Adda Rathbone | 8 Apr 2010 12:32

Bug: Use of srp with gnutlsxx

Hello,
if you compile version 2.8.5 or 2.8.6 and try to use
gnutls::srp_server_credentials or gnutls::srp_client_credentials
the compiler will complain about the constructor and
destructor of the srp class

Fix is described here: http://markmail.org/message/vu3da76lrlz6icvl

For people who don't follow links in an email:

diff -u a/lib/gnutlsxx.cpp b/lib/gnutlsxx.cpp 
--- a/lib/gnutlsxx.cpp  2010-04-08 12:22:37.000000000 +0200
+++ b/lib/gnutlsxx.cpp  2010-04-08 00:27:08.000000000 +0200
 <at>  <at>  -1,3 +1,7  <at>  <at> 
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif 
+
 #include <gnutls/gnutlsxx.h>

 namespace gnutls
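Review bot: the new `#include <config.h>` is placed before `<gnutls/gnutlsxx.h>`, which is the order that matters here: whatever config.h defines must be visible before gnutlsxx.h declares the srp credential classes, since the report is that the compiler rejects the srp class constructor and destructor when gnutlsxx.cpp is built without it. Keep the `HAVE_CONFIG_H` guard so a build without a generated config.h still compiles, and check that no other C++ source in lib/ includes gnutlsxx.h without the same guarded include.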

diff -u a/lib/libgnutlsxx.map b/lib/libgnutlsxx.map 
--- a/lib/libgnutlsxx.map       2010-04-08 12:22:28.000000000 +0200
+++ b/lib/libgnutlsxx.map       2010-04-08 00:29:18.000000000 +0200
 <at>  <at>  -24,7 +24,9  <at>  <at> 
 {
   global:
     extern "C++" {
-      gnutls*;
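Review bot: this hunk removes the catch-all `gnutls*;` export from the `extern "C++"` block and, going by the -24,7 +24,9 hunk header, replaces it with two added lines that are cut off in this message. Before applying it, confirm the replacement patterns still export every `gnutls::` symbol, in particular the srp_server_credentials and srp_client_credentials constructors and destructors the report is about, otherwise the link error stays despite the gnutlsxx.cpp change.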
(Continue reading)

gonzagueddr | 13 Apr 2010 19:18

nOOb Error : No certificates found!

Hi all, and first excuse me for being totally noob about gnutls.
For a week I've been trying to stream an mp3 over https using vlc, and I 
get the error "TLS handshake error: The peer did not send any certificate".
So after a week on the vlc forum, I think you're my only hope now (they 
say it's a gnutls bug, but I can't believe that).
Trying to understand how to test gnutls, I ran "gnutls-serv -p 22222 -d 
1 --x509certfile /path/servercert.pem --x509keyfile /path/serverkey.pem 
--x509cafile /path/cacert.pem" and then on another box "gnutls-cli -d 1 
-p 22222 --x509certfile /path/servercert.pem --x509cafile 
/path/cacert.pem domain.org" and get from the client:

Processed 1 CA certificate(s).
Resolving 'domain.org'...
Connecting to 'xxx.xxx.xxx.xxx:22222'...
- Successfully sent 0 certificate(s) to server.
- Certificate type: X.509
 - Got a certificate list of 1 certificates.

 - Certificate[0] info:
 # The hostname in the certificate matches 'domain.org'.
 # valid since: Wed Apr  7 18:39:46 CEST 2010
 # expires at: Thu Apr  7 18:39:46 CEST 2011
 # fingerprint: 37:12:84:F2:E2:0C:A6:DC:4C:93:B1:18:57:8E:8A:0C
 # Subject's DN: O=domain.org,CN=domain.org
 # Issuer's DN: CN=domain.org

- Peer's certificate is trusted
- Version: TLS1.1
- Key Exchange: RSA
- Cipher: AES-128-CBC
(Continue reading)

Nikos Mavrogiannopoulos | 13 Apr 2010 19:57

Re: Bug: Use of srp with gnutlsxx

Adda Rathbone wrote:
> Hello,
> if you compile version 2.8.5 or 2.8.6 and try to use
> gnutls::srp_server_credentials or gnutls::srp_client_credentials
> the compiler will complain about the constructor and
> destructor of the srp class
> 
> Fix is descriped here: http://markmail.org/message/vu3da76lrlz6icvl
> 
> For people who don't follow links in an email:

Hi,
 Thanks. I see that a similar patch is applied on 2.9.x. Does 2.9.x
work for you?

regards,
Nikos
Nikos Mavrogiannopoulos | 13 Apr 2010 20:03

Re: nOOb Error : No certificates found!

gonzagueddr wrote:

> Hi all, and first excuse me for being totally noob about gnutls.
> For a week I've been trying to stream an mp3 over https using vlc, and I
> get the error "TLS handshake error: The peer did not send any certificate".
> So after a week on the vlc forum, I think you're my only hope now (they
> say it's a gnutls bug, but I can't believe that).

Please be more precise. What is your scenario, who is the tls server and
who is the client.

[...]
> * connection from xx.xx.xx.xxx, port 50091
> - Given server name[1]: domain.org
> - Certificate type: X.509
> No certificates found!
> - Could not verify certificate (err: The peer did not send any
> certificate.)
> - Version: TLS1.1
> - Key Exchange: RSA
> - Cipher: AES-128-CBC
> - MAC: SHA1
> - Compression: NULL
> 
> I can not find help about this on the web, I mean something that I can
> understand ...
> If someone knows what I can do about this, it would be very appreciated.

The peer did not send any certificate is normal. A TLS client is not
obliged to send a certificate and in your case didn't. That's why
(Continue reading)

gonzagueddr | 14 Apr 2010 09:15

Re: nOOb Error : No certificates found!

Hi, the server (gnutls 2.8.6) is running on a debian sid distribution 
(domain.org), in my home, and the client (2.4.2) is on a debian lenny 
in my office; both commands were run over ssh. I also tried to run serv 
and cli on the same machine, with the same result ...
I used certtool to make the .pem files:

certtool --generate-privkey > cakey.pem
certtool --generate-self-signed --load-privkey cakey.pem --template 
ca.info --outfile cacert.pem
certtool --generate-privkey > serverkey.pem
certtool --generate-certificate --load-privkey serverkey.pem 
--load-ca-certificate cacert.pem --load-ca-privkey cakey.pem --template 
server.info --outfile servercert.pem

Here is my ca.info:

cn = domain.org
ca
cert_signing_key

and the server.info:

organization = domain.org
cn = domain.org
tls_www_server
encryption_key
signing_key

Looking at the log with the "-d 9" option, I notice a packet length 
problem, but don't know what it means.
(Continue reading)

gonzagueddr | 14 Apr 2010 11:51

Re: nOOb Error : No certificates found!

I've tried "gnutls-cli -d 1 -p 22222 --x509certfile /path/servercert.pem 
--x509cafile /path/cacert.pem --x509keyfile /path/serverkey.pem domain.org "

and the client returns :

*** Fatal error: Key usage violation in certificate has been detected.
*** Handshake has failed
GNUTLS ERROR: Key usage violation in certificate has been detected.

I've also tried with clientcert.pem and clientkey.pem, according to an 
example I found on the web ( http://libvirt.org/remote.html ), because I 
understood that the cert and key can/must be different on the server and 
client, but I get the same error.

Regards
Gonzague

Nikos Mavrogiannopoulos wrote:
> On Tue, Apr 13, 2010 at 7:18 PM, gonzagueddr <gonzagueddr <at> yahoo.fr> wrote:
>
>   
>> "gnutls-cli -d 1 -p
>> 22222 --x509certfile /path/servercert.pem --x509cafile /path/cacert.pem
>>     
>
> The issue is here. You must also specify the --x509keyfile parameter.
> Otherwise the x509certfile parameter is being ignored.
>
> regards,
(Continue reading)

lfinsto | 14 Apr 2010 12:17

Re: nOOb Error : No certificates found!

Is your private key encrypted?  This may be the problem.  At any rate, it
was a problem I ran into when I was trying to get my server-client pair
working.  I don't recall all of the details I learned at the time, so I
apologize if this suggestion is wrong or of no use.

However, if this is the problem, you'll have to generate an unencrypted
key. This is how I generated an unencrypted key from a p12 file using
openssl.  I'd have to look up whether it's possible to do it with a
command from the GNUTLS package and if so, how:

openssl pkcs12 -nodes -nocerts -in usercred.p12 -out userkey.pem

I would expect that it would be possible to generate an unencrypted key
from an encrypted one.

Laurence Finston

On Wed, April 14, 2010 11:51 am, gonzagueddr wrote:
> I've tried "gnutls-cli -d 1 -p 22222 --x509certfile /path/servercert.pem
--x509cafile /path/cacert.pem --x509keyfile /path/serverkey.pem
domain.org
> "
>
> and the client returns :
>
> *** Fatal error: Key usage violation in certificate has been detected.
*** Handshake has failed
> GNUTLS ERROR: Key usage violation in certificate has been detected.
>
> I've also tried with clientcert.pem and clientkey.pem, acording to an
(Continue reading)

Nikos Mavrogiannopoulos | 14 Apr 2010 12:22

Re: nOOb Error : No certificates found!

On Wed, Apr 14, 2010 at 11:51 AM, gonzagueddr <gonzagueddr <at> yahoo.fr> wrote:
> I've tried "gnutls-cli -d 1 -p 22222 --x509certfile /path/servercert.pem
> --x509cafile /path/cacert.pem --x509keyfile /path/serverkey.pem domain.org "
>
> and the client returns :
>
> *** Fatal error: Key usage violation in certificate has been detected.
> *** Handshake has failed
> GNUTLS ERROR: Key usage violation in certificate has been detected.

In the creation of the server keys you specifically asked for a tls www
server, thus it is normal for gnutls to detect a violation. However I
believe something is missing here. What do you actually want to do? (not
what you did, but what you want to do). If you simply want to stream an
mp3 over https you don't really need a client certificate. Given that,
what is the actual error you see?

regards,
Nikos
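Two pre-flight checks follow from this thread: Nikos' point that a certificate generated from a certtool template saying `tls_www_server` is refused when the client presents it, and Laurence's question about whether the private key is encrypted. The block below is an added example, not code from GnuTLS or from anyone in the thread. It parses the DER value of an X.509 Extended Key Usage extension by hand (so it needs no third-party module), maps certtool's `tls_www_server` / `tls_www_client` template keywords to the id-kp-serverAuth / id-kp-clientAuth OIDs they put into that extension, and inspects a PEM file for the two markers of an encrypted key. The sample EKU values and PEM fragments are constructed for the example; the helper names (`eku_oids`, `usable_as`, `pem_key_is_encrypted`) are my own, and the role check models the behaviour Nikos describes rather than GnuTLS' own code.

```python
"""Pre-flight checks on the credentials handed to gnutls-cli / gnutls-serv.

1. Extended Key Usage: a certificate made from a certtool template with
   `tls_www_server` carries id-kp-serverAuth only, so presenting it as a
   *client* certificate is a key usage violation.
2. Encrypted PEM key: a passphrase prompt is not what a streaming server wants.

Added example; helper names and sample inputs are constructed, not from the thread.
"""

# OIDs behind certtool's template keywords (RFC 5280 id-kp values).
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # certtool: tls_www_server
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # certtool: tls_www_client
ROLE_TO_EKU = {"server": ID_KP_SERVER_AUTH, "client": ID_KP_CLIENT_AUTH}


def _read_tlv(der: bytes, pos: int):
    """Decode one DER TLV at der[pos:]; return (tag, value, next_pos)."""
    tag = der[pos]
    length = der[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(der[pos:pos + n], "big")
        pos += n
    return tag, der[pos:pos + length], pos + length


def _decode_oid(value: bytes) -> str:
    """Turn the content octets of an OBJECT IDENTIFIER into dotted form."""
    first = value[0]
    arcs = [first // 40, first % 40]
    acc = 0
    for b in value[1:]:                    # base-128, high bit set on all but the last byte
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def eku_oids(ext_value: bytes) -> list:
    """Parse an ExtendedKeyUsage value: SEQUENCE OF KeyPurposeId (OID)."""
    tag, body, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("EKU value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, content, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside EKU")
        oids.append(_decode_oid(content))
    return oids


def usable_as(ext_value: bytes, role: str) -> bool:
    """True if the certificate may be presented in `role` ('client' or 'server').
    Models the refusal Nikos describes: no matching purpose, no handshake."""
    return ROLE_TO_EKU[role] in eku_oids(ext_value)


def pem_key_is_encrypted(pem_text: str) -> bool:
    """Detect the two PEM encodings of an encrypted private key:
    PKCS#8 'ENCRYPTED PRIVATE KEY' and the legacy 'Proc-Type: 4,ENCRYPTED' header."""
    return ("-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem_text
            or "Proc-Type: 4,ENCRYPTED" in pem_text)


# --- constructed sample inputs (not taken from the thread) --------------------
# EKU of a cert made from a server.info with only tls_www_server:
#   SEQUENCE { OID 1.3.6.1.5.5.7.3.1 }
SERVER_ONLY_EKU = bytes.fromhex("300a06082b06010505070301")
# EKU of a cert whose template also said tls_www_client:
#   SEQUENCE { OID 1.3.6.1.5.5.7.3.1, OID 1.3.6.1.5.5.7.3.2 }
SERVER_AND_CLIENT_EKU = bytes.fromhex("301406082b0601050507030106082b06010505070302")
ENCRYPTED_PEM = ("-----BEGIN RSA PRIVATE KEY-----\n"
                 "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,0123\n")
PLAIN_PEM = "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    print("server-only EKU presented by a client:", usable_as(SERVER_ONLY_EKU, "client"))
    print("server+client EKU presented by a client:", usable_as(SERVER_AND_CLIENT_EKU, "client"))
    print("encrypted key:", pem_key_is_encrypted(ENCRYPTED_PEM))
```

To use this on a real certificate, feed `usable_as` the raw EKU extension value from a full X.509 parser (this example deliberately stops at the extension itself; `certtool -i` shows the same purposes in text form). A client that must authenticate therefore needs its own certificate from a template containing `tls_www_client`, and the server keeps one from `tls_www_server`. If `pem_key_is_encrypted` reports True, `openssl rsa -in key.pem -out key-plain.pem` writes the unencrypted form, after which the file should be readable only by the account running the server, since the passphrase was the only thing protecting it on disk.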
Nikos Mavrogiannopoulos | 14 Apr 2010 09:28

Re: nOOb Error : No certificates found!

On Tue, Apr 13, 2010 at 7:18 PM, gonzagueddr <gonzagueddr <at> yahoo.fr> wrote:

> "gnutls-cli -d 1 -p
> 22222 --x509certfile /path/servercert.pem --x509cafile /path/cacert.pem

The issue is here. You must also specify the --x509keyfile parameter.
Otherwise the x509certfile parameter is being ignored.

regards,
Nikos
gonzagueddr | 14 Apr 2010 14:05

Re: nOOb Error : No certificates found!


> In the creation of the server keys you specifically asked for a tls
> www server, thus it is normal for gnutls to detect a violation. 
Yes, but I also tried "gnutls-serv --http", so it's supposed to act as an 
http server, isn't it? And using a web browser to get 
https://domain.org:22222/ returns the same error from the server ("No 
certificates found!")

> What do you actually want to do? (not what you did, but what you
> want to do).
> If you simply want to stream an mp3 over https you don't really need a
> client certificate.
> Given that, what is the actual error you see?
>   
That's it: stream an mp3 over https using vlc, so the vlc server's 
command is "vlc --sout-http-cert="/path/servercert.pem" 
--sout-http-key="/path/serverkey.pem" --sout-http-ca="/path/cacert.pem 
--sout '#standard{access=https,mux=ts,dst=192.168.1.15:22222/test.mp3}' 
my.mp3" (the vlc server must be run with the ca, cert and key files, or it 
returns a fatal error (cannot set certificate chain or private key)).
And when I open the stream, the vlc server returns "TLS handshake error: 
The peer did not send any certificate", while the client returns "TLS 
handshake error: Error in the push function".
I was told on the vlc forum that the CA file must be present on 
the client's machine, so I copied cacert.pem to 
ca-certificates.crt (if this file is not present, the client returns a 
warning (can not add credential x509)), and then the same TLS 
handshake error.

If I run the vlc server without the "--sout-http-ca", the client returns:
(Continue reading)


Gmane