<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel about="http://blog.gmane.org/gmane.network.gnutls.general">
    <title>gmane.network.gnutls.general</title>
    <link>http://blog.gmane.org/gmane.network.gnutls.general</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.gnutls.general/1383"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.gnutls.general/1381"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.gnutls.general/1374"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.gnutls.general/1363"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.gnutls.general/1356"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.gnutls.general/1355"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.gnutls.general/1354"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.gnutls.general/1337"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.gnutls.general/1333"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.gnutls.general/1330"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.gnutls.general/1326"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.gnutls.general/1322"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.gnutls.general/1319"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.gnutls.general/1314"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.gnutls.general/1313"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.gnutls.general/1312"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.gnutls.general/1308"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.gnutls.general/1304"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.gnutls.general/1302"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.gnutls.general/1295"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://comments.gmane.org/gmane.network.gnutls.general/1383">
    <title>gnutls fails to verify server certificate while openssl works</title>
    <link>http://comments.gmane.org/gmane.network.gnutls.general/1383</link>
    <description>Hello.

I found an issue where, while openssl works, gnutls-cli returns:

*** Verifying server certificate failed...

I've tried with gnutls 2.2.5 and 2.5.4.

Commands I've used to test and their outputs are in attachment.

I think this issue is a rather important problem as it requires manual
intervention during the first build of the Metasploit package in Gentoo:

Error validating server certificate for 'https://metasploit.com:443':
 - The certificate is not issued by a trusted authority. Use the
   fingerprint to validate the certificate manually!
Certificate information:
 - Hostname: metasploit.com
 - Valid: from Sun, 01 Apr 2007 22:02:24 GMT until Thu, 01 Apr 2010 22:02:24 GMT
 - Issuer: 07969287, http://certificates.godaddy.com/repository, GoDaddy.com, Inc., Scottsdale, Arizona, US
 - Fingerprint: 20:a7:2e:df:6d:53:10:6c:dc:2a:ca:33:fd:35:76:2c:0e:62:b1:4d
(R)eject, accept (t)emporarily or accept (p)ermanently?

Could you help me find the root issue? I have not attached the ValiCert Class
2 certificate as I think it's installed on most systems. But if you need
it, just ask me.

Thank you in advance.
</description>
    <dc:creator>Peter Volkov</dc:creator>
    <dc:date>2008-10-03T11:45:23</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.gnutls.general/1381">
    <title>compiling without gnutls-extra</title>
    <link>http://comments.gmane.org/gmane.network.gnutls.general/1381</link>
    <description/>
    <dc:creator>Vipul2 Aggarwal</dc:creator>
    <dc:date>2008-10-02T14:31:51</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.gnutls.general/1374">
    <title>gnutls with unix domain (local) sockets</title>
    <link>http://comments.gmane.org/gmane.network.gnutls.general/1374</link>
    <description/>
    <dc:creator>Arturo Martinez Rubio</dc:creator>
    <dc:date>2008-09-29T12:49:47</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.gnutls.general/1363">
    <title>Another one: A TLS packet with unexpected length was received.</title>
    <link>http://comments.gmane.org/gmane.network.gnutls.general/1363</link>
    <description>Hello everyone,

I am currently implementing a handshaking procedure. Everything works
fine when the client chooses not to use TLS. But when TLS is requested,
gnutls_handshake() fails.

The client reports the following error: GNUTLS ERROR: A TLS packet with
unexpected length was received.

The server reports no error, because gnutls_handshake() seems to wait
for something and just blocks.

Here is some debug data (loglevel 7).

--------------- Server ---------------
REC[93558b8]: Expected Packet[0] Handshake(22) with length: 1
REC[93558b8]: Received Packet[0] Handshake(22) with length: 64
ASSERT: gnutls_cipher.c:204
REC[93558b8]: Decrypted Packet[0] Handshake(22) with length: 64
HSK[93558b8]: CLIENT HELLO was received [64 bytes]
HSK[93558b8]: Client's version: 3.2
ASSERT: gnutls_db.c:238
EXT[93558b8]: Received extension 'CERT_TYPE/9'
EXT[93558b8]: Received extension 'CERT_TYPE/9'
ASSERT: ext_cert_type.c:106
ASSERT: ext_cert_type.c:106
ASSERT: ext_cert_type.c:123
HSK[93558b8]: Keeping ciphersuite: ANON_DH_ARCFOUR_MD5
HSK[93558b8]: Keeping ciphersuite: ANON_DH_3DES_EDE_CBC_SHA1
HSK[93558b8]: Keeping ciphersuite: ANON_DH_AES_128_CBC_SHA1
HSK[93558b8]: Keeping ciphersuite: ANON_DH_AES_256_CBC_SHA1
HSK[93558b8]: Keeping ciphersuite: ANON_DH_CAMELLIA_128_CBC_SHA
HSK[93558b8]: Keeping ciphersuite: ANON_DH_CAMELLIA_256_CBC_SHA1
HSK[93558b8]: Selected cipher suite: ANON_DH_AES_128_CBC_SHA1
HSK[93558b8]: Selected Compression Method: NULL
HSK[93558b8]: SessionID:
259495b9dd31479d1913bed547e77bfedde5f38a4f810a0c79d66b9bd9510f62
HSK[93558b8]: SERVER HELLO was send [74 bytes]
REC[93558b8]: Sending Packet[0] Handshake(22) with length: 74
ASSERT: gnutls_cipher.c:204
REC[93558b8]: Sent Packet[1] Handshake(22) with length: 79
--------------------------------------


