Simon Josefsson | 5 Mar 2007 08:37

GnuTLS and Google Summer of Code 2007

Hi!  GnuTLS will try to participate in the Google Summer of Code, see:

http://www.gnu.org/software/soc-projects/guidelines.html
http://code.google.com/soc/

Right now we are collecting ideas for projects, the ideas from 2006
are <http://www.gnu.org/software/soc-projects/ideas-2006.html#gnutls>:

   1. Datagram TLS support. RFC 4347 describes a UDP version of TLS.

   2. Support for the elliptic curves ciphersuites as an alternative
      authentication method.

      comment: I think I saw some patches for libgcrypt about this
      quite recently, which could be a basis for this work.

   3. Redesign and rewrite libtasn1 (asn.1 parser library). The new
      implementation must be efficient and easy to extend with new
      types and encoding rules (say BER and DER).

   4. Write a crypto backend to perform (symmetric and asymmetric
      de/encryption, hash and MAC, key generation, random number
      generation). It should be able to utilize libgcrypt and other
      free libraries, such as libtomcrypt, and should be extendable
      for hardware drivers.

I can immediately add some ideas:

   5. Work on integrating support for some of the newer TLS
      extensions, which can include better TLS 1.2 support.

Simon Josefsson | 5 Mar 2007 13:41

Re: SMTP TLS & Thunderbird

David Given <dg <at> cowlark.com> writes:

> Simon Josefsson wrote:
> [...]
>> Many programs refuse to work if the server doesn't have a X.509
>> certificate, so yes, I'm afraid you'll have to add that to your
>> server, or modify a lot of clients.
>
> It's all working now, thanks. Although I will admit that setting all the code
> up was not pretty --- the documentation's very hazy on what the various
> functions return if something goes wrong (such as not being able to read the
> keyfiles), and I've found that in order to make it fall back on anonymous
> authentication if the keys don't work I have to call gnutls_kx_set_priority(),
> which surprises me as the documentation swears blind that it's ignored on servers.

It is clear that both code and documentation are sub-optimal here.
Below is how I will proceed to attempt to improve things.

* Encourage more applications to just use
  gnutls_set_default_priority().

  One part of achieving that is to make all examples use it, and avoid
  any specific calls to gnutls_*_set_priority.  Such uses are not
  future-proof, and should really not be part of the examples, since
  it isn't good practice.  It is better if the library picks sane
  defaults.

* Fix gnutls_set_default_priority to have sane defaults.

  For example, right now it doesn't even include TLS 1.0!  However,

Simon Josefsson | 5 Mar 2007 16:20

gnutls-cli with compression against secure.cacert.org

I tried to talk with secure.cacert.org using my cacert
key/certificate, but it doesn't seem to work reliably unless I disable
compression.

The typical error is:

jas <at> mocca:~/src/gnutls/src$ ./gnutls-cli secure.cacert.org --x509keyfile
~/self/certs/cacert.key --x509certfile ~/self/certs/cacert.pem --x509cafile ~/self/certs/cacert-ca.pem
Processed 1 CA certificate(s).
Processed 1 client certificates...
Processed 1 client X.509 certificates...
Resolving 'secure.cacert.org'...
Connecting to '91.112.11.212:443'...
*** Fatal error: A TLS fatal alert has been received.
*** Received alert [20]: Bad record MAC
*** Handshake has failed
GNUTLS ERROR: A TLS fatal alert has been received.
jas <at> mocca:~/src/gnutls/src$

The workaround is of course to add '--comp null'.

If anyone has time to debug this, that would be useful.

/Simon

Simon Josefsson | 7 Mar 2007 12:07

Re: SMTP TLS & Thunderbird

Simon Josefsson <simon <at> josefsson.org> writes:

>   static const int cipher_priority[] = {
>     GNUTLS_CIPHER_AES_128_CBC,
>     GNUTLS_CIPHER_AES_256_CBC,
>     GNUTLS_CIPHER_3DES_CBC,
>     GNUTLS_CIPHER_ARCFOUR_128,
>     /* GNUTLS_CIPHER_ARCFOUR_40: Insecure, don't add! */
>     0
>   };

It was suggested to alter this into:

  static const int cipher_priority[] = {
    GNUTLS_CIPHER_AES_256_CBC,
    GNUTLS_CIPHER_AES_128_CBC,
    GNUTLS_CIPHER_3DES_CBC,
    GNUTLS_CIPHER_ARCFOUR_128,
    /* GNUTLS_CIPHER_ARCFOUR_40: Insecure, don't add! */
    0
  };

And this has been installed in CVS.

/Simon

Simon Josefsson | 7 Mar 2007 17:11

Libtasn1 0.3.9

First release from GIT instead of CVS...  released some days ago, but
I forgot to send this announcement.

Libtasn1 is a standalone library written in C for manipulating ASN.1
objects including DER/BER encoding and DER/BER decoding.  Libtasn1 is
used by GnuTLS to manipulate X.509 objects and by Shishi to handle
Kerberos V5 packets.

Version 0.3.9 (released 2007-03-02)
- In generated code, config.h is pulled in if HAVE_CONFIG_H.
- Development changes: changed from CVS to GIT as an experiment.
  I push my changes to <http://repo.or.cz/w/libtasn1.git>.
- Autoconf 2.61 and automake 1.10 are required.

Commercial support contracts for Libtasn1 are available, and they help
finance continued maintenance.  Simon Josefsson Datakonsult, a
Stockholm based privately held company, is currently funding Libtasn1
maintenance.  We are always looking for interesting development
projects.  See http://josefsson.org/ for more details.

If you need help to use Libtasn1, or want to help others, you are
invited to join our help-gnutls mailing list, see:
<http://lists.gnu.org/mailman/listinfo/help-gnutls>.

Homepage:
  http://josefsson.org/libtasn1/

Manual in many formats:
  http://josefsson.org/gnutls/manual/libtasn1/


devel | 12 Mar 2007 13:06

Error making certificate

Hello, I am trying to use certtool to make a certificate, like other
times.
But this time, with another version of gnutls and another arch, my script
does not work. Here is the problem:

> certtool -p > new-user.key

Works
> certtool -q --outfile new-user.csr --load-privkey new-user.key --password $PASS

Fails, response of the system after input parameters:

> set_dn: ASN1 parser: Element was not found.

Any suggestion?
-- 
Devel in Precio http://www.pas-world.com

Simon Josefsson | 12 Mar 2007 13:40

Re: Error making certificate

devel <dev001 <at> pas-world.com> writes:

> Hello, I am trying to use certtool to make a certificate, like other
> times.
> But this time, with another version of gnutls and another arch, my script
> does not work. Here is the problem:
>
>
>> certtool -p > new-user.key
>
> Works
>> certtool -q --outfile new-user.csr --load-privkey new-user.key --password $PASS
>
> Fails, response of the system after input parameters:
>
>> set_dn: ASN1 parser: Element was not found.
>
> Any suggestion?

Can you send me the CSR that triggers the problem?  Which version of
GnuTLS are you using, and which version of GnuTLS worked before for
you?

It sounds as if the CSR doesn't contain some field which certtool needs
to have.

/Simon

devel | 12 Mar 2007 16:22

Re: Error making certificate

certtool (GnuTLS) 1.6.1
linux x64

> certtool -q --outfile new-user.csr
Certificate request data input in a shell, certtool asks for it.

On Mon, 12-03-2007 at 13:40 +0100, Simon Josefsson wrote:
> devel <dev001 <at> pas-world.com> writes:
> 
> > Hello, I am trying to use certtool to make a certificate, like other
> > times.
> > But this time, with another version of gnutls and another arch, my script
> > does not work. Here is the problem:
> >
> >
> >> certtool -p > new-user.key
> >
> > Works
> >> certtool -q --outfile new-user.csr --load-privkey new-user.key --password $PASS
> >
> > Fails, response of the system after input parameters:
> >
> >> set_dn: ASN1 parser: Element was not found.
> >
> > Any suggestion?
> 
> Can you send me the CSR that triggers the problem?  Which version of
> GnuTLS are you using, and which version of GnuTLS worked before for
> you?
> 

Simon Josefsson | 12 Mar 2007 16:52

Re: Error making certificate

devel <dev001 <at> pas-world.com> writes:

> certtool (GnuTLS) 1.6.1
> linux x64
>
>
>> certtool -q --outfile new-user.csr
> Certificate request data input in a shell, certtool asks for it.

Thanks!  I can reproduce it.  It seems pkix_asn1_tab.c wasn't
re-generated after fixing the following problem in 1.6.1:

 ** Encode UID fields in DN's as DirectoryString.  Before GnuTLS
 encoded and parsed UID fields as IA5String.  This was incorrect, it
 should have used DirectoryString.  Now it will use DirectoryString
 for the UID field, but for backwards compatibility it will also
 accept IA5String UID's.  Reported by Max Kellermann
 <max <at> duempel.org>.

I have fixed this in CVS for the 1.6.x branch:

 ** Regenerate the PKIX ASN.1 syntax tree.  For some reason, after
 changing the ASN.1 type of ldap-UID in the last release, the
 generated C file built from the ASN.1 schema was not refreshed.  This
 can cause problems when reading/writing UID components inside X.500
 Distinguished Names.  Reported by devel <dev001 <at> pas-world.com>.

Please test tomorrow's daily build and tell me if it solves the
problem for you, and I can release 1.6.2.


Florian Weimer | 14 Mar 2007 11:03

gnutls_x509_crt_set_version documentation suggestion

It might be a good idea to add the following information to the
documentation for gnutls_x509_crt_set_version:

  To create well-formed certificates, you must specify version 3 if
  you use any certificate extensions.  Extensions are created by
  functions such as gnutls_x509_crt_set_subject_alternative_name or
  gnutls_x509_crt_set_key_usage.

(I don't know if GNUTLS supports the v2 extensions.)

GNUTLS doesn't check if a v1 certificate contains any extensions, but
other X.509 implementations do.  If you ever run into the "no more
data allowed for version 1 certificate" error message (or,
alternatively, "java.lang.Object cannot be cast to
gnu.java.security.OID"), you know where to look.

-- 
Florian Weimer                <fweimer <at> bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
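
The check that the message above says other X.509 implementations perform, as an added example (not part of the message and not GnuTLS code): a minimal DER walk that reports a certificate whose version does not permit the optional fields it carries. It goes slightly beyond the message by also flagging unique identifiers in v1; read_tlv, check_version, tlv and sample are hypothetical names, and the sample bytes are constructed skeletons, not real certificates.

```python
def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits count length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER body")
    return tag, buf[pos:pos + length], pos + length

def check_version(cert_der):
    """Return (version, problems) for a DER-encoded Certificate."""
    tag, cert, _ = read_tlv(cert_der, 0)
    tbs_tag, tbs, _ = read_tlv(cert, 0)
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a Certificate SEQUENCE")
    fields, pos = [], 0
    while pos < len(tbs):                   # top-level fields of TBSCertificate
        ftag, body, pos = read_tlv(tbs, pos)
        fields.append((ftag, body))
    version = 1                             # DEFAULT v1 when [0] is absent
    if fields and fields[0][0] == 0xA0:     # [0] EXPLICIT INTEGER: 0=v1, 1=v2, 2=v3
        vtag, vbody, _ = read_tlv(fields[0][1], 0)
        if vtag != 0x02:
            raise ValueError("version is not an INTEGER")
        version = int.from_bytes(vbody, "big") + 1
    tags = {t for t, _ in fields}
    problems = []
    if 0xA3 in tags and version != 3:       # [3] extensions require v3
        problems.append(f"extensions present in v{version} certificate")
    if tags & {0x81, 0x82} and version < 2: # [1]/[2] unique IDs require v2 or v3
        problems.append(f"unique identifiers present in v{version} certificate")
    return version, problems

# Constructed skeletons: empty SEQUENCEs stand in for algorithm, names, validity, key.
def tlv(tag, body=b""):
    return bytes([tag, len(body)]) + body   # short-form lengths only (< 128)
def sample(version_field, optional_fields):
    tbs = version_field + tlv(0x02, b"\x01") + tlv(0x30) * 5 + optional_fields
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30) + tlv(0x03, b"\x00"))

V3, EXT = tlv(0xA0, tlv(0x02, b"\x02")), tlv(0xA3, tlv(0x30))
BAD_V1 = sample(b"", EXT)      # no version field (v1) yet carries [3] extensions
GOOD_V3 = sample(V3, EXT)      # version 3 with extensions: well-formed in this respect
```

For a PEM file, base64-decode the body between the BEGIN and END lines before passing it to check_version.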
