From rogerdpack2 at gmail.com Fri Sep 2 01:54:06 2016 From: rogerdpack2 at gmail.com (Roger Pack) Date: Thu, 1 Sep 2016 17:54:06 -0600 Subject: [gnutls-help] some mirrors seem stale :| Message-ID: As a note, not sure if this is a gnutls issue or not, but clicking on the "mirrors" link for 3.4 goes here: https://www.gnupg.org/download/mirrors.en.html which lists "mirror.tje.me.uk" as "4/day" however their last update was in 2015: http://mirror.tje.me.uk/pub/mirrors/ftp.gnupg.org/gnutls/ Cheers! -roger- From nmav at gnutls.org Fri Sep 2 15:39:09 2016 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Fri, 2 Sep 2016 15:39:09 +0200 Subject: [gnutls-help] some mirrors seem stale :| In-Reply-To: References: Message-ID: On Fri, Sep 2, 2016 at 1:54 AM, Roger Pack wrote: > As a note, not sure if this is a gnutls issue or not, but clicking on > the "mirrors" link for 3.4 goes here: > https://www.gnupg.org/download/mirrors.en.html > which lists "mirror.tje.me.uk" as "4/day" however their last update was in 2015: Thank you; I've forwarded your mail to Werner who maintains the gnupg site. regards, Nikos From hk501jy at gmail.com Sat Sep 3 10:25:03 2016 From: hk501jy at gmail.com (Yujin Kim) Date: Sat, 3 Sep 2016 17:25:03 +0900 Subject: [gnutls-help] gnutls using in Android Message-ID: Hi, I'm trying to using gnutls in Android. I used 'cerbero' and take a step https://gitlab.com/gnutls/cerbero in here. so, I get a 'libgnutls.so' file. and how can I using this file in Android Studio? Thanks. -------------- next part -------------- An HTML attachment was scrubbed... URL: From galex-713 at galex-713.eu Sun Sep 4 00:01:35 2016 From: galex-713 at galex-713.eu (Garreau, Alexandre) Date: Sun, 04 Sep 2016 00:01:35 +0200 Subject: [gnutls-help] OpenPGP instead of X509: what kind of (sub)key? Message-ID: Hi, I recently discovered that GnuTLS can use OpenPGP as certificate, instead of X509, which afaik depends on the CA model? ?yet afaik fingerprint change according standard (there are like at least 4 versions of it for PGP (still using sha1), and at least one for X509 (afaik still using sha1 too)), so it won?t simplify by ?oh simply check at the fingerprint and if it?s the same that I gave you it?s ok?? anyway it wouldn?t work because since I don?t want to store my master private key on my server I prefer to ?ultimate? sign another keypair and put it on my server? So my question is: what does ?openpgp support? (as cited there: http://gnutls.org/openpgp.html and there http://gnutls.org/) mean? only that the dh parameters will get signed by a privkey with the same parameters? or only that gnutls will call gpg to sign a different x509 cert with the specified key (at this point I could already do that manually)? then what automation/comodity do it brings? does it only says ?that cert is secure? if it is signed by someone you trust/you certified according GPG/GNS/whatever? From nmav at gnutls.org Mon Sep 5 16:33:38 2016 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Mon, 5 Sep 2016 16:33:38 +0200 Subject: [gnutls-help] OpenPGP instead of X509: what kind of (sub)key? In-Reply-To: References: Message-ID: On Sun, Sep 4, 2016 at 12:01 AM, Garreau, Alexandre wrote: > Hi, I recently discovered that GnuTLS can use OpenPGP as certificate, > instead of X509, which afaik depends on the CA model? That's true, but note that we are planning to deprecate that support: https://gitlab.com/gnutls/gnutls/issues/102 It will be replaced by raw keys when that support is available. > ?yet afaik fingerprint change according standard (there are like at > least 4 versions of it for PGP (still using sha1), and at least one for > X509 (afaik still using sha1 too)), so it won?t simplify by ?oh simply > check at the fingerprint and if it?s the same that I gave you it?s ok?? > anyway it wouldn?t work because since I don?t want to store my master > private key on my server I prefer to ?ultimate? sign another keypair and > put it on my server? > So my question is: what does ?openpgp support? (as cited there: > http://gnutls.org/openpgp.html and there http://gnutls.org/) mean? only > that the dh parameters will