headers
Simon Josefsson | 2 Jul 2008 18:22
Favicon
Gravatar

Re: adding trusted CAs

"Rainer Gerhards" <rgerhards <at> gmail.com> writes:

> Hi all,
>
> this is probably an exceptionally dumb question, but... ;)
>
> I would like to ship a number of trusted roots with the default
> rsyslog install - much like web browsers do. The idea is that I would
> like to be able to automatically verify certificates that have been
> obtained by one of those well-known CA.
>
> Question now: how do I do that? Do I simply add the certificate blocks
> into a single big .pem file? Or do I need to supply multiple files.

Yes, that is typically the simplest.  The
gnutls_certificate_set_x509_trust_file function will read multiple CAs
from a file.

> Also (the probably really dumb one ;)): how do I obtain these
> certificates? Ask the CAs? Or export them from the browser (I've not
> found this option in Firefox).
>
> Advise is appreciated.

Extracting them from a browser has been done:

http://curl.haxx.se/docs/caextract.html

I don't recommend shipping these CAs as "trusted" CAs without verifying
them though.  It is generally safest to ask users to install the CAs
(Continue reading)

Permalink | Reply | 0 comments |
headers
Lennart Koopmann | 3 Jul 2008 18:05
Gravatar

gnutls_priority_set_direct undefined

Hello everyone,

i am currently experimenting with the GNU TLS library. I started with
the TLS anonymous test client from the documentation. When i try to
compile (a slightly modified) version, i get an error message that tells
me that gnutls_priority_set_direct was not defined. (The original
message is in German and i am not sure about the translation)

When i comment out the gnutls_priority_set_direct line the program
compiles fine but i get an "GnuTLS internal error".

I am connecting to the gnutls-serv on localhost. The problem existed
before my modifications to the example.

Could anybody please help me with that problem?

GNU TLS 2.0.4 on Fedora Core 9

Thank you very much!

So long
Lennart Koopmann
Permalink | Reply | 1 comment |
headers
Nikos Mavrogiannopoulos | 3 Jul 2008 22:46

Re: gnutls_priority_set_direct undefined

Hello,
 Note that the manual in the website is for the latest version of
gnutls. Thus in order to use the examples there you should download
the latest available version. So either you need to upgrade or install
the -doc package of gnutls in your distribution and use the older
documentation.

regards,
Nikos

On Thu, Jul 3, 2008 at 7:05 PM, Lennart Koopmann <lennart <at> scopeport.org> wrote:
> Hello everyone,
>
> i am currently experimenting with the GNU TLS library. I started with
> the TLS anonymous test client from the documentation. When i try to
> compile (a slightly modified) version, i get an error message that tells
> me that gnutls_priority_set_direct was not defined. (The original
> message is in German and i am not sure about the translation)
>
> When i comment out the gnutls_priority_set_direct line the program
> compiles fine but i get an "GnuTLS internal error".
>
> I am connecting to the gnutls-serv on localhost. The problem existed
> before my modifications to the example.
> 
> Could anybody please help me with that problem?
> 
> GNU TLS 2.0.4 on Fedora Core 9
>
> Thank you very much!
(Continue reading)

Permalink | Reply | 0 comments |
headers
Lennart Koopmann | 5 Jul 2008 20:11
Gravatar

GNUTLS ERROR: A TLS fatal alert has been received.

Hello everyone,

i installed GNUTLS version 2.5.1 from hand because the one from the
Fedora repository is too old.
When i try to anonymous connect to a "gnutls-server --http" my client
returns:

*** Handshake failed
GNUTLS ERROR: A TLS fatal alert has been received.

The server says:

Error in handshake
Error: Could not negotiate a supported cipher suite.

Could you please help me with that? I don't really know how to proceed
now. I can upload the source code of my test program if you want. It's
mostly a copy & paste from the documentation. (7.3.1 Simple Client
Example with Anonymous Authentication)

[lennart <at> sundaysister Debug]$ ldd GNUTLSTest 
	[...]
	libgnutls.so.26 => /usr/lib/libgnutls.so.26 (0x00111000)
	[...]

Thank you all!

So long
Lennart
(Continue reading)

Permalink | Reply | 3 comments |
headers
Nikos Mavrogiannopoulos | 6 Jul 2008 10:50

Re: GNUTLS ERROR: A TLS fatal alert has been received.

Lennart Koopmann wrote:
> Hello everyone,
> 
> i installed GNUTLS version 2.5.1 from hand because the one from the
> Fedora repository is too old.
> When i try to anonymous connect to a "gnutls-server --http" my client
> returns:
> 
> *** Handshake failed
> GNUTLS ERROR: A TLS fatal alert has been received.
> 
> The server says:
> 
> Error in handshake
> Error: Could not negotiate a supported cipher suite.
> 
> Could you please help me with that? I don't really know how to proceed
> now. I can upload the source code of my test program if you want. It's
> mostly a copy & paste from the documentation. (7.3.1 Simple Client
> Example with Anonymous Authentication)

For debugging you can use the -d 4 (or higher) option to gnutls-serv and
see with details what was the reason of failure. On your own program you
can use gnutls_global_set_log_function and gnutls_global_set_log_level.

regards,
Nikos
Permalink | Reply | 2 comments |
headers
Nikos Mavrogiannopoulos | 6 Jul 2008 11:02

Re: GNUTLS ERROR: A TLS fatal alert has been received.

