 at gmail.com  Wed Aug 10 09:01:34 2016
From: haujin93 at gmail.com (=?UTF-8?B?7ZWY7Jyg7KeE?=)
Date: Wed, 10 Aug 2016 16:01:34 +0900
Subject: [gnutls-help]  handshake error
Message-ID: <CAOkn1A2KDTmA_U_V6Wev2uBb=reG9uQwtt7NoOZg8vcS9v=qZg@mail.gmail.com>

Hello,

I'm trying to compile sample code.

When I excute ex-client-x509 & ex-serv-x509, It displays
the following message

*** Handshake failed
GnuTLS error: Error in the certificate.
The certificate is NOT trusted. The name in the certificate does not match
the expected.

I already copy ca.crt & key.pem to /usr/local/share/ca-
certificates.Also I check /etc/ssl/certs/ca-certificates
and there existed 'GnuTLS Test CA'

How can I make sure that the server's certificate was
issued by the CA that the client knows about the trust?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20160810/b6b9b619/attachment.html>

From hk501jy at gmail.com  Thu Aug 11 13:03:31 2016
From: hk501jy at gmail.com (Yujin Kim)
Date: Thu, 11 Aug 2016 20:03:31 +0900
Subject: [gnutls-help] Certificate verification error
Message-ID: <CAGkU_tz5S+BCrNV4U2mUsODdYTTm=Z8A_qzROE7okytwJLkwyA@mail.gmail.com>

Hello,

I'm trying to compile sample code  ex-client-x509 & ex-serv-x509.

But when I excute ex-client-x509 & ex-serv-x509, It displays
the following message

cert verify output: The certificate is NOT trusted. The name in the
certificate does not match the expected.
*** Handshake failed: Error in the certificate verification.

I already copy ca.crt & key.pem to /usr/local/share/ca-
certificates.Also I check /etc/ssl/certs/ca-certificates
and there existed 'GnuTLS Test CA'

How can I make sure that the server's certificate was
issued by the CA that the client knows about the trust?

Thanks.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20160811/83f3fb8a/attachment.html>

From clopez43 at comcast.net  Tue Aug 23 00:41:51 2016
From: clopez43 at comcast.net (caitin lopez)
Date: Mon, 22 Aug 2016 18:41:51 -0400
Subject: [gnutls-help] strange issue
Message-ID: <5b9372bf-b927-53af-c3bb-ad83b7c269e6@comcast.net>

System: opensuse 13.2 x64 16GB memory (8 core processor)

gcc (SUSE Linux) 4.8.3 20140627 [gcc-4_8-branch revision 212064]

I tried to use opencv (which uses gnutls) but keep failing with the 
error above. So I removed the openCV, the gnu tls from the system, get 
every library which it depends and compile

when I try to compile I get this which is the same issue that I have 
when compiling OpenCV



../lib/.libs/libgnutls.so: undefined reference to `p11_kit_uri_get_pin_value'
../lib/.libs/libgnutls.so: undefined reference to `asn1_decode_simple_ber at LIBTASN1_0_3'
../lib/.libs/libgnutls.so: undefined reference to `asn1_der_decoding2 at LIBTASN1_0_3'
collect2: error: ld returned 1 exit status
Makefile:1832: recipe for target 'psktool' failed


any ideas (no blowing the computer accepted)

Thanks



From nomeryildiz at gmail.com  Thu Aug 25 08:03:28 2016
From: nomeryildiz at gmail.com (=?UTF-8?B?w5ZtZXIgWUlMREla?=)
Date: Thu, 25 Aug 2016 09:03:28 +0300
Subject: [gnutls-help] Fwd: Gnutls Smartcard Support in Windows
In-Reply-To: <CAOAVBm+7Ed=n2pZRWysQoKuKMSU=J7kEqykoh4XehaWdYQZ8Qg@mail.gmail.com>
References: <CAOAVBm+7Ed=n2pZRWysQoKuKMSU=J7kEqykoh4XehaWdYQZ8Qg@mail.gmail.com>
Message-ID: <CAOAVBmKfRqMkTLrmtgjw+jm3ue9-bY722tfMMuic9W3aDifdLQ@mail.gmail.com>

Hi,

I would like to use gnutls with smart card. I can do this in GNU/Linux. I
can't compile gnutls with p11-kit in Windows. Does Gnutls support to use
smart card in Windows? How can I set TLS connection using certificate
inside smart card on windows?

Thanks,
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20160825/a51c236a/attachment.html>

From nmav at gnutls.org  Fri Aug 26 09:32:11 2016
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Fri, 26 Aug 2016 09:32:11 +0200
Subject: [gnutls-help] Fwd: Gnutls Smartcard Support in Windows
In-Reply-To: <CAOAVBmKfRqMkTLrmtgjw+jm3ue9-bY722tfMMuic9W3aDifdLQ@mail.gmail.com>
References: <CAOAVBm+7Ed=n2pZRWysQoKuKMSU=J7kEqykoh4XehaWdYQZ8Qg@mail.gmail.com>
 <CAOAVBmKfRqMkTLrmtgjw+jm3ue9-bY722tfMMuic9W3aDifdLQ@mail.gmail.com>
Message-ID: <CAJU7zaK+sSDx8Uzn96S+8Be48tDgF1xOR-Qwe=twnbBFKwDDEg@mail.gmail.com>

On Thu, Aug 25, 2016 at 8:03 AM, ?mer YILDIZ <nomeryildiz at gmail.com> wrote:
> Hi,
>
> I would like to use gnutls with smart card. I can do this in GNU/Linux. I
> can't compile gnutls with p11-kit in Windows. Does Gnutls support to use
> smart card in Windows? How can I set TLS connection using certificate inside
> smart card on windows?

You could use PKCS#11 in windows as well with p11-kit, but it is less
common. Smart cards in windows typically have a driver that registers
its keys as CNG keys. You can use them with gnutls by specifying a
system URL:
https://www.gnutls.org/manual/html_node/Application_002dspecific-keys.html


regards,
Nikos