From rogerdpack2 at gmail.com  Fri Sep  2 01:54:06 2016
From: rogerdpack2 at gmail.com (Roger Pack)
Date: Thu, 1 Sep 2016 17:54:06 -0600
Subject: [gnutls-help] some mirrors seem stale :|
Message-ID: <CAL1QdWdYR-pW8LiESFaL0iPgRbO_s=vTxgWKVpt4-sVnp5nESg@mail.gmail.com>

As a note, not sure if this is a gnutls issue or not, but clicking on
the "mirrors" link for 3.4 goes here:

https://www.gnupg.org/download/mirrors.en.html

which lists "mirror.tje.me.uk" as "4/day" however their last update was in 2015:

http://mirror.tje.me.uk/pub/mirrors/ftp.gnupg.org/gnutls/

Cheers!
-roger-


From nmav at gnutls.org  Fri Sep  2 15:39:09 2016
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Fri, 2 Sep 2016 15:39:09 +0200
Subject: [gnutls-help] some mirrors seem stale :|
In-Reply-To: <CAL1QdWdYR-pW8LiESFaL0iPgRbO_s=vTxgWKVpt4-sVnp5nESg@mail.gmail.com>
References: <CAL1QdWdYR-pW8LiESFaL0iPgRbO_s=vTxgWKVpt4-sVnp5nESg@mail.gmail.com>
Message-ID: <CAJU7zaK__N6dgfEyV4GTDCFtA8n=ZhrzvgusFiO3YmSEMUrzWw@mail.gmail.com>

On Fri, Sep 2, 2016 at 1:54 AM, Roger Pack <rogerdpack2 at gmail.com> wrote:
> As a note, not sure if this is a gnutls issue or not, but clicking on
> the "mirrors" link for 3.4 goes here:
> https://www.gnupg.org/download/mirrors.en.html
> which lists "mirror.tje.me.uk" as "4/day" however their last update was in 2015:

Thank you; I've forwarded your mail to Werner who maintains the gnupg site.

regards,
Nikos


From hk501jy at gmail.com  Sat Sep  3 10:25:03 2016
From: hk501jy at gmail.com (Yujin Kim)
Date: Sat, 3 Sep 2016 17:25:03 +0900
Subject: [gnutls-help] gnutls using in Android
Message-ID: <CAGkU_txF7OLTA+OdN42L0QQp94DhLw7GSDXxiMzvD0=-4ifO7g@mail.gmail.com>

Hi,

I'm trying to using gnutls in Android.

I used 'cerbero' and take a step

https://gitlab.com/gnutls/cerbero

in here.

so, I get a 'libgnutls.so' file. and how can I using this file in Android
Studio?


Thanks.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20160903/05770632/attachment.html>

From galex-713 at galex-713.eu  Sun Sep  4 00:01:35 2016
From: galex-713 at galex-713.eu (Garreau, Alexandre)
Date: Sun, 04 Sep 2016 00:01:35 +0200
Subject: [gnutls-help] OpenPGP instead of X509: what kind of (sub)key?
Message-ID: <zhfxtvzzzzzz.576.xxuns.g6.gal@galex-713.eu>

Hi, I recently discovered that GnuTLS can use OpenPGP as certificate,
instead of X509, which afaik depends on the CA model?

?yet afaik fingerprint change according standard (there are like at
least 4 versions of it for PGP (still using sha1), and at least one for
X509 (afaik still using sha1 too)), so it won?t simplify by ?oh simply
check at the fingerprint and if it?s the same that I gave you it?s ok??
anyway it wouldn?t work because since I don?t want to store my master
private key on my server I prefer to ?ultimate? sign another keypair and
put it on my server?

So my question is: what does ?openpgp support? (as cited there:
http://gnutls.org/openpgp.html and there http://gnutls.org/) mean? only
that the dh parameters will get signed by a privkey with the same
parameters? or only that gnutls will call gpg to sign a different x509
cert with the specified key (at this point I could already do that
manually)? then what automation/comodity do it brings? does it only says
?that cert is secure? if it is signed by someone you trust/you certified
according GPG/GNS/whatever?


