From: Thomas C. <cal...@gm...> - 2015-05-07 13:20:10
Hi again,

I have tried using OCamlnet 4.x TLS on a recent setup (Ubuntu 15.04 amd64 VM) with the GnuTLS version being 3.3.8-3ubuntu3. I am unable to have a valid TLS exchange using this setup. I have the following trace:

[Thu May 7 15:07:38 2015] [debug] [3476:0] Uq_engines: cancel_reading socket_multiplex_controller mplex=807 fd=3
[Thu May 7 15:07:38 2015] [debug] [3476:0] Uq_engines: input_done socket_multiplex_controller mplex=807 fd=3
[Thu May 7 15:07:38 2015] [debug] [3476:0] Uq_engines: tls_multiplex_controller: update
[Thu May 7 15:07:38 2015] [debug] [3476:0] Uq_engines: tls_multiplex_controller: config_adapter recv=true
[Thu May 7 15:07:38 2015] [debug] [3476:0] Uq_engines: tls_multiplex_controller: cont_handshake (re)start
[Thu May 7 15:07:38 2015] [debug] [3476:0] Netsys_tls: Netsys_tls: hello
[Thu May 7 15:07:38 2015] [debug] [3476:0] Uq_engines: tls_adapter: recv caller_size=5 avail_size=305 n=5
[Thu May 7 15:07:38 2015] [debug] [3476:0] Uq_engines: tls_adapter: recv caller_size=300 avail_size=300 n=300
[Thu May 7 15:07:38 2015] [debug] [3476:0] Netsys_tls: Exception in function Netsys_tls.state_driven_action: Nettls_gnutls.TLS.Error(GNUTLS_E_RANDOM_DEVICE_ERROR) - backtrace:
[Thu May 7 15:07:38 2015] [debug] [3476:0] Uq_engines: tls_multiplex_controller: cont_handshake exn=Nettls_gnutls.TLS.Error(GNUTLS_E_RANDOM_DEVICE_ERROR)

Other C programs linked to GnuTLS work fine on this setup.

Any ideas?

Cheers.

On Thu, May 7, 2015 at 10:47 AM, Thomas Calderon <cal...@gm...> wrote:
>
> Hi Gerd,
>
>
> On Wed, May 6, 2015 at 10:51 PM, Gerd Stolpmann <in...@ge...> wrote:
>
>> Hi Thomas,
>>
>> On Wednesday, 06.05.2015, 16:31 +0200, Thomas Calderon wrote:
>> > Hi,
>> >
>> > I have started working towards supporting OCamlnet 4.x in our project.
>> >
>> > I had to completely rewrite the TLS code; this was expected due to
>> > OCamlnet switching to GnuTLS.
>> >
>> > I have noticed the following issues with the current TLS code:
>> > * dh_params is not used in the code, therefore DHE-* suites are not enabled
>> >   - Using the *gnutls_certificate_set_dh_params* solves the issue
>> >     (see attachment for example)
>>
>> Well spotted. I have some concerns about the side effect, though. There
>> is no function to copy a certificate.
>>
>
> I am not following you on this. Why would you want to copy the certificate?
>
>
>> > * support for elliptic curve key exchange seems disabled (ECDHE-* suites),
>> >   I have not tried an ECC certificate.
>> > * support for GCM algorithms is not enabled
>>
>> I'm quite sure that I saw ECDHE and GCM in tests. I'll retest tomorrow.
>>
> It might be related to the GnuTLS version mess on my machine (Ubuntu has
> two versions installed).
> Let me know the results of your test.
>
>
>> It is possible to de-configure these features in GnuTLS.
>>
>> > * sample TLS netplex configuration is missing some ";" for each section
>> >
>> > Do you have the same behavior? It might be linked to my GnuTLS version.
>> > Did you manage to enable higher-end ciphersuites and PFS suites?
>>
>> Gerd
>>
>> > Thanks for the feedback.
>> >
>> > Thomas.
>> >
>> > _______________________________________________
>> > Ocamlnet-devel mailing list
>> > Oca...@li...
>> > https://lists.sourceforge.net/lists/listinfo/ocamlnet-devel
>>
>> --
>> ------------------------------------------------------------
>> Gerd Stolpmann, Darmstadt, Germany ge...@ge...
>> My OCaml site: http://www.camlcity.org
>> Contact details: http://www.camlcity.org/contact.html
>> Company homepage: http://www.gerd-stolpmann.de
>> ------------------------------------------------------------
>>
>