From: Gerd S. <in...@ge...> - 2015-05-10 12:15:50

Hi,

I could track the problem down. Since GnuTLS-3.2 the library keeps /dev/urandom all the time open. This conflicts with how netplex manages file descriptors (namely closing any unknown when forking), and is also a known security problem because the child processes do not reinitialize the random number generators.

If you happen to have GnuTLS-3.4 (btw. avoid 3.4.0, there's a bug causing GNUTLS_E_PUSH_ERROR all the time), and Linux kernel >= 3.17 it will use the new getrandom() system call instead. This fixes it.

We probably cannot wait for that. In svn there's now a workaround: after fork(), GnuTLS is forcibly reinitialized. Also, the call of gnutls_global_init is now delayed until the first use of the library.

I've attached an ssl scan (ssllabs.com) of the https server (with GnuTLS-3.4.1), and a priority string "SECURE128:+SECURE192". Looks quite good (that forward secrecy is not supported everywhere has more to do with the outdated clients).

Gerd

On Thursday, 07.05.2015, at 15:19 +0200, Thomas Calderon wrote:
> Hi again,
>
> I have tried using OCamlnet 4.x TLS on a recent setup (Ubuntu 15.04 amd64 VM) with GnuTLS version being 3.3.8-3ubuntu3.
> I am unable to have a valid TLS exchange using this setup. I have the following trace:
>
> [Thu May 7 15:07:38 2015] [debug] [3476:0] Uq_engines: cancel_reading socket_multiplex_controller mplex=807 fd=3
> [Thu May 7 15:07:38 2015] [debug] [3476:0] Uq_engines: input_done socket_multiplex_controller mplex=807 fd=3
> [Thu May 7 15:07:38 2015] [debug] [3476:0] Uq_engines: tls_multiplex_controller: update
> [Thu May 7 15:07:38 2015] [debug] [3476:0] Uq_engines: tls_multiplex_controller: config_adapter recv=true
> [Thu May 7 15:07:38 2015] [debug] [3476:0] Uq_engines: tls_multiplex_controller: cont_handshake (re)start
> [Thu May 7 15:07:38 2015] [debug] [3476:0] Netsys_tls: Netsys_tls: hello
> [Thu May 7 15:07:38 2015] [debug] [3476:0] Uq_engines: tls_adapter: recv caller_size=5 avail_size=305 n=5
> [Thu May 7 15:07:38 2015] [debug] [3476:0] Uq_engines: tls_adapter: recv caller_size=300 avail_size=300 n=300
> [Thu May 7 15:07:38 2015] [debug] [3476:0] Netsys_tls: Exception in function Netsys_tls.state_driven_action: Nettls_gnutls.TLS.Error(GNUTLS_E_RANDOM_DEVICE_ERROR) - backtrace:
> [Thu May 7 15:07:38 2015] [debug] [3476:0] Uq_engines: tls_multiplex_controller: cont_handshake exn=Nettls_gnutls.TLS.Error(GNUTLS_E_RANDOM_DEVICE_ERROR)
>
> Other C programs linked to GnuTLS work fine on this setup.
> Any ideas?
>
> Cheers.
>
> On Thu, May 7, 2015 at 10:47 AM, Thomas Calderon <cal...@gm...> wrote:
>
> Hi Gerd,
>
> On Wed, May 6, 2015 at 10:51 PM, Gerd Stolpmann <in...@ge...> wrote:
> Hi Thomas,
>
> On Wednesday, 06.05.2015, at 16:31 +0200, Thomas Calderon wrote:
> > Hi,
> >
> > I have started working towards supporting OCamlnet 4.x in our project.
> >
> > I had to completely rewrite the TLS code, this was expected due to
> > OCamlnet switching to GnuTLS.
> >
> > I have noticed the following issues with the current TLS code:
> >   * dh_params is not used in the code therefore DHE-* suites are not enabled
> >     - Using the *gnutls_certificate_set_dh_params* solves the issue
> >       (see attachment for example)
>
> Well spotted. I have some concerns about the side effect, though. There
> is no function to copy a certificate.
>
> I am not following you on this. Why would you want to copy the certificate?
>
> >   * support for elliptic curve key exchange seems disabled (ECDHE-*
> >     suites), I have not tried an ECC certificate.
> >   * support for GCM algorithms is not enabled
>
> I'm quite sure that I saw ECDHE and GCM in tests. I'll retest tomorrow.
> It might be related to the GnuTLS version mess on my machine
> (Ubuntu has two versions installed).
>
> Let me know the results of your test.
>
> It is possible to de-configure these features in GnuTLS.
>
> >   * sample TLS netplex configuration is missing some ";" for each sections
> >
> > Do you have the same behavior? It might be linked to my GnuTLS version.
>
> Did you manage to enable higher-end ciphersuites and PFS suites?
>
> Gerd
>
> > Thanks for the feedback.
> >
> > Thomas.
> >
> > _______________________________________________
> > Ocamlnet-devel mailing list
> > Oca...@li...
> > https://lists.sourceforge.net/lists/listinfo/ocamlnet-devel
>
> --
> ------------------------------------------------------------
> Gerd Stolpmann, Darmstadt, Germany ge...@ge...
> My OCaml site: http://www.camlcity.org
> Contact details: http://www.camlcity.org/contact.html
> Company homepage: http://www.gerd-stolpmann.de
> ------------------------------------------------------------

--
------------------------------------------------------------
Gerd Stolpmann, Darmstadt, Germany ge...@ge...
My OCaml site: http://www.camlcity.org
Contact details: http://www.camlcity.org/contact.html
Company homepage: http://www.gerd-stolpmann.de
------------------------------------------------------------