--------------- Client ---------------
HSK[9bf1b58]: Keeping ciphersuite: ANON_DH_AES_128_CBC_SHA1
HSK[9bf1b58]: Keeping ciphersuite: ANON_DH_CAMELLIA_128_CBC_SHA1
HSK[9bf1b58]: Keeping ciphersuite: ANON_DH_AES_256_CBC_SHA1
HSK[9bf1b58]: Keeping ciphersuite: ANON_DH_CAMELLIA_256_CBC_SHA1
HSK[9bf1b58]: Keeping ciphersuite: ANON_DH_3DES_EDE_CBC_SHA1
HSK[9bf1b58]: Keeping ciphersuite: ANON_DH_ARCFOUR_MD5
EXT[9bf1b58]: Sending extension CERT_TYPE
HSK[9bf1b58]: CLIENT HELLO was send [64 bytes]
REC[9bf1b58]: Sending Packet[0] Handshake(22) with length: 64
ASSERT: gnutls_cipher.c:204
WRITE: Will write 69 bytes to 4.
WRITE: wrote 69 bytes to 4. Left 0 bytes. Total 69 bytes.
0000 - 16 03 02 00 40 01 00 00 3c 03 02 48 d2 00 41 bb 
0001 - 22 27 d1 ae 80 fd 96 1c e9 81 a2 bc c4 03 95 4b 
0002 - f9 10 2f 9a b7 c3 fe 5a e6 58 4a 00 00 0c 00 34 
0003 - 00 46 00 3a 00 89 00 1b 00 18 01 00 00 07 00 09 
0004 - 00 03 02 00 01 
REC[9bf1b58]: Sent Packet[1] Handshake(22) with length: 69
READ: Got 5 bytes from 4
READ: read 5 bytes from 4
0000 - 16 03 02 00 4a 
RB: Have 0 bytes into buffer. Adding 5 bytes.
RB: Requested 5 bytes
REC[9bf1b58]: Expected Packet[0] Handshake(22) with length: 1
REC[9bf1b58]: Received Packet[0] Handshake(22) with length: 74
READ: Got 74 bytes from 4
READ: read 74 bytes from 4
0000 - 02 00 00 46 03 02 48 d2 00 41 8e 8a 8d 30 de 33 
0001 - 5f 2b f8 3f 93 bf 0e e8 5f 1a 68 ed f0 d6 82 1c 
0002 - cd d7 d9 97 8b 64 20 25 94 95 b9 dd 31 47 9d 19 
0003 - 13 be d5 47 e7 7b fe dd e5 f3 8a 4f 81 0a 0c 79 
0004 - d6 6b 9b d9 51 0f 62 00 34 00 
RB: Have 5 bytes into buffer. Adding 74 bytes.
RB: Requested 79 bytes
ASSERT: gnutls_cipher.c:204
REC[9bf1b58]: Decrypted Packet[0] Handshake(22) with length: 74
HSK[9bf1b58]: SERVER HELLO was received [74 bytes]
HSK[9bf1b58]: Server's version: 3.2
HSK[9bf1b58]: SessionID length: 32
HSK[9bf1b58]: SessionID
259495b9dd31479d1913bed547e77bfedde5f38a4f810a0c79d66b9bd9510f62
HSK[9bf1b58]: Selected cipher suite: ANON_DH_AES_128_CBC_SHA1
ASSERT: gnutls_extensions.c:125
READ: Got 0 bytes from 4
READ: read 0 bytes from 4
0000 - 
ASSERT: gnutls_buffers.c:638
ASSERT: gnutls_record.c:909
ASSERT: gnutls_buffers.c:1150
ASSERT: gnutls_handshake.c:1043
ASSERT: gnutls_kx.c:410
ASSERT: gnutls_handshake.c:2364
--------------------------------------

As there seems to be a handshaking conversation and the client starts the
conversation, I don't know where to search for the error. Client and
server are both on the same machine, using the same GNUTLS library.

Can anybody help me?

Thank you!