get signed by a privkey with the same > parameters? It directly uses openpgp certificates and keys for signatures. > cert with the specified key (at this point I could already do that > manually)? then what automation/comodity do it brings? does it only says > ?that cert is secure? if it is signed by someone you trust/you certified > according GPG/GNS/whatever? You can verify the certificate against a "ring" of trusted keys. regards, Nikos From galex-713 at galex-713.eu Mon Sep 5 18:19:25 2016 From: galex-713 at galex-713.eu (Garreau, Alexandre) Date: Mon, 05 Sep 2016 18:19:25 +0200 Subject: [gnutls-help] OpenPGP instead of X509: what kind of (sub)key? In-Reply-To: (Nikos Mavrogiannopoulos's message of "Mon, 5 Sep 2016 16:33:38 +0200") References: Message-ID: <062h7yzzzzzz.8f9.xxuns.g6.gal@galex-713.eu> On 2016-09-05 at 16:33, Nikos Mavrogiannopoulos wrote: > On Sun, Sep 4, 2016 at 12:01 AM, Garreau, Alexandre > wrote: >> Hi, I recently discovered that GnuTLS can use OpenPGP as certificate, >> instead of X509, which afaik depends on the CA model? > > That's true, but note that we are planning to deprecate that support: > https://gitlab.com/gnutls/gnutls/issues/102 > It will be replaced by raw keys when that support is available. > >> ?yet afaik fingerprint change according standard (there are like at >> least 4 versions of it for PGP (still using sha1), and at least one for >> X509 (afaik still using sha1 too)), so it won?t simplify by ?oh simply >> check at the fingerprint and if it?s the same that I gave you it?s ok?? >> anyway it wouldn?t work because since I don?t want to store my master >> private key on my server I prefer to ?ultimate? sign another keypair and >> put it on my server? >> So my question is: what does ?openpgp support? (as cited there: >> http://gnutls.org/openpgp.html and there http://gnutls.org/) mean? only >> that the dh parameters will get signed by a privkey with the same >> parameters? > > It directly uses openpgp certificates and keys for signatures. So? if I run gnutls-server somewhere, and connect to it with gnutls-client? the fingerprints I will see are those of the opengpg masterkey? or of the signing subkey? or is it possible to use a subkey for this usage? what features/?usages? should have a openpgp cert used by GnuTLS? ?sign?? ?certificate?? can I use the new GnuPG Curves25519? Or if I consider WoT doesn?t work enough [1], can I make so the key of each person I know is ?allowed? to certificate only keys owned by this same very person (without having to ?trust? everybody on everybody)? [1] https://lists.torproject.org/pipermail/tor-talk/2013-September/030235.html From nmav at gnutls.org Mon Sep 5 18:35:31 2016 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Mon, 05 Sep 2016 18:35:31 +0200 Subject: [gnutls-help] OpenPGP instead of X509: what kind of (sub)key? In-Reply-To: <062h7yzzzzzz.8f9.xxuns.g6.gal@galex-713.eu> References: <062h7yzzzzzz.8f9.xxuns.g6.gal@galex-713.eu> Message-ID: <1473093331.4738.0.camel@gnutls.org> On Mon, 2016-09-05 at 18:19 +0200, Garreau, Alexandre wrote: > > It directly uses openpgp certificates and keys for signatures. > So? if I run gnutls-server somewhere, and connect to it with > gnutls-client? the fingerprints I will see are those of the opengpg > masterkey? or of the signing subkey? or is it possible to use a > subkey > for this usage? what features/?usages? should have a openpgp cert > used > by GnuTLS? ?sign?? ?certificate????can I use the new GnuPG > Curves25519? > > Or if I consider WoT doesn?t work enough [1], can I make so the key > of > each person I know is ?allowed? to certificate only keys owned by > this > same very person (without having to ?trust? everybody on everybody)? > [1] > https://lists.torproject.org/pipermail/tor-talk/2013-September/030235 > .html If you are developing a new application, I'd simply suggest to ignore this API and pretend it doesn't exist. It will go away. regards, Nikos From nmav at gnutls.org Thu Sep 8 07:49:37 2016 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Thu, 08 Sep 2016 07:49:37 +0200 Subject: [gnutls-help] gnutls 3.5.4 Message-ID: <1473313777.792.2.camel@gnutls.org> Hello,? ?I've just released gnutls 3.5.4. This is a minor enhancements and bugfix release for the 3.5.x branch. * Version 3.5.4 (released 2016-09-08) ** libgnutls: Corrected the comparison of the serial size in OCSP ? ?response. Previously the OCSP certificate check wouldn't verify the ? ?serial length and could succeed in cases it shouldn't? ? ?