From jgh at wizmail.org Sun Feb 10 14:30:35 2019 From: jgh at wizmail.org (Jeremy Harris) Date: Sun, 10 Feb 2019 13:30:35 +0000 Subject: [gnutls-help] priority string SIGN- ordering Message-ID: <6df65b91-e3b9-ab76-75ee-4af5b33857fe@wizmail.org> Hi, With 3.6.5 (on Fedora 29) I am seeing a problem where the server apparently ignores the order given in the priority string (NORMAL:-SIGN-ALL:+SIGN-RSA-SHA256:+SIGN-ECDSA-SHA512:-VERS-TLS1.3). Is that the right way to do it? The manual appears to say "Don't use NONE-and-add-your-own, because versioning problems - and indeed I do get problems across versions when trying to do that. Server debug: 1942 GnuTLS global init required. 1942 initialising GnuTLS server session 1942 GnuTLS<5>: REC[0x564c6e85c480]: Allocating epoch #0 1942 Expanding various TLS configuration options for session credentials. 1942 certificate file = TESTSUITE/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem : TESTSUITE/aux -fixed/exim-ca/example_ec.com/server1.example_ec.com/server1.example_ec.com.pem 1942 key file = TESTSUITE/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key : TESTSUITE/au x-fixed/exim-ca/example_ec.com/server1.example_ec.com/server1.example_ec.com.unlocked.key 1942 GnuTLS<3>: ASSERT: x509_ext.c[gnutls_subject_alt_names_get]:110 1942 GnuTLS<3>: ASSERT: x509.c[get_alt_name]:1815 1942 GnuTLS<3>: ASSERT: mpi.c[wrap_nettle_mpi_print]:60 1942 TLS: cert/key TESTSUITE/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem registered 1942 GnuTLS<3>: ASSERT: x509_ext.c[gnutls_subject_alt_names_get]:110 1942 GnuTLS<3>: ASSERT: x509.c[get_alt_name]:1815 1942 GnuTLS<3>: ASSERT: pk.c[_wrap_nettle_pk_sign]:783 1942 GnuTLS<2>: Security level of algorithm requires hash SHA512(64) or better 1942 GnuTLS<3>: ASSERT: mpi.c[wrap_nettle_mpi_print]:60 1942 GnuTLS<3>: ASSERT: mpi.c[wrap_nettle_mpi_print]:60 1942 TLS: cert/key TESTSUITE/aux-fixed/exim-ca/example_ec.com/server1.example_ec.com/server1.example_ec.com.pem registered 1942 verify certificates = TESTSUITE/aux-fixed/exim-ca/example.com/server2.example.com/ca_chain.pem size=sss 1942 Added 2 certificate authorities. 1942 Initialising GnuTLS server params. 1942 Loading default hard-coded DH params 1942 GnuTLS<3>: ASSERT: dh.c[gnutls_dh_params_import_pkcs3]:488 1942 Loaded fixed standard D-H parameters >>>>> 1942 GnuTLS session cipher/priority "NORMAL:-SIGN-ALL:+SIGN-RSA-SHA256:+SIGN-ECDSA-SHA512:-VERS-TLS1.3" >>>>> 1942 GnuTLS<2>: added 5 protocols, 29 ciphersuites, 2 sig algos and 9 groups into priority list 1942 TLS: a client certificate will not be requested. 1942 SMTP>> 220 TLS go ahead 1942 GnuTLS<5>: REC[0x564c6e85c480]: Allocating epoch #1 1942 GnuTLS<3>: ASSERT: buffers.c[get_last_packet]:1171 1942 GnuTLS<5>: REC[0x564c6e85c480]: SSL 3.1 Handshake packet received. Epoch 0, length: 154 1942 GnuTLS<5>: REC[0x564c6e85c480]: Expected Packet Handshake(22) 1942 GnuTLS<5>: REC[0x564c6e85c480]: Received Packet Handshake(22) with length: 154 1942 GnuTLS<5>: REC[0x564c6e85c480]: Decrypted Packet[0] Handshake(22) with length: 154 1942 GnuTLS<4>: HSK[0x564c6e85c480]: CLIENT HELLO (1) was