Nikos Mavrogiannopoulos wrote:
> Lennart Koopmann wrote:
>> Hello everyone,
>>
>> i installed GNUTLS version 2.5.1 from hand because the one from the
>> Fedora repository is too old.
>> When i try to anonymous connect to a "gnutls-server --http" my client
>> returns:
>>
>> *** Handshake failed
>> GNUTLS ERROR: A TLS fatal alert has been received.
>>
>> The server says:
>>
>> Error in handshake
>> Error: Could not negotiate a supported cipher suite.
>>
>> Could you please help me with that? I don't really know how to proceed
>> now. I can upload the source code of my test program if you want. It's
>> mostly a copy & paste from the documentation. (7.3.1 Simple Client
>> Example with Anonymous Authentication)
> 
> For debugging you can use the -d 4 (or higher) option to gnutls-serv and
> see with details what was the reason of failure. On your own program you
> can use gnutls_global_set_log_function and gnutls_global_set_log_level.

But probably what you need is to run gnutls-serv with the option
--priority "NORMAL:+ANON-DH". To see other possibilities use the
gnutls-serv -l.
(Continue reading)

Permalink | Reply | 1 comment |
headers
Lennart Koopmann | 6 Jul 2008 16:48
Gravatar

Re: GNUTLS ERROR: A TLS fatal alert has been received.

Thank you again, Nikos! :)

The --priority "NORMAL:+ANON-DH" allows a connection with my anonymous
test client!

* connection from ::ffff:127.0.0.1, port 43292
- Anonymous Diffie-Hellman parameters
 - Using prime: 1032 bits
 - Secret key: 1023 bits
 - Peer's public key: 1024 bits
- Version: TLS1.1
- Key Exchange: ANON-DH
- Cipher: CAMELLIA-256-CBC
- MAC: SHA1
- Compression: NULL

Best regards
Lennart

Am Sonntag, den 06.07.2008, 12:02 +0300 schrieb Nikos Mavrogiannopoulos:
> Nikos Mavrogiannopoulos wrote:
> > Lennart Koopmann wrote:
> >> Hello everyone,
> >>
> >> i installed GNUTLS version 2.5.1 from hand because the one from the
> >> Fedora repository is too old.
> >> When i try to anonymous connect to a "gnutls-server --http" my client
> >> returns:
> >>
> >> *** Handshake failed
(Continue reading)

Permalink | Reply | 0 comments |
headers
Lennart Koopmann | 9 Jul 2008 14:15
Gravatar

How to correctly set Diffie Hellman prime bits?

Hello again list,

i am continuing experimenting with GNUTLS. I have written a client and a
server that perform anonymous (ANON-DH) TLS negotiation.

I successfully connected to a gnutls-serv --http --priority "NORMAL:
+ANON-DH" instance.

When i tried to connect to my own server (which is mostly an example
from the documentation) i got the following error:

> GNUTLS ERROR: The Diffie Hellman prime sent by the server is not
> acceptable (not long enough).

So i manually set the Diffie Hellman prime bits in the server to 1024
and in the client to 1023 (gnutls_dh_set_prime_bits (session, DH_BITS))
- With no effect. Still the same error. I also tried to set the DH prime
bits in the server to 2048. The server needed longer to start up after
this change so i guess that took effect.

I then set the DH prime bits in the client to 0 and in the server to
1024. Now i can connect:

Output of server:
> [lennart <at> sundaysister Debug]$ ./GNUTLSTest-Server 
> Server ready. Listening to port '5556'.
>
> - Anonymous DH using prime of -50 bits
> - connection from 112.93.99.0, port 50879
> - Handshake was completed
(Continue reading)

Permalink | Reply | 752 comments |
headers
Ludovic Courtès | 9 Jul 2008 23:19
Picon

Re: How to correctly set Diffie Hellman prime bits?

Hi,

Lennart Koopmann <lennart <at> scopeport.org> writes:

> When i tried to connect to my own server (which is mostly an example
> from the documentation) i got the following error:
>
>> GNUTLS ERROR: The Diffie Hellman prime sent by the server is not
>> acceptable (not long enough).

The solution may be to apply this patch:

  http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=b32735e1e275c4a2dbf544c04cdf344181fea555

Thanks,
Ludovic.
Permalink | Reply | 1 comment |
headers
Lennart Koopmann | 10 Jul 2008 11:12
Gravatar

Re: Re: How to correctly set Diffie Hellman prime bits?

Hey Ludovic,

thank you very much! Seems like this was fixed in GnuTLS 2.5.2? I
installed it and everything works fine with 1024 DH bits :)

Have a nice day!

Best regards
Lennart Koopmann

Am Mittwoch, den 09.07.2008, 23:19 +0200 schrieb Ludovic Courtès:
> Hi,
> 
> Lennart Koopmann <lennart <at> scopeport.org> writes:
> 
> > When i tried to connect to my own server (which is mostly an example
> > from the documentation) i got the following error:
> >
> >> GNUTLS ERROR: The Diffie Hellman prime sent by the server is not
> >> acceptable (not long enough).
> 
> The solution may be to apply this patch:
> 
>   http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=b32735e1e275c4a2dbf544c04cdf344181fea555
> 
> Thanks,
> Ludovic.
> 
> 
>
(Continue reading)

Permalink | Reply | 0 comments |

Gmane