From nmav at gnutls.org  Mon Sep  5 16:33:38 2016
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Mon, 5 Sep 2016 16:33:38 +0200
Subject: [gnutls-help] OpenPGP instead of X509: what kind of (sub)key?
In-Reply-To: <zhfxtvzzzzzz.576.xxuns.g6.gal@galex-713.eu>
References: <zhfxtvzzzzzz.576.xxuns.g6.gal@galex-713.eu>
Message-ID: <CAJU7zaJJ3pgK5a1Q17xH2_L83a8gxPSF3b9HeCeq+5LT0fMXcA@mail.gmail.com>

On Sun, Sep 4, 2016 at 12:01 AM, Garreau, Alexandre
<galex-713 at galex-713.eu> wrote:
> Hi, I recently discovered that GnuTLS can use OpenPGP as certificate,
> instead of X509, which afaik depends on the CA model?

That's true, but note that we are planning to deprecate that support:
https://gitlab.com/gnutls/gnutls/issues/102
It will be replaced by raw keys when that support is available.

> ?yet afaik fingerprint change according standard (there are like at
> least 4 versions of it for PGP (still using sha1), and at least one for
> X509 (afaik still using sha1 too)), so it won?t simplify by ?oh simply
> check at the fingerprint and if it?s the same that I gave you it?s ok??
> anyway it wouldn?t work because since I don?t want to store my master
> private key on my server I prefer to ?ultimate? sign another keypair and
> put it on my server?
> So my question is: what does ?openpgp support? (as cited there:
> http://gnutls.org/openpgp.html and there http://gnutls.org/) mean? only
> that the dh parameters will get signed by a privkey with the same
> parameters?

It directly uses openpgp certificates and keys for signatures.

> cert with the specified key (at this point I could already do that
> manually)? then what automation/comodity do it brings? does it only says
> ?that cert is secure? if it is signed by someone you trust/you certified
> according GPG/GNS/whatever?

You can verify the certificate against a "ring" of trusted keys.

regards,
Nikos


From galex-713 at galex-713.eu  Mon Sep  5 18:19:25 2016
From: galex-713 at galex-713.eu (Garreau, Alexandre)
Date: Mon, 05 Sep 2016 18:19:25 +0200
Subject: [gnutls-help] OpenPGP instead of X509: what kind of (sub)key?
In-Reply-To: <CAJU7zaJJ3pgK5a1Q17xH2_L83a8gxPSF3b9HeCeq+5LT0fMXcA@mail.gmail.com> (Nikos
 Mavrogiannopoulos's message of "Mon, 5 Sep 2016 16:33:38 +0200")
References: <zhfxtvzzzzzz.576.xxuns.g6.gal@galex-713.eu>
 <CAJU7zaJJ3pgK5a1Q17xH2_L83a8gxPSF3b9HeCeq+5LT0fMXcA@mail.gmail.com>
Message-ID: <062h7yzzzzzz.8f9.xxuns.g6.gal@galex-713.eu>

On 2016-09-05 at 16:33, Nikos Mavrogiannopoulos wrote:
> On Sun, Sep 4, 2016 at 12:01 AM, Garreau, Alexandre
> <galex-713 at galex-713.eu> wrote:
>> Hi, I recently discovered that GnuTLS can use OpenPGP as certificate,
>> instead of X509, which afaik depends on the CA model?
>
> That's true, but note that we are planning to deprecate that support:
> https://gitlab.com/gnutls/gnutls/issues/102
> It will be replaced by raw keys when that support is available.
>
>> ?yet afaik fingerprint change according standard (there are like at
>> least 4 versions of it for PGP (still using sha1), and at least one for
>> X509 (afaik still using sha1 too)), so it won?t simplify by ?oh simply
>> check at the fingerprint and if it?s the same that I gave you it?s ok??
>> anyway it wouldn?t work because since I don?t want to store my master
>> private key on my server I prefer to ?ultimate? sign another keypair and
>> put it on my server?
>> So my question is: what does ?openpgp support? (as cited there:
>> http://gnutls.org/openpgp.html and there http://gnutls.org/) mean? only
>> that the dh parameters will get signed by a privkey with the same
>> parameters?
>
> It directly uses openpgp certificates and keys for signatures.

