From: Kamenik, A. <ale...@kr...> - 2011-12-10 17:38:39

Hi, I'm checking out gnutls and trying it out. Got several questions.

1. I'm struggling with the GnuTLSPriorities option. I'm trying to prioritise ARCFOUR-128 for use with TLS1.0 and SSLv3 (BEAST), yet offer other ciphers for use with TLS1.1 and TLS1.2. I know RC4 is good enough and almost nothing supports 1.2, it's more of an academic interest and to get a pretty score on the qualys ssl server test. I tried several approaches yet couldn't find any _only_ TLS1.1/TLS1.2 ciphers I could use. I couldn't prioritise RC4 for TLSv1 either, the better ciphers were always picked up first. mod_ssl offers an option SSLHonorCipherOrder (+ pushes the algorithm to end of the list), could there be something like this for gnutls/mod_gnutls?

2. Any idea why the sslscan tool hangs when scanning a mod_tls server while working OK scanning mod_ssl server? http://sourceforge.net/projects/sslscan/ It looks like mod_ssl has different behaviour, I haven't investigated yet.

3. There's an extra include for extra.h that shouldn't be there:

--- mod_gnutls-0.5.10/include/mod_gnutls.h.in 2011-07-09 00:29:46.000000000 +0300 +++ mod_gnutls-0.5.10.extra.h.removed/include/mod_gnutls.h.in 2011-12-09 12:44:01.000000000 +0200
@@ -28,7 +28,6 @@ #include "ap_release.h" #include <gnutls/gnutls.h> -#include <gnutls/extra.h> #include <gnutls/openpgp.h> #include <gnutls/x509.h>

libextra is gone since gnutls 3.0.5. I don't think it was used in mod_gnutls.

4. What's the state of TLS1.0 support? It looks everything that supports SSLv3 also supports TLS1.0 too, making SSLv3 redundant. Any exceptions? I couldn't find much info on Google, the two are usually lumped together as SSLv3/TLS1.0.

5. When using mod_ssl one can use %x directive to write the protocol and cipher used in the logfile: https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#logformats With mod_gnutls I get this error: Unrecognized LogFormat directive %x

6. From the documentation for GnuTLSSessionTickets aka session resumption: "Use for servers with limited storage, and don't combine with GnuTLSCache." Why not and where does it store the tickets if not the cache? Anyway session resumption didn't work with GnuTLSCache set to None. When using memcache it works as reported by the qualys ssl test https://www.ssllabs.com/ssldb/index.html

I'm testing with the latest versions of the software: nettle 2.4, gnutls 3.0.8 and mod_gnutls 0.5.10 on apache httpd 2.2.

Regards,

Aleksander Kamenik
System Administrator
Krediidiinfo AS an Experian Company
Phone: +372 665 9649
Email: ale...@kr...
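Review bot: the hunk removes only the `#include <gnutls/extra.h>` line, and the message says libextra is believed unused rather than confirmed; before merging, check that nothing else in the tree (configure checks or link flags for libgnutls-extra, or any symbol from that header) still references it, otherwise the build keeps failing on gnutls 3.0.5 and later even with this include gone.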
From: Nikos M. <nm...@gn...> - 2011-11-28 20:06:09

On 11/28/2011 08:34 AM, Aaron Jones wrote:
> Hello.
>
> I have the following configured in a VirtualHost: [...]
> However, I am not being prompted for a certificate when browsing to
> /private/ on the website, and if I send one manually with curl:

The easiest way to verify that would be to check with wireshark whether there is a certificate request sent by the server to client, and whether the client replies with a certificate. If no certificate request is sent then it is a server issue, otherwise a client one.

(note that in order for a client to reply to a certificate request he must have a certificate from one of the CAs set in GnuTLSClientCAFile)

regards,
Nikos
From: Aaron J. <aar...@gm...> - 2011-11-28 07:34:51

Hello.

I have the following configured in a VirtualHost:

DocumentRoot /media/websites/<redacted>/htdocs
ErrorLog /media/websites/<redacted>/error.log
LogLevel debug

GnuTLSEnable On
GnuTLSDHFile /etc/apache2/ssl/dh.pem
GnuTLSCertificateFile /etc/apache2/ssl/<redacted>.crt
GnuTLSKeyFile /etc/apache2/ssl/<redacted>.key
GnuTLSClientCAFile /etc/apache2/ssl/<redacted>-bundle.crt

<Directory "/media/websites/<redacted>/htdocs">
AllowOverride All
Order allow,deny
Allow from all
</Directory>

<Directory "/media/websites/<redacted>/htdocs/private">
Options +Indexes
GnuTLSClientVerify require
</Directory>

And HTTPS is working fine. However, I am not being prompted for a certificate when browsing to /private/ on the website, and if I send one manually with curl:

$ curl -Isk -E '/path/to/my/client/certificate+key.pem' 'https://<redacted>/private/'
HTTP/1.1 403 Forbidden
Date: Mon, 28 Nov 2011 07:21:39 GMT
Server: Apache
Content-Type: text/html; charset=utf-8
$

I get this in the ErrorLog:

[Mon Nov 28 07:21:39 2011] [debug] gnutls_cache.c(361): [gnutls_cache] Cleaned up cache '/var/cache/apache2/gnutls_session_cache'. Deleted 0 and left 3
[Mon Nov 28 07:21:39 2011] [debug] gnutls_hooks.c(850): [client <redacted>] GnuTLS: Attempting to rehandshake with peer. 0 2
[Mon Nov 28 07:21:39 2011] [info] [client <redacted>] GnuTLS: Failed to Verify Peer: Client did not submit a certificate
[Mon Nov 28 07:21:39 2011] [info] [client <redacted>] GnuTLS: Failed to Verify Peer: Client did not submit a certificate
[Mon Nov 28 07:21:39 2011] [debug] mod_headers.c(781): headers: ap_headers_error_filter()

So it seems it's not being asked for or acknowledged at all. This worked with mod_ssl and I have not changed the certificate files since then.

Is there anything more I can provide to help diagnose this?

Thanks in advance.
From: Nikos M. <nm...@gn...> - 2011-11-03 12:51:04

On Thu, Nov 3, 2011 at 10:10 AM, Mike Dilger <mi...@mi...> wrote:
> Hello good people,
> First, thank you very much for this work. Awesome.
> I'm trying to get SRP working on apache in debian squeeze amd64.
> Unfortunately the handshake fails with "Internal error" and the server
> log gives me an "Error in password file".

Are the password files accessible by the web server? Unlike certificates, they should be accessible to the server at any time.

> Any keen insight would be helpful:
> Am I misconfiguring it?
> Are the versions in debian squeeze working?

They are very old.

> GnuTLSPriorities
> NONE:+AES-256-CBC:+AES-128-CBC:+SRP:+SHA1:+COMP-NULL:+VERS-TLS1.1:+VERS-TLS1.0:+VERS-SSL3.0

I'd suggest to use "NORMAL:+SRP". Moreover if your server holds an RSA certificate using "NORMAL:+SRP-RSA" would allow the client to verify that it connected to the legitimate server (otherwise the server is identified only by the knowledge of the user password).

regards,
Nikos
From: Mike D. <mi...@mi...> - 2011-11-03 09:30:06

Hello good people,

First, thank you very much for this work. Awesome.

I'm trying to get SRP working on apache in debian squeeze amd64. Unfortunately the handshake fails with "Internal error" and the server log gives me an "Error in password file".

Any keen insight would be helpful:
Am I misconfiguring it?
Are the versions in debian squeeze working?

(NOTE: some of the following messages have been edited, e.g. with IP.IP.IP.IP and blahblahblah instead of real hostnames, paths, etc).

Debian squeeze ships with these versions:
libgnutls 2.8.6-1
libapache2-mod-gnutls 0.5.6-1

I used srptool to create tpasswd and tpasswd.conf with user=test, password=test.

$ srptool --create-conf tpasswd.conf
$ srptool --passwd tpasswd --passwd-conf tpasswd.conf -u test
password: test

Apache has these already (essentially):

LoadModule gnutls_module /usr/lib/apache2/modules/mod_gnutls.so
<IfModule mod_gnutls.c>
GnuTLSCache dbm /var/cache/apache2/gnutls_cache
</IfModule>

I configured apache vhost like this:

GnuTLSEnable on
# Here we use ONLY SRP for key exchange:
GnuTLSPriorities NONE:+AES-256-CBC:+AES-128-CBC:+SRP:+SHA1:+COMP-NULL:+VERS-TLS1.1:+VERS-TLS1.0:+VERS-SSL3.0
# GnuTLSPriorities NORMAL
# Server still has a certificate
GnuTLSCertificateFile /blah/blah/blah/certchain.pem
GnuTLSKeyFile /blah/blah/blah/serverkey.pem
# Also we have a password file for client authentication
GnuTLSSRPPasswdFile /blah/blah/blah/tpasswd
GnuTLSSRPPasswdConfFile /blah/blah/blah/tpasswd.conf

I used this as a client test:

$ gnutls-cli -V --srpusername test --srppasswd test blahblahblah.com

Which yielded:

Resolving 'blahblahblah.com'...
Connecting to 'IP.IP.IP.IP:443'...
*** Fatal error: A TLS fatal alert has been received.
*** Received alert [80]: Internal error
*** Handshake has failed
GnuTLS error: A TLS fatal alert has been received.

Apache logs give:

[Thu Nov 03 21:28:01 2011] [error] [client IP.IP.IP.IP] GnuTLS: Handshake Failed (-31) 'Error in password file.'
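Mike's setup above (srptool-generated tpasswd, user=test/password=test) and Nikos's remark that with plain SRP the server is identified only by knowledge of the password both come down to what the password file holds and how it is used in the handshake. The following is an added illustration, not code from mod_gnutls or GnuTLS: it computes an RFC 5054 verifier of the kind srptool stores (the password itself is never written), then runs one client/server SRP exchange over the RFC 5054 1024-bit group with the abort checks the RFC requires. The group constant is transcribed from the RFC's Appendix A, the tpasswd/tpasswd.conf file encodings are not reproduced, and the salt is a constructed sample.

```python
import hashlib
import secrets

# 1024-bit SRP group from RFC 5054, Appendix A (transcribed here; confirm it against
# the RFC before relying on it). srptool keeps a group of this kind in tpasswd.conf.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2
NLEN = (N.bit_length() + 7) // 8   # 128 bytes: the width of the RFC's PAD()


def pad(x: int) -> bytes:
    """Big-endian bytes, left-padded to the group length (RFC 5054 PAD())."""
    return x.to_bytes(NLEN, "big")


def h(*parts: bytes) -> int:
    """SHA-1 of the concatenated parts, read as an integer (RFC 5054 H())."""
    return int.from_bytes(hashlib.sha1(b"".join(parts)).digest(), "big")


K = h(pad(N), pad(g))               # k = SHA1(N | PAD(g))


def private_x(username: str, password: str, salt: bytes) -> int:
    """x = SHA1(s | SHA1(I | ':' | P)). Only the client, which has P, computes this."""
    return h(salt, hashlib.sha1(f"{username}:{password}".encode()).digest())


def make_verifier(username: str, password: str, salt: bytes) -> int:
    """v = g^x mod N: what a tpasswd entry holds for the user instead of the password."""
    return pow(g, private_x(username, password, salt), N)


def srp_exchange(username: str, password: str, salt: bytes, verifier: int):
    """One SRP-6a run: client holds the password, server holds (salt, verifier).
    Returns (client_secret, server_secret); they agree only if password matches verifier."""
    a = secrets.randbits(256)                  # client ephemeral
    A = pow(g, a, N)                           # ClientKeyExchange carries A
    if A % N == 0:                             # server MUST reject this (RFC 5054 2.5.4)
        raise ValueError("illegal client value A")
    b = secrets.randbits(256)                  # server ephemeral
    B = (K * verifier + pow(g, b, N)) % N      # ServerKeyExchange carries N, g, s, B
    if B % N == 0:                             # client MUST reject this
        raise ValueError("illegal server value B")
    u = h(pad(A), pad(B))                      # u = SHA1(PAD(A) | PAD(B))
    if u == 0:
        raise ValueError("u == 0; abort the handshake")
    x = private_x(username, password, salt)
    client_secret = pow((B - K * pow(g, x, N)) % N, a + u * x, N)
    server_secret = pow((A * pow(verifier, u, N)) % N, b, N)
    return client_secret, server_secret


if __name__ == "__main__":
    salt = secrets.token_bytes(16)             # constructed sample salt
    v = make_verifier("test", "test", salt)    # user=test, password=test as in the post
    c, s = srp_exchange("test", "test", salt, v)
    print("shared secrets agree:", c == s)
```

Note that the server side never sees x or the password: a server that knows only (salt, v) can complete the run, which is why Nikos points at SRP-RSA when the client must also verify the server by certificate.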
From: Nikos M. <nm...@gn...> - 2011-10-28 16:16:59

On 10/27/2011 02:41 PM, fakessh @ wrote:
> gnutls is it vulnerable to the flaw last to openssl is called renegotiation

If you are asking on the safe renegotiation vulnerability it has been countered since 2.10.x. You can check the security advisories for more information at: http://www.gnu.org/software/gnutls/security.html

regards,
Nikos
From: Jesse R. <je...@el...> - 2011-10-27 17:55:13

You want to read this thread. http://lists.gnu.org/archive/html/gnutls-devel/2011-09/msg00064.html

It's a protocol problem, but there are workarounds.

On 10/27/2011 08:41, fakessh @ wrote:
> hi guru
> hi list
>
> gnutls is it vulnerable to the flaw last to openssl is called renegotiation
>
> all testimonials are welcome
From: fakessh @ <ml...@sm...> - 2011-10-27 12:41:52

hi guru
hi list

gnutls is it vulnerable to the flaw last to openssl is called renegotiation

all testimonials are welcome

--
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7
gpg --keyserver pgp.mit.edu --recv-key 092164A7
http://urlshort.eu fakessh @
From: dreamwvr <dre...@dr...> - 2011-10-24 23:29:46

Hi,

Would like to confirm that I have the right tool for the role. I would like to use modgnutls in httpd to provide access to memcached enabled with sasl as a vehicle to use SRP authentication via the browser. This would be way cool and extremely educational. Do I have the right screwdriver for the job?

TIA,
Best Regards,
dre...@dr...
From: Lyle S. <gnu...@le...> - 2011-10-02 03:47:28

Thanks for your response. I have submitted a bug report at https://sourceforge.net/apps/mantisbt/modgnutls/view.php?id=5 If the information in that report is insufficient let me know.

On 10/1/2011 2:05 AM, Dash Shendy wrote:
> Hi Lyle,
>
> Apologies for the late reply.
>
> I would suggest you use the SSL Cache as it is there for a reason.
>
> eg. GnuTLSCache dbm /var/cache/mod_gnutls
>
> Other than that I notice that Apache's seg-faulting once the client
> certificate has been verified, if this happens with 0.5.10, please
> log a bug report @ https://sourceforge.net/apps/mantisbt/modgnutls/
>
> mod_gnutls 0.6 is due out soon, there has been a major cleanup of the
> code as well as numerous bugfixes.
>
> You can always get the latest (unreleased yet) code from the repository
> at https://sourceforge.net/scm/?type=git&group_id=566163
>
> Hope I have helped, although I have the feeling that this is another
> 'new bug', as I have actually never had the chance to properly test
> client-certificate verification...yet!
>
> All the best,
> Dash Shendy <Coder/Pentester/Security-Analyst>
> http://dash.za.net/?smtpsig
> gtalk: das...@gm...
> skype: dashula2006
From: Dash S. <neu...@da...> - 2011-10-01 09:04:11

Hi Lyle,

Apologies for the late reply.

I would suggest you use the SSL Cache as it is there for a reason.

eg. GnuTLSCache dbm /var/cache/mod_gnutls

Other than that I notice that Apache's seg-faulting once the client certificate has been verified, if this happens with 0.5.10, please log a bug report @ https://sourceforge.net/apps/mantisbt/modgnutls/

mod_gnutls 0.6 is due out soon, there has been a major cleanup of the code as well as numerous bugfixes.

You can always get the latest (unreleased yet) code from the repository at https://sourceforge.net/scm/?type=git&group_id=566163

Hope I have helped, although I have the feeling that this is another 'new bug', as I have actually never had the chance to properly test client-certificate verification...yet!

All the best,
Dash Shendy <Coder/Pentester/Security-Analyst>
http://dash.za.net/?smtpsig
gtalk: das...@gm...
skype: dashula2006
From: Lyle S. <gnu...@le...> - 2011-09-27 13:36:47

We have a site that iOS devices (iPhone, iPad, etc.) need to access for mobile management purposes. Due to a limitation with iOS5 we need to use TLS 1.2 which is why we are using mod_gnutls. We are running Apache 2.2 on a Debian squeeze server.

We are seeing these sorts of errors in the Apache error log:

[Mon Sep 26 16:41:03 2011] [notice] child pid 9179 exit signal Segmentation fault (11)
[Mon Sep 26 16:41:07 2011] [crit] [GnuTLS] - No Cache Configured. Hint: GnuTLSCache
Verification successful
[Mon Sep 26 16:41:08 2011] [notice] child pid 9220 exit signal Segmentation fault (11)
[Mon Sep 26 16:41:29 2011] [crit] [GnuTLS] - No Cache Configured. Hint: GnuTLSCache
[Mon Sep 26 16:41:41 2011] [error] [client 192.168.1.18] GnuTLS: Handshake Failed (-38) 'TLS Application data were received, while expecting handshake data.'

Here is our Apache configuration:

GnuTLSCache none

<VirtualHost myserver.example.com:443>
GnuTLSEnable On
GnuTLSPriorities NORMAL:!DHE-RSA:!DHE-DSS:!AES-256-CBC:%COMPAT
GnuTLSCertificateFile /etc/ssl/certs/myserver-gnutls.pem
GnuTLSKeyFile /etc/ssl/private/myserver.key
GnuTLSClientCAFile /etc/ssl/certs/ca-chain.pem
GnuTLSExportCertificates On
GnuTLSClientVerify ignore
<LocationMatch /device.*/checkin>
GnuTLSClientVerify require
</LocationMatch>
</VirtualHost>
From: Dash S. <neu...@da...> - 2011-09-03 03:34:50

Hi List,

mod_gnutls PGP Signatures can be downloaded from: http://modgnutls.sourceforge.net/downloads/

To verify a signed tarball, use:

gpg --verify tarball.sig tarball

You'll need to import & trust my DSA public key (key ID 1F109B38).

Hope this helps.

--
Dash Shendy <Coder/Pentester/Security-Analyst>
http://dash.za.net/?smtpsig
gtalk: das...@gm...
skype: dashula2006
mopho: (+27) 72 23 75 199
From: <ml...@sm...> - 2011-08-30 00:24:42

hello folks

the mod_gnutls 0.5.10 tarball does not have a signature.

it is not growing use can not verify the

--
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7
gpg --keyserver pgp.mit.edu --recv-key 092164A7
From: Jesse R. <je...@ad...> - 2011-08-02 23:54:18

As I just joined this list I can't reply directly, so sorry for the new thread.

Steve Moulton, GnuTLSClientCAFile is the CA chain for verifying your SSL clients, not for your intermediate CAs. You should concatenate your cert with the verification chain in reverse order and specify that as the GnuTLSCertificateFile.

I like to do something like this:

# cat server.pem intermediate.pem ca.pem > server.bnd

Then point GnuTLSCertificateFile at the bundle. This should fix your certificate chain errors.

Jesse Ruffin
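Jesse's fix for the "invalid chain" result in Steve's report below depends on the bundle order (server cert, then each issuer up to the CA). The script below is an added check, not part of mod_gnutls: it splits a PEM bundle, pulls the DER-encoded subject and issuer out of each certificate with a minimal ASN.1 walk (no third-party libraries), and reports any adjacent pair where the next certificate is not the issuer of the previous one. The `fake_cert` fixture builds unsigned, constructed stand-ins that only mimic the TBSCertificate field layout, so the check can be exercised without real certificates.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def split_pem(bundle: str) -> list:
    """DER bytes of every certificate in a PEM bundle, in file order."""
    return [base64.b64decode(m.group(1)) for m in PEM_RE.finditer(bundle)]


def tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value starting at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def names(der: bytes):
    """(subject, issuer) as raw DER Name contents, so they can be compared byte-exact."""
    _, cert, _ = tlv(der, 0)                   # Certificate ::= SEQUENCE { tbs, alg, sig }
    _, tbs, _ = tlv(cert, 0)                   # TBSCertificate ::= SEQUENCE { ... }
    fields, pos = [], 0
    while pos < len(tbs):
        tag, value, pos = tlv(tbs, pos)
        fields.append((tag, value))
    if fields[0][0] == 0xA0:                   # optional [0] EXPLICIT version
        fields = fields[1:]
    # then: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[4][1], fields[2][1]


def check_chain_order(bundle: str) -> list:
    """Problems with a bundle meant for GnuTLSCertificateFile: cert 0 must be the server
    cert, each following cert must be the issuer of the one before, ending at the root CA."""
    certs = split_pem(bundle)
    if not certs:
        return ["no certificates found"]
    problems = []
    for i in range(len(certs) - 1):
        if names(certs[i])[1] != names(certs[i + 1])[0]:
            problems.append(f"cert {i} was not issued by cert {i + 1}: reorder the bundle")
    if names(certs[-1])[0] != names(certs[-1])[1]:
        problems.append("last cert is not self-signed: the chain does not end at the root CA")
    return problems


def der(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV (used only to build the constructed test fixtures below)."""
    if len(payload) < 128:
        return bytes([tag, len(payload)]) + payload
    lb = len(payload).to_bytes((len(payload).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def fake_cert(subject: str, issuer: str) -> str:
    """Constructed fixture: an unsigned stand-in with a real certificate's TBS field layout
    (CN-only names, empty placeholders elsewhere). Not a usable certificate."""
    def name(cn):
        return der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
              + name(issuer) + der(0x30, b"") + name(subject) + der(0x30, b""))
    raw = der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(raw).decode() + "-----END CERTIFICATE-----\n"
```

Run `check_chain_order(open("server.bnd").read())` on a real bundle: an empty list means the file order matches what Jesse describes; it does not validate signatures or expiry, only the ordering.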
From: Steve M. <mou...@or...> - 2011-08-01 21:54:22

Additional information:

The certificate and CA certificates work correctly (and verify correctly) when using conventional SSL (rather than mod_gnutls).

- Steve

-------- Original Message --------
Subject: [Modgnutls-support] problems getting mod_gnutls working with apache.
Date: Mon, 1 Aug 2011 17:00:47 -0400
From: Steve Moulton <mou...@or...>
To: mod...@li... <mod...@li...>

I must be missing something obvious ... anyone have any ideas?

SUSE Linux Enterprise Server 11 (x86_64)
Apache/2.2.10 (Linux/SUSE) mod_ssl/2.2.10 OpenSSL/0.9.8h PHP/5.3.7RC3-dev mod_gnutls/0.5.10

I have the following configuration in my vhosts-ssl.conf file

GnuTLSCertificateFile /etc/ssl/certs/hostname.crt
GnuTLSClientCAFile /etc/ssl/certs/SSL_CA_Bundle.pem
GnuTLSKeyFile /etc/ssl/private/hostname.key

When I test against this site, the following things occur:

- Firefox: will accept the certificate, after considerable delay (first time). Afterwards connects immediately. The page info shows reasonable looking certificate hierarchy.
- Verisign's verification page: https://knowledge.verisign.com/support/ssl-certificates-support/index?page=cont fails the page saying status: invalid chain The Intermediate CA certificates cannot be found for the following certificate chain. Yet it shows (in red) certificates that match what is on the server.
- Chrome disallows the page without decent explanation, but this is Chrome on linux, which may well not do SNI.
- IE says that there is a certificate problem with the page.
- The instructions at http://www.cyberciti.biz/faq/verify-ssl-certificate-openssl/ succeed, indicating the certificate chain is OK.

I would rather use mod_gnutls than maintain a release of apache on this system other than that automatically maintained by the SLES folks. However, judging by the lack of email in the sourceforge email repository, I'm wondering how many people are using this.

- Steve
From: Steve M. <mou...@or...> - 2011-08-01 21:00:54

I must be missing something obvious ... anyone have any ideas?

SUSE Linux Enterprise Server 11 (x86_64)
Apache/2.2.10 (Linux/SUSE) mod_ssl/2.2.10 OpenSSL/0.9.8h PHP/5.3.7RC3-dev mod_gnutls/0.5.10

I have the following configuration in my vhosts-ssl.conf file

GnuTLSCertificateFile /etc/ssl/certs/hostname.crt
GnuTLSClientCAFile /etc/ssl/certs/SSL_CA_Bundle.pem
GnuTLSKeyFile /etc/ssl/private/hostname.key

When I test against this site, the following things occur:

- Firefox: will accept the certificate, after considerable delay (first time). Afterwards connects immediately. The page info shows reasonable looking certificate hierarchy.
- Verisign's verification page: https://knowledge.verisign.com/support/ssl-certificates-support/index?page=cont fails the page saying status: invalid chain The Intermediate CA certificates cannot be found for the following certificate chain. Yet it shows (in red) certificates that match what is on the server.
- Chrome disallows the page without decent explanation, but this is Chrome on linux, which may well not do SNI.
- IE says that there is a certificate problem with the page.
- The instructions at http://www.cyberciti.biz/faq/verify-ssl-certificate-openssl/ succeed, indicating the certificate chain is OK.

I would rather use mod_gnutls than maintain a release of apache on this system other than that automatically maintained by the SLES folks. However, judging by the lack of email in the sourceforge email repository, I'm wondering how many people are using this.

- Steve