From toastedmilk at gmail.com Wed Mar 2 03:57:02 2016
From: toastedmilk at gmail.com (Mark Rager)
Date: Tue, 1 Mar 2016 20:57:02 -0600
Subject: [gnutls-help] gpg verify issue with 3.4.9
Message-ID:

Please forgive me if I have made any egregious errors in my process, I was unable to find an associated IRC channel for this project.

I recently obtained 3.4.9 from gnutls.org and with the provided key was unable to validate the authenticity of the download.

$ gpg --fetch-keys http://members.hellug.gr/nmav/pgpkeys.asc
gpg: keyring `/home/USER/.gnupg/secring.gpg' created
gpg: key 96865171: public key "Nikos Mavrogiannopoulos " imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: no ultimately trusted keys found

$ gpg --verify gnutls-3.4.9.tar.xz.sig gnutls-3.4.9.tar.xz
gpg: Signature made Wed 03 Feb 2016 02:23:48 AM CST using RSA key ID 9013B842
gpg: Good signature from "Nikos Mavrogiannopoulos "
gpg:                 aka "Nikos Mavrogiannopoulos < n.mavrogiannopoulos at gmail.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1F42 4189 05D8 206A A754 CCDC 29EE 58B9 9686 5171
     Subkey fingerprint: A812 CBFD FCDC 4D0B E7A0 9312 9D5E AAF6 9013 B842
$

Have I missed something here, or is this a security vulnerability?

From dkg at fifthhorseman.net Wed Mar 2 08:49:22 2016
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 02 Mar 2016 08:49:22 +0100
Subject: [gnutls-help] gpg verify issue with 3.4.9
In-Reply-To:
References:
Message-ID: <878u21pbel.fsf@alice.fifthhorseman.net>

On Wed 2016-03-02 03:57:02 +0100, Mark Rager wrote:
> Please forgive me if I have made any egregious errors in my process, I was
> unable to find an associated IRC channel for this project.
> I recently
> obtained 3.4.9 from gnutls.org and with the provided key was unable to
> validate the authenticity of the download.

I think you're misunderstanding the output of GnuPG:

> $ gpg --verify gnutls-3.4.9.tar.xz.sig gnutls-3.4.9.tar.xz
>
> gpg: Signature made Wed 03 Feb 2016 02:23:48 AM CST using RSA key ID 9013B842
> gpg: Good signature from "Nikos Mavrogiannopoulos "
> gpg:                 aka "Nikos Mavrogiannopoulos "
>
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
>
> Primary key fingerprint: 1F42 4189 05D8 206A A754 CCDC 29EE 58B9 9686 5171
>      Subkey fingerprint: A812 CBFD FCDC 4D0B E7A0 9312 9D5E AAF6 9013 B842
> $

This tells you that the signature over the package was made correctly, and indicates the fingerprint of the signing key itself. However, gnupg has no way of knowing whether the OpenPGP certificate (which wraps the key) actually belongs to Nikos -- it does not know where that certificate came from.

This is accurate, but does not indicate a security vulnerability in GnuTLS. If the key with fingerprint 1F42 4189 05D8 206A A754 CCDC 29EE 58B9 9686 5171 does belong to Nikos (I believe it does) then all is well.

If you want to tell GnuPG that you believe that this key belongs to Nikos, so that it does not warn you any longer about it, you can make a non-exportable certification using your own OpenPGP key, like this:

    gpg2 --lsign '1F42 4189 05D8 206A A754 CCDC 29EE 58B9 9686 5171'

after that, verification of the package signature should not have the WARNING: message.

Regards,

        --dkg
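A practical follow-on to dkg's point, added here as an example and not part of his reply or of the GnuPG/GnuTLS projects: a release-verification script should not grep for "Good signature" (gpg exits 0 for a good signature from any key that happens to be in the keyring) but should compare the primary-key fingerprint gpg reports against a fingerprint it already knows. GnuPG exposes that data on its machine-readable status channel (`--status-fd`, the `GOODSIG`/`VALIDSIG`/`TRUST_*` lines documented in GnuPG's doc/DETAILS). The status lines below are constructed to mirror the verification shown in this thread (fingerprints from the thread; the timestamps and algorithm fields are plausible values, not captured from a real run), and `verify_release()` is a hypothetical wrapper that would run a real `gpg` binary.

```python
"""Pin the release-signing key when checking a detached OpenPGP signature.

Added example: parses `gpg --status-fd` output and accepts a signature only
if it is good AND its primary-key fingerprint matches a pinned value, so the
web-of-trust WARNING dkg explains becomes irrelevant to the decision.
"""
import subprocess

# Primary-key fingerprint of the GnuTLS release key (0x96865171) as printed
# in the thread, without spaces.
PINNED_PRIMARY_FPR = "1F42418905D8206AA754CCDC29EE58B996865171"

# Constructed sample of `gpg --status-fd 1 --verify` output for the good case.
SAMPLE_STATUS_OK = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 9D5EAAF69013B842 Nikos Mavrogiannopoulos <nmav@gnutls.org>
[GNUPG:] VALIDSIG A812CBFDFCDC4D0BE7A093129D5EAAF69013B842 2016-02-03 1454487828 0 4 0 1 8 00 1F42418905D8206AA754CCDC29EE58B996865171
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed: a *good* signature, but from some other key that ended up in
# the keyring. gpg still exits 0 here, which is why grepping is not enough.
SAMPLE_STATUS_WRONG_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Mallory <mallory@example.invalid>
[GNUPG:] VALIDSIG 00112233445566778899AABBCCDDEEFF00112233 2016-02-03 1454487828 0 4 0 1 8 00 00112233445566778899AABBCCDDEEFF00112233
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed: tarball tampered with, signature does not verify.
SAMPLE_STATUS_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 9D5EAAF69013B842 Nikos Mavrogiannopoulos <nmav@gnutls.org>
"""


def parse_status(status_text):
    """Reduce gpg status lines to the fields a pinning check needs."""
    info = {"good": False, "bad": False, "signing_fpr": None,
            "primary_fpr": None, "trust": None}
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword == "GOODSIG":
            info["good"] = True
        elif keyword in ("BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"):
            # For a release check anything but a plain good signature fails.
            info["bad"] = True
        elif keyword == "VALIDSIG":
            # VALIDSIG <fpr> <date> <timestamp> <expire-ts> <sig-version>
            #          <reserved> <pk-algo> <hash-algo> <sig-class> [<primary-fpr>]
            info["signing_fpr"] = fields[2]
            if len(fields) >= 12:
                info["primary_fpr"] = fields[11]
        elif keyword.startswith("TRUST_"):
            info["trust"] = keyword
    return info


def signature_is_from_pinned_key(status_text, pinned_primary_fpr=PINNED_PRIMARY_FPR):
    """True only for a good signature whose primary-key fingerprint is pinned.

    Pinning the primary fingerprint (last VALIDSIG field) rather than the
    signing subkey keeps the check valid if the maintainer rotates subkeys
    under the same primary key.
    """
    info = parse_status(status_text)
    if info["bad"] or not info["good"]:
        return False
    expected = pinned_primary_fpr.replace(" ", "").upper()
    # Very old gpg versions omit the primary fingerprint; fall back to the
    # signing key's fingerprint, which then simply fails to match a pinned
    # primary fingerprint (fail closed).
    actual = info["primary_fpr"] or info["signing_fpr"]
    return actual is not None and actual.upper() == expected


def verify_release(sig_path, data_path, gpg="gpg"):
    """Hypothetical wrapper: run a real gpg and apply the pinning check."""
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
    return signature_is_from_pinned_key(proc.stdout)


if __name__ == "__main__":
    import sys
    ok = verify_release(sys.argv[1], sys.argv[2])
    print("signature from pinned key" if ok else "REJECTED")
    sys.exit(0 if ok else 1)
```

Usage would be `python3 verify_release.py gnutls-3.4.9.tar.xz.sig gnutls-3.4.9.tar.xz`. The `TRUST_UNDEFINED` line is recorded but deliberately ignored: once the fingerprint itself is pinned out of band (from the release announcement or a previous release), the web-of-trust verdict adds nothing, which is exactly what the WARNING in the thread is about.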
From nmav at gnutls.org Thu Mar 3 09:31:25 2016
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Thu, 03 Mar 2016 09:31:25 +0100
Subject: [gnutls-help] gnutls 3.4.10
Message-ID: <1456993885.2768.1.camel@gnutls.org>

Hello,
 I've just released gnutls 3.4.10. This is a bug fix release of the current stable branch.

* Version 3.4.10 (released 2016-03-03)

** libgnutls: Eliminated issues preventing buffers more than 2^32 bytes to be used with hashing functions.

** libgnutls: Corrected leaks and other issues in gnutls_x509_crt_list_import().

** libgnutls: Fixes in DSA key handling for PKCS #11. Report and patches by Jan Vcelak.

** libgnutls: Several fixes to prevent relying on undefined behavior of C (found with libubsan).

** API and ABI modifications:
No changes since last version.

Getting the Software
====================

GnuTLS may be downloaded directly from . A list of GnuTLS mirrors can be found at .

Here are the XZ compressed sources:
  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/gnutls-3.4.10.tar.xz

Here are OpenPGP detached signatures signed using key 0x96865171:
  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/gnutls-3.4.10.tar.xz.sig

Note that it has been signed with my openpgp key:
pub   3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid                  Nikos Mavrogiannopoulos gnutls.org>
uid                  Nikos Mavrogiannopoulos gmail.com>
sub   2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub   2048R/1404A91D 2008-05-04 [expires: 2018-05-02]

regards,
Nikos

From anton.vojlenko at gmail.com Fri Mar 4 16:12:31 2016
From: anton.vojlenko at gmail.com (Anton)
Date: Fri, 4 Mar 2016 17:12:31 +0200
Subject: [gnutls-help] Compilation error
Message-ID: <56D9A5DF.2090408@gmail.com>

Hello,

I downloaded the GnuTLS 3.4.10 sources from ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/gnutls-3.4.10.tar.xz and while building them I get the following errors:

libtool: compile: gcc -DHAVE_CONFIG_H -I. -I..
-I./gl -I./gl -I./../lib/includes -I./../lib/includes -I./../libdane/includes -I./../extra/includes -W -Wabi -Waddress -Wall -Wattributes -Wbad-function-cast -Wbuiltin-macro-redefined -Wcast-align -Wchar-subscripts -Wclobbered -Wcomment -Wcomments -Wcoverage-mismatch -Wdeprecated -Wdeprecated-declarations -Wdisabled-optimization -Wdiv-by-zero -Wempty-body -Wendif-labels -Wenum-compare -Wextra -Wformat-contains-nul -Wformat-extra-args -Wformat-security -Wformat-zero-length -Wignored-qualifiers -Wimplicit -Wimplicit-function-declaration -Wimplicit-int -Winit-self -Wint-to-pointer-cast -Winvalid-pch -Wlogical-op -Wmain -Wmissing-braces -Wmissing-declarations -Wmissing-field-initializers -Wmissing-include-dirs -Wmissing-parameter-type -Wmissing-prototypes -Wmultichar -Wnested-externs -Wnonnull -Wold-style-declaration -Wold-style-definition -Woverflow -Woverride-init -Wpacked -Wpacked-bitfield-compat -Wparentheses -Wpointer-arith -Wpointer-sign -Wpointer-to-int-cast -Wpragmas -Wreturn-type -Wsequence-point -Wshadow -Wstrict-aliasing -Wstrict-prototypes -Wswitch -Wsync-nand -Wtrigraphs -Wtype-limits -Wuninitialized -Wunknown-pragmas -Wunsafe-loop-optimizations -Wunused -Wunused-but-set-parameter -Wunused-but-set-variable -Wunused-function -Wunused-label -Wunused-macros -Wunused-parameter -Wunused-value -Wunused-variable -Wvariadic-macros -Wvolatile-register-var -Wwrite-strings -Wnormalized=nfc -fdiagnostics-show-option -funit-at-a-time -Wno-missing-field-initializers -Wno-missing-field-initializers -Wno-format-y2k -Wno-unused-value -Wno-unused-parameter -Wno-stack-protector -Wno-int-to-pointer-cast -fdiagnostics-show-option -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -MT ocsptool-args.lo -MD -MP -MF .deps/ocsptool-args.Tpo -c ocsptool-args.c -fPIC -DPIC -o .libs/ocsptool-args.o
cc1: warning: command line option "-Wenum-compare" is valid for C++/ObjC++ but not for C
ocsptool-args.c:269: warning: 'static' is not at beginning of declaration [-Wold-style-declaration]
ocsptool-args.c:269: error: duplicate 'static'
ocsptool-args.c:269: error: expected '=', ',', ';', 'asm' or '__attribute__' before 'optDesc'
ocsptool-args.c:563: warning: suggest parentheses around arithmetic in operand of '|' [-Wparentheses]
ocsptool-args.c:568: error: 'optDesc' undeclared here (not in a function)
ocsptool-args.c: In function 'doOptDebug':
ocsptool-args.c:609: warning: nested extern declaration of 'option_usage_fp' [-Wnested-externs]
ocsptool-args.c:615: warning: implicit declaration of function 'strtol' [-Wimplicit-function-declaration]
ocsptool-args.c:615: warning: nested extern declaration of 'strtol' [-Wnested-externs]
ocsptool-args.c:42:1: warning: macro "OPTION_CODE_COMPILE" is not used
make[4]: *** [ocsptool-args.lo] Error 1

Any ideas what is wrong with the sources?

Thanks.

Best regards,
Anton

From ankitashukla707 at gmail.com Fri Mar 4 18:29:26 2016
From: ankitashukla707 at gmail.com (Ankita Shukla)
Date: Fri, 4 Mar 2016 22:59:26 +0530
Subject: [gnutls-help] p11tool error
In-Reply-To:
References:
Message-ID:

Hi,

I was trying to install tlspool in my system. I have been able to install it as per the instructions given here. The next steps, as given here, ask to cd into testdata/ and run "make". But every time I run make in the testdata/ directory, I get this error. The error says

    Invalid option 'generate-rsa'
    Try `p11tool --help' for more information.

while "man p11tool" does show --generate-rsa as an option for key generation. I tried googling this, but unfortunately not a lot of material is available in this regard.

--
Thanks and Regards,
Ankita Shukla
Computer Science Engineering
B.Tech Final Year (Senior)
Indian Institute of Technology Roorkee
From nmav at gnutls.org Thu Mar 10 08:27:05 2016
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Thu, 10 Mar 2016 08:27:05 +0100
Subject: [gnutls-help] gnutls 3.3.22
Message-ID: <1457594825.20131.0.camel@gnutls.org>

Hello,
 I've just released gnutls 3.3.22. This is a bug-fix release on the previous stable branch.

* Version 3.3.22 (released 2016-03-10)

** libgnutls: Eliminated issues preventing buffers more than 2^32 bytes to be used with hashing functions.

** libgnutls: Follow closely RFC5280 recommendations and use UTCTime for dates prior to 2050. Backported from 3.4.x branch.

** libgnutls: Several fixes to prevent relying on undefined behavior of C (found with libubsan).

** libgnutls: SSL 3.0 is no longer included in the default priorities list. It has to be explicitly enabled, e.g., with a string like "NORMAL:+VERS-SSL3.0". The previous behavior can be restored using the flag --with-ssl3 to configure.

** API and ABI modifications:
No changes since last version.

Getting the Software
====================

GnuTLS may be downloaded directly from . A list of GnuTLS mirrors can be found at .
Here are the XZ compressed sources:
  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.22.tar.xz

Here are OpenPGP detached signatures signed using key 0x96865171:
  ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.22.tar.xz.sig

Note that it has been signed with my openpgp key:
pub   3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid                  Nikos Mavrogiannopoulos gnutls.org>
uid                  Nikos Mavrogiannopoulos gmail.com>
sub   2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub   2048R/1404A91D 2008-05-04 [expires: 2018-05-02]

regards,
Nikos

From n.mavrogiannopoulos at gmail.com Thu Mar 31 13:05:28 2016
From: n.mavrogiannopoulos at gmail.com (Nikos Mavrogiannopoulos)
Date: Thu, 31 Mar 2016 13:05:28 +0200
Subject: [gnutls-help] Error:-localhost rsyslogd-2078: unexpected GnuTLS error -37 in nsd_gtls.c:530: Rehandshake was requested by the peer
In-Reply-To:
References:
Message-ID:

On Wed, Mar 30, 2016 at 5:43 PM, AKHIL KUNHIPPARAMBATH wrote:
> hi Team,
> When using rsyslog server and after my device sends a renegotiation request I am
> seeing the below error. Does it mean that TLS renegotiation is not supported
> by rsyslog?
>
> ingMode: 0 , cellId: 828674#015
> Mar 31 04:23:59 localhost rsyslogd-2078: unexpected GnuTLS error -37 in
> nsd_gtls.c:530: Rehandshake was requested by the peer. [v8.17.0 try
> http://www.rsyslog.com/e/2078 ]
> Mar 31 04:23:59 localhost rsyslogd-2078: netstream session 0x7f12acd73900
> from 10.53.68.5 will be closed due to error [v8.17.0 try
> http://www.rsyslog.com/e/2078 ]

Correct. Renegotiation must be explicitly handled by applications. This behavior ensures that there is no implicit re-authentication to applications that do not require it.

regards,
Nikos