Lennart Koopmann | 9 Jul 14:11

How to correctly set Diffie Hellman prime bits?

Hello again list,

I am continuing experimenting with GNUTLS. I have written a client and a
server that perform anonymous (ANON-DH) TLS negotiation.

I successfully connected to a gnutls-serv --http --priority
"NORMAL:+ANON-DH" instance.

When I tried to connect to my own server (which is mostly an example
from the documentation) I got the following error:

> GNUTLS ERROR: The Diffie Hellman prime sent by the server is not
> acceptable (not long enough).

So I manually set the Diffie Hellman prime bits in the server to 1024
and in the client to 1023 (gnutls_dh_set_prime_bits (session, DH_BITS))
- with no effect. Still the same error. I also tried to set the DH prime
bits in the server to 2048. The server needed longer to start up after
this change so I guess that took effect.

I then set the DH prime bits in the client to 0 and in the server to
1024. Now I can connect:

Output of server:
> [lennart@sundaysister Debug]$ ./GNUTLSTest-Server
> Server ready. Listening to port '5556'.
>
> - Anonymous DH using prime of -50 bits
> - connection from 112.93.99.0, port 50879
> - Handshake was completed

Lennart Koopmann | 5 Jul 20:10

GNUTLS ERROR: A TLS fatal alert has been received.

Hello everyone,

I installed GNUTLS version 2.5.1 by hand because the one from the
Fedora repository is too old.
When I try to connect anonymously to a "gnutls-server --http" my client
returns:

*** Handshake failed
GNUTLS ERROR: A TLS fatal alert has been received.

The server says:

Error in handshake
Error: Could not negotiate a supported cipher suite.

Could you please help me with that? I don't really know how to proceed
now. I can upload the source code of my test program if you want. It's
mostly a copy & paste from the documentation. (7.3.1 Simple Client
Example with Anonymous Authentication)

[lennart@sundaysister Debug]$ ldd GNUTLSTest
	[...]
	libgnutls.so.26 => /usr/lib/libgnutls.so.26 (0x00111000)
	[...]

Thank you all!

So long
Lennart


Lennart Koopmann | 3 Jul 18:02

gnutls_priority_set_direct undefined

Hello everyone,

I am currently experimenting with the GNU TLS library. I started with
the TLS anonymous test client from the documentation. When I try to
compile (a slightly modified) version, I get an error message that tells
me that gnutls_priority_set_direct was not defined. (The original
message is in German and I am not sure about the translation)

When I comment out the gnutls_priority_set_direct line the program
compiles fine but I get a "GnuTLS internal error".

I am connecting to the gnutls-serv on localhost. The problem existed
before my modifications to the example.

Could anybody please help me with that problem?

GNU TLS 2.0.4 on Fedora Core 9

Thank you very much!

So long
Lennart Koopmann

Re: not permitted to talk to peer, certificate invalid: no specific reason:

> PS: as a side-note I wonder why certtool does not detect that the wrong
> private key was used - e.g. it could verify the signature after doing
> it. Or am I thinking wrong?

You are right, there should be a check. I'll add it to the todo list
in case someone is interested in implementing it.

regards,
Nikos

Richard Hartmann | 25 Jun 16:45

List of supported CipherSuite and CompressionMethod

Hi all,

I was wondering if there is a list of all CipherSuite[s] and
CompressionMethod[s] supported by GNUTLS. At this point,
I would prefer not to go through the code to get an answer, but
if you guys would point me at a file name, I would gladly take
that, as well :)

Additionally, I am wondering if the compression API will likely
change at some point as is the case with OpenSSL.

Thanks,
Richard

David Reiser | 24 Jun 04:20

problems building 2.4.0

I'm trying to build GnuTLS 2.4.0 on a Mac -- OS X 10.5.3, gcc 4.0.1,  
most dependencies supplied with fink packages.

I get:
  gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I.. -DLOCALEDIR=\"/sw/share/locale\" -I../lgl -I../lgl -I../includes -I../includes -I./x509 -I../libextra -I../lib/openpgp/ -I/sw/include -I./opencdk -I../lib/opencdk -I/sw/include -I/sw/include -I/sw/include -g -O2 -Wno-pointer-sign -c gnutls_openpgp.c  -fno-common -DPIC -o .libs/gnutls_openpgp.o
gnutls_openpgp.c: In function 'gnutls_openpgp_get_key':
gnutls_openpgp.c:219: error: 'cdk_keydb_search_t' undeclared (first use in this function)
gnutls_openpgp.c:219: error: (Each undeclared identifier is reported only once
gnutls_openpgp.c:219: error: for each function it appears in.)
gnutls_openpgp.c:219: error: syntax error before 'st'
gnutls_openpgp.c:242: error: 'st' undeclared (first use in this function)
gnutls_openpgp.c:242: warning: passing argument 2 of 'cdk_keydb_search_start' makes integer from pointer without a cast
gnutls_openpgp.c:242: error: incompatible type for argument 3 of 'cdk_keydb_search_start'
gnutls_openpgp.c:242: error: too many arguments to function 'cdk_keydb_search_start'
gnutls_openpgp.c:244: warning: passing argument 2 of 'cdk_keydb_search' from incompatible pointer type
gnutls_openpgp.c:244: error: too many arguments to function 'cdk_keydb_search'
gnutls_openpgp.c:246: warning: implicit declaration of function 'cdk_keydb_search_release'