So long
Lennart
</description>
    <dc:creator>Lennart Koopmann</dc:creator>
    <dc:date>2008-09-18T08:09:16</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.gnutls.general/1356">
    <title>GNUTLS in handshake procedure</title>
    <link>http://comments.gmane.org/gmane.network.gnutls.general/1356</link>
    <description>Hello everyone,

I am using GNUTLS in a server I am currently writing. I am planning
to implement a handshaking procedure:

1. Client requests TLS or non-TLS encryption.
2. Server responds if packets are accepted and if TLS is available.
3. Client sends data corresponding to reply from server.

Can I just place the gnutls_handshake() when TLS is available and the client
chose to use TLS? Could there be a sync problem because gnutls_handshake()
is not the first thing that is done in the socket
connection/conversation?

Please, I need your experience. :)

Thank you!

So long
Lennart
</description>
    <dc:creator>Lennart Koopmann</dc:creator>
    <dc:date>2008-09-14T12:06:55</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.gnutls.general/1355">
    <title>Debugging</title>
    <link>http://comments.gmane.org/gmane.network.gnutls.general/1355</link>
    <description/>
    <dc:creator>darkdemun</dc:creator>
    <dc:date>2008-09-14T02:54:34</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.gnutls.general/1354">
    <title>Multi-domain certificate request</title>
    <link>http://comments.gmane.org/gmane.network.gnutls.general/1354</link>
    <description>Hi,

I'd like to issue a certificate request for multiple domains / virtual
hosts, as described here:
http://wiki.cacert.org/wiki/VhostTaskForce#A1.Way.3ASubjectAltNameOnly

I didn't find how to do it using certtool. Is there something similar
to openssl's "subjectAltName"?

I found a reference to "dns_name" but it only accepts a single value.

Thanks,

</description>
    <dc:creator>Sylvain Beucler</dc:creator>
    <dc:date>2008-09-13T13:09:12</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.gnutls.general/1337">
    <title>Using LGPLv3+ license for libgnutls?</title>
    <link>http://comments.gmane.org/gmane.network.gnutls.general/1337</link>
    <description>RMS asked if there is a reason GnuTLS should remain LGPLv2.1+ instead
of using LGPLv3+.

The reasons I'm familiar with include lynx under GPLv2-only.  Gnucash
is also said to contain GPLv2-only code.

Are there other reasons not to use LGPLv3+?

I recall hearing about policies that mandate LGPLv2.1+ in some projects,
for example the core libraries in GNOME, but I cannot find any reference
to this out there.  Anyone?