So? if I run gnutls-server somewhere, and connect to it with
gnutls-client? the fingerprints I will see are those of the opengpg
masterkey? or of the signing subkey? or is it possible to use a subkey
for this usage? what features/?usages? should have a openpgp cert used
by GnuTLS? ?sign?? ?certificate??  can I use the new GnuPG Curves25519?

Or if I consider WoT doesn?t work enough [1], can I make so the key of
each person I know is ?allowed? to certificate only keys owned by this
same very person (without having to ?trust? everybody on everybody)?

[1]
https://lists.torproject.org/pipermail/tor-talk/2013-September/030235.html


From nmav at gnutls.org  Mon Sep  5 18:35:31 2016
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Mon, 05 Sep 2016 18:35:31 +0200
Subject: [gnutls-help] OpenPGP instead of X509: what kind of (sub)key?
In-Reply-To: <062h7yzzzzzz.8f9.xxuns.g6.gal@galex-713.eu>
References: <zhfxtvzzzzzz.576.xxuns.g6.gal@galex-713.eu>
 <CAJU7zaJJ3pgK5a1Q17xH2_L83a8gxPSF3b9HeCeq+5LT0fMXcA@mail.gmail.com>
 <062h7yzzzzzz.8f9.xxuns.g6.gal@galex-713.eu>
Message-ID: <1473093331.4738.0.camel@gnutls.org>

On Mon, 2016-09-05 at 18:19 +0200, Garreau, Alexandre wrote:

> > It directly uses openpgp certificates and keys for signatures.
> So? if I run gnutls-server somewhere, and connect to it with
> gnutls-client? the fingerprints I will see are those of the opengpg
> masterkey? or of the signing subkey? or is it possible to use a
> subkey
> for this usage? what features/?usages? should have a openpgp cert
> used
> by GnuTLS? ?sign?? ?certificate????can I use the new GnuPG
> Curves25519?
> 
> Or if I consider WoT doesn?t work enough [1], can I make so the key
> of
> each person I know is ?allowed? to certificate only keys owned by
> this
> same very person (without having to ?trust? everybody on everybody)?
> [1]
> https://lists.torproject.org/pipermail/tor-talk/2013-September/030235
> .html

If you are developing a new application, I'd simply suggest to ignore
this API and pretend it doesn't exist. It will go away.

regards,
Nikos



From nmav at gnutls.org  Thu Sep  8 07:49:37 2016
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Thu, 08 Sep 2016 07:49:37 +0200
Subject: [gnutls-help] gnutls 3.5.4
Message-ID: <1473313777.792.2.camel@gnutls.org>

Hello,?
?I've just released gnutls 3.5.4. This is a minor enhancements and
bugfix release for the 3.5.x branch.

* Version 3.5.4 (released 2016-09-08)

** libgnutls: Corrected the comparison of the serial size in OCSP
? ?response. Previously the OCSP certificate check wouldn't verify the
? ?serial length and could succeed in cases it shouldn't?
? ?(GNUTLS-SA-2016-3). Reported by Stefan Buehler.

** libgnutls: Added support for IP name constraints. Patch by Martin
? ?Ukrop.

** libgnutls: Added support for PKCS#8 file decryption using
? ?DES-CBC-MD5. This is added to allow decryption of PKCS #8 private
? ?keys from openssl prior to 1.1.0.

** libgnutls: Added support for decrypting PKCS#8 files which use?
? ?HMAC-SHA256 as PRF. This allow decrypting PKCS #8 private keys
? ?generated with openssl 1.1.0.

** libgnutls: Added support for internationalized passwords in PKCS#12
? ?files. Previous versions would only encrypt or decrypt using
? ?passwords from the ASCII set.

** libgnutls: Addressed issue with PKCS#11 signature generation on
? ?ECDSA keys. The signature is now written as unsigned integers into
? ?the DSASignatureValue structure. Previously signed integers could be
? ?written depending on what the underlying module would produce.
? ?Addresses #122.

