From jgh at wizmail.org Thu Jan 7 17:40:03 2016
From: jgh at wizmail.org (Jeremy Harris)
Date: Thu, 7 Jan 2016 16:40:03 +0000
Subject: [gnutls-help] hashing in older versions
Message-ID: <568E94E3.5010501@wizmail.org>

I want a sha256/sha1 hash, which can be built incrementally (we don't want to slurp an entire mail body, which might be tens of MB) so can't use gnutls_fingerprint().

gnutls_hash() &c were only introduced as supported routines in 2.10.0 and RHEL6.5 - age systems are back with 2.8.5, but the Exim project still wishes to support them.

What should I use?
--
Thanks,
  Jeremy

From dkg at fifthhorseman.net Fri Jan 8 05:25:06 2016
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Thu, 07 Jan 2016 20:25:06 -0800
Subject: [gnutls-help] hashing in older versions
In-Reply-To: <568E94E3.5010501@wizmail.org>
References: <568E94E3.5010501@wizmail.org>
Message-ID: <87twmo66l9.fsf@alice.fifthhorseman.net>

On Thu 2016-01-07 08:40:03 -0800, Jeremy Harris wrote:
> I want a sha256/sha1 hash, which can be built
> incrementally (we don't want to slurp an entire
> mail body, which might be tens of MB) so can't use gnutls_fingerprint().
> gnutls_hash() &c were only
> introduced as supported routines in 2.10.0 and
> RHEL6.5 - age systems are back with 2.8.5,
> but the Exim project still wishes to support them.

You're looking for a crypto primitive -- gnutls is a TLS implementation.

Modern versions of GnuTLS rely on the nettle library for crypto primitives. nettle contains an entirely reasonable Initialize/Update/Finish (IUF) framework for hash functions.

Earlier versions of GnuTLS relied on the gcrypt library for crypto primitives, so libgcrypt is another option.

If you don't want to add new dependencies to a project that already relies on GnuTLS, you should probably choose the lower-level crypto library that your version of GnuTLS uses.

hth,

  --dkg

From nmav at gnutls.org Fri Jan 8 10:03:20 2016
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Fri, 08 Jan 2016 10:03:20 +0100
Subject: [gnutls-help] gnutls 3.3.20
Message-ID: <1452243800.8569.2.camel@gnutls.org>

Hello,
I've just released gnutls 3.3.20. This is a bug-fix release on the previous stable branch.

* Version 3.3.20 (released 2016-01-08)

** libgnutls: Corrected memory leak in gnutls_pubkey_import_privkey() when used with PKCS #11 keys.

** libgnutls: For DSA and ECDSA keys in PKCS #11 objects, import their public keys from either a public key object or a certificate. That is, because private keys do not contain all the required parameters for a direct import. Reported by Jan Vcelak.

** libgnutls: Fixed issue when writing ECDSA private keys in PKCS #11 tokens.

** libgnutls: Fixed out-of-bounds read in gnutls_x509_ext_export_key_usage(), report and patch by Tim Kosse.

** libgnutls: Handle DNS name constraints with a leading dot. Backported from 3.4.x branch.

** libgnutls: The max-record extension is no longer negotiated on DTLS. This resolves issue with the max-record being negotiated but ignored.

** API and ABI modifications:
No changes since last version.

Getting the Software
====================

GnuTLS may be downloaded directly from . A list of GnuTLS mirrors can be found at .

Here are the XZ compressed sources:

  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.20.tar.xz

Here are OpenPGP detached signatures signed using key 0x96865171:

  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.20.tar.xz.sig

Note that it has been signed with my openpgp key:
pub 3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid Nikos Mavrogiannopoulos gnutls.org>
uid Nikos Mavrogiannopoulos gmail.com>
sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02]

regards,
Nikos

From nmav at gnutls.org Fri Jan 8 10:43:03 2016
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Fri, 08 Jan 2016 10:43:03 +0100
Subject: [gnutls-help] gnutls 3.4.8
Message-ID: <1452246183.8569.5.camel@gnutls.org>

Hello,
I've just released gnutls 3.4.8. This version fixes bugs and adds minor features to the current stable branch.