/Simon
</description>
    <dc:creator>Simon Josefsson</dc:creator>
    <dc:date>2008-09-09T12:30:48</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.gnutls.general/1333">
    <title>GNUTLS ERROR: A TLS packet with unexpected length was received.</title>
    <link>http://comments.gmane.org/gmane.network.gnutls.general/1333</link>
    <description>|&lt;3&gt;| HSK[9b5be8]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1
|&lt;3&gt;| HSK[9b5be8]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1
|&lt;3&gt;| HSK[9b5be8]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1
|&lt;3&gt;| HSK[9b5be8]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1
|&lt;3&gt;| HSK[9b5be8]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1
|&lt;3&gt;| HSK[9b5be8]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1
|&lt;3&gt;| HSK[9b5be8]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA1
|&lt;3&gt;| HSK[9b5be8]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA1
|&lt;3&gt;| HSK[9b5be8]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA1
|&lt;3&gt;| HSK[9b5be8]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1
|&lt;3&gt;| HSK[9b5be8]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1
|&lt;3&gt;| HSK[9b5be8]: Keeping ciphersuite: DHE_PSK_SHA_AES_128_CBC_SHA1
|&lt;3&gt;| HSK[9b5be8]: Keeping ciphersuite: DHE_PSK_SHA_AES_256_CBC_SHA1
|&lt;3&gt;| HSK[9b5be8]: Keeping ciphersuite: DHE_PSK_SHA_3DES_EDE_CBC_SHA1
|&lt;3&gt;| HSK[9b5be8]: Keeping ciphersuite: DHE_PSK_SHA_ARCFOUR_SHA1
|&lt;3&gt;| HSK[9b5be8]: Removing ciphersuite: SRP_SHA_RSA_AES_128_CBC_SHA1
|&lt;3&gt;| HSK[9b5be8]: Removing ciphersuite: SRP_SHA_RSA_AES_256_CBC_SHA1
|&lt;3&gt;| HSK[9b5be8]: Removing ciphersuite: SRP_SHA_RSA_3DES_EDE_CBC_SHA1
|&lt;3&gt;| HSK[9b5be8]: Removing ciphersuite: SRP_SHA_DSS_AES_128_CBC_SHA1
|&lt;3&gt;| HSK[9b5be8]: Removing ciphersuite: SRP_SHA_DSS_AES_256_CBC_SHA1
|&lt;3&gt;| HSK[9b5be8]: Removing ciphersuite: SRP_SHA_DSS_3DES_EDE_CBC_SHA1
|&lt;3&gt;| HSK[9b5be8]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1
|&lt;3&gt;| HSK[9b5be8]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA1
|&lt;3&gt;| HSK[9b5be8]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1
|&lt;3&gt;| HSK[9b5be8]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA1
|&lt;3&gt;| HSK[9b5be8]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1
|&lt;3&gt;| HSK[9b5be8]: Keeping ciphersuite: RSA_ARCFOUR_SHA1
|&lt;3&gt;| HSK[9b5be8]: Keeping ciphersuite: RSA_ARCFOUR_MD5
|&lt;3&gt;| HSK[9b5be8]: Keeping ciphersuite: PSK_SHA_AES_128_CBC_SHA1
|&lt;3&gt;| HSK[9b5be8]: Keeping ciphersuite: PSK_SHA_AES_256_CBC_SHA1
|&lt;3&gt;| HSK[9b5be8]: Keeping ciphersuite: PSK_SHA_3DES_EDE_CBC_SHA1
|&lt;3&gt;| HSK[9b5be8]: Keeping ciphersuite: PSK_SHA_ARCFOUR_SHA1
|&lt;3&gt;| HSK[9b5be8]: Removing ciphersuite: SRP_SHA_AES_128_CBC_SHA1
|&lt;3&gt;| HSK[9b5be8]: Removing ciphersuite: SRP_SHA_AES_256_CBC_SHA1
|&lt;3&gt;| HSK[9b5be8]: Removing ciphersuite: SRP_SHA_3DES_EDE_CBC_SHA1
|&lt;2&gt;| EXT[9b5be8]: Sending extension CERT_TYPE
|&lt;2&gt;| EXT[9b5be8]: Sending extension SERVER_NAME
|&lt;3&gt;| HSK[9b5be8]: CLIENT HELLO was send [43775681070366843 bytes]
|&lt;6&gt;| BUF[HSK]: Peeked 0 bytes of Data
|&lt;6&gt;| BUF[HSK]: Emptied buffer
|&lt;4&gt;| REC[9b5be8]: Sending Packet[0] Handshake(22) with length: 123
|&lt;2&gt;| ASSERT: ../../../src/gnutls-2.4.1/lib/gnutls_cipher.c:205
|&lt;7&gt;| WRITE: Will write 128 bytes to 1916.
|&lt;7&gt;| WRITE: wrote 128 bytes to 1916. Left 0 bytes. Total 128 bytes.
|&lt;7&gt;| 0000 - 16 03 02 00 7b 01 00 00 77 03 02 48 b4 89 0f b9
|&lt;7&gt;| 0001 - 0d df c7 eb cc af b0 8e 9d 29 91 64 c1 ce 40 03
|&lt;7&gt;| 0002 - b9 21 91 44 11 f0 2d 19 5c 26 bc 00 00 34 00 33
|&lt;7&gt;| 0003 - 00 45 00 39 00 88 00 16 00 32 00 44 00 38 00 87
|&lt;7&gt;| 0004 - 00 13 00 66 00 90 00 91 00 8f 00 8e 00 2f 00 41
|&lt;7&gt;| 0005 - 00 35 00 84 00 0a 00 05 00 04 00 8c 00 8d 00 8b
|&lt;7&gt;| 0006 - 00 8a 01 00 00 1a 00 09 00 03 02 00 01 00 00 00
|&lt;7&gt;| 0007 - 0f 00 0d 00 00 0a 74 6c 73 65 72 76 2e 63 6f 6d
|&lt;7&gt;| 0008 -
|&lt;4&gt;| REC[9b5be8]: Sent Packet[1] Handshake(22) with length: 128
|&lt;7&gt;| READ: Got 5 bytes from 1916
|&lt;7&gt;| READ: read 5 bytes from 1916
|&lt;7&gt;| 0000 - 45 52 52 4f 52
|&lt;7&gt;| RB: Have 0 bytes into buffer. Adding 5 bytes.
|&lt;7&gt;| RB: Requested 5 bytes
|&lt;2&gt;| ASSERT: ../../../src/gnutls-2.4.1/lib/gnutls_record.c:506
|&lt;4&gt;| REC[9b5be8]: Expected Packet[0] Handshake(22) with length: 1
|&lt;4&gt;| REC[9b5be8]: Received Packet[0] Unknown Packet(69) with length: 20306
|&lt;4&gt;| REC[9b5be8]: FATAL ERROR: Received packet with length: 20306
|&lt;2&gt;| ASSERT: ../../../src/gnutls-2.4.1/lib/gnutls_record.c:959
|&lt;2&gt;| ASSERT: ../../../src/gnutls-2.4.1/lib/gnutls_buffers.c:1152
|&lt;2&gt;| ASSERT: ../../../src/gnutls-2.4.1/lib/gnutls_handshake.c:1032
|&lt;2&gt;| ASSERT: ../../../src/gnutls-2.4.1/lib/gnutls_handshake.c:2331
|&lt;6&gt;| BUF[HSK]: Cleared Data from buffer
*** Fatal error: A TLS packet with unexpected length was received.
*** Handshake has failed
GNUTLS ERROR: A TLS packet with unexpected length was received.
</description>
    <dc:creator>darkdemun</dc:creator>
    <dc:date>2008-08-26T23:01:21</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.gnutls.general/1330">
    <title>support for ssl3.0 connection</title>
    <link>http://comments.gmane.org/gmane.network.gnutls.general/1330</link>
    <description>Thanks for the feedback on the previous questions.

I am looking at the docs for selecting different protocols and different
ciphersuites. I would like my server connection to attempt ssl3.0 first.
I see the command gnutls_priority_init, but I am a little unsure how to 
tell it to attempt ssl3.0 first. What sort of string should I use for
the command?

const char *error_loc;   /* receives the position of a parse error, if any */

gnutls_priority_init(&amp;priority_cache, "NORMAL:SSL3.0", &amp;error_loc);


brian
</description>
    <dc:creator>Brian Lavender</dc:creator>
    <dc:date>2008-08-20T06:40:41</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.gnutls.general/1326">
    <title>Can you assign a gnutls_session_t from one variable to another?</title>
    <link>http://comments.gmane.org/gmane.network.gnutls.general/1326</link>
    <description>Dumb question. Can you assign a gnutls_session_t from one variable to
another?

Say I have the following. What is the implication?

gnutls_session_t a;
gnutls_session_t b;
int ret;

// create socket, accept sock_fd

a = initialize_tls_session ();
gnutls_transport_set_ptr (a, (gnutls_transport_ptr_t) sock_fd );

b = a;

ret = gnutls_record_recv(b, &amp;bufferIn.data[bufferIn.index], bufferIn.remaining);

gnutls_bye (b, GNUTLS_SHUT_WR);
gnutls_deinit (b);

brian
</description>
    <dc:creator>Brian Lavender</dc:creator>
    <dc:date>2008-08-16T03:26:21</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.gnutls.general/1322">
    <title>Export restrictions</title>
    <link>http://comments.gmane.org/gmane.network.gnutls.general/1322</link>
    <description>Hello all,

  Living in a country where export regulations make it so that nothing
can be shipped that's above 56 bits, I'd like to know if that path was
once taken by any gnutls user and if so, if there are any compile
recipes out there that would limit to DES (only DES, not 3DES!).

  Any comments/suggestions/hints appreciated.

Cheers.
</description>
    <dc:creator>lanas</dc:creator>
    <dc:date>2008-08-11T23:27:31</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.gnutls.general/1319">
    <title>Equivalent to fdopen?</title>
    <link>http://comments.gmane.org/gmane.network.gnutls.general/1319</link>
    <description>I am trying to take a simple socket program and convert it to use
gnutls. Is there an equivalent to fdopen so I can stream my secured
socket as an fstream?

int sock_fd;
FILE *sock_fpi;

sock_fd = accept( sock_id, (struct sockaddr *) &amp;sa_cli, &amp;client_len );

sock_fpi = fdopen( sock_fd, "r" );

But when I attempt to convert it to use gnutls, I run into the
following.

sock_fd = accept( sock_id, (struct sockaddr *) &amp;sa_cli, &amp;client_len );

session = initialize_tls_session ();

gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sock_fd );

ret = gnutls_handshake (session);

And, it appears that I can only read using the following command.

ret = gnutls_record_recv (session, buffer, MAX_BUF);

Any suggestions? Is there an fdopen equivalent, so I can still use
fgets and friends? Or do I have to write my own buffering routine?

brian


#include &lt;stdio.h&gt;
#include &lt;stdlib.h&gt;
#include &lt;ctype.h&gt;      /* isalnum */

#include &lt;unistd.h&gt;
#include &lt;sys/types.h&gt;
#include &lt;sys/socket.h&gt;
#include &lt;netinet/in.h&gt;
#include &lt;arpa/inet.h&gt;  /* inet_ntop */
#include &lt;netdb.h&gt;
#include &lt;time.h&gt;
#include &lt;string.h&gt;
#include &lt;strings.h&gt;    /* bzero */
#include &lt;gnutls/gnutls.h&gt;
#include &lt;gcrypt.h&gt; /* for gcry_control */

#define PORTNUM 15000
#define HOSTLEN 256
#define DH_BITS 2048
#define oops(msg) { perror(msg); exit(1); }

#define KEYFILE "key.pem"
#define CERTFILE "cert.pem"
#define CAFILE "ca.pem"
#define CRLFILE "crl.pem"

/* These are global */
gnutls_certificate_credentials_t x509_cred;
gnutls_priority_t priority_cache;

static void sanitize (char *str);

gnutls_session_t
initialize_tls_session (void)
{
  gnutls_session_t session;

  gnutls_init (&amp;session, GNUTLS_SERVER);

  gnutls_priority_set (session, priority_cache);

  gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, x509_cred);

  /* request client certificate if any.
   */
  gnutls_certificate_server_set_request (session, GNUTLS_CERT_REQUEST);

  /* Set maximum compatibility mode. This is only suggested on public webservers
   * that need to trade security for compatibility
   */
  gnutls_session_enable_compatibility_mode (session);

  return session;
}

static gnutls_dh_params_t dh_params;

static int
generate_dh_params (void)
{
  /* Generate Diffie Hellman parameters - for use with DHE
   * kx algorithms. When short bit length is used, it might
   * be wise to regenerate parameters.
   *
   * Check the ex-serv-export.c example for using static
   * parameters.
   */
  gnutls_dh_params_init (&amp;dh_params);
  gnutls_dh_params_generate2 (dh_params, DH_BITS);

  return 0;
}

int
main (int ac, char *av[])
{
  int ret;                      /* return value */
  struct sockaddr_in saddr;
  struct sockaddr_in sa_cli;
  socklen_t client_len;         /* accept() expects socklen_t, not int */
  struct hostent *hp;
  char hostname[HOSTLEN];
  int sock_id, sock_fd;
  FILE *sock_fpi, *sock_fpo;
  FILE *pipe_fp;
  char topbuf[512];
  char dirname[BUFSIZ];
  char command[BUFSIZ];
  int c;
  gnutls_session_t session;

  /* to disallow usage of the blocking /dev/random
   */
  /*gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0);*/

  /* this must be called once in the program
   */
  gnutls_global_init ();

  gnutls_certificate_allocate_credentials (&amp;x509_cred);
  gnutls_certificate_set_x509_trust_file (x509_cred, CAFILE,
                                          GNUTLS_X509_FMT_PEM);

  gnutls_certificate_set_x509_crl_file (x509_cred, CRLFILE,
                                        GNUTLS_X509_FMT_PEM);

  gnutls_certificate_set_x509_key_file (x509_cred, CERTFILE, KEYFILE,
                                        GNUTLS_X509_FMT_PEM);

  generate_dh_params ();

  gnutls_priority_init (&amp;priority_cache, "NORMAL", NULL);

  gnutls_certificate_set_dh_params (x509_cred, dh_params);

  /* step 1 */
  sock_id = socket (PF_INET, SOCK_STREAM, 0);
  if (sock_id == -1)
    oops ("socket");

  /* step 2 */
  bzero ((void *) &amp;saddr, sizeof (saddr));
  gethostname (hostname, HOSTLEN);
  hp = gethostbyname (hostname);

  //bcopy( (void *)hp-&gt;h_addr, (void *)&amp;saddr.sin_addr, hp-&gt;h_length);

  saddr.sin_addr.s_addr = INADDR_ANY;
  saddr.sin_port = htons (PORTNUM);
  saddr.sin_family = AF_INET;

  if (bind (sock_id, (struct sockaddr *) &amp;saddr, sizeof (saddr)) != 0)
    oops ("bind");

  /* step 3 */
  if (listen (sock_id, 1) != 0)
    oops ("listen");

  printf ("Server ready. Listening to port '%d'.\n\n", PORTNUM);

  /* main loop: accept, write, close */
  client_len = sizeof (sa_cli);

  while (1)
    {
      session = initialize_tls_session ();

      sock_fd = accept (sock_id, (struct sockaddr *) &amp;sa_cli, &amp;client_len);
      if (sock_fd == -1)
        oops ("accept");

      printf ("- connection from %s, port %d\n",
              inet_ntop (AF_INET, &amp;sa_cli.sin_addr, topbuf, sizeof (topbuf)),
              ntohs (sa_cli.sin_port));

      gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sock_fd);

      ret = gnutls_handshake (session);
      if (ret &lt; 0)
        {
          close (sock_fd);
          gnutls_deinit (session);
          fprintf (stderr, "*** Handshake has failed (%s)\n\n",
                   gnutls_strerror (ret));
          continue;
        }
      printf ("- Handshake was completed\n");

      /* STOP here. :) Now we have a tls_session that
         we read from. It's not
         a file descriptor anymore. Can't use fdopen on session :( */

      /* open reading direction as buffered stream */
      if ((sock_fpi = fdopen (sock_fd, "r")) == NULL)
        oops ("fdopen reading ");

      if (fgets (dirname, BUFSIZ - 5, sock_fpi) == NULL)
        oops ("reading dirname");
      sanitize (dirname);

      /* open writing direction as buffered stream */
      if ((sock_fpo = fdopen (sock_fd, "w")) == NULL)
        oops ("fdopen writing");

      snprintf (command, sizeof (command), "ls %s", dirname);

      if ((pipe_fp = popen (command, "r")) == NULL)
        oops ("popen");

      /* transfer data from ls to socket */
      while ((c = getc (pipe_fp)) != EOF)
        putc (c, sock_fpo);

      pclose (pipe_fp);
      fclose (sock_fpo);
      fclose (sock_fpi);
    }

  return 0;
}

/* keep only '/' and alphanumerics before the name reaches the shell */
static void
sanitize (char *str)
{
  char *src, *dest;

  for (src = dest = str; *src; src++)
    if (*src == '/' || isalnum ((unsigned char) *src))
      *dest++ = *src;

  *dest = '\0';
}

</description>
    <dc:creator>Brian Lavender</dc:creator>
    <dc:date>2008-08-03T21:11:52</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.gnutls.general/1314">
    <title>TLS and SCTP</title>
    <link>http://comments.gmane.org/gmane.network.gnutls.general/1314</link>
    <description>Hello,

I am trying to implement TLS over a SCTP association with multiple 
streams (the final goal is to make an open-source implementation of 
Diameter).

From RFC 3436, each pair of (bi-directional) streams is
an independent TLS session (separate handshake, and so on). The
remaining streams have no TLS protection, and will therefore not be used
in my implementation.

I understand how to specify my own transport-layer handlers in GNU TLS 
with the set_push_function and set_pull_function, but I think it is not 
sufficient support to handle the TLS over the multiple streams as 
expected. We can create a wrapper function to send data on a specific 
stream, but not to receive only from a given stream. The logic must be: 
we receive a message, we can retrieve its stream number, and then we 
know the TLS context (session) this message belongs to. I cannot see a 
way to achieve this with the API of gnutls.

Has someone run into this issue already and could give me some hints /
pointers? The only workaround I can see yet is to use only 1 stream in
my SCTP association, but this is not very satisfactory...

Thank you in advance!
Best regards,
Sebastien.
&lt;http://www.gnu.org/software/gnutls/manual/html_node/gnutls_005ftransport_005fset_005fpush_005ffunction.html#gnutls_005ftransport_005fset_005fpush_005ffunction&gt; 


</description>
    <dc:creator>Sebastien Decugis</dc:creator>
    <dc:date>2008-07-30T09:24:19</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.gnutls.general/1313">
    <title>X.509 certificates around JUST A PUBLIC key... can it be done?</title>
    <link>http://comments.gmane.org/gmane.network.gnutls.general/1313</link>
    <description/>
    <dc:creator>Zach C.</dc:creator>
    <dc:date>2008-07-29T20:25:41</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.gnutls.general/1312">
    <title>NSS info for the comparison table</title>
    <link>http://comments.gmane.org/gmane.network.gnutls.general/1312</link>
    <description>Hi

I pointed out your excellent SSL/TLS lib comparison table to the NSS guys the 
other day and they seem to have ideas about corrections/updates for it. Here's 
the thread on the NSS list:

 http://thread.gmane.org/gmane.comp.mozilla.crypto/9950

</description>
    <dc:creator>Daniel Stenberg</dc:creator>
    <dc:date>2008-07-25T21:21:50</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.gnutls.general/1308">
    <title>How to correctly set Diffie Hellman prime bits?</title>
    <link>http://comments.gmane.org/gmane.network.gnutls.general/1308</link>
    <description>Hello again list,

I am continuing to experiment with GNUTLS. I have written a client and a
server that perform anonymous (ANON-DH) TLS negotiation.

I successfully connected to a gnutls-serv --http --priority "NORMAL:+ANON-DH"
instance.

When I tried to connect to my own server (which is mostly an example
from the documentation) I got the following error:


So I manually set the Diffie Hellman prime bits in the server to 1024
and in the client to 1023 (gnutls_dh_set_prime_bits (session, DH_BITS))
- with no effect. Still the same error. I also tried to set the DH prime
bits in the server to 2048. The server needed longer to start up after
this change so I guess that took effect.

I then set the DH prime bits in the client to 0 and in the server to
1024. Now i can connect:

Output of server:

Output of client:


Notice the "Anonymous DH using prime of -50 bits". This is the output
of gnutls_dh_get_prime_bits(session). No change wherever I place the
output in the source code or what I set DH_BITS to.

I guess a DH prime of 8 bits will not provide strong encryption,
right? ;)

Could you please help me with that?

So long
Lennart
</description>
    <dc:creator>Lennart Koopmann</dc:creator>
    <dc:date>2008-07-09T12:15:36</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.gnutls.general/1304">
    <title>GNUTLS ERROR: A TLS fatal alert has been received.</title>
    <link>http://comments.gmane.org/gmane.network.gnutls.general/1304</link>
    <description>Hello everyone,

I installed GNUTLS version 2.5.1 by hand because the one from the
Fedora repository is too old.
When I try to connect anonymously to a "gnutls-server --http" my client
returns:

*** Handshake failed
GNUTLS ERROR: A TLS fatal alert has been received.

The server says:

Error in handshake
Error: Could not negotiate a supported cipher suite.