Rainer Gerhards | 20 Jun 10:26

Re: Re: gnutls_certificate_verify_peers2() / GNUTLS_CERT_INVALID

I mangled the names (## in their places) because this is a cert I
received from a user:

[root@rgf9dev nick]# certtool -i < cert.pem
X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 485a73f4
	Issuer: C=US,O=###Host,OU=Online,L=##,ST=##,CN=######.com
	Validity:
		Not Before: Thu Jun 19 14:57:58 UTC 2008
		Not After: Wed Mar 16 14:58:01 UTC 2011
	Subject: C=US,O=######,OU=Online,L=######,ST=##,CN=######.com
	Subject Public Key Algorithm: RSA
		Modulus (bits 2048):

Rainer Gerhards | 20 Jun 08:15

gnutls_certificate_verify_peers2() / GNUTLS_CERT_INVALID

Hi,

I receive *just* GNUTLS_CERT_INVALID after calling
gnutls_certificate_verify_peers2(), no specific error state. Do you
have any idea what may cause this?

Thanks,
Rainer

Simon Josefsson | 19 Jun 11:16

GnuTLS 2.4.0

We are proud to announce a new stable GnuTLS release: Version 2.4.0.

GnuTLS is a modern C library that implements the standard network
security protocol Transport Layer Security (TLS), for use by network
applications.  GnuTLS is developed for GNU/Linux, but works on many
Unix-like systems and comes with a binary installer for Windows.

The core GnuTLS library is distributed under the terms of the GNU Lesser
General Public License version 2.1 (or later).  The "extra" GnuTLS
libraries -- which contain TLS/IA support, LZO compression -- and the
OpenSSL compatibility library self tests and command line tools are
distributed under the GNU General Public License version 3.0 (or later).
The manual is distributed under the GNU Free Documentation License
version 1.2 (or later).

The project page of the library is available at:
  http://www.gnutls.org/
  http://www.gnu.org/software/gnutls/
  http://josefsson.org/gnutls/

What's New
==========

Major end-user visible changes compared to the v2.2 branch:

* The OpenPGP sub-system has been improved and now supports subkeys.

* The PSK sub-system has been improved and now supports password
  derivation and PSK identity hints.


Simon Josefsson | 15 Jun 23:56

GnuTLS 2.3.15 - fourth and final (?) release candidate for 2.4.0

Version 2.3.15 will hopefully be the final release candidate for the
next stable release v2.4.0.  Please test v2.3.15 as if it were a stable
release!  I'm cc'ing help-gnutls as well, to reach wider audience.
Please report problems to gnutls-devel only.

See below for the v2.4.0 release notes, comments and suggestions are
welcome!

This weekend is Midsommar in Sweden, and I'm leaving town on Thursday,
thus expect the final 2.4.0 release on Thursday.

Here are the compressed sources:
  http://alpha.gnu.org/gnu/gnutls/gnutls-2.3.15.tar.bz2
  ftp://alpha.gnu.org/gnu/gnutls/gnutls-2.3.15.tar.bz2

Here are the Windows binaries:
  http://josefsson.org/gnutls4win/gnutls-2.3.15.exe
  http://josefsson.org/gnutls4win/gnutls-2.3.15.zip

Thanks to Enrico Tassi, we also have mingw32 *.deb's available:
  http://josefsson.org/gnutls4win/mingw32-gnutls_2.3.15-1_all.deb

What's New
==========

Major end-user visible changes compared to the v2.2 branch:

* The PSK sub-system has been improved and now supports password
  derivation and PSK identity hints.


Arkadiusz Miskiewicz | 15 Jun 15:11

multiple "gnutlses" in single binary

Hello,

Take a look at this example. 

There is one program (let it be the php interpreter) that is able to load external 
modules (so modules).

Now we have two external modules - curl and postgresql [1]. Assume both curl 
and postgresql use external libraries (libcurl and libpq) that internally 
also use gnutls.

Both these libraries initialize and deinitialize gnutls on their own. 
Separately they work fine.

Now if php loads them both at the same time then gnutls initialization happens 
twice (once called by curl module and second time by postgres module) and the 
same happens for deinitialization. In openssl for example double deinit 
causes segfault and is now allowed (a real problem with php + modules btw).

How do things look in gnutls? I assume init/deinit also can't be called multiple 
times safely, right?

What can be done in such example to correctly handle gnutls requirements for 
init/deinit? There is only one important thing - the only place where you can 
do anything is php itself, curl and postgresql module but not in libcurl and 
libpq libraries.

My guess is probably that nothing can be done without altering libcurl and 
libpq but even with modifications - does gnutls have api that would handle 
such situation in generic way? Some callbacks maybe...