gmane.network.gnutls.general

Re: Which CA Management Software Are Based On Last Stable GnuTLS

Daniel Kahn Gillmor — 2013-05-23T22:58:29


i'm not aware of any that have been built explicitly against gnutls 3.2.0.


If you like the basic interface of gnomint already but want to see these
features added to it, it sounds to me like patching gnomint would be the
right direction to take.  I imagine the original authors of gnomint
would welcome patches!

I am personally interested in seeing a dual-stack CA management tool,
one which produces concurrent X.509 and OpenPGP certificates using the
same key material, but i don't have time to work on it right now :(

--dkg

_______________________________________________
Gnutls-help mailing list
Gnutls-help< at >lists.gnutls.org
http://lists.gnupg.org/mailman/listinfo/gnutls-help

Which CA Management Software Are Based On Last StableGnuTLS

Bry8 Star — 2013-05-22T00:06:14

Hi,

Which CA Management software are based on last stable release of
GnuTLS ?

gnoMint was last released on Aug, 2010.
http://gnomint.sf.net/

Its missing many many newer features which exist today.

Want to create+use+support : newer algorithms, ciphers, etc based
certs, OCSP, DANE (DNSSEC) authentication, more bits, etc.

Last stable GnuTLS supports DANE (DNSSEC) protocols.

And want to know,
which CA Mgmt softwr can verify and indicate IF a Cert's/Key's
authenticity (and chain of Cert's authenticity) was
checked/done/passed more correctly OR not, ... (by obtaining
cert's/key's hash/checksum or full cert from domain-name's owner
approved/declared DNS records, like: TLSA, CERT, etc, using DANE
(DNSSEC) and other PKIX protocols/standards).

Thanks in advance,

gnutls 3.2.0

Nikos Mavrogiannopoulos — 2013-05-10T16:38:45

Hello,
 I've just released gnutls 3.2.0. This release significantly
improves the performance of gnutls in two ways. The new elliptic curve
implementation of nettle 2.7 is used which improves performance by a
factor of 2 (thanks to Niels Moeller), and on the ciphersuite level
the (currently) private ciphersuites with Salsa20 and UMAC-96 are
defined, giving a performance boost compared to any ARCFOUR or AES 
based ciphersuites. The new ciphersuites also provide a solution to the
recent attacks in TLS that compromise the security of CBC-based
ciphersuites and ARCFOUR. Note that since these are private --i.e.,
gnutls-specific-- ciphersuites they are not enabled by default.

In addition on this release all support for the so-called EXPORT
ciphersuites is dropped.


* Version 3.2.0 (released 2013-05-10)

** libgnutls: Use nettle's elliptic curve implementation.

** libgnutls: Added Salsa20 cipher

** libgnutls: Added UMAC-96 and UMAC-128

** libgnutls: Added ciphersuites involving Salsa20 and UMAC-96.
As they are

gnutls 3.1.11

Nikos Mavrogiannopoulos — 2013-05-10T09:45:42

Hello,
 I've just released gnutls 3.1.11. This release adds new features and
fixed bugs on the current stable branch. 

* Version 3.1.11 (released 2013-05-10)

** libgnutls: Added priority string VERS-DTLS-ALL.

** libgnutls: When in compatibility mode allow for a wrong version in
the RSA PMS.

** libgnutls: Corrected issues in DTLS heartbeat parsing. Reported by
Joke de Buhr.

** libgnutls: Heartbeat support is enabled by default.

** libgnutls: Added GNUTLS_PRIVKEY_SIGN_FLAG_TLS1_RSA which allows 
gnutls_privkey_sign_hash() to operate as with
gnutls_privkey_sign_raw_data(). This makes it consistent with
verification with GNUTLS_PUBKEY_VERIFY_FLAG_TLS1_RSA flag.