* Version 3.4.8 (released 2016-01-08)

** libgnutls: Corrected memory leak in gnutls_pubkey_import_privkey() when used with PKCS #11 keys.

** libgnutls: For DSA and ECDSA keys in PKCS #11 objects, import their public keys from either a public key object or a certificate. That is, because private keys do not contain all the required parameters for a direct import. Reported by Jan Vcelak.

** libgnutls: Fixed issue when writing ECDSA private keys in PKCS #11 tokens.

** libgnutls: Fixed out-of-bounds read in gnutls_x509_ext_export_key_usage(), report and patch by Tim Kosse.

** libgnutls: The CHACHA20-POLY1305 ciphersuites were updated to conform to draft-ietf-tls-chacha20-poly1305-02.

** libgnutls: Several fixes in PKCS #7 signing which improve compatibility with the MacOSX tools. Reported by sskaje (#59).

** libgnutls: The max-record extension not negotiated on DTLS. This resolves issue with the max-record being negotiated but ignored.

** certtool: Added the --p7-include-cert and --p7-show-data options.

** API and ABI modifications:
gnutls_pkcs7_get_embedded_data: Added

Getting the Software
====================

GnuTLS may be downloaded directly from . A list of GnuTLS mirrors can be found at .

Here are the XZ compressed sources:

  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/gnutls-3.4.8.tar.xz

Here are OpenPGP detached signatures signed using key 0x96865171:

  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/gnutls-3.4.8.tar.xz.sig

Note that it has been signed with my openpgp key:
pub 3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid Nikos Mavrogiannopoulos gnutls.org>
uid Nikos Mavrogiannopoulos gmail.com>
sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02]

regards,
Nikos

From cheako+gnutls at mikemestnik.net Sat Jan 23 16:53:56 2016
From: cheako+gnutls at mikemestnik.net (Mike Mestnik)
Date: Sat, 23 Jan 2016 09:53:56 -0600
Subject: [gnutls-help] No supported cipher suites have been found.
In-Reply-To:
References: <1450024887.31642.3.camel@gnutls.org>
Message-ID:

I went to test this again and I'm getting different results now.

cheako at debian:~$ ech=rsa
cheako at debian:~$ gnutls-serv --pgpkeyfile ${ech}_key.txt --pgpcertfile ${ech}_cert.txt --dhparams params.pem --priority "NORMAL:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:+CTYPE-OPENPGP"
Read Diffie-Hellman parameters.
Error[-59] while reading the OpenPGP key pair ('rsa_cert.txt', 'rsa_key.txt')
Error: GnuTLS internal error.
Warning: no private key and certificate pairs were set.
HTTP Server listening on IPv4 0.0.0.0 port 5556...done
HTTP Server listening on IPv6 :: port 5556...done

* Accepted connection from IPv6 ::1 port 33508 on Sat Jan 23 09:41:06 2016
Error in handshake
Error: No supported cipher suites have been found.
^CExiting via signal 2
cheako at debian:~$ ech=dsa
cheako at debian:~$ gnutls-serv --pgpkeyfile ${ech}_key.txt --pgpcertfile ${ech}_cert.txt --dhparams params.pem --priority "NORMAL:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:+CTYPE-OPENPGP"
Read Diffie-Hellman parameters.
Error[-59] while reading the OpenPGP key pair ('dsa_cert.txt', 'dsa_key.txt')
Error: GnuTLS internal error.
Warning: no private key and certificate pairs were set.
HTTP Server listening on IPv4 0.0.0.0 port 5556...done
HTTP Server listening on IPv6 :: port 5556...done

