From denissalem at tuxfamily.org Sun Sep 2 00:04:03 2018
From: denissalem at tuxfamily.org (denissalem at tuxfamily.org)
Date: Sun, 02 Sep 2018 00:04:03 +0200
Subject: [gnutls-help] Missing break into server code examples?
Message-ID:

Hello fellow coders!

I'm new to GnuTLS and I'm studying the examples provided by the documentation. I noticed that in most server examples there is no break after gnutls_record_send() (or only if an error is triggered). I don't know if it's intentional, but while testing the example given in 7.2.1 titled "Echo server with X.509 authentication", it appears that the code hangs when calling gnutls_record_recv() after echoing back the data. Firefox is loading indefinitely, as well as curl, which never completes.

The only way I found to have something right is to set a break after gnutls_record_send(). By doing that I'm able to complete the loading of the server response with a browser or a command line tool.

Is there something I don't understand about this?

Best regards,
Denis

From thomas at m3y3r.de Fri Sep 21 14:01:22 2018
From: thomas at m3y3r.de (thomas at m3y3r.de)
Date: Fri, 21 Sep 2018 14:01:22 +0200
Subject: [gnutls-help] cannot to connect to lwn.net with gnutls 3.6.3 on windows 10
Message-ID: <86musbys8d.fsf@DESKTOP-DQBDJ0U.i-did-not-set--mail-host-address--so-tickle-me>

Hi,

any ideas what could be wrong here?

gnutls-cli lwn.net gives me:

Processed 59 CA certificate(s).
Resolving 'lwn.net:443'...
Connecting to '2600:3c03::f03c:91ff:fe61:5c5b:443'...
Connecting to '45.33.94.129:443'...
|<1>| There was a non-CA certificate in the trusted list: OU=Copyright (c) 1997 Microsoft Corp.,OU=Microsoft Corporation,CN=Microsoft Root Authority.
|<1>| There was a non-CA certificate in the trusted list: C=US,O=MSFT,CN=Microsoft Authenticode(tm) Root Authority.
|<1>| There was a non-CA certificate in the trusted list: CN=Root Agency.
*** Fatal error: Error in the push function.
*** Fatal error: Error in the push function.
Could not connect to 45.33.94.129:443: Bad file descriptor

any help or pointers are welcome.

with kind regards
thomas

From thomas at m3y3r.de Sat Sep 22 11:00:49 2018
From: thomas at m3y3r.de (thomas at m3y3r.de)
Date: Sat, 22 Sep 2018 11:00:49 +0200
Subject: [gnutls-help] cannot to connect to lwn.net with gnutls 3.6.3 on windows 10
In-Reply-To: <86musbys8d.fsf@DESKTOP-DQBDJ0U.i-did-not-set--mail-host-address--so-tickle-me> (thomas's message of "Fri, 21 Sep 2018 14:01:22 +0200")
References: <86musbys8d.fsf@DESKTOP-DQBDJ0U.i-did-not-set--mail-host-address--so-tickle-me>
Message-ID: <86mus9q532.fsf@DESKTOP-DQBDJ0U.i-did-not-set--mail-host-address--so-tickle-me>

mhh. debugging with -d 999 shows that the connection fails after writing the first byte of the client hello:

|<5>| REC[0000000002c7b1c0]: Preparing Packet Handshake(22) with length: 213 and min pad: 0
|<9>| ENC[0000000002c7b1c0]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
|<11>| WRITE: enqueued 218 bytes for 000000000069eaf0. Total 218 bytes.
|<5>| REC[0000000002c7b1c0]: Sent Packet[1] Handshake(22) in epoch 0 and length: 218
|<11>| HWRITE: wrote 1 bytes, 0 bytes left.
|<11>| WRITE FLUSH: 218 bytes in buffer.
|<3>| ASSERT: buffers.c[_gnutls_writev_emu]:464 -> -1 is returned!
|<2>| WRITE: -1 returned from 000000000069eaf0, errno: 0
|<3>| ASSERT: buffers.c[errno_to_gerr]:230
|<11>| WRITE error: code -53, 218 bytes left. -> ERROR_BAD_NETPATH (?)
|<3>| ASSERT: buffers.c[_gnutls_io_write_flush]:722
|<3>| ASSERT: handshake.c[handshake_client]:2793

what could be the problem here? any hint is welcome!
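The hang Denis describes in the first message of this digest (the server loops back into gnutls_record_recv() after echoing, while the HTTP client waits for the server to finish) is a property of the read-until-EOF loop, not of GnuTLS. The Go program below is an added illustration, not code from the GnuTLS manual or from anyone on this list: it runs the same loop shape as a TLS echo server on loopback and drives it with a client that either half-closes after its request (the server's next read returns end-of-stream and the loop ends) or keeps its side open (both ends wait for each other until the client's read deadline). It assumes loopback TCP is available and uses a self-signed certificate constructed in the program.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net"
	"os"
	"time"
)

// newServerCert builds a throwaway self-signed certificate for 127.0.0.1
// (constructed for this demonstration only) and a pool that trusts it.
func newServerCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "echo-demo"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(parsed)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// serveEcho is the loop shape from the manual's echo server: read, send the
// data back, read again, and leave only on end-of-stream or error.
func serveEcho(conn net.Conn) {
	defer conn.Close()
	buf := make([]byte, 4096)
	for {
		n, err := conn.Read(buf)
		if n > 0 {
			if _, werr := conn.Write(buf[:n]); werr != nil {
				return
			}
		}
		if err != nil { // io.EOF once the peer has sent close_notify
			return
		}
	}
}

// RunEcho starts the echo server on loopback, connects a client, sends msg
// and returns what the client read back. halfClose decides whether the client
// tells the server it is done (close_notify via CloseWrite); timeout bounds
// how long the client waits for the server to finish.
func RunEcho(msg string, halfClose bool, timeout time.Duration) (string, error) {
	cert, pool, err := newServerCert()
	if err != nil {
		return "", err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() {
		if c, aerr := ln.Accept(); aerr == nil {
			serveEcho(c)
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, ServerName: "127.0.0.1", MinVersion: tls.VersionTLS12})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	if _, err := conn.Write([]byte(msg)); err != nil {
		return "", err
	}
	if halfClose {
		// Signal "nothing more to send": the server's next read gets EOF.
		if err := conn.CloseWrite(); err != nil {
			return "", err
		}
	}
	conn.SetReadDeadline(time.Now().Add(timeout)) // bound the wait for the server to finish
	got, err := io.ReadAll(conn)
	return string(got), err
}

func main() {
	req := "GET / HTTP/1.0\r\n\r\n" // what a browser or curl would send
	out, err := RunEcho(req, true, 2*time.Second)
	fmt.Printf("client half-closes: echoed %q, err=%v\n", out, err)
	out, err = RunEcho(req, false, 500*time.Millisecond)
	if errors.Is(err, os.ErrDeadlineExceeded) {
		fmt.Printf("client keeps its side open: echoed %q, then both ends waited for each other\n", out)
	}
}
```

A browser or curl never half-closes after an HTTP request; it expects the server to end the response, which an echo loop only does when the peer stops sending. That is why the manual's example terminates cleanly with a client that closes its write side and appears to hang with an HTTP client.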
with kind regards
thomas

From ametzler at bebt.de Sat Sep 22 11:10:31 2018
From: ametzler at bebt.de (Andreas Metzler)
Date: Sat, 22 Sep 2018 11:10:31 +0200
Subject: [gnutls-help] cannot to connect to lwn.net with gnutls 3.6.3 on windows 10
In-Reply-To: <86musbys8d.fsf@DESKTOP-DQBDJ0U.i-did-not-set--mail-host-address--so-tickle-me>
References: <86musbys8d.fsf@DESKTOP-DQBDJ0U.i-did-not-set--mail-host-address--so-tickle-me>
Message-ID: <20180922091031.GB1496@argenau.bebt.de>

On 2018-09-21 thomas at m3y3r.de wrote:
> any ideas what could be wrong here?
> gnutls-cli lwn.net gives me:
> Processed 59 CA certificate(s).
> Resolving 'lwn.net:443'...
> Connecting to '2600:3c03::f03c:91ff:fe61:5c5b:443'...
> Connecting to '45.33.94.129:443'...
> |<1>| There was a non-CA certificate in the trusted list: OU=Copyright (c) 1997 Microsoft Corp.,OU=Microsoft Corporation,CN=Microsoft Root Authority.
> |<1>| There was a non-CA certificate in the trusted list: C=US,O=MSFT,CN=Microsoft Authenticode(tm) Root Authority.
> |<1>| There was a non-CA certificate in the trusted list: CN=Root Agency.
> *** Fatal error: Error in the push function.
> *** Fatal error: Error in the push function.
> Could not connect to 45.33.94.129:443: Bad file descriptor
> any help or pointers are welcome.
> with kind regards

What version of GnuTLS are you using? - It works for me. (3.5.19).

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'

From thomas at m3y3r.de Sat Sep 22 12:17:21 2018
From: thomas at m3y3r.de (thomas at m3y3r.de)
Date: Sat, 22 Sep 2018 12:17:21 +0200
Subject: [gnutls-help] cannot to connect to lwn.net with gnutls 3.6.3 on windows 10
In-Reply-To: <20180922091031.GB1496@argenau.bebt.de> (Andreas Metzler's message of "Sat, 22 Sep 2018 11:10:31 +0200")
References: <86musbys8d.fsf@DESKTOP-DQBDJ0U.i-did-not-set--mail-host-address--so-tickle-me> <20180922091031.GB1496@argenau.bebt.de>
Message-ID: <86in2xq1ji.fsf@DESKTOP-DQBDJ0U.i-did-not-set--mail-host-address--so-tickle-me>

Hi,

yeah, all my other computers, which don't run windows 10, are working fine with gnutls. So I'm pretty sure it isn't the network; something on this machine must be different!

I'm using the mingw64 version from the download page:

https://gitlab.com/gnutls/gnutls/builds/artifacts/gnutls_3_6_3/download?job=MinGW64.DLLs

which says about itself:

>gnutls-cli.exe -v
gnutls-cli @VERSION@
Copyright (C) 2000-@YEAR@ Free Software Foundation, and others, all rights reserved.
This is free software. It is licensed for use, modification and redistribution under the terms of the GNU General Public License, version 3 or later
Please send bug reports to: <@PACKAGE_BUGREPORT@>
---

And sadly this build seems to lack the debug symbols, so no chance to attach via gdb.

I'm trying to compile the library myself, but I'm lacking the time to finish. The bootstrap step seems to take ages to finish...

with kind regards
thomas

From nmav at gnutls.org Mon Sep 24 17:51:54 2018
From: nmav at gnutls.org (Nikos Mavrogiannopoulos)
Date: Mon, 24 Sep 2018 17:51:54 +0200
Subject: [gnutls-help] gnutls 3.6.4
Message-ID:

Hello,

I've just released gnutls 3.6.4. This release adds support for the final TLS 1.3 protocol version, and enables it by default. The more detailed list of changes follows.

* Version 3.6.4 (released 2018-09-24)

** libgnutls: Added the final (RFC8446) version numbering of the TLS1.3 protocol.
** libgnutls: Corrected regression since 3.6.3 in the callbacks set with gnutls_certificate_set_retrieve_function() which could not handle the case where no certificates were returned, or the callbacks were set to NULL (see #528).

** libgnutls: gnutls_handshake() on server returns early on handshake when no certificate is presented by client and the gnutls_init() flag GNUTLS_ENABLE_EARLY_START is specified.

** libgnutls: Added session ticket key rotation on server side with TOTP. The key set with gnutls_session_ticket_enable_server() is used as a master key to generate time-based keys for tickets. The rotation relates to the gnutls_db_set_cache_expiration() period.

** libgnutls: The 'record size limit' extension is added and preferred to the 'max record size' extension when possible.

** libgnutls: Provide a more flexible PKCS#11 search of trust store certificates. This addresses the problem where the CA certificate doesn't have a subject key identifier whereas the end certificates have an authority key identifier (#569).

** libgnutls: gnutls_privkey_export_gost_raw2(), gnutls_privkey_import_gost_raw(), gnutls_pubkey_export_gost_raw2(), gnutls_pubkey_import_gost_raw() import and export GOST parameters in the "native" little endian format used for these curves. This is an intentional incompatible change with 3.6.3.

** libgnutls: Added support for separately negotiating client and server certificate types as defined in RFC7250. This mechanism must be explicitly enabled via the GNUTLS_ENABLE_CERT_TYPE_NEG flag in gnutls_init().
** gnutls-cli: enable CRL validation on startup (#564)

** API and ABI modifications:
GNUTLS_ENABLE_EARLY_START: Added
GNUTLS_ENABLE_CERT_TYPE_NEG: Added
GNUTLS_TL_FAIL_ON_INVALID_CRL: Added
GNUTLS_CERTIFICATE_VERIFY_CRLS: Added
gnutls_ctype_target_t: New enumeration
gnutls_record_set_max_early_data_size: Added
gnutls_certificate_type_get2: Added
gnutls_priority_certificate_type_list2: Added
gnutls_ffdhe_6144_group_prime: Added
gnutls_ffdhe_6144_group_generator: Added
gnutls_ffdhe_6144_key_bits: Added

Getting the Software
====================

GnuTLS may be downloaded directly from . A list of GnuTLS mirrors can be found at .

Here are the XZ compressed sources:

https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/gnutls-3.6.4.tar.xz

Here are OpenPGP detached signatures signed using key 0x96865171:

https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/gnutls-3.6.4.tar.xz.sig

Note that it has been signed with my openpgp key:
pub 3104R/96865171 2008-05-04 [expires: 2028-04-29]
uid Nikos Mavrogiannopoulos gnutls.org>
uid Nikos Mavrogiannopoulos gmail.com>
sub 2048R/9013B842 2008-05-04 [expires: 2018-05-02]
sub 2048R/1404A91D 2008-05-04 [expires: 2018-05-02]

regards,
Nikos

From thomas at m3y3r.de Sat Sep 29 20:56:16 2018
From: thomas at m3y3r.de (thomas at m3y3r.de)
Date: Sat, 29 Sep 2018 20:56:16 +0200
Subject: [gnutls-help] cannot to connect to lwn.net with gnutls 3.6.3 on windows 10
In-Reply-To: <20180922091031.GB1496@argenau.bebt.de> (Andreas Metzler's message of "Sat, 22 Sep 2018 11:10:31 +0200")
References: <86musbys8d.fsf@DESKTOP-DQBDJ0U.i-did-not-set--mail-host-address--so-tickle-me> <20180922091031.GB1496@argenau.bebt.de>
Message-ID: <86o9cgqgj3.fsf@DESKTOP-DQBDJ0U.i-did-not-set--mail-host-address--so-tickle-me>

Hi,

did you compile the version yourself? Where exactly can I get your binary/version?

I now was able to set up the mingw64 toolchain, and the self-compiled version works! Sadly no debugging is possible because gdb and the exe seem to miss debug symbols.
a quick view shows this difference:

gitlab mingw64 build version 3.6.3, linked on the gnutls homepage:

gnutls-cli lwn.net
|<1>| There was a non-CA certificate in the trusted list: OU=Copyright (c) 1997 Microsoft Corp.,OU=Microsoft Corporation,CN=Microsoft Root Authority.
|<1>| There was a non-CA certificate in the trusted list: C=US,O=MSFT,CN=Microsoft Authenticode(tm) Root Authority.
|<1>| There was a non-CA certificate in the trusted list: CN=Root Agency.
Processed 59 CA certificate(s).
[...]

my 3.6.3 version built locally on a windows 10 machine:

gnutls-cli lwn.net
Processed 155 CA certificate(s).
[...]
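Thomas's two outputs above show the two builds reading different trust stores (59 versus 155 certificates), and the GitLab build additionally warns about three entries that are not CA certificates. The Go program below is an added example, not code from GnuTLS or from anyone on this list, of the check behind such a warning: it walks a PEM trust bundle and reports every entry that cannot serve as a trust anchor, because it has no basicConstraints extension at all, because basicConstraints says CA:FALSE, or because its keyUsage lacks keyCertSign. The bundle it audits is constructed in the program from three invented self-signed certificates (a proper root, a server certificate that was pasted into the store by mistake, and a legacy root without basicConstraints); the subject names are made up for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Finding is one bundle entry that cannot serve as a trust anchor.
type Finding struct {
	Subject string
	Reason  string
}

// AuditTrustBundle walks every CERTIFICATE block of a PEM bundle and reports
// entries that are not CAs. It returns the number of certificates parsed and
// the findings in bundle order.
func AuditTrustBundle(bundle []byte) (int, []Finding, error) {
	total := 0
	var findings []Finding
	for {
		var block *pem.Block
		block, bundle = pem.Decode(bundle)
		if block == nil {
			return total, findings, nil
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return total, findings, fmt.Errorf("bundle entry %d: %w", total+1, err)
		}
		total++
		subj := cert.Subject.String()
		switch {
		case !cert.BasicConstraintsValid: // X.509 v1 style: no extension at all
			findings = append(findings, Finding{subj, "no basicConstraints extension"})
		case !cert.IsCA:
			findings = append(findings, Finding{subj, "basicConstraints says CA:FALSE"})
		case cert.KeyUsage != 0 && cert.KeyUsage&x509.KeyUsageCertSign == 0:
			findings = append(findings, Finding{subj, "keyUsage lacks keyCertSign"})
		}
	}
}

// selfSigned makes a constructed self-signed test certificate. withBC controls
// whether a basicConstraints extension is written at all; isCA sets its value.
func selfSigned(cn string, withBC, isCA bool, usage x509.KeyUsage) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: withBC,
		IsCA:                  isCA,
		KeyUsage:              usage,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// ConstructedBundle imitates a trust store that mixes a real root with two
// entries that do not belong there. All three certificates are invented.
func ConstructedBundle() ([]byte, error) {
	entries := []struct {
		cn         string
		withBC, ca bool
		usage      x509.KeyUsage
	}{
		{"Demo Root CA", true, true, x509.KeyUsageCertSign | x509.KeyUsageCRLSign},
		{"server.example", true, false, x509.KeyUsageDigitalSignature}, // end-entity cert
		{"Legacy Test Root", false, false, 0},                          // no basicConstraints, no keyUsage
	}
	var bundle []byte
	for _, e := range entries {
		p, err := selfSigned(e.cn, e.withBC, e.ca, e.usage)
		if err != nil {
			return nil, err
		}
		bundle = append(bundle, p...)
	}
	return bundle, nil
}

func main() {
	bundle, err := ConstructedBundle()
	if err != nil {
		panic(err)
	}
	total, findings, err := AuditTrustBundle(bundle)
	if err != nil {
		panic(err)
	}
	fmt.Printf("Processed %d certificate(s), %d not usable as CA\n", total, len(findings))
	for _, f := range findings {
		fmt.Printf("  %s: %s\n", f.Subject, f.Reason)
	}
}
```

To audit a real store, replace ConstructedBundle() with the bytes of the bundle file the library is actually loading; an entry that shows up here is one that should be removed from the trust store rather than silently skipped, since a non-CA entry in a trust list means either a packaging mistake or a store that was never meant for TLS server authentication.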