** libgnutls: Fixes in unknown DN string printing. Issues reported and
patches by Stef Walter.

** certtool: When generating certificates the default answer for
marking the key for signing and encryption is yes.

** API and ABI modifications:
gnutls_certificate_set_x509_key_mem2: Added
gnutls_certificate_set_x509_key_file2: Added
gnutls_sign_algori

Re: Connecting Apache with client certificates

Frédéric Dreier — 2013-05-02T21:38:11

Hi,

Actually you answer me the 12 feb already :-) and you were right: updating
gnutls solved this problem.

Best regards,

Frederic


2013/5/2 Nikos Mavrogiannopoulos <nmav< at >gnutls.org>

_______________________________________________
Gnutls-help mailing list
Gnutls-help< at >lists.gnutls.org
http://lists.gnupg.org/mailman/listinfo/gnutls-help

Re: can't find libnettle

Nikos Mavrogiannopoulos — 2013-05-02T19:30:23

You should check config.log for the actual error.

regards,
Nikos

Re: Signature scheme for RSA signatures usinggnutls_x509_crt_sign2

Nikos Mavrogiannopoulos — 2013-05-02T19:31:40

Hello,
 Only RSASSA-PKCS1-V1_5 is supported. Since this is the version used
in all TLS versions there isn't much of an incentive to change that.

regards,
Nikos

_______________________________________________
Gnutls-help mailing list
Gnutls-help< at >lists.gnutls.org
http://lists.gnupg.org/mailman/listinfo/gnutls-help

Re: about SSL VPN

Nikos Mavrogiannopoulos — 2013-05-02T19:29:39

The term SSL VPN is often used by marketing departments to describe
totally different technologies. The closest protocol to that term is
CISCO's SSL VPN and there is the openconnect client and server
implementations at:
http://www.infradead.org/ocserv/
http://www.infradead.org/openconnect/

regards,
Nikos

Re: Connecting Apache with client certificates

Nikos Mavrogiannopoulos — 2013-05-02T19:25:57

On Mon, Feb 11, 2013 at 5:44 PM, Frédéric Dreier
<frederic.dreier< at >gmail.com> wrote:

Hello,
 Sorry for the late reply, it seems several posts were held by the
mailing list and I missed them.


Not really. The issue looks like a bug in old gnutls versions. Should
you use a recent gnutls versions you wouldn't have the issue.

regards,
Nikos

_______________________________________________
Gnutls-help mailing list
Gnutls-help< at >lists.gnutls.org
http://lists.gnupg.org/mailman/listinfo/gnutls-help

Signature scheme for RSA signatures usinggnutls_x509_crt_sign2

René Korthaus — 2013-04-16T13:19:13

Hi,

I need to know which signature scheme for RSA signatures from PKCS#1
v2.1 is used when signing a certificate using gnutls_x509_crt_sign2.
Unfortunately, I couldn't find an answer through source code analysis.
From the Google Summer of Code page (http://gnutls.org/soc.html) it
seems that RSASSA-PSS is not yet supported and RSASSA-PKCS1-V1_5 is
currently used. Is this information still accurate?

Best regards,
René

can't find libnettle

Shahar Barak — 2013-04-11T17:24:38

Hi,

When I run ./configure I get the following error:
checking for libnettle... no
configure: error:
  ***
  *** Libnettle 2.5 was not found. Note that you must compile nettle with
gmp support.

Even though I have libnettle. It is in:
/usr/local/lib/libnettle.a

Please help. I'm a novice in these things.


Thanks,

Shahar
_______________________________________________
Gnutls-help mailing list
Gnutls-help< at >lists.gnutls.org
http://lists.gnupg.org/mailman/listinfo/gnutls-help

about SSL VPN

Austin — 2013-04-09T02:58:12

Hello,

 

I want to find library (SSL VPN) for my company.

Could any products support SSL VPN which the function like openVPN?

 

If support this function, please contact to me.