* Accepted connection from IPv6 ::1 port 33512 on Sat Jan 23 09:41:27 2016
Error in handshake
Error: No supported cipher suites have been found.
^CExiting via signal 2
cheako at debian:~$ ech=ed
cheako at debian:~$ gnutls-serv --pgpkeyfile ${ech}_key.txt --pgpcertfile ${ech}_cert.txt --dhparams params.pem --priority "NORMAL:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:+CTYPE-OPENPGP"
Read Diffie-Hellman parameters.
Error[-59] while reading the OpenPGP key pair ('ed_cert.txt', 'ed_key.txt')
Error: GnuTLS internal error.
Warning: no private key and certificate pairs were set.
HTTP Server listening on IPv4 0.0.0.0 port 5556...done
HTTP Server listening on IPv6 :: port 5556...done

* Accepted connection from IPv6 ::1 port 33514 on Sat Jan 23 09:41:57 2016
Error in handshake
Error: No supported cipher suites have been found.
^CExiting via signal 2

cheako at debian:~$ gnutls-cli localhost -p 5556 --insecure --priority "NORMAL:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:+CTYPE-OPENPGP"
Processed 0 CA certificate(s).
Resolving 'localhost'...
Connecting to '::1:5556'...
*** Fatal error: A TLS fatal alert has been received.
*** Received alert [40]: Handshake failed
*** Handshake has failed
GnuTLS error: A TLS fatal alert has been received.
cheako at debian:~$ gnutls-cli localhost -p 5556 --insecure --priority "NORMAL:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:+CTYPE-OPENPGP"
Processed 0 CA certificate(s).
Resolving 'localhost'...
Connecting to '::1:5556'...
*** Fatal error: A TLS fatal alert has been received.
*** Received alert [40]: Handshake failed
*** Handshake has failed
GnuTLS error: A TLS fatal alert has been received.
cheako at debian:~$ gnutls-cli localhost -p 5556 --insecure --priority "NORMAL:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:+CTYPE-OPENPGP"
Processed 0 CA certificate(s).
Resolving 'localhost'...
Connecting to '::1:5556'...
*** Fatal error: A TLS fatal alert has been received.
*** Received alert [40]: Handshake failed
*** Handshake has failed
GnuTLS error: A TLS fatal alert has been received.

This should be a valid archive file.

From jonetsu at teksavvy.com Tue Jan 26 17:21:29 2016
From: jonetsu at teksavvy.com (jonetsu)
Date: Tue, 26 Jan 2016 11:21:29 -0500
Subject: [gnutls-help] Restricting 224 and 192 curves
Message-ID:

Hello,

Is it possible to disable the use of CURVE-SECP224R1 and CURVE-SECP192R1 at runtime (by a parameter or programmatically) ?

Thanks.

From jonetsu at teksavvy.com Tue Jan 26 17:35:21 2016
From: jonetsu at teksavvy.com (jonetsu)
Date: Tue, 26 Jan 2016 11:35:21 -0500
Subject: [gnutls-help] Key sizes available for DSA
Message-ID:

Hello,

Which key sizes are available for DSA signature generation and verification ?

Thanks.

From dkg at fifthhorseman.net Tue Jan 26 18:55:47 2016
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Tue, 26 Jan 2016 12:55:47 -0500
Subject: [gnutls-help] Restricting 224 and 192 curves
In-Reply-To:
References:
Message-ID: <87zivs6x98.fsf@alice.fifthhorseman.net>

On Tue 2016-01-26 11:21:29 -0500, jonetsu wrote:
> Is it possible to disable the use of CURVE-SECP224R1 and
> CURVE-SECP192R1 at runtime (by a parameter or programmatically) ?

yes, you can set a priority string like

  "NORMAL:-CURVE-SECP224R1:-CURVE-SECP192R1"

See http://gnutls.org/manual/gnutls.html#Priority-Strings for more details.

  --dkg