** gnutls-cli: Fixed starttls regression from 3.5.3.

** API and ABI modifications:
GNUTLS_E_MALFORMED_CIDR: Added
gnutls_x509_cidr_to_rfc5280: Added
gnutls_oid_to_mac: Added


Getting the Software
====================

GnuTLS may be downloaded directly from
<ftp://ftp.gnutls.org/gcrypt/gnutls/>.??A list of GnuTLS mirrors can be
found at <http://www.gnutls.org/download.html>.

Here are the XZ compressed sources:

? ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/gnutls-3.5.4.tar.xz

Here are OpenPGP detached signatures signed using key 0x96865171:

? ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/gnutls-3.5.4.tar.xz.sig

Note that it has been signed with my openpgp key:
pub???3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid??????????????????Nikos Mavrogiannopoulos <nmav <at> gnutls.org>
uid??????????????????Nikos Mavrogiannopoulos <n.mavrogiannopoulos <at>
gmail.com>
sub???2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub???2048R/1404A91D 2008-05-04 [expires: 2018-05-02]

regards,
Nikos



From nmav at gnutls.org  Thu Sep  8 07:59:24 2016
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Thu, 08 Sep 2016 07:59:24 +0200
Subject: [gnutls-help] gnutls 3.4.15
Message-ID: <1473314364.792.5.camel@gnutls.org>

Hello,?
?I've just released gnutls 3.4.15. This is a bug fix release of the
current stable branch.

* Version 3.4.15 (released 2016-09-08)

** libgnutls: Corrected the comparison of the serial size in OCSP
? ?response. Previously the OCSP certificate check wouldn't verify the
? ?serial length and could succeed in cases it shouldn't
? ?(GNUTLS-SA-2016-3). Reported by Stefan Buehler.

** libgnutls: Fixes in gnutls_x509_crt_list_import2, which was
???ignoring flags if all certificates in the list fit within the
???initially allocated memory.

** libgnutls: Corrected issue which made
? ?gnutls_certificate_get_x509_crt() to return invalid pointers when
? ?returned more than a single certificate. Report and fix by Stefan
? ?S?rensen.

** libgnutls: Fix gnutls_pkcs12_simple_parse to always extract the
? ?complete chain. Report and fix by Stefan S?rensen.

** libgnutls: Added support for decrypting PKCS#8 files which use the
? ?HMAC-SHA256 as PRF.

** libgnutls: Addressed issue with PKCS#11 signature generation on
? ?ECDSA keys. The signature is now written as unsigned integers into
? ?the DSASignatureValue structure. Previously signed integers could be
? ?written depending on what the underlying module would produce.
? ?Addresses #122.

** API and ABI modifications:
No changes since last version.


Getting the Software
====================

GnuTLS may be downloaded directly from
<ftp://ftp.gnutls.org/gcrypt/gnutls/>.??A list of GnuTLS mirrors can be
found at <http://www.gnutls.org/download.html>.

Here are the XZ compressed sources:

? ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/gnutls-3.4.15.tar.xz

Here are OpenPGP detached signatures signed using key 0x96865171:

? ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/gnutls-3.4.15.tar.xz.sig

Note that it has been signed with my openpgp key:
pub???3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid??????????????????Nikos Mavrogiannopoulos <nmav <at> gnutls.org>
uid??????????????????Nikos Mavrogiannopoulos <n.mavrogiannopoulos <at>
gmail.com>
sub???2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub???2048R/1404A91D 2008-05-04 [expires: 2018-05-02]

regards,
Nikos



From olivier.soldano at savoirfairelinux.com  Fri Sep 30 15:24:17 2016
From: olivier.soldano at savoirfairelinux.com (Olivier Soldano)
Date: Fri, 30 Sep 2016 09:24:17 -0400 (EDT)
Subject: [gnutls-help] Fwd: problem with dtls heartbeat pong reception in
 v3.4.x
In-Reply-To: <529950576.362466.1475181970881.JavaMail.zimbra@savoirfairelinux.com>
References: <529950576.362466.1475181970881.JavaMail.zimbra@savoirfairelinux.com>
Message-ID: <1587088793.48650.1475241857176.JavaMail.zimbra@savoirfairelinux.com>