Thanks

 

Austin Chi 
R&D Engineer 
Advance Multimedia Internet Technology Inc. 
+886-6-5058026 Ext. 630 
Skype: austin.chi.amit.com.tw

 

_______________________________________________
Gnutls-help mailing list
Gnutls-help< at >lists.gnutls.org
http://lists.gnupg.org/mailman/listinfo/gnutls-help

Connecting Apache with client certificates

Frédéric Dreier — 2013-02-11T15:44:00

Hi,

I try since some hours deploy a webdav server using apache under ubuntu
12.4 using client certificates.

I already setup apache+webdav and I can access it through firefox using the
client certificate.

Now I want to use davfs2 which use gnutls but it exits with an gnutls error
(handshake failed, no details)

I tried with gnutls-cli and I also get an error (with more details), but I
am not able to understand it (or what is incorrect).

gnutls-cli -d 9 --x509cafile ca.crt --x509keyfile client.key --x509certfile
client.crt -p 443 myserver
Processed 1 CA certificate(s).
Processed 1 client certificates...
Processed 1 client X.509 certificates...
Resolving 'myserver'...
Connecting to '192.168.1.10:443'...
|<4>| REC[0x1495a80]: Allocating epoch #0
|<2>| ASSERT: gnutls_constate.c:695
|<4>| REC[0x1495a80]: Allocating epoch #1
|<3>| HSK[0x1495a80]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1
|<3>| HSK[0x1495a80]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA256
|<3>| HSK[0x1495a80]: Keeping ciphersuite: DHE_RSA_

Compiling example programs

Marcel Wijnen — 2013-01-17T13:28:43

Hi All,

Currently I'm looking at the different examples that are available on the
website.When I try to compile the example code several errors appear.

In 9.1.1 Simple client example with X.509 certificate support
(
https://www.gnu.org/software/gnutls/manual/html_node/Simple-client-example-with-X_002e509-certificate-support.html#Simple-client-example-with-X_002e509-certificate-support
 )

#include "example.h" causes the error : No such file or directory

In 9.1.3 Simple client example with anonymous authentication
(
https://www.gnu.org/software/gnutls/manual/html_node/Simple-client-example-with-anonymous-authentication.html#Simple-client-example-with-anonymous-authentication
 )

undefined reference to 'tcp_connect'
undefined reference to 'gnutls_handshake_set_timeout'
undefined reference to 'tcp_close'

I'm compiling with: *gcc <filename>.c -l gnutls*

I was wondering whether someone can point me in the right direction to move
forward.

Any help is greatly appreciated. Thanks in advance.

Best,
Marcel
____

Re: Support for via quadcore SHA512 hw acceleration

Nikos Mavrogiannopoulos — 2013-04-21T10:22:13

On Sat, Apr 20, 2013 at 10:23 PM, Daniel Kahn Gillmor
<dkg< at >fifthhorseman.net> wrote:

Unfortunately that is not the case, even though I'd prefer that :(
Nettle does not provide accelerated code for AES-NI and via padlock,
thus that is currently done in gnutls.

regards,
Nikos

Re: Support for via quadcore SHA512 hw acceleration

Nikos Mavrogiannopoulos — 2013-04-21T10:20:32

Hello Shaun,
 I am not aware of this kind of CPUs. Do they use similar instructions
and detection as in nano? If yes, the current detection mechanism is
in lib/accelerated/x86/aes-padlock.c in check_phe_sha512() function.
It could be that a different capability bit is now enabled.

regards,
Nikos

Re: Support for via quadcore SHA512 hw acceleration

Daniel Kahn Gillmor — 2013-04-20T19:23:21

I suggest following up on the nettle mailing list about this; gnutls
should be able to use whatever acceleration nettle can provide:

  Nettle Crypto Library <nettle-bugs< at >lists.lysator.liu.se>

hth,

--dkg

_______________________________________________
Gnutls-help mailing list
Gnutls-help< at >lists.gnutls.org
http://lists.gnupg.org/mailman/listinfo/gnutls-help

