From: Daniel K. G. <dk...@fi...> - 2013-04-24 15:43:14

Hi folks who are interested in mod_gnutls --

I'm taking on some administrative work for the mod_gnutls project. There are changes afoot that you might be interested in.

Mailing Lists
-------------

We're moving away from sourceforge, which means i'll be shutting down the sourceforge mailing lists. The new canonical mailing list is mod...@li.... Thanks to Nikos Mavrogiannopoulos and Werner Koch for doing the back-end work on this.

Any user who was subscribed to any of the -code, -support, or -announce mailing lists is now subscribed to the new list. If the new list becomes too heavy with traffic and folks want it to be split out into separate lists, please say so; i don't think that will be a problem at the moment.

If you're reading this through gmane, i'll be following up with the good folks there to see if they can consolidate this list with the archives of the old list(s).

Project Web Site
----------------

The new home of mod_gnutls on the web is https://mod.gnutls.org/ -- we are moving away from the various sourceforge web sites we've used in the past. Our web site is now served using apache with mod_gnutls :)

Bug Tracker
-----------

We're moving off the sourceforge mantis install, since it was deprecated by sourceforge. https://mod.gnutls.org/ has a ticketing system, and i've migrated all the old mantis tickets to the new ticketing system. If you're interested in old ticket NNN, you should be able to find it at https://mod.gnutls.org/ticket/NNN.

Revision Control
----------------

We're using git. The canonical location for mod_gnutls is git://mod.gnutls.org/mod_gnutls, and it can be browsed on the web at https://mod.gnutls.org/browser . More details at https://mod.gnutls.org/wiki/develop .

I also want to encourage patch submissions via this mailing list, if anyone has features they want to add or bugs they want to fix :)

IRC channel
-----------

I'm currently idling on #mod_gnutls on irc.indymedia.org, and welcome anyone interested to come chat over there.

Release plans
-------------

I'd like to try to roll a new release using the new infrastructure sometime soon (hopefully in the next week). This might mean that we don't have all the outstanding bugs and feature requests resolved, but we should be able to cover some of them, and i'd like to get it done as a checkpoint on the way to more frequent releases for the project.

More???
-------

These changes are all done now, but i'm sure there are things that could be configured better. Please let me know (on-list is fine, or via direct e-mail if you prefer) if you see anything that could be improved or if you want to help out in other ways.

Regards,

--dkg
(for the mod_gnutls project)
From: Dash S. <neu...@da...> - 2013-04-05 20:14:55

* d334f47 Changed pre_connection Hook Order [Try to run before mod_proxy]

  It should actually say "after" [the code does] as we need to detect a mod_proxy initiated connection.
  REF: http://apache-http-server.18135.n6.nabble.com/mod-gnutls-and-mod-proxy-TLS-termination-td4831028.html

* d32dba4 Change module's contexts for configuration directives

  Some of the configuration directives [eg. GnuTLSX509CAFile] should also be available in <Location>, <Directory>
  REF: http://ci.apache.org/projects/httpd/trunk/doxygen/group__ConfigDirectives.html

* 5f610d0 Added apr_optional.h required for optional functions

  AFAIK, mod_proxy looks for and calls some optional functions (ssl_proxy_enable() and ssl_engine_disable()) to signal a request handled by mod_proxy.
  REF: http://apache-http-server.18135.n6.nabble.com/mod-gnutls-and-mod-proxy-TLS-termination-td4831028.html

* 63f19cb Changed gnutls_sign_algorithm_get_name() [non-existent in 2.12.x] to gnutls_sign_get_name() URL: http://gnutls.org/reference/gnutls-gnutls.html#gnutls-sign-get-name

  I could not compile the module on fc17 using gnutls 2.12.x because of that function not being defined. Now I see:
  http://www.gnu.org/software/gnutls/reference/gnutls-gnutls.html#gnutls-sign-algorithm-get-name

    #define gnutls_sign_algorithm_get_name gnutls_sign_get_name

I'll try my best to follow the convention from now on; also it'll be a good idea for you to review any future commits from me. I do appreciate your feedback.

Dash Shendy
http: dash.za.net
gsm: (+27) 79 579 179 3
smtp: das...@gm...
voip: dashula2006

On 2013/04/05 06:13 PM, Daniel Kahn Gillmor wrote:
> I'm trying to clean up the scattered repositories we've got right now,
> and two of the sourceforge ones seem to diverge.
>
> I see the following changesets on
> git://git.code.sf.net/p/mod-gnutls/code, but not on
> git://mod-gnutls.git.sourceforge.net/gitroot/mod-gnutls/modgnutls. Some
> of them look good, but some don't make sense to me. Dash, can you
> clarify some things?
>
> * d334f47 Changed pre_connection Hook Order [Try to run before mod_proxy]
>
> I don't know what this fixes. Can you add an example test that fails
> without this change, and then show that this change resolves the
> problem?
>
> * d32dba4 Change module's contexts for configuration directives
>
> The commit message here tells what happens, but not why. Why are these
> being changed?
>
> * 5f610d0 Added apr_optional.h required for optional functions
>
> What function(s) require this change? Why add it if the code works
> without it?
>
> * d51befd Changed Default Export Of Full PEM Certificates To FALSE
>
> This looks good to me, because it brings the code in line with the
> documentation.
>
> * 63f19cb Changed gnutls_sign_algorithm_get_name() [non-existent in 2.12.x] to gnutls_sign_get_name() URL: http://gnutls.org/reference/gnutls-gnutls.html#gnutls-sign-get-name
>
> I'm not sure i understand. I see gnutls_sign_algorithm_get_name() in
> gnutls 2.12.x:
>
> 0 dkg@alice:~$ grep -r gnutls_sign_algorithm_get_name /usr/include/gnutls
> /usr/include/gnutls/gnutls.h:  const char *gnutls_sign_algorithm_get_name (gnutls_sign_algorithm_t sign);
> 0 dkg@alice:~$ dpkg -l libgnutls-dev
> Desired=Unknown/Install/Remove/Purge/Hold
> | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
> |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
> ||/ Name           Version      Architecture Description
> +++-==============-============-============-=================================
> ii  libgnutls-dev  2.12.23-1    amd64        GNU TLS library - development fil
> 0 dkg@alice:~$
>
> What makes you think the function isn't supported? It hasn't been
> marked deprecated from what i can tell.
>
> Any thoughts or feedback on these changes?
>
> One other note about git commit messages: the first line of the git
> commit message is treated quite differently than all the others. It's
> good to make it a nice concise summary of the commit, and leave detailed
> explanations and URLs and things to the rest of the (nicely-formatted)
> commit message. tpope's blog here has more detail:
>
> http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html
>
> I'm going to make an effort to try to stay with this style of commit
> message where possible.
>
> --dkg
>
> _______________________________________________
> mod-gnutls-devel mailing list
> mod...@li...
> http://lists.gnupg.org/mailman/listinfo/mod-gnutls-devel
From: Daniel K. G. <dk...@fi...> - 2013-04-05 16:55:51

I'm trying to clean up the scattered repositories we've got right now, and two of the sourceforge ones seem to diverge.

I see the following changesets on git://git.code.sf.net/p/mod-gnutls/code, but not on git://mod-gnutls.git.sourceforge.net/gitroot/mod-gnutls/modgnutls. Some of them look good, but some don't make sense to me. Dash, can you clarify some things?

* d334f47 Changed pre_connection Hook Order [Try to run before mod_proxy]

I don't know what this fixes. Can you add an example test that fails without this change, and then show that this change resolves the problem?

* d32dba4 Change module's contexts for configuration directives

The commit message here tells what happens, but not why. Why are these being changed?

* 5f610d0 Added apr_optional.h required for optional functions

What function(s) require this change? Why add it if the code works without it?

* d51befd Changed Default Export Of Full PEM Certificates To FALSE

This looks good to me, because it brings the code in line with the documentation.

* 63f19cb Changed gnutls_sign_algorithm_get_name() [non-existent in 2.12.x] to gnutls_sign_get_name() URL: http://gnutls.org/reference/gnutls-gnutls.html#gnutls-sign-get-name

I'm not sure i understand. I see gnutls_sign_algorithm_get_name() in gnutls 2.12.x:

0 dkg@alice:~$ grep -r gnutls_sign_algorithm_get_name /usr/include/gnutls
/usr/include/gnutls/gnutls.h:  const char *gnutls_sign_algorithm_get_name (gnutls_sign_algorithm_t sign);
0 dkg@alice:~$ dpkg -l libgnutls-dev
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version      Architecture Description
+++-==============-============-============-=================================
ii  libgnutls-dev  2.12.23-1    amd64        GNU TLS library - development fil
0 dkg@alice:~$

What makes you think the function isn't supported? It hasn't been marked deprecated from what i can tell.

Any thoughts or feedback on these changes?

One other note about git commit messages: the first line of the git commit message is treated quite differently than all the others. It's good to make it a nice concise summary of the commit, and leave detailed explanations and URLs and things to the rest of the (nicely-formatted) commit message. tpope's blog here has more detail:

http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html

I'm going to make an effort to try to stay with this style of commit message where possible.

--dkg
From: Daniel K. G. <dk...@fi...> - 2013-04-05 15:54:41

On 04/04/2013 03:15 AM, Daniel Kahn Gillmor wrote:
> F) a "development" mailing list (this list):
>
> mod...@li...
>
> which has been mostly idle
>
> G) an "announce" mailing list:
>
> mod...@li...
>
> H) a "support" mailing list:
>
> mod...@li....

sigh. apparently even these lists changed names and/or disappeared sometime over the last week.

> I'm still looking into options for the mailing list move and
> consolidation.

Werner Koch has graciously agreed to host a non-sourceforge mailing list for us at:

mod...@li...

To make this transition happen, i'd ideally like to get an archive of the old messages from the existing lists (those that still remain at least) and the list of subscribers of each list.

Dash, is this something you can help with? Are you interested in administering the new mailman list with me?

--dkg
From: Daniel K. G. <dk...@fi...> - 2013-04-04 23:28:43

hey folks--

The mod-gnutls project support resources are currently in a bit of disarray. I'd like to clean them up to get the project more focused. This e-mail contains an assessment of where we are now and a proposal of where we can go.

Assessment
==========

We currently have:

A) an old sourceforge web site that apparently doesn't have any content: http://modgnutls.sourceforge.net

B) a sourceforge web site with content: http://mod-gnutls.sourceforge.net

C) a public git repository: git://mod-gnutls.git.sourceforge.net/gitroot/mod-gnutls/modgnutls

D) another public git repository (not in sync with C): git://git.code.sf.net/p/mod-gnutls/code

E) a ticket tracker (using TLS, but not GnuTLS): https://sourceforge.net/apps/mantisbt/modgnutls/

F) a "development" mailing list (this list): mod...@li... which has been mostly idle

G) an "announce" mailing list: mod...@li...

H) a "support" mailing list: mod...@li....

I) there was a sourceforge-custom bugtracker (i don't even remember the URL).

J) there is a git repository for tracking the data in web site B (i just made this recently because i realized that we had no backup or way to collaborate on the web site).

Note that (B) refers to a third public git repository, but the referred item doesn't appear to exist.

All of this is pretty confusing and a bit of a mess. The sourceforge mailing list archives are difficult to read and search; the mailing lists themselves are mostly idle/quiet; it's hard to find canonical copies of old releases, or to know which revision control or bug tracker to rely on.

Most of our existing tickets (roughly two dozen) are in bugtracker E, but sourceforge considers this a deprecated "hosted app" which they have been threatening to deprecate and remove for a couple years now.

Are there other project resources that i'm forgetting about?

Proposal
========

I think we should move off of sourceforge, onto infrastructure that we host ourselves using free software that we can back up and support indefinitely. I'm willing to be responsible for that infrastructure, and i can commit to maintaining it.

I propose:

0) we move to a single mailing list. There isn't enough traffic on the project's various mailing lists to justify the current set of three different lists. The new mailing list will probably start with a union of all the current subscribers to the existing mailing lists. If the discussion gets overwhelmingly busy, we can talk about splitting it back out again.

1) we get off of sourceforge -- the various web sites and git repositories and so forth are confusing, and their threat of removing the hosted application doesn't sound good to me. This means transferring existing tickets and their commentary into the new system.

2) we start eating our own dogfood -- it would be lovely if the HTTPS services we use were actually supplied by mod_gnutls. This is good for several reasons, including getting real-world interaction with the system we're supporting and improving intuitions about defaults and configuration expectations.

Next Steps
==========

I've checked with Nikos Mavrogiannopoulos, and he's fine with mod_gnutls using the domain name mod.gnutls.org; i'm in the process of setting up a trac instance and git repository at https://mod.gnutls.org/, which should provide us with a public-facing web site, a revision control browser, and an integrated ticketing system that can cross-reference both the documentation and the revision control history. (authentication currently doesn't work on that site, and it is not yet fully-configured).

I'm still looking into options for the mailing list move and consolidation.

Any suggestions or questions or concerns about this cleanup/consolidation?

--dkg
From: Jevgenij S. <js...@gm...> - 2013-03-18 10:25:09

I was wondering if it's possible to configure 'mod_gnutls' so that it uses 'libgnutls' in a way that does not upset 'libgcrypt' in FIPS enforce mode.

Specifically, my current setup is:
- Red Hat Enterprise Linux 6.3;
- Apache 2.2.15;
- GnuTLS 2.8.5 (release 4.el6_2.2);
- mod_gnutls 0.5.6.

Non-FIPS-compliant ciphers are disabled in 'mod_gnutls' config:

GnuTLSEnable on
GnuTLSPriorities NONE:+VERS-TLS1.1:+AES-256-CBC:+3DES-CBC:+DHE-RSA:+SHA256:+SHA1:+COMP-NULL

The OS kernel is running in FIPS mode; HTTPS requests over mod_gnutls work just fine.

Now, if I try to enforce FIPS in 'libgcrypt' by issuing:

echo 1 > /etc/gcrypt/fips_enabled

and restart Apache, it throws "handshake failed" errors upon HTTPS requests. System Audit Log reveals that it's caused by segmentation faults in Apache processes - which is a typical symptom when violating enforced FIPS mode. After echoing 0 to that same file and restarting Apache, everything is back to normal.

Quite likely, the issue is caused by attempts to use the MD5 hashing algorithm which is, of course, prescribed by the very TLS RFC 4346 and unavoidable.

Is there a way to work around this issue? A compile-time configuration option to force use of 'libgnutls-extra', perhaps?

Thank you, help is much appreciated,
Jevgenij
From: Daniel K. G. <dk...@fi...> - 2013-01-29 03:10:25

Hello Hardy Greich and other folks interested in mod_gnutls --

I am working on tracking down bugs in mod_gnutls so that it can support new features, and i just ran back across your message from September:

http://lists.outoforder.cc/pipermail/modules/2012-September/000427.html

I'm still able to replicate this bug against the versions you reported; and i'm working on replicating it against the head of development.

I think the mailing list you were using (mo...@li...) is no longer the canonical mailing list for the project. The outoforder page (http://www.outoforder.cc/projects/httpd/mod_gnutls/) directs to the project's new homepage:

http://modgnutls.sourceforge.net/?p=lists

which suggests that the current canonical mailing list for the project is hosted at sourceforge (this message is cc'ed to both lists; please follow up to the sourceforge list or me directly).

I have no idea why your initial bug report got deleted, but i've re-filed it here:

https://sourceforge.net/apps/mantisbt/modgnutls/bug_view_advanced_page.php?bug_id=17

And i've also gone ahead and recorded the bug in the debian BTS:

http://bugs.debian.org/699211

I hope to have it tracked down and fixed soon.

Regards,

--dkg
From: tarik c. <tar...@gm...> - 2012-11-20 22:24:19

Hello everyone,

I just installed mod_gnutls 0.5.10 with apache 2.2.23 on two redhat 5.5 machines. On one of those machines I have haproxy installed as a load balancer which forwards all the traffic to the two apaches. The problem I'm facing now is that the apache that runs alongside haproxy can't serve the https requests. I configured the apache to listen to the ssl traffic on port 8443; when I launch a telnet localhost 8443 and issue a GET /, what I receive is clear html code. After a lot of googling I found that I need to apply a patch so that mod_gnutls will serve an encrypted response instead of the html flow. Can you please help me solve this issue?

 ___________________                         ___________________
| haproxy           |                       |                   |
| apache 2.2.23     |                       | apache 2.2.23     |
| mod_gnutls 0.5.10 |=======================| mod_gnutls 0.5.10 |
| gnutls 3.1.4      |                       | gnutls 3.1.4      |
 -------------------                         -------------------

Tarik CHICHANE
From: Nikos M. <nm...@gn...> - 2012-10-11 20:57:04

On 10/11/2012 09:24 PM, Andre St-Louis wrote:
> Hi Nikos,
>
> I looked at your answer and explored the environment variables that you mentioned. In your response you said that these environment variables can be passed to scripts.
> In our case, we use apache as proxy and load balancer to tomcat servers. I would like to know if those environment variables are passed with the request to tomcat. Are those variables stored in the header of the request?

I don't know your setup and cannot answer that. However, unless you specifically transfer this information from the proxy the other servers will not see them.

> I have also done more tests with the GnuTLSClientVerify "request" and "require". Using "require" does not block the request if an invalid certificate is sent. I am getting the same behaviour with either option. Is this normal behavior?

No. Are you sure you have the GnuTLSClientVerify option in the appropriate place? If yes then you should see the connection being rejected. If not you'll have to check the debugging output.

regards,
Nikos
From: Andre St-L. <And...@ca...> - 2012-10-11 19:25:09

Hi Nikos,

I looked at your answer and explored the environment variables that you mentioned. In your response you said that these environment variables can be passed to scripts.
In our case, we use apache as proxy and load balancer to tomcat servers. I would like to know if those environment variables are passed with the request to tomcat. Are those variables stored in the header of the request?

I have also done more tests with the GnuTLSClientVerify "request" and "require". Using "require" does not block the request if an invalid certificate is sent. I am getting the same behaviour with either option. Is this normal behavior?

Thanks,

Andre St-Louis

________________________________
From: Andre St-Louis [And...@ca...]
Sent: Wednesday, October 10, 2012 8:24 AM
To: mod...@li...
Cc: Kory McAndrew; Lisa Khoury; Ron Masson; Buddy Tatlock; Aurele Alain; Bu...@fu...
Subject: [modgnutls-support] mod_gnutls not stopping traffic when an invalid certificate is sent

We have configured mod_gnutls. We have an unexpected behavior when providing an invalid certificate.

When we provide a valid certificate we get the following in our log:

[Wed Oct 10 10:11:19 2012] [debug] gnutls_hooks.c(1181): [client 192.168.0.183] GnuTLS: A Chain of 1 certificate(s) was provided for validation
[Wed Oct 10 10:11:19 2012] [debug] gnutls_hooks.c(1236): [client 192.168.0.183] GnuTLS: Verifying list of 1 certificate(s)
===> [Wed Oct 10 10:11:20 2012] [error] [client 192.168.0.183] GnuTLS: Handshake Failed. Hit Maximum Attempts

And the test page gets displayed.

When we provide an invalid certificate we get the following in our log:

[Wed Oct 10 10:14:14 2012] [debug] gnutls_hooks.c(1181): [client 192.168.0.183] GnuTLS: A Chain of 1 certificate(s) was provided for validation
[Wed Oct 10 10:14:14 2012] [debug] gnutls_hooks.c(1236): [client 192.168.0.183] GnuTLS: Verifying list of 1 certificate(s)
[Wed Oct 10 10:14:14 2012] [info] [client 192.168.0.183] GnuTLS: Could not find Signer for Peer Certificate
[Wed Oct 10 10:14:14 2012] [info] [client 192.168.0.183] GnuTLS: Peer Certificate is invalid.
===> [Wed Oct 10 10:14:14 2012] [error] [client 192.168.0.183] GnuTLS: Handshake Failed. Hit Maximum Attempts

Questions:
1) Should we worry about the error: GnuTLS: Handshake Failed. Hit Maximum Attempts
2) What is the expected behavior when an invalid certificate is sent back to the server? Should mod-gnutls deny the request, or should the denial of the request be handled by another means?

Configuration file:

#
# When we also provide SSL we have to listen to the
# standard HTTP port (see above) and to the HTTPS port
#
# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
#       Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
#
Listen 443

#
# Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

<VirtualHost _default_:443>

# General setup for the virtual host
DocumentRoot "/opt/apache2.2.23/htdocs"
ServerName trbptest.com:443
ServerAdmin yo...@ex...
ErrorLog "/opt/apache2.2.23/logs/error_log"
TransferLog "/opt/apache2.2.23/logs/access_log"

#
# GNUTLS
#
GnuTLSEnable on
GnuTLSPriorities NONE:+VERS-TLS1.1:+VERS-TLS1.0:+VERS-SSL3.0:+COMP-NULL:+SHA1:+MD5:+RSA:+DHE-RSA:+CAMELLIA-128-CBC:+ARCFOUR-128:+AES-128-CBC:+3DES-CBC
#GnuTLSPriorities SECURE:+VERS-TLS1.1:+AES-128-CBC:+RSA:+SHA1
GnuTLSClientCAFile conf/ssl/andre1.cer
GnuTLSCertificateFile conf/ssl/trbptest_com_server.crt
GnuTLSKeyFile conf/ssl/test.entrust.com.key
GnuTLSClientVerify request

</VirtualHost>

Versions of software:
Apache 2.2.23 - compiled and installed locally
gmp.i686 4.3.1-7.el6_2.2 rhel-x86_64-server-6
nettle 2.5 - compiled and installed locally
libxml2.i686 2.7.6-8.el6_3.3 rhel-x86_64-server-6
mod_gnutls-0.5.10

Thanks,
A
From: Nikos M. <nm...@gn...> - 2012-10-11 07:07:15

On 10/10/2012 02:24 PM, Andre St-Louis wrote:
> 1) Should we worry about the error: GnuTLS: Handshake Failed. Hit Maximum Attempts
> 2) What is the expected behavior when an invalid certificate is sent back to the server? Should mod-gnutls deny the request, or should the denial of the request be handled by another means?

Hello,

Check README.ENV in the distribution. There is a variable SSL_CLIENT_VERIFY that contains the client certificate verification status. You can check this variable from a web server script.

If on the other hand you want to prevent clients from connecting without a certificate, then set the GnuTLSClientVerify configure option with the "require" value.

regards,
Nikos
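A fail-closed check of the SSL_CLIENT_VERIFY variable Nikos refers to, written here as an added example (it is not mod_gnutls or README.ENV code): a WSGI gate that only passes requests whose client certificate the TLS layer verified, for the "request" mode where the handshake itself still succeeds. It assumes the variable holds "SUCCESS" on a verified chain and something else ("FAILED", "NONE") or nothing otherwise, and that SSL_CLIENT_S_DN carries the client subject.

```python
import sys

# Assumption (README.ENV as described in the thread): mod_gnutls exports
# SSL_CLIENT_VERIFY into the request environment. Only "SUCCESS" is treated
# as trustworthy; "FAILED", "NONE" and an unset variable all mean "no
# verified client certificate". An unset variable usually points at
# GnuTLSClientVerify / GnuTLSClientCAFile missing from the vhost that
# actually served the request, which is Nikos's "appropriate place" question.
VERIFIED = "SUCCESS"


def client_cert_verified(environ):
    """True only when the TLS layer reports a verified client certificate."""
    return environ.get("SSL_CLIENT_VERIFY") == VERIFIED


def describe_client(environ):
    """Logging string: verification status plus subject DN, if any.
    SSL_CLIENT_S_DN is assumed to be exported next to SSL_CLIENT_VERIFY."""
    status = environ.get("SSL_CLIENT_VERIFY") or "<unset>"
    subject = environ.get("SSL_CLIENT_S_DN") or "<no certificate>"
    return "SSL_CLIENT_VERIFY=%s subject=%s" % (status, subject)


def require_client_cert(app):
    """WSGI middleware: answer 403 unless the client certificate verified.

    With 'GnuTLSClientVerify request' the handshake completes even for an
    invalid certificate (the log lines in the thread show exactly that), so
    the decision has to be made here. With 'require' the handshake is
    refused and this gate only remains as a second line of defence.
    """
    def gate(environ, start_response):
        if client_cert_verified(environ):
            return app(environ, start_response)
        errors = environ.get("wsgi.errors", sys.stderr)
        errors.write("denied %s %s (%s)\n" % (
            environ.get("REQUEST_METHOD", "-"),
            environ.get("PATH_INFO", "-"),
            describe_client(environ)))
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"client certificate required\n"]
    return gate


def call(app, environ):
    """Run a WSGI app once and return (status line, body bytes)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        return lambda data: None

    body = b"".join(app(environ, start_response))
    return captured["status"], body


def protected_app(environ, start_response):
    """Constructed sample application sitting behind the gate."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    subject = environ.get("SSL_CLIENT_S_DN", "?")
    return [b"hello " + subject.encode("utf-8") + b"\n"]


gated = require_client_cert(protected_app)

if __name__ == "__main__":
    # Constructed environments standing in for what mod_gnutls would export.
    for env in (
        {"SSL_CLIENT_VERIFY": "SUCCESS", "SSL_CLIENT_S_DN": "CN=andre1"},
        {"SSL_CLIENT_VERIFY": "FAILED", "PATH_INFO": "/secure"},
        {},
    ):
        print(call(gated, env))
```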
From: Andre St-L. <And...@ca...> - 2012-10-10 12:45:00

We have configured mod_gnutls. We have an unexpected behavior when providing an invalid certificate.

When we provide a valid certificate we get the following in our log:

[Wed Oct 10 10:11:19 2012] [debug] gnutls_hooks.c(1181): [client 192.168.0.183] GnuTLS: A Chain of 1 certificate(s) was provided for validation
[Wed Oct 10 10:11:19 2012] [debug] gnutls_hooks.c(1236): [client 192.168.0.183] GnuTLS: Verifying list of 1 certificate(s)
===> [Wed Oct 10 10:11:20 2012] [error] [client 192.168.0.183] GnuTLS: Handshake Failed. Hit Maximum Attempts

And the test page gets displayed.

When we provide an invalid certificate we get the following in our log:

[Wed Oct 10 10:14:14 2012] [debug] gnutls_hooks.c(1181): [client 192.168.0.183] GnuTLS: A Chain of 1 certificate(s) was provided for validation
[Wed Oct 10 10:14:14 2012] [debug] gnutls_hooks.c(1236): [client 192.168.0.183] GnuTLS: Verifying list of 1 certificate(s)
[Wed Oct 10 10:14:14 2012] [info] [client 192.168.0.183] GnuTLS: Could not find Signer for Peer Certificate
[Wed Oct 10 10:14:14 2012] [info] [client 192.168.0.183] GnuTLS: Peer Certificate is invalid.
===> [Wed Oct 10 10:14:14 2012] [error] [client 192.168.0.183] GnuTLS: Handshake Failed. Hit Maximum Attempts

Questions:
1) Should we worry about the error: GnuTLS: Handshake Failed. Hit Maximum Attempts
2) What is the expected behavior when an invalid certificate is sent back to the server? Should mod-gnutls deny the request, or should the denial of the request be handled by another means?

Configuration file:

#
# When we also provide SSL we have to listen to the
# standard HTTP port (see above) and to the HTTPS port
#
# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
#       Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
#
Listen 443

#
# Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

<VirtualHost _default_:443>

# General setup for the virtual host
DocumentRoot "/opt/apache2.2.23/htdocs"
ServerName trbptest.com:443
ServerAdmin yo...@ex...
ErrorLog "/opt/apache2.2.23/logs/error_log"
TransferLog "/opt/apache2.2.23/logs/access_log"

#
# GNUTLS
#
GnuTLSEnable on
GnuTLSPriorities NONE:+VERS-TLS1.1:+VERS-TLS1.0:+VERS-SSL3.0:+COMP-NULL:+SHA1:+MD5:+RSA:+DHE-RSA:+CAMELLIA-128-CBC:+ARCFOUR-128:+AES-128-CBC:+3DES-CBC
#GnuTLSPriorities SECURE:+VERS-TLS1.1:+AES-128-CBC:+RSA:+SHA1
GnuTLSClientCAFile conf/ssl/andre1.cer
GnuTLSCertificateFile conf/ssl/trbptest_com_server.crt
GnuTLSKeyFile conf/ssl/test.entrust.com.key
GnuTLSClientVerify request

</VirtualHost>

Versions of software:
Apache 2.2.23 - compiled and installed locally
gmp.i686 4.3.1-7.el6_2.2 rhel-x86_64-server-6
nettle 2.5 - compiled and installed locally
libxml2.i686 2.7.6-8.el6_3.3 rhel-x86_64-server-6
mod_gnutls-0.5.10

Thanks,
A
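An added triage script for the error_log lines quoted in this report (example code written for this thread, not part of mod_gnutls): it groups the GnuTLS messages into handshake sessions and separates a verification failure, which is the certificate's fault, from the "Handshake Failed. Hit Maximum Attempts" line, which the report shows in both the valid and the invalid case and which is therefore not on its own evidence of a bad client certificate. The sample input is constructed from the lines above.

```python
import re

# Apache 2.2 error_log lines as mod_gnutls writes them. The
# "gnutls_hooks.c(NNNN): " source reference only appears at debug level,
# and the report marks some lines with a leading "===>".
LINE_RE = re.compile(
    r"^(?:===>\s*)?\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] "
    r"(?:[\w.]+\(\d+\): )?\[client (?P<client>[^\]]+)\] GnuTLS: (?P<msg>.*)$"
)

# Message fragment -> event name. Order matters: first match wins.
EVENTS = (
    ("A Chain of", "presented"),                    # client sent a certificate chain
    ("Could not find Signer", "untrusted_issuer"),  # chain does not reach GnuTLSClientCAFile
    ("Peer Certificate is invalid", "invalid"),     # the verification verdict
    ("Handshake Failed", "handshake_failed"),       # generic; not a verdict on the cert
)


def parse_line(line):
    """Return (timestamp, level, client, message), or None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("level"), m.group("client"), m.group("msg")


def classify(message):
    for needle, event in EVENTS:
        if needle in message:
            return event
    return None


def sessions(lines):
    """Group GnuTLS events into handshake sessions per client address.

    A session opens at the 'A Chain of' line (the client sent its
    certificate) and closes at the next 'Handshake Failed' line for that
    client. Lines for a client with no open session (a handshake that never
    reached the certificate) open a session of their own.
    """
    open_sessions = {}
    result = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _level, client, msg = parsed
        event = classify(msg)
        if event is None:
            continue
        if event == "presented" or client not in open_sessions:
            sess = {"client": client, "start": ts, "events": []}
            open_sessions[client] = sess
            result.append(sess)
        open_sessions[client]["events"].append(event)
        if event == "handshake_failed":
            open_sessions.pop(client)
    return result


def verdict(events):
    """Reading of one session's event list."""
    if "invalid" in events or "untrusted_issuer" in events:
        return ("client presented a certificate that does not chain to the "
                "configured CA; with GnuTLSClientVerify 'request' the request "
                "still reaches the application, so the script must check "
                "SSL_CLIENT_VERIFY")
    if "handshake_failed" in events and "presented" in events:
        return ("no verification failure logged but the handshake still "
                "reported failure; as in the valid-certificate case this line "
                "alone is not evidence of a bad certificate")
    if "handshake_failed" in events:
        return "handshake failed before any certificate was presented"
    return "no problem recorded"


# Constructed sample: the lines quoted in the report above.
SAMPLE_LOG = """\
[Wed Oct 10 10:11:19 2012] [debug] gnutls_hooks.c(1181): [client 192.168.0.183] GnuTLS: A Chain of 1 certificate(s) was provided for validation
[Wed Oct 10 10:11:19 2012] [debug] gnutls_hooks.c(1236): [client 192.168.0.183] GnuTLS: Verifying list of 1 certificate(s)
===> [Wed Oct 10 10:11:20 2012] [error] [client 192.168.0.183] GnuTLS: Handshake Failed. Hit Maximum Attempts
[Wed Oct 10 10:14:14 2012] [debug] gnutls_hooks.c(1181): [client 192.168.0.183] GnuTLS: A Chain of 1 certificate(s) was provided for validation
[Wed Oct 10 10:14:14 2012] [debug] gnutls_hooks.c(1236): [client 192.168.0.183] GnuTLS: Verifying list of 1 certificate(s)
[Wed Oct 10 10:14:14 2012] [info] [client 192.168.0.183] GnuTLS: Could not find Signer for Peer Certificate
[Wed Oct 10 10:14:14 2012] [info] [client 192.168.0.183] GnuTLS: Peer Certificate is invalid.
===>[Wed Oct 10 10:14:14 2012] [error] [client 192.168.0.183] GnuTLS: Handshake Failed. Hit Maximum Attempts
"""

if __name__ == "__main__":
    for sess in sessions(SAMPLE_LOG.splitlines()):
        print(sess["client"], sess["start"], sess["events"])
        print("  ->", verdict(sess["events"]))
```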
From: Jan S. <jst...@gm...> - 2012-07-11 06:32:34

Fixed the load problem by using memcache instead of dbm (had to compile on my own).
Fixed the problem with the www prefix by installing this patch https://github.com/jast/mod_gnutls

*close*

2012/7/10 Jan Stuhlmann <jst...@gm...>

> Hi,
>
> I've just configured mod_gnutls (Thanks for that great work!) and mostly
> everything works fine.
> There is only a small problem left:
>
> I've configured 2 VHosts each with an own domain and an own SSL
> Certificate. For the 1st VHost everything works correctly - I can reach
> the domain with or without the www. prefix (the right SSL Certificate
> is delivered).
> For the 2nd VHost, I can use the Domain with www. prefix and I get the
> right cert. But if I'm trying to use the Domain WITHOUT www. the browser
> gets the certificate from the 1st VHost (and therefore issues an SSL
> Warning).
> If I change the order of defining the VHosts, I have the problem on the
> other Vhost (always the last defined), so I guess my certificates work
> for both domains with and without www.
>
> I have several other VHosts with other SSL certificates but only one
> Domain (sub.domain.tld) which should be used - they work fine too.
> There is also nothing written in apache's error log :(
>
> I would be very thankful for any help. You'll find my Vhost config
> attached (and you can test the domains used in that config as they are
> all publicly reachable).
>
> Best regards
> Jan
>
> # the http variant for domain1
> <VirtualHost *:80>
>   ServerName mitbringen.net
>   ServerAlias www.mitbringen.net
>   DocumentRoot "..."
> </VirtualHost>
>
> # the https variant for domain1 (works fine)
> <VirtualHost *:443>
>   ServerName mitbringen.net
>   ServerAlias www.mitbringen.net
>   DocumentRoot "..."
>
>   GnuTLSEnable on
>   GnuTLSCertificateFile /var/www/mitbringen.crt
>   GnuTLSKeyFile /var/www/mitbringen.key
>   GnuTLSPriorities SECURE:!MD5
> </VirtualHost>
>
> # the mobile vhost for domain1 (works fine but has only one domain which
> # should be used)
> <VirtualHost *:443>
>   ServerName mobil.mitbringen.net
>   DocumentRoot "..."
>
>   GnuTLSEnable on
>   GnuTLSCertificateFile /var/www/mobil.mitbringen..crt
>   GnuTLSKeyFile /var/www/mobil.mitbringen.key
>   GnuTLSPriorities SECURE:!MD5
> </VirtualHost>
>
> # the http variant for domain2
> <VirtualHost *:80>
>   ServerName garaflo.de
>   ServerAlias www.garaflo.de
>   DocumentRoot "..."
> </VirtualHost>
>
> # the https variant for domain2 (www.garaflo.de works fine, garaflo.de
> # returns the wrong certificate (for mitbringen.net))
> <VirtualHost *:443>
>   ServerName garaflo.de
>   ServerAlias www.garaflo.de
>   DocumentRoot "..."
>
>   GnuTLSEnable on
>   GnuTLSCertificateFile /var/www/garaflo.de.crt
>   GnuTLSKeyFile /var/www/garaflo.de.key
>   GnuTLSPriorities SECURE:!MD5
> </VirtualHost>
>
> # the mobile https variant for domain2 (works fine but has only 1 domain)
> <VirtualHost *:443>
>   ServerName mobil.garaflo.de
>   DocumentRoot "..."
>
>   GnuTLSEnable on
>   GnuTLSCertificateFile /var/www/mobil.garaflo.crt
>   GnuTLSKeyFile /var/www/mobil.garaflo.key
>   GnuTLSPriorities SECURE:!MD5
> </VirtualHost>
From: Jan S. <jst...@gm...> - 2012-07-10 14:09:17

Sorry for the self reply, but you can't use the given domains for testing anymore. I had to switch back to mod_ssl as apache2 processes forced a CPU load of 100% after a while. Something seems to be terribly wrong..?

Jan
From: Jan S. <jst...@gm...> - 2012-07-10 08:50:03

Hi,

I've just configured mod_gnutls (Thanks for that great work!) and mostly everything works fine.
There is only a small problem left:

I've configured 2 VHosts each with an own domain and an own SSL Certificate. For the 1st VHost everything works correctly - I can reach the domain with or without the www. prefix (the right SSL Certificate is delivered).
For the 2nd VHost, I can use the Domain with www. prefix and I get the right cert. But if I'm trying to use the Domain WITHOUT www. the browser gets the certificate from the 1st VHost (and therefore issues an SSL Warning).
If I change the order of defining the VHosts, I have the problem on the other Vhost (always the last defined), so I guess my certificates work for both domains with and without www.

I have several other VHosts with other SSL certificates but only one Domain (sub.domain.tld) which should be used - they work fine too.
There is also nothing written in apache's error log :(

I would be very thankful for any help. You'll find my Vhost config attached (and you can test the domains used in that config as they are all publicly reachable).

Best regards
Jan

# the http variant for domain1
<VirtualHost *:80>
  ServerName mitbringen.net
  ServerAlias www.mitbringen.net
  DocumentRoot "..."
</VirtualHost>

# the https variant for domain1 (works fine)
<VirtualHost *:443>
  ServerName mitbringen.net
  ServerAlias www.mitbringen.net
  DocumentRoot "..."

  GnuTLSEnable on
  GnuTLSCertificateFile /var/www/mitbringen.crt
  GnuTLSKeyFile /var/www/mitbringen.key
  GnuTLSPriorities SECURE:!MD5
</VirtualHost>

# the mobile vhost for domain1 (works fine but has only one domain which
# should be used)
<VirtualHost *:443>
  ServerName mobil.mitbringen.net
  DocumentRoot "..."

  GnuTLSEnable on
  GnuTLSCertificateFile /var/www/mobil.mitbringen..crt
  GnuTLSKeyFile /var/www/mobil.mitbringen.key
  GnuTLSPriorities SECURE:!MD5
</VirtualHost>

# the http variant for domain2
<VirtualHost *:80>
  ServerName garaflo.de
  ServerAlias www.garaflo.de
  DocumentRoot "..."
</VirtualHost>

# the https variant for domain2 (www.garaflo.de works fine, garaflo.de
# returns the wrong certificate (for mitbringen.net))
<VirtualHost *:443>
  ServerName garaflo.de
  ServerAlias www.garaflo.de
  DocumentRoot "..."

  GnuTLSEnable on
  GnuTLSCertificateFile /var/www/garaflo.de.crt
  GnuTLSKeyFile /var/www/garaflo.de.key
  GnuTLSPriorities SECURE:!MD5
</VirtualHost>

# the mobile https variant for domain2 (works fine but has only 1 domain)
<VirtualHost *:443>
  ServerName mobil.garaflo.de
  DocumentRoot "..."

  GnuTLSEnable on
  GnuTLSCertificateFile /var/www/mobil.garaflo.crt
  GnuTLSKeyFile /var/www/mobil.garaflo.key
  GnuTLSPriorities SECURE:!MD5
</VirtualHost>
From: Benny B. <Ben...@gm...> - 2012-05-19 13:03:12

Hi,

is there a way with the latest stable release to set the order of preference of ciphers similar to mod_ssl as shown here[1]? Currently the best I've come up with was

    GnuTLSPriorities SECURE:!MD5:!ANON-DH:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:-VERS-SSL3.0:+COMP-DEFLATE:-AES-128-CBC:-CAMELLIA-128-CBC:-3DES-CBC:-ARCFOUR-40:+DHE-RSA:+RSA:+SHA256:-AES-256-CBC:-CAMELLIA-256-CBC

which basically disables every cipher except RC4-SHA, but clearly not the thing you'd want as a mitigation. I've been experimenting also with NONE:!MD5:!ANON-DH:+RC4-SHA:+everything else but always get a syntax error on the RC4 part.

Any ideas?

Regards,
BenBE.

[1] https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls
From: Benny B. <Ben...@gm...> - 2012-05-19 12:57:12

Hi,

are there plans for support of linking mod_gnutls with GnuTLS 3.0 and above? I've only seen GnuTLS 2.12, which lacks some current ciphers and operation modes.

Regards,
BenBE.
From: ml <ml...@sm...> - 2012-04-05 16:07:20
From: Silvio M. <sil...@pr...> - 2012-04-05 15:02:40

I have deleted the _default_ VHost but it doesn't work. And I tried one VHost with 2 different locations -> doesn't work. But I can use two different VHosts with different content, so mod_gnutls is active and it works with TLS SNI support, but I can't toggle the client authentication to more than one VHost.

What else can I do? Maybe I have to use mod_ssl with SNI support yet again.

Regards,
Silvio M

Message: 2
Date: Fri, 30 Mar 2012 23:07:22 +0200
From: ml <ml...@sm...>
Subject: Re: [modgnutls-support] Differentiation X509 Client-Auth with different VHosts doesn't work?
To: <mod...@li...>
Message-ID: <2b2...@ro...>
Content-Type: text/plain; charset=UTF-8; format=flowed

it seems that this is a problem of how Apache chooses the vhosts by default

ProGOV Suite - the central all-rounder for efficiency and security. Visit the new product website www.progov.de and learn more about the integration platform from procilon.

procilon IT-Solutions GmbH
Leipziger Straße 110
04425 Taucha bei Leipzig
tel: +49 34298 4878-10
fax: +49 34298 4878-11
www.procilon.de

Registered office: Leipziger Straße 110, 04425 Taucha bei Leipzig
Leipzig District Court HRB 18003, Managing Director Steffen Scholz

This e-mail may contain trade secrets or privileged, undisclosed, or otherwise confidential information. If you have received this e-mail in error, you are hereby notified that any review, copying, or distribution of it is strictly prohibited. Please inform us immediately and destroy the original transmittal. Thank you for your cooperation.
From: ml <ml...@sm...> - 2012-03-30 21:21:22

it seems that this is a problem of how Apache chooses the vhosts by default

On 2012-03-30 18:12, Silvio Mink wrote:
> Hi,
>
> this configuration maybe doesn't work with Apache/2.2.10 and gnutls
> 0.5.10:
>
> <VirtualHost 1.2.3.4:443>
>     Servername test1.local:443
>     GnuTLSEnable on
>     GnuTLSPriorities Normal
>     GNUTLSExportCertificates on
>     GnuTLSX509CertificateFile /etc/apache2/ssl/server.cer
>     GnuTLSX509KeyFile /etc/apache2/ssl/server.key
>
>     GnuTLSClientVerify ignore
>
>     Documentroot /test
> </VirtualHost>
>
> <VirtualHost 1.2.3.4:443>
>     Servername test2.local:443
>     GnuTLSEnable on
>     GnuTLSPriorities Normal
>     GNUTLSExportCertificates on
>     GnuTLSX509CertificateFile /etc/apache2/ssl/server.cer
>     GnuTLSX509KeyFile /etc/apache2/ssl/server.key
>
>     GnuTLSClientVerify require
>
>     Documentroot /test2
> </VirtualHost>
>
> My Browser (Chrome, Firefox 11) is only requesting a client
> certificate, when the first VHost also uses the directive
> "GnuTLSClientVerify require".
>
> Is this a bug or am I doing something wrong?
>
> Thanks
>
> Regards,
> Silvio M

-- 
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC2626742
gpg --keyserver pgp.mit.edu --recv-key C2626742
http://urlshort.eu fakessh @
http://gplus.to/sshfake
http://gplus.to/sshswilting
http://gplus.to/john.swilting
https://lists.fakessh.eu/mailman/
This list is moderated by me, but all applications will be accepted provided they receive a note of presentation
From: Silvio M. <sil...@pr...> - 2012-03-30 16:14:23

Hi,

this configuration maybe doesn't work with Apache/2.2.10 and gnutls 0.5.10:

    <VirtualHost 1.2.3.4:443>
        Servername test1.local:443
        GnuTLSEnable on
        GnuTLSPriorities Normal
        GNUTLSExportCertificates on
        GnuTLSX509CertificateFile /etc/apache2/ssl/server.cer
        GnuTLSX509KeyFile /etc/apache2/ssl/server.key

        GnuTLSClientVerify ignore

        Documentroot /test
    </VirtualHost>

    <VirtualHost 1.2.3.4:443>
        Servername test2.local:443
        GnuTLSEnable on
        GnuTLSPriorities Normal
        GNUTLSExportCertificates on
        GnuTLSX509CertificateFile /etc/apache2/ssl/server.cer
        GnuTLSX509KeyFile /etc/apache2/ssl/server.key

        GnuTLSClientVerify require

        Documentroot /test2
    </VirtualHost>

My browser (Chrome, Firefox 11) is only requesting a client certificate when the first VHost also uses the directive "GnuTLSClientVerify require".

Is this a bug or am I doing something wrong?

Thanks

Regards,
Silvio M
From: Kamenik, A. <ale...@kr...> - 2012-03-05 15:05:44

I'm trying to set up client certificate auth on a server for a subdirectory. The root dir is currently also htpasswd and/or IP protected during development.

    <Directory "/srv/www/vhosts/rootdir">
        Options SymLinksifOwnerMatch
        AllowOverride AuthConfig
        AuthUserFile /srv/www/vhosts/demo.passwd
        AuthType Basic
        AuthName "demo"
        Require valid-user
        Order allow,deny
        Allow from 192.168
        Satisfy any
    </Directory>

    <Directory "/srv/www/vhosts/rootdir/subdir">
        GnuTLSClientVerify request
    </Directory>

First, GnuTLSClientVerify does not work. I'm not asked to choose a certificate with any browser and SSL_CLIENT_VERIFY always reports NONE. It works when I put it in the Virtual Host context, but not in the directory context.

Second, when I change "request" to "require" I'm presented with the user+passwd dialog, as if I'm not connecting from the allowed IP range anymore. After entering correct credentials I still get NONE. I tried removing all the auths from the rootdir; client auth in subdir still didn't work.

Third, Firefox says "SSL peer was unable to negotiate an acceptable set of security parameters. (Error code: ssl_error_handshake_failure_alert)" on the first request to host/subdir; refreshing however fixes the issue (I see my empty index.php). ctrl+shift+r however produces the error again. Other browsers don't have this issue. Tested with Firefox on Linux and Windows.

What am I missing?

Regards,

Aleksander Kamenik
System Administrator
Krediidiinfo AS
an Experian Company
Phone: +372 665 9649
Email: ale...@kr...
From: Kamenik, A. <ale...@kr...> - 2012-01-11 13:21:20

>> What's the state of TLS1.0 support? It looks everything that supports
>> SSLv3 also supports TLS1.0 too, making SSLv3 redundant. Any exceptions?
>> I couldn't find much info on Google, the two are usually lumped
>> together as SSLv3/TLS1.0.
>
> There are really ancient products that only support SSL 3.0. If you
> don't care about them you may disable SSL 3.0 completely.

I disabled SSLv3 and only allowed TLSv1 on a mod_ssl Apache server and discovered a few clients that actually broke. The connection didn't succeed at all, as if TLSv1 was disabled as well or something like that.

I got to talk to two clients over the phone. One was using at least Windows Vista with some IE version and the other was Windows 7 Ultimate with IE9. At the same time the website worked fine with Firefox on the affected PCs, so it was an IE-only issue on modern Windows PCs.

I have no idea what caused the issue for these few clients, especially as they used up to date software. And I tried using IE on various Windowses and it always worked for me.

Let this be a warning to others though: Internet Explorer may still surprise you.

Unfortunately I didn't get a chance to test this with mod_gnutls TLSv1 only.

Regards,

Aleksander Kamenik
System Administrator
Krediidiinfo AS
an Experian Company
Phone: +372 665 9649
Email: ale...@kr...
From: <ipa...@gm...> - 2011-12-16 12:47:55

Hello,

I've got a problem with two different domains on one IP: the certificate from the first domain/virtualhost is assigned to the second domain, but only to the alternative domain for this cert.

Example:

    virtualhost1:
        ServerName www.testA.com
        ServerAlias testA.com

    cert1 for virtualhost1:
        Common Name = www.testA.com
        Subject Alternative Names = www.testA.com, testA.com

    virtualhost2:
        ServerName www.testB.com
        ServerAlias testB.com

    cert2 for virtualhost2:
        Common Name = www.testB.com
        Subject Alternative Names = www.testB.com, testB.com

There is no problem with the https://www.testB.com domain, but when I run https://testB.com the browser returns an error: ssl_error_bad_cert_domain, because cert1 is returned instead of cert2.

I've got the same problem in many cases.

My software: Apache 2.2.9 and mod_gnutls 0.5.6

What am I doing wrong? Please help.

Best Regards,
Konrad Kraszy
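Jan S.'s message above and this one describe the same symptom: the bare domain (no www.) receives the certificate of a different VirtualHost. The following is an added example, not code from mod_gnutls or from either poster. It is a small Python model of the two mechanisms that meet here: Apache's name-based selection of a <VirtualHost> from the SNI name the client sends, and the client's check of the presented certificate against the hostname. The vhost and certificate data are constructed from the names in this message; the ServerAlias matching is a simplification (Apache also accepts shell-style wildcards), and the model shows the expected behaviour and the two configuration mistakes that reproduce the symptom, not whatever bug the posters actually hit.

```python
"""Model of SNI-based virtual host selection and certificate name checking.

Added example (not mod_gnutls code). Two assumptions are built in and
labelled: Apache's name-based selection is reduced to "first vhost whose
ServerName/ServerAlias matches, else the first-defined vhost", and the
client's hostname check follows the RFC 6125 rules (SAN dNSNames first,
CN only as a fallback when the certificate carries no dNSName SANs).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class VHost:
    server_name: str
    server_aliases: List[str]
    cert_cn: str
    cert_sans: List[str]          # dNSName entries of the certificate


def name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive DNS name comparison. A leading '*' label matches
    exactly one label, so '*.testB.com' covers www.testB.com but not testB.com."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), host.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return False


def select_vhost(vhosts: List[VHost], sni_host: Optional[str]) -> VHost:
    """First vhost whose ServerName or ServerAlias matches the SNI name.
    Without SNI, or with no match, Apache serves the first-defined vhost,
    so that vhost's certificate is what the client sees."""
    if sni_host:
        for v in vhosts:
            if any(name_matches(n, sni_host) for n in [v.server_name, *v.server_aliases]):
                return v
    return vhosts[0]


def cert_covers(v: VHost, host: str) -> bool:
    """Client-side check: match against SAN dNSNames; CN only if there are none."""
    names = v.cert_sans or [v.cert_cn]
    return any(name_matches(n, host) for n in names)


def diagnose(vhosts: List[VHost], sni_host: Optional[str]) -> Dict[str, object]:
    """Which vhost answers, and whether its certificate satisfies the client."""
    v = select_vhost(vhosts, sni_host)
    return {
        "vhost": v.server_name,
        "cert_ok": cert_covers(v, sni_host) if sni_host else None,
    }


# Constructed configuration using the names from the message above.
VHOSTS = [
    VHost("www.testA.com", ["testA.com"], "www.testA.com", ["www.testA.com", "testA.com"]),
    VHost("www.testB.com", ["testB.com"], "www.testB.com", ["www.testB.com", "testB.com"]),
]

# Same, but the second vhost lacks "ServerAlias testB.com": the bare name then
# falls through to the first vhost, which presents cert1 (ssl_error_bad_cert_domain).
VHOSTS_MISSING_ALIAS = [
    VHOSTS[0],
    VHost("www.testB.com", [], "www.testB.com", ["www.testB.com", "testB.com"]),
]

if __name__ == "__main__":
    for hosts, label in ((VHOSTS, "as configured"), (VHOSTS_MISSING_ALIAS, "alias missing")):
        for name in ("www.testB.com", "testB.com", None):
            print(label, name, diagnose(hosts, name))
```

Two things the model makes visible: a client that sends no SNI at all (`None`) always lands on the first-defined vhost, and a certificate whose only name is in the CN does not cover the bare domain even when the right vhost is selected. Checking both the ServerAlias list and the SAN list of the vhost that answers is the first step when a name gets the "wrong" certificate.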
From: Nikos M. <nm...@gn...> - 2011-12-11 09:53:55

On 12/10/2011 06:11 PM, Kamenik, Aleksander wrote:
> Hi,
>
> I'm checking out gnutls and trying it out. Got several questions.
> 1.
> I'm struggling with the GnuTLSPriorities option.
> I'm trying to prioritise ARCFOUR-128 for use with TLS1.0 and SSLv3 (BEAST), yet offer other ciphers for use with TLS1.1 and TLS1.2. I know RC4 is good enough and almost nothing supports 1.2, it's more of an academic interest and to get a pretty score on the qualys ssl server test.
> I tried several approaches yet couldn't find any _only_ TLS1.1/TLS1.2 ciphers I could use. I couldn't prioritise RC4 for TLSv1 either, the better ciphers were always picked up first.

The gnutls priority strings cannot be used to set ciphersuites per version. Moreover the ordering does not change any priorities on the server. The client sets the priorities and the server selects the highest asked by the client (this might change in the future though).

> What's the state of TLS1.0 support? It looks everything that supports SSLv3 also supports TLS1.0 too, making SSLv3 redundant. Any exceptions? I couldn't find much info on Google, the two are usually lumped together as SSLv3/TLS1.0.

There are really ancient products that only support SSL 3.0. If you don't care about them you may disable SSL 3.0 completely.

> From the documentation for GnuTLSSessionTickets aka session resumption:
> "Use for servers with limited storage, and don't combine with GnuTLSCache."
> Why not and where does it store the tickets if not the cache?

The tickets are stored in the client :) The idea is to avoid all local storage and delegate storing to your clients. Google uses that extensively.

> Anyway session resumption didn't work with GnuTLSCache set to None.

If you enabled tickets, then it might be that you tested with a client that doesn't support tickets.

regards,
Nikos
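Benny B.'s question earlier on this page (the long GnuTLSPriorities string, and the syntax error on "+RC4-SHA") and Nikos's answer here (the string cannot tie ciphers to protocol versions and imposes no server-side order) both come down to how a priority string is read. The following is an added example, not GnuTLS or mod_gnutls code: a small Python model of the priority-string grammar, an initial keyword followed by "+", "-" or "!" tokens that each name one algorithm. The algorithm table and the starting set behind SECURE are constructed for illustration and are not GnuTLS's real tables (those vary by library version, and the real library has further categories such as signature algorithms that the model omits); treating "-" and "!" identically is also a simplification. What it does show is what the thread's string leaves enabled and why "+RC4-SHA" fails: the tokens name individual algorithms in GnuTLS spelling (ARCFOUR-128, SHA1), not OpenSSL-style cipher suite names, and every "+" simply appends to a flat per-category list, so nothing in the syntax can attach a cipher to a particular version.

```python
"""Simplified interpreter for GnuTLS priority strings (added example).

Constructed model: CATALOG is a subset of real GnuTLS token names, the
starting sets in KEYWORDS are illustrative, and '-' and '!' are treated
the same. Not GnuTLS code; it only mirrors the token grammar.
"""
from typing import Dict, List

CATEGORIES = ("cipher", "mac", "kx", "version", "compression")

# token -> category, using GnuTLS spelling of the algorithm names
CATALOG = {
    "AES-128-CBC": "cipher", "AES-256-CBC": "cipher",
    "CAMELLIA-128-CBC": "cipher", "CAMELLIA-256-CBC": "cipher",
    "3DES-CBC": "cipher", "ARCFOUR-128": "cipher", "ARCFOUR-40": "cipher",
    "MD5": "mac", "SHA1": "mac", "SHA256": "mac",
    "RSA": "kx", "DHE-RSA": "kx", "DHE-DSS": "kx", "ANON-DH": "kx",
    "VERS-SSL3.0": "version", "VERS-TLS1.0": "version",
    "VERS-TLS1.1": "version", "VERS-TLS1.2": "version",
    "COMP-NULL": "compression", "COMP-DEFLATE": "compression",
}

# Illustrative starting sets for the initial keyword (constructed).
KEYWORDS = {
    "NONE": {c: [] for c in CATEGORIES},
    "SECURE": {
        "cipher": ["AES-256-CBC", "CAMELLIA-256-CBC", "AES-128-CBC",
                   "CAMELLIA-128-CBC", "3DES-CBC", "ARCFOUR-128"],
        "mac": ["SHA1", "SHA256", "MD5"],
        "kx": ["DHE-RSA", "DHE-DSS", "RSA"],
        "version": ["VERS-TLS1.1", "VERS-TLS1.0", "VERS-SSL3.0"],
        "compression": ["COMP-NULL"],
    },
}


def resolve(priority: str) -> Dict[str, List[str]]:
    """Apply the tokens left to right and return the enabled list per category."""
    head, *rest = priority.split(":")
    if head not in KEYWORDS:
        raise ValueError(f"syntax error at {head!r}: unknown initial keyword")
    enabled = {cat: list(items) for cat, items in KEYWORDS[head].items()}
    for tok in rest:
        if not tok or tok[0] not in "+-!":
            raise ValueError(f"syntax error at {tok!r}: expected +, - or ! prefix")
        op, name = tok[0], tok[1:]
        cat = CATALOG.get(name)
        if cat is None:
            # A suite name such as RC4-SHA is not an algorithm token; RC4 with
            # SHA-1 is spelled as two tokens, +ARCFOUR-128:+SHA1.
            raise ValueError(f"syntax error at {tok!r}: unknown algorithm {name!r}")
        lst = enabled[cat]
        if op == "+":
            if name not in lst:
                lst.append(name)          # '+' appends; there is no per-version slot
        elif name in lst:
            lst.remove(name)              # '-' and '!' modelled alike: remove
    return enabled


def explain(priority: str) -> str:
    """One-line summary of the enabled algorithms, or the syntax error text."""
    try:
        enabled = resolve(priority)
    except ValueError as exc:
        return str(exc)
    parts = []
    for cat in CATEGORIES:
        parts.append(f"{cat}: {', '.join(enabled[cat]) or '(none)'}")
    return "; ".join(parts)


# The string from the thread, and the GnuTLS spelling of "RC4 with SHA-1 only".
THREAD_STRING = ("SECURE:!MD5:!ANON-DH:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:"
                 "-VERS-SSL3.0:+COMP-DEFLATE:-AES-128-CBC:-CAMELLIA-128-CBC:"
                 "-3DES-CBC:-ARCFOUR-40:+DHE-RSA:+RSA:+SHA256:-AES-256-CBC:"
                 "-CAMELLIA-256-CBC")
RC4_SHA_GNUTLS_STYLE = "NONE:+ARCFOUR-128:+SHA1:+RSA:+DHE-RSA:+VERS-TLS1.0:+VERS-TLS1.1:+COMP-NULL"

if __name__ == "__main__":
    print(explain(THREAD_STRING))
    print(explain("NONE:!MD5:!ANON-DH:+RC4-SHA"))
    print(explain(RC4_SHA_GNUTLS_STYLE))
```

Running it shows the thread's string reduced to a single cipher (ARCFOUR-128) with TLS 1.0 through 1.2 and no SSL 3.0, which is the "everything except RC4" effect Benny describes, and the OpenSSL-style token rejected at the parser, which matches the syntax error he saw.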