received. Length 150[150], frag offset 0, frag length: 150, seque nce: 0 1942 GnuTLS<4>: HSK[0x564c6e85c480]: Client's version: 3.3 1942 GnuTLS<4>: EXT[0x564c6e85c480]: Parsing extension 'Encrypt-then-MAC/22' (0 bytes) 1942 GnuTLS<4>: EXT[0x564c6e85c480]: Parsing extension 'Safe Renegotiation/65281' (1 bytes) 1942 GnuTLS<3>: ASSERT: db.c[_gnutls_server_restore_session]:334 1942 GnuTLS<3>: ASSERT: server_name.c[gnutls_server_name_get]:235 1942 TLS: no SNI presented in handshake. 1942 GnuTLS<4>: EXT[0x564c6e85c480]: Parsing extension 'Supported Groups/10' (20 bytes) 1942 GnuTLS<4>: EXT[0x564c6e85c480]: Received group SECP256R1 (0x17) [+groups 0x18, 19, 1d, 100-104] 1942 GnuTLS<4>: EXT[0x564c6e85c480]: Selected group SECP256R1 1942 GnuTLS<4>: EXT[0x564c6e85c480]: Parsing extension 'Supported EC Point Formats/11' (2 bytes) 1942 GnuTLS<4>: EXT[0x564c6e85c480]: Parsing extension 'Signature Algorithms/13' (6 bytes) 1942 GnuTLS<4>: EXT[0x564c6e85c480]: rcvd signature algo (4.1) RSA-SHA256 1942 GnuTLS<4>: EXT[0x564c6e85c480]: rcvd signature algo (6.3) ECDSA-SHA512 1942 GnuTLS<4>: EXT[0x564c6e85c480]: Parsing extension 'Session Ticket/35' (0 bytes) 1942 GnuTLS<4>: EXT[0x564c6e85c480]: Parsing extension 'Record Size Limit/28' (2 bytes) 1942 GnuTLS<2>: checking c0.2c (GNUTLS_ECDHE_ECDSA_AES_256_GCM_SHA384) for compatibility 1942 GnuTLS<3>: ASSERT: server_name.c[gnutls_server_name_get]:235 1942 GnuTLS<4>: HSK[0x564c6e85c480]: Requested server name: '' 1942 GnuTLS<4>: HSK[0x564c6e85c480]: checking compat of GNUTLS_ECDHE_ECDSA_AES_256_GCM_SHA384 with certificate[0] (RSA/X.509) 1942 GnuTLS<3>: ASSERT: cert.c[cert_select_sign_algorithm]:1283 1942 GnuTLS<4>: HSK[0x564c6e85c480]: checking compat of GNUTLS_ECDHE_ECDSA_AES_256_GCM_SHA384 with certificate[1] (EC/ECDSA/X.509) 1942 GnuTLS<4>: checking cert compat with RSA-SHA256 1942 GnuTLS<4>: cannot use privkey of EC/ECDSA with RSA-SHA256 1942 GnuTLS<4>: checking cert compat with ECDSA-SHA512 >>>>>>>>>> 1942 GnuTLS<4>: Selected signature algorithm: ECDSA-SHA512 >>>>>>>>>> 1942 GnuTLS<2>: Selected (EC/ECDSA) cert based on ciphersuite c0.2c: GNUTLS_ECDHE_ECDSA_AES_256_GCM_SHA384 1942 GnuTLS<4>: HSK[0x564c6e85c480]: Selected group SECP256R1 (2) 1942 GnuTLS<4>: HSK[0x564c6e85c480]: Selected cipher suite: GNUTLS_ECDHE_ECDSA_AES_256_GCM_SHA384 1942 GnuTLS<4>: HSK[0x564c6e85c480]: Selected version TLS1.2 1942 GnuTLS<4>: HSK[0x564c6e85c480]: Safe renegotiation succeeded -- Thanks, Jeremy From ng0 at n0.is Mon Feb 25 02:48:02 2019 From: ng0 at n0.is (ng0 at n0.is) Date: Mon, 25 Feb 2019 01:48:02 +0000 Subject: [gnutls-help] failing to build the guile bindings on x86_64-netbsd Message-ID: <20190225014802.rhaegxjvdqvn7azy@uptimegirl> Hi, I'm trying to create a variant of the existing pkgsrc package for gnutls by building the guile bindings. With a sed many packagers do, 2.2 series of guile is detected. This is what happens in the guile directory. Can someone tell me why guild detects x86_64--netbsd as invalid target? I am able to build a number of pkgsrc guile modules without this error. Making all in guile gmake[2]: Entering directory '/usr/work/wip/gnutls-guile/work/gnutls-3.6.5/guile' Making all in src gmake[3]: Entering directory '/usr/work/wip/gnutls-guile/work/gnutls-3.6.5/guile/src' GEN enum-map.i.c GEN smob-types.i.c GEN enums.h GEN smobs.h GEN core.x GEN errors.x /usr/pkg/bin/gmake all-am gmake[4]: Entering directory '/usr/work/wip/gnutls-guile/work/gnutls-3.6.5/guile/src' CC guile_gnutls_v_2_la-core.lo core.c:806:19: warning: 'session_record_port_gc_hint' defined but not used [-Wunused-const-variable=] static const char session_record_port_gc_hint[] = ^~~~~~~~~~~~~~~~~~~~~~~~~~~ CC guile_gnutls_v_2_la-errors.lo CC guile_gnutls_v_2_la-utils.lo CCLD guile-gnutls-v-2.la ld: /usr/pkg/guile/2.2/lib/libguile-2.2.so: warning: warning: tmpnam() possibly used unsafely, use mkstemp() or mkdtemp() gmake[4]: Leaving directory '/usr/work/wip/gnutls-guile/work/gnutls-3.6.5/guile/src' gmake[3]: Leaving directory '/usr/work/wip/gnutls-guile/work/gnutls-3.6.5/guile/src' gmake[3]: Entering directory '/usr/work/wip/gnutls-guile/work/gnutls-3.6.5/guile' GEN modules/gnutls.scm GUILEC modules/gnutls.go ;;; note: auto-compilation is enabled, set GUILE_AUTO_COMPILE=0 ;;; or pass the --no-auto-compile argument to disable. ;;; compiling /usr/work/wip/gnutls-guile/work/.buildlink/bin/guild ;;; compiled /usr/work/wip/gnutls-guile/work/.home/.cache/guile/ccache/2.2-LE-8-3.A/usr/pkg/guile/2.2/bin/guild.go Backtrace: 7 (apply-smob/1 #) In ice-9/boot-9.scm: 705:2 6 (call-with-prompt _ _ #) In ice-9/eval.scm: 619:8 5 (_ #(#(#))) In /usr/work/wip/gnutls-guile/work/.buildlink/bin/guild: 72:17 4 (main _) In srfi/srfi-1.scm: 640:9 3 (for-each # ?) In scripts/compile.scm: 259:26 2 (_ _) In system/base/target.scm: 52:2 1 (with-target "x86_64--netbsd" #) In unknown file: 0 (scm-error misc-error #f "~A ~S" ("invalid target" "?") #) ERROR: In procedure scm-error: invalid target "x86_64--netbsd" gmake[3]: *** [Makefile:2318: modules/gnutls.go] Error 1 gmake[3]: Leaving directory '/usr/work/wip/gnutls-guile/work/gnutls-3.6.5/guile' gmake[2]: *** [Makefile:1806: all-recursive] Error 1 gmake[2]: Leaving directory '/usr/work/wip/gnutls-guile/work/gnutls-3.6.5/guile' gmake[1]: *** [Makefile:1539: all-recursive] Error 1 gmake[1]: Leaving directory '/usr/work/wip/gnutls-guile/work/gnutls-3.6.5' gmake: *** [Makefile:1466: all] Error 2 *** Error code 2 Stop. make[1]: stopped in /usr/pkgsrc/wip/gnutls-guile *** Error code 1 Stop. make: stopped in /usr/pkgsrc/wip/gnutls-guile From bpladna at yahoo.com Mon Feb 25 03:11:45 2019 From: bpladna at yahoo.com (Brett Pladna) Date: Mon, 25 Feb 2019 02:11:45 +0000 (UTC) Subject: [gnutls-help] Sending events tls rsyslog from new gnutls version to old gnutls version In-Reply-To: References: Message-ID: <1806011769.4566246.1551060705448@mail.yahoo.com> Does anyone know if there is a setting in rsyslog for gnutls which uses the current version of gnutls to set some backwards compatibility for sending events to a collector server using rsyslog version 5.8.10 which utilizes gnutls?2.12.23? Sent from Yahoo Mail for iPhone -------------- next part -------------- An HTML attachment was scrubbed... URL: