http://blog.gmane.org/gmane.network.gnutls.general hourly 1 1901-01-01T00:00+00:00 http://gmane.org/img/gmane-25t.png http://gmane.org http://comments.gmane.org/gmane.network.gnutls.general/1333 |<3>| HSK[9b5be8]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1 |<3>| HSK[9b5be8]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1 |<3>| HSK[9b5be8]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1 |<3>| HSK[9b5be8]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1 |<3>| HSK[9b5be8]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1 |<3>| HSK[9b5be8]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1 |<3>| HSK[9b5be8]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA1 |<3>| HSK[9b5be8]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA1 |<3>| HSK[9b5be8]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA1 |<3>| HSK[9b5be8]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1 |<3>| HSK[9b5be8]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1 |<3>| HSK[9b5be8]: Keeping ciphersuite: DHE_PSK_SHA_AES_128_CBC_SHA1 |<3>| HSK[9b5be8]: Keeping ciphersuite: DHE_PSK_SHA_AES_256_CBC_SHA1 |<3>| HSK[9b5be8]: Keeping ciphersuite: DHE_PSK_SHA_3DES_EDE_CBC_SHA1 |<3>| HSK[9b5be8]: Keeping ciphersuite: DHE_PSK_SHA_ARCFOUR_SHA1 |< darkdemun 2008-08-26T23:01:21 http://comments.gmane.org/gmane.network.gnutls.general/1330 Thanks for the feedback on the previous questions. I am looking at the docs for selecting different protocols and different ciphersuites. I would like my server connection to attempt ssl3.0 first. I see the command gnutls_priority_init, but I am a little unsure how to tell it to attempt ssl3.0 first. What sort of string should I use for the command? char *error_loc; gnutls_priority_init(&priority_cache, "NORMAL:SSL3.0",**error_loc) brian Brian Lavender 2008-08-20T06:40:41 http://comments.gmane.org/gmane.network.gnutls.general/1326 Dumb question. Can you assign a gnutls_session_t from one variable to another? Say I have the following. What is the implication? gnutls_session_t a; gnutls_session_t b; // create socket accept sock_fd a = initialize_tls_session (); gnutls_transport_set_ptr (a, (gnutls_transport_ptr_t) sock_fd ); b = a; ret = gnutls_record_recv(b, &bufferIn.data[bufferIn.index], bufferIn.remaining); gnutls_bye (b, GNUTLS_SHUT_WR); gnutls_deinit (b); brian Brian Lavender 2008-08-16T03:26:21 http://comments.gmane.org/gmane.network.gnutls.general/1322 Hello all, Living in a country where export regulations makes it so that nothing can be shipped that's above 56 bits, I'd like to know if that path was once taken by any gnutls user and if so, if there are any compile recipes out there that would limit to DES (only DES, not 3DES !). Any comments/suggestions/hints appreciated. Cheers. lanas 2008-08-11T23:27:31 http://comments.gmane.org/gmane.network.gnutls.general/1319 I am trying to take a simple socket program and convert it to use gnutls. Is there an equivalent to fdopen so I can stream my secured socket as an fstream? int sock_fd; FILE *sock_fpi; sock_fd = accept( sock_id, (struct sockaddr *) &sa_cli, &client_len ); sock_fpi = fdopen( sock_fd, "r" )) But when I attempt to convert it to use gnutls, I run into the following. sock_fd = accept( sock_id, (struct sockaddr *) &sa_cli, &client_len ); session = initialize_tls_session (); gnutls_transport_set_ptr (session, (gnutls_transport_ptr_t) sock_fd ); ret = gnutls_handshake (session); And, it appears that I can only read using the following command. ret = gnutls_record_recv (session, buffer, MAX_BUF); Any sugguestions? Is there an fdopen equivalent, so I can still use the fgets and friends? Or, do I have to write my own buffering routine? brian #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <netdb.h> #include <time.h Brian Lavender 2008-08-03T21:11:52 http://comments.gmane.org/gmane.network.gnutls.general/1314 Hello, I am trying to implement TLS over a SCTP association with multiple streams (the final goal is to make an open-source implementation of Diameter). From RFC 3436, it is told that each pair of (bi-directional) stream is an independent TLS session (separate handshake, and so on). The remaining streams have no TLS protection, and will therefore not be used in my implementation. I understand how to specify my own transport-layer handlers in GNU TLS with the set_push_function and set_pull_function, but I think it is not sufficient support to handle the TLS over the multiple streams as expected. We can create a wrapper function to send data on a specific stream, but not to receive only from a given stream. The logic must be: we receive a message, we can retrieve its stream number, and then we know the TLS context (session) this message belongs to. I cannot see a way to achieve this with the API of gnutls. Has someone ran into this issue already and could give me some hints / pointers? The on Sebastien Decugis 2008-07-30T09:24:19 http://comments.gmane.org/gmane.network.gnutls.general/1313 _______________________________________________ Help-gnutls mailing list Help-gnutls< at >gnu.org http://lists.gnu.org/mailman/listinfo/help-gnutls Zach C. 2008-07-29T20:25:41 http://comments.gmane.org/gmane.network.gnutls.general/1312 Hi I pointed out your excellent SSL/TLS lib comparison table to the NSS guys the other day and they seem to have ideas about corrections/updates for it. Here's the thread on the NSS list: http://thread.gmane.org/gmane.comp.mozilla.crypto/9950 Daniel Stenberg 2008-07-25T21:21:50 http://comments.gmane.org/gmane.network.gnutls.general/1308 Hello again list, i am continuing experimenting with GNUTLS. I have written a client and a server that perform anonymous (ANON-DH) TLS negotiation. I successfully connected to a gnutls-serv --http --priority "NORMAL: +ANON-DH" instance. When i tried to connect to my own server (which is mostly an example from the documentation) i got the following error: So i manually set the Diffie Hellman prime bits in the server to 1024 and in the client to 1023 (gnutls_dh_set_prime_bits (session, DH_BITS)) - With no effect. Still the same error. I also tried to set the DH prime bits in the server to 2048. The server needed longer to start up after this change so i guess that took effect. I then set the DH prime bits in the client to 0 and in the server to 1024. Now i can connect: Output of server: Output of client: Notice the "Anonymous DH using prime of -50 bits". This is the output of gnutls_dh_get_prime_bits(session)). No change whereever i place the output in the source code or what i set DH_BITS to. Lennart Koopmann 2008-07-09T12:15:36 http://comments.gmane.org/gmane.network.gnutls.general/1304 Hello everyone, i installed GNUTLS version 2.5.1 from hand because the one from the Fedora repository is too old. When i try to anonymous connect to a "gnutls-server --http" my client returns: *** Handshake failed GNUTLS ERROR: A TLS fatal alert has been received. The server says: Error in handshake Error: Could not negotiate a supported cipher suite. Could you please help me with that? I don't really know how to proceed now. I can upload the source code of my test program if you want. It's mostly a copy & paste from the documentation. (7.3.1 Simple Client Example with Anonymous Authentication) [lennart< at >sundaysister Debug]$ ldd GNUTLSTest [...] libgnutls.so.26 => /usr/lib/libgnutls.so.26 (0x00111000) [...] Thank you all! So long Lennart -- FSF Member #5673 Lennart Koopmann 2008-07-05T18:11:05 http://comments.gmane.org/gmane.network.gnutls.general/1302 Hello everyone, i am currently experimenting with the GNU TLS library. I started with the TLS anonymous test client from the documentation. When i try to compile (a slightly modified) version, i get an error message that tells me that gnutls_priority_set_direct was not defined. (The original message is in German and i am not sure about the translation) When i comment out the gnutls_priority_set_direct line the program compiles fine but i get an "GnuTLS internal error". I am connecting to the gnutls-serv on localhost. The problem existed before my modifications to the example.  Could anybody please help me with that problem?  GNU TLS 2.0.4 on Fedora Core 9 Thank you very much! So long Lennart Koopmann Lennart Koopmann 2008-07-03T16:05:10 http://comments.gmane.org/gmane.network.gnutls.general/1295 Hi all, I was wondering if there is a list of all CipherSuite[s] and CompressionMethod[s] supported by GNUTLS. At this point, I would prefer not to go through the code to get an answer, but if you guys would point me at a file name, I would gladly take that, as well :) Additionally, I am wondering if the compression API will likely change at some point as is the case with OpenSSL. Thanks, Richard Richard Hartmann 2008-06-25T14:46:23 http://comments.gmane.org/gmane.network.gnutls.general/1293 I'm trying to build GnuTLS 2.4.0 on a Mac -- OS X 10.5.3, gcc 4.0.1, most dependencies supplied with fink packages. I get: gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I.. -DLOCALEDIR=\"/sw/share/ locale\" -I../lgl -I../lgl -I../includes -I../includes -I./x509 -I../ libextra -I../lib/openpgp/ -I/sw/include -I./opencdk -I../lib/opencdk - I/sw/include -I/sw/include -I/sw/include -g -O2 -Wno-pointer-sign -c gnutls_openpgp.c -fno-common -DPIC -o .libs/gnutls_openpgp.o gnutls_openpgp.c: In function 'gnutls_openpgp_get_key': gnutls_openpgp.c:219: error: 'cdk_keydb_search_t' undeclared (first use in this function) gnutls_openpgp.c:219: error: (Each undeclared identifier is reported only once gnutls_openpgp.c:219: error: for each function it appears in.) gnutls_openpgp.c:219: error: syntax error before 'st' gnutls_openpgp.c:242: error: 'st' undeclared (first use in this function) gnutls_openpgp.c:242: warning: passing argument 2 of 'cdk_keydb_search_start' makes integer from pointer without a cast gnutls_o David Reiser 2008-06-24T02:22:04 http://comments.gmane.org/gmane.network.gnutls.general/1283 