Support for via quadcore SHA512 hw acceleration

Shaun Murphy — 2013-04-20T17:48:16

The limited literature for the newer VIA QuadCore E-Series embedded platform says that it now supports "Secure Hash Algorithm: SHA-1, SHA-256, SHA-384, SHA-512" but I'm not seeing any acceleration for SHA512 in the kernel modules or gnutls. I would appreciate some pointers on what I need to do to access that SHA512 acceleration in gnutls.
Here's my setup:Via Artigo A1250 Ubuntu 12.04 x86_64Gnutls - built from git (built nettle from source, everything else installed from apt)Kernel modules: padlock_aes, padlock_sha
Here's my dmesg output for the loaded modules:[    2.345061] padlock_aes: Using VIA PadLock ACE for AES algorithm.[    2.364105] padlock_sha: Using VIA PadLock ACE for SHA1/SHA256 algorithms.
Benchmark Soft Ciphers:Checking SHA1 (16kb payload)...  Processed 464.73 MB in 5.00 secs: 92.95 MB/secChecking SHA256 (16kb payload)...  Processed 180.04 MB in 5.00 secs: 36.01 MB/secChecking SHA512 (16kb payload)...  Processed 267.39 MB in 5.00 secs: 53.48 MB/sec
Benchmark Ciphers:Checking SHA1 (16kb payload)

Re: gnutls_certificate_set_x509_trust_file and Cygwin

Alexander Ausserstorfer — 2013-04-20T06:03:51

Zitat von Alexander Ausserstorfer <bavariasound< at >chiemgau-net.de>:


Yesterday the staff kicked me out the computer room, and today the  
wireless network access here doesn't work, so sorry for the  
circumstances.

The first question is if I use the right certificates. The file  
ca-bundle.trust.crt at cygwin/usr/ssl/certs/ sais:

############################################################################

This is a bundle of X.509 certificates of public Certificate  
Authorities. It was generated from the Mozilla root CA list. These  
certificates are in the OpenSSL "TRUSTED CERTIFICATE" format and have  
trust bits accordingly.

Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt

[...]

############################################################################

Then I use the function

gnutls_certificate_set_x509_trust_file (cert_cred, CAFILE,  
GNUTLS_X509_FMT_PEM)

to add the list but the function returns zero. It is the first time I  
try GnuTLS. It seems to me that the function does nothing

gnutls_certificate_set_x509_trust_file and Cygwin

Alexander Ausserstorfer — 2013-04-19T08:10:08

Under Cygwin I set gnutls_certificate_set_x509_trust_file to

#define CAFILE "/usr/ssl/certs/ca-bundle.trust.crt"

gnutls_certificate_set_x509_trust_file (cert_cret, CAFILE,  
GNUTLS_X509_FMT_PEM);

ca-bundle.trust.crt was part of Cygwin. Now, the function  
gnutls_certificate_set_x509_trust_file returns 0 and all later  
verification of certificates fails. I suppose that the function should  
return another number as 0. Is that mind right?

A.

Corrupted data when reading from gnutls input buffer

2013-04-18T17:49:57

Hello,

I am developing a software using gnutls 3.1.0 and got a little problem,
which I hope somebody can help me get rid of.

On client side I am using a non-blocking socket and to check it for 
read readiness
I call "gnutls_record_check_pending" to see if there is data in the 
input buffer
remaining from the last read process. If not I call "select" on the 
socket to
see if data is available to be read by "gnutls_record_recv".

Every time when data is read from the internal input buffer of gnutls
I get corrupted data.

It seems to be sporadically that data is read into the input buffer of 
gnutls,
and varies in size.

Here some code:

bool Client::readable(uint32_t ms)
{
     // check for data to be read from the gnutls input buffer

     uint32_t r = gnutls_record_check_pending(m_session);

     if (r > 0) {

         return true;
     }

     // check for socket read readiness

     fd_set fds;
     FD_ZERO(&fds);
     FD_SET(m_socket, &fds);

     struct timeval tv;
     tv.tv_sec = 0;
     tv.tv_usec =