Could you please help me with that? I don't really know how to proceed
now. I can upload the source code of my test program if you want. It's
mostly a copy &amp; paste from the documentation. (7.3.1 Simple Client
Example with Anonymous Authentication)

[lennart&lt; at &gt;sundaysister Debug]$ ldd GNUTLSTest 
[...]
libgnutls.so.26 =&gt; /usr/lib/libgnutls.so.26 (0x00111000)
[...]

Thank you all!

So long
Lennart

--
FSF Member #5673
</description>
    <dc:creator>Lennart Koopmann</dc:creator>
    <dc:date>2008-07-05T18:11:05</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.gnutls.general/1302">
    <title>gnutls_priority_set_direct undefined</title>
    <link>http://comments.gmane.org/gmane.network.gnutls.general/1302</link>
    <description>Hello everyone,

I am currently experimenting with the GNU TLS library. I started with
the TLS anonymous test client from the documentation. When I try to
compile a (slightly modified) version, I get an error message that tells
me that gnutls_priority_set_direct was not defined. (The original
message is in German and I am not sure about the translation.)

When I comment out the gnutls_priority_set_direct line the program
compiles fine but I get a "GnuTLS internal error".

I am connecting to the gnutls-serv on localhost. The problem existed
before my modifications to the example.
Could anybody please help me with that problem?
GNU TLS 2.0.4 on Fedora Core 9

Thank you very much!

So long
Lennart Koopmann
</description>
    <dc:creator>Lennart Koopmann</dc:creator>
    <dc:date>2008-07-03T16:05:10</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.gnutls.general/1295">
    <title>List of supported CipherSuite and CompressionMethod</title>
    <link>http://comments.gmane.org/gmane.network.gnutls.general/1295</link>
    <description>Hi all,

I was wondering if there is a list of all CipherSuite[s] and
CompressionMethod[s] supported by GNUTLS. At this point,
I would prefer not to go through the code to get an answer, but
if you guys would point me at a file name, I would gladly take
that, as well :)

Additionally, I am wondering if the compression API will likely
change at some point as is the case with OpenSSL.


Thanks,
Richard
</description>
    <dc:creator>Richard Hartmann</dc:creator>
    <dc:date>2008-06-25T14:46:23</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.gnutls.general/1293">
    <title>problems building 2.4.0</title>
    <link>http://comments.gmane.org/gmane.network.gnutls.general/1293</link>
    <description>I'm trying to build GnuTLS 2.4.0 on a Mac -- OS X 10.5.3, gcc 4.0.1,
most dependencies supplied with fink packages.

I get:
  gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I.. -DLOCALEDIR=\"/sw/share/locale\" -I../lgl -I../lgl -I../includes -I../includes -I./x509 -I../libextra -I../lib/openpgp/ -I/sw/include -I./opencdk -I../lib/opencdk -I/sw/include -I/sw/include -I/sw/include -g -O2 -Wno-pointer-sign -c gnutls_openpgp.c -fno-common -DPIC -o .libs/gnutls_openpgp.o
gnutls_openpgp.c: In function 'gnutls_openpgp_get_key':
gnutls_openpgp.c:219: error: 'cdk_keydb_search_t' undeclared (first use in this function)
gnutls_openpgp.c:219: error: (Each undeclared identifier is reported only once
gnutls_openpgp.c:219: error: for each function it appears in.)
gnutls_openpgp.c:219: error: syntax error before 'st'
gnutls_openpgp.c:242: error: 'st' undeclared (first use in this function)
gnutls_openpgp.c:242: warning: passing argument 2 of 'cdk_keydb_search_start' makes integer from pointer without a cast
gnutls_openpgp.c:242: error: incompatible type for argument 3 of 'cdk_keydb_search_start'
gnutls_openpgp.c:242: error: too many arguments to function 'cdk_keydb_search_start'
gnutls_openpgp.c:244: warning: passing argument 2 of 'cdk_keydb_search' from incompatible pointer type
gnutls_openpgp.c:244: error: too many arguments to function 'cdk_keydb_search'
gnutls_openpgp.c:246: warning: implicit declaration of function 'cdk_keydb_search_release'
make[3]: *** [gnutls_openpgp.lo] Error 1

Suggestions?

Dave
--
David Reiser
dbreiser&lt; at &gt;gmail.com
</description>
    <dc:creator>David Reiser</dc:creator>
    <dc:date>2008-06-24T02:22:04</dc:date>
  </item>
  <textinput about="http://search.gmane.org/?group=$group=gmane.network.gnutls.general">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.network.gnutls.general</link>
  </textinput>
</rdf:RDF>