Hello,

I'm currently implementing a heartbeat sequence in my project,
and I'm encountering a few hiccups, namely trying to get a pong after a ping,
and receiving a GNUTLS_E_UNEXPECTED_PACKET.
After a few investigations I diagnocised a potential error on my behalf.
I enable heartbeat with the function gnutls_heartbeat_enable(session, GNUTLS_HB_LOCAL_ALLOWED_TO_SEND) in order to be able to send pings (heartbeat.c line 171)
but this configuration generates the previous error when reaching the function 
_gnutls_heartbeat_handle (heartbeat.c line 323) due to needing the function gnutls_heartbeat_enable(session, GNUTLS_HB_PEER_ALLOWED_TO_SEND).

is it possible to configure gnutls_heartbeat_enable with both GNUTLS_HB_LOCAL_ALLOWED_TO_SEND 
and GNUTLS_HB_PEER_ALLOWED_TO_SEND at the same time?


best regards


Olivier SOLDANO
Savoir Faire Linux
Project RING


From olivier.soldano at savoirfairelinux.com  Fri Sep 30 19:01:55 2016
From: olivier.soldano at savoirfairelinux.com (Olivier Soldano)
Date: Fri, 30 Sep 2016 13:01:55 -0400 (EDT)
Subject: [gnutls-help] Fwd: problem with dtls heartbeat pong reception
 in v3.4.x
In-Reply-To: <1587088793.48650.1475241857176.JavaMail.zimbra@savoirfairelinux.com>
References: <529950576.362466.1475181970881.JavaMail.zimbra@savoirfairelinux.com>
 <1587088793.48650.1475241857176.JavaMail.zimbra@savoirfairelinux.com>
Message-ID: <625935297.84277.1475254915646.JavaMail.zimbra@savoirfairelinux.com>

Ok I found my mistake, you just have to use gnutls_heartbeat_enable(session, GNUTLS_HB_PEER_ALLOWED_TO_SEND | GNUTLS_HB_LOCAL_ALLOWED_TO_SEND)
for the member which is pinging and gnutls_heartbeat_enable(session, GNUTLS_HB_PEER_ALLOWED_TO_SEND) for the pong-er.

However the example code in tests/mini-dtls-heartbeat.c uses gnutls_heartbeat_enable(session, GNUTLS_HB_PEER_ALLOWED_TO_SEND); for both
members.

moreover I found unclear the documentation http://www.gnutls.org/manual/html_node/Core-TLS-API.html#gnutls_005fheartbeat_005fenable
as it -for me- differentiates and excludes the use of the two types GNUTLS_HB_PEER_ALLOWED_TO_SEND , and GNUTLS_HB_LOCAL_ALLOWED_TO_SEND.



----- Mail original -----
De: "Olivier Soldano" <olivier.soldano at savoirfairelinux.com>
?: "gnutls-help" <gnutls-help at lists.gnutls.org>
Envoy?: Vendredi 30 Septembre 2016 09:24:17
Objet: [gnutls-help] Fwd: problem with dtls heartbeat pong reception in v3.4.x

Hello,

I'm currently implementing a heartbeat sequence in my project,
and I'm encountering a few hiccups, namely trying to get a pong after a ping,
and receiving a GNUTLS_E_UNEXPECTED_PACKET.
After a few investigations I diagnocised a potential error on my behalf.
I enable heartbeat with the function gnutls_heartbeat_enable(session, GNUTLS_HB_LOCAL_ALLOWED_TO_SEND) in order to be able to send pings (heartbeat.c line 171)
but this configuration generates the previous error when reaching the function 
_gnutls_heartbeat_handle (heartbeat.c line 323) due to needing the function gnutls_heartbeat_enable(session, GNUTLS_HB_PEER_ALLOWED_TO_SEND).

is it possible to configure gnutls_heartbeat_enable with both GNUTLS_HB_LOCAL_ALLOWED_TO_SEND 
and GNUTLS_HB_PEER_ALLOWED_TO_SEND at the same time?


best regards


Olivier SOLDANO
Savoir Faire Linux
Project RING

_______________________________________________
Gnutls-help mailing list
Gnutls-help at lists.gnutls.org
http://lists.gnupg.org/mailman/listinfo/gnutls-help