(GNUTLS-SA-2016-3). Reported by Stefan Buehler. ** libgnutls: Added support for IP name constraints. Patch by Martin ? ?Ukrop. ** libgnutls: Added support for PKCS#8 file decryption using ? ?DES-CBC-MD5. This is added to allow decryption of PKCS #8 private ? ?keys from openssl prior to 1.1.0. ** libgnutls: Added support for decrypting PKCS#8 files which use? ? ?HMAC-SHA256 as PRF. This allow decrypting PKCS #8 private keys ? ?generated with openssl 1.1.0. ** libgnutls: Added support for internationalized passwords in PKCS#12 ? ?files. Previous versions would only encrypt or decrypt using ? ?passwords from the ASCII set. ** libgnutls: Addressed issue with PKCS#11 signature generation on ? ?ECDSA keys. The signature is now written as unsigned integers into ? ?the DSASignatureValue structure. Previously signed integers could be ? ?written depending on what the underlying module would produce. ? ?Addresses #122. ** gnutls-cli: Fixed starttls regression from 3.5.3. ** API and ABI modifications: GNUTLS_E_MALFORMED_CIDR: Added gnutls_x509_cidr_to_rfc5280: Added gnutls_oid_to_mac: Added Getting the Software ==================== GnuTLS may be downloaded directly from .??A list of GnuTLS mirrors can be found at . Here are the XZ compressed sources: ? ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/gnutls-3.5.4.tar.xz Here are OpenPGP detached signatures signed using key 0x96865171: ? ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/gnutls-3.5.4.tar.xz.sig Note that it has been signed with my openpgp key: pub???3104R/96865171 2008-05-04 [expires: 2028-04-29] uid??????????????????Nikos Mavrogiannopoulos gnutls.org> uid??????????????????Nikos Mavrogiannopoulos gmail.com> sub???2048R/9013B842 2008-05-04 [expires: 2018-05-02] sub???2048R/1404A91D 2008-05-04 [expires: 2018-05-02] regards, Nikos From nmav at gnutls.org Thu Sep 8 07:59:24 2016 From: nmav at gnutls.org (Nikos Mavrogiannopoulos) Date: Thu, 08 Sep 2016 07:59:24 +0200 Subject: [gnutls-help] gnutls 3.4.15 Message-ID: <1473314364.792.5.camel@gnutls.org> Hello,? ?I've just released gnutls 3.4.15. This is a bug fix release of the current stable branch. * Version 3.4.15 (released 2016-09-08) ** libgnutls: Corrected the comparison of the serial size in OCSP ? ?response. Previously the OCSP certificate check wouldn't verify the ? ?serial length and could succeed in cases it shouldn't ? ?(GNUTLS-SA-2016-3). Reported by Stefan Buehler. ** libgnutls: Fixes in gnutls_x509_crt_list_import2, which was ???ignoring flags if all certificates in the list fit within the ???initially allocated memory. ** libgnutls: Corrected issue which made ? ?gnutls_certificate_get_x509_crt() to return invalid pointers when ? ?returned more than a single certificate. Report and fix by Stefan ? ?S?rensen. ** libgnutls: Fix gnutls_pkcs12_simple_parse to always extract the ? ?complete chain. Report and fix by Stefan S?rensen. ** libgnutls: Added support for decrypting PKCS#8 files which use the ? ?HMAC-SHA256 as PRF. ** libgnutls: Addressed issue with PKCS#11 signature generation on ? ?ECDSA keys. The signature is now written as unsigned integers into ? ?the DSASignatureValue structure. Previously signed integers could be ? ?written depending on what the underlying module would produce. ? ?Addresses #122. ** API and ABI modifications: No changes since last version. Getting the Software ==================== GnuTLS may be downloaded directly from .??A list of GnuTLS mirrors can be found at . Here are the XZ compressed sources: ? ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/gnutls-3.4.15.tar.xz Here are OpenPGP detached signatures signed using key 0x96865171: ? ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/gnutls-3.4.15.tar.xz.sig Note that it has been signed with my openpgp key: pub???3104R/96865171 2008-05-04 [expires: 2028-04-29] uid??????????????????Nikos Mavrogiannopoulos gnutls.org> uid??????????????????Nikos Mavrogiannopoulos gmail.com> sub???2048R/9013B842 2008-05-04 [expires: 2018-05-02] sub???2048R/1404A91D 2008-05-04 [expires: 2018-05-02] regards, Nikos From olivier.soldano at savoirfairelinux.com Fri Sep 30 15:24:17 2016 From: olivier.soldano at savoirfairelinux.com (Olivier Soldano) Date: Fri, 30 Sep 2016 09:24:17 -0400 (EDT) Subject: [gnutls-help] Fwd: problem with dtls heartbeat pong reception in v3.4.x In-Reply-To: <529950576.362466.1475181970881.JavaMail.zimbra@savoirfairelinux.com> References: <529950576.362466.1475181970881.JavaMail.zimbra@savoirfairelinux.com> Message-ID: <1587088793.48650.1475241857176.JavaMail.zimbra@savoirfairelinux.com> Hello, I'm currently implementing a heartbeat sequence in my project, and I'm encountering a few hiccups, namely trying to get a pong after a ping, and receiving a GNUTLS_E_UNEXPECTED_PACKET. After a few investigations I diagnocised a potential error on my behalf. I enable heartbeat with the function gnutls_heartbeat_enable(session, GNUTLS_HB_LOCAL_ALLOWED_TO_SEND) in order to be able to send pings (heartbeat.c line 171) but this configuration generates the previous error when reaching the function _gnutls_heartbeat_handle (heartbeat.c line 323) due to needing the function gnutls_heartbeat_enable(session, GNUTLS_HB_PEER_ALLOWED_TO_SEND). is it possible to configure gnutls_heartbeat_enable with both GNUTLS_HB_LOCAL_ALLOWED_TO_SEND and GNUTLS_HB_PEER_ALLOWED_TO_SEND at the same time? best regards Olivier SOLDANO Savoir Faire Linux Project RING From olivier.soldano at savoirfairelinux.com Fri Sep 30 19:01:55 2016 From: olivier.soldano at savoirfairelinux.com (Olivier Soldano) Date: Fri, 30 Sep 2016 13:01:55 -0400 (EDT) Subject: [gnutls-help] Fwd: problem with dtls heartbeat pong reception in v3.4.x In-Reply-To: <1587088793.48650.1475241857176.JavaMail.zimbra@savoirfairelinux.com> References: <529950576.362466.1475181970881.JavaMail.zimbra@savoirfairelinux.com> <1587088793.48650.1475241857176.JavaMail.zimbra@savoirfairelinux.com> Message-ID: <625935297.84277.1475254915646.JavaMail.zimbra@savoirfairelinux.com> Ok I found my mistake, you just have to use gnutls_heartbeat_enable(session, GNUTLS_HB_PEER_ALLOWED_TO_SEND | GNUTLS_HB_LOCAL_ALLOWED_TO_SEND) for the member which is pinging and gnutls_heartbeat_enable(session, GNUTLS_HB_PEER_ALLOWED_TO_SEND) for the pong-er. However the example code in tests/mini-dtls-heartbeat.c uses gnutls_heartbeat_enable(session, GNUTLS_HB_PEER_ALLOWED_TO_SEND); for both members. moreover I found unclear the documentation http://www.gnutls.org/manual/html_node/Core-TLS-API.html#gnutls_005fheartbeat_005fenable as it -for me- differentiates and excludes the use of the two types GNUTLS_HB_PEER_ALLOWED_TO_SEND , and GNUTLS_HB_LOCAL_ALLOWED_TO_SEND. ----- Mail original ----- De: "Olivier Soldano" ?: "gnutls-help" Envoy?: Vendredi 30 Septembre 2016 09:24:17 Objet: [gnutls-help] Fwd: problem with dtls heartbeat pong reception in v3.4.x Hello, I'm currently implementing a heartbeat sequence in my project, and I'm encountering a few hiccups, namely trying to get a pong after a ping, and receiving a GNUTLS_E_UNEXPECTED_PACKET. After a few investigations I diagnocised a potential error on my behalf. I enable heartbeat with the function gnutls_heartbeat_enable(session, GNUTLS_HB_LOCAL_ALLOWED_TO_SEND) in order to be able to send pings (heartbeat.c line 171) but this configuration generates the previous error when reaching the function _gnutls_heartbeat_handle (heartbeat.c line 323) due to needing the function gnutls_heartbeat_enable(session, GNUTLS_HB_PEER_ALLOWED_TO_SEND). is it possible to configure gnutls_heartbeat_enable with both GNUTLS_HB_LOCAL_ALLOWED_TO_SEND and GNUTLS_HB_PEER_ALLOWED_TO_SEND at the same time? best regards Olivier SOLDANO Savoir Faire Linux Project RING _______________________________________________ Gnutls-help mailing list Gnutls-help at lists.gnutls.org http://lists.gnupg.org/mailman/listinfo/gnutls-help