Hi, I receive *just* GUTLS_CERT_INVALID after calling gnutls_certificate_verify_peers2(), no specific error state. Do you have any idea what may cause this? Thanks, Rainer Rainer Gerhards 2008-06-20T06:16:39 http://comments.gmane.org/gmane.network.gnutls.general/1282 _______________________________________________ Help-gnutls mailing list Help-gnutls< at >gnu.org http://lists.gnu.org/mailman/listinfo/help-gnutls Simon Josefsson 2008-06-19T09:18:38 http://comments.gmane.org/gmane.network.gnutls.general/1280 _______________________________________________ Help-gnutls mailing list Help-gnutls< at >gnu.org http://lists.gnu.org/mailman/listinfo/help-gnutls Simon Josefsson 2008-06-15T21:59:45 http://comments.gmane.org/gmane.network.gnutls.general/1279 Hello, Take a look at this example. There is one program (let be it php interpreter) that is able to load external modules (so modules). Now we have two external modules - curl and postgresql [1]. Assume both curl and postgresql use external libraries (libcurl and libpq) that internally also use gnutls. Both these libraries initialize and deinitialize gnutls on it's own. Separately they work fine. Now it php loads them both at the same time then gnutls initialization happens twice (once called by curl module and second time by postgres module) and the same happens for deinitialization. In openssl for example double deinit causes segfault and is now allowed (a real problem with php + modules btw). How things look in gnutls? I assume init/deinit also can't be called multiple times safely, right? What can be done in such example to correctly handle gnutls requirements for init/deinit? There is only one important thing - the only place where you can do anything is php itself, curl and postgresq Arkadiusz Miskiewicz 2008-06-15T13:13:00 http://comments.gmane.org/gmane.network.gnutls.general/1273 Hi, I am now working on sorting the nits out of my syslog/tls implementation. I am now running the app under valgrind [1]. I see a number of valgrind errors, for example this memory leak here: ==22504== 256 bytes in 2 blocks are definitely lost in loss record 14 of 31 ==22504== at 0x4A0739E: malloc (vg_replace_malloc.c:207) ==22504== by 0x304AE328F6: _gnutls_mpi_dprint_lz (in /usr/lib64/libgnutls.so.13.9.1) ==22504== by 0x304AE3E47C: _gnutls_dh_set_peer_public (in /usr/lib64/libgnutls.so.13.9.1) ==22504== by 0x304AE43819: _gnutls_proc_dh_common_server_kx (in /usr/lib64/libgnutls.so.13.9.1) ==22504== by 0x304AE3BB4F: (within /usr/lib64/libgnutls.so.13.9.1) ==22504== by 0x304AE2AF81: _gnutls_recv_server_kx_message (in /usr/lib64/libgnutls.so.13.9.1) ==22504== by 0x304AE273DF: _gnutls_handshake_client (in /usr/lib64/libgnutls.so.13.9.1) ==22504== by 0x304AE27F77: gnutls_handshake (in /usr/lib64/libgnutls.so.13.9.1) ==22504== by 0x7249300: Connect (nsd_gtls.c:1465) ==22504== by 0x Rainer Gerhards 2008-06-04T06:52:19 http://comments.gmane.org/gmane.network.gnutls.general/1260 _______________________________________________ Help-gnutls mailing list Help-gnutls< at >gnu.org http://lists.gnu.org/mailman/listinfo/help-gnutls Alex Samad 2008-05-29T04:35:15 http://comments.gmane.org/gmane.network.gnutls.general/1259 Hi all, how do I check if a certificate is revoked? I created a test CA, signed a certificate, revoked it, and created a CRL file with this information. Then I use gnutls_certificate_set_x509_crl_file() in the client program to set the CRL file. The function returns 1, as expected. After calling gnutls_certificate_verify_peers2(), I check if the status contains GNUTLS_CERT_REVOKED, but this is not the case. Neither openssl s_client nor gnutls-cli seem to support CRL files, so I was not able to double check that my test setup is correct. Martin Martin Lambers 2008-05-28T20:01:03 http://comments.gmane.org/gmane.network.gnutls.general/1257 Hi folks, I would like to say a big thank you! Thanks to your excellent help (and well-designed API), I have been able to complete the world's first implementation of ietf-syslog-transport-tls-12. There is one thing dangling, and that is the callback I would like to have for certificate validation during the handshake. However, I will look into providing a patch if that turns out to become a real problem. Please note that I have chosen GnuTLS over NSS because of its much better documentation (at least for non-Netscape stand alone projects). What I did not know at the time I made the decision was the ultra-fast speed with which you provided support on the mailing list. This is an even better feature :) I know all of this is quite off-topic, but I thought it should still be said ;) If you are interested, you may have a look at my implementation report: http://blog.gerhards.net/2008/05/syslog-transport-tls-12-implementation.html Keep up the good work :) Rainer Rainer Gerhards 2008-05-28T08:13:39 Search the mailing list at Gmane query http://search.gmane.org/?group=$group=gmane.network.gnutls.general