gnunet-developers

Re: Contributing to GNUnet


From: Schanzenbach, Martin
Subject: Re: Contributing to GNUnet
Date: Sat, 14 Mar 2020 16:13:41 +0100

Hi,

> On 14. Mar 2020, at 14:55, Tanguy Le Carrour <address@hidden> wrote:
> 
> Hi,
> 
> 
> On 03/14, Schanzenbach, Martin wrote:
>>> On 14. Mar 2020, at 12:00, Tanguy Le Carrour <address@hidden> wrote:
>>> On 03/13, Schanzenbach, Martin wrote:
>>>>> On 13. Mar 2020, at 18:32, Tanguy Le Carrour <address@hidden> wrote:
>>>>> On 03/10, Tanguy Le Carrour wrote:
>>>>>> On 03/09, Christian Grothoff wrote:
>>>>>>> 2) try adding a TLSA record for gnunet.org to GNS, thereby avoiding
>>>>>>> the use of Letsencrypt and really directly verifying via GNS.
>>>>>> I'll try this and let you know, thanks!
>>>>> So, I did my homework, used a generator [1][] and ended up with this:
>>>>> ```
>>>>> _443._tcp.gnunet.org. IN TLSA 3 1 1 26145f39399c7625a95d290bde5731566a81e1cbe6baf84f37ba60b333b05939
>>>>> ```
>>>>> [1]: https://www.huque.com/bin/gen_tlsa
>>>>> So I now have:
>>>>> ```
>>>>> $ gnunet-namestore -z myself -a -e "1 d" -p -t TLSA -n gnunet -V "3 1 1 26145f39399c7625a95d290bde5731566a81e1cbe6baf84f37ba60b333b05939"
>>>>> $ gnunet-gns --type ANY --lookup gnunet.myself
>>>>> gnunet.myself:
>>>>> Got `TLSA' record: 3 1 1 26145f39399c7625a95d290bde5731566a81e1cbe6baf84f37ba60b333b05939
>>>>> Got `LEHO' record: gnunet.org
>>>>> Got `A' record: 131.159.74.67
>>>>> ```
>>>>> I didn't know where to put the `_443._tcp` part. `gnunet-namestore`
>>>>> complained about the name containing a `.`.
>>>>> There's something in the doc [2][] about `_port._proto.`, but it's for
>>>>> BOX records only.
>>>> 
>>>> Indeed, instead of a TLSA record, for GNS, you should add a box record
>>>> that contains a TLSA record. Like so:
>>>> ```
>>>> $ gnunet-namestore -z myself -a -e "1 d" -p -t BOX -n gnunet -V "6 443 3 1 1 26145f39399c7625a95d290bde5731566a81e1cbe6baf84f37ba60b333b05939"
>>>> ```
>>>> 6 is the protocol (tcp), 443 is the service (https).
>>> 
>>> Unfortunately…
>>> 
>>> ```
>>> $ gnunet-namestore -z myself -a -e "1 d" -p -t BOX -n gnunet -V "6 443 3 1 1 26145f39399c7625a95d290bde5731566a81e1cbe6baf84f37ba60b333b05939"
>>> Value `6 443 3 1 1 26145f39399c7625a95d290bde5731566a81e1cbe6baf84f37ba60b333b05939' invalid for record type `BOX'
>>> 
>>> $ gnunet-namestore --version
>>> gnunet-namestore v0.12.2 release
>>> ```
>>> 
>>> From the code [1][], I could not guess what the correct format should be.
>>> 
>>> [1]: src/gnsrecord/plugin_gnsrecord_dns.c:656
>>>    src/include/gnunet_gnsrecord_lib.h:297
>> 
>> Ah, the record type is missing, sorry I did that out of my head. Try:
>> 
>> $
> 
> Much better, thanks!
> 
> ```
> $ gnunet-gns --type ANY --lookup gnunet.myself
> gnunet.myself:
> Got `BOX' record: 6 443 52 3 1 1 26145f39399c7625a95d290bde5731566a81e1cbe6baf84f37ba60b333b05939
> Got `LEHO' record: gnunet.org
> Got `A' record: 131.159.74.67
> ```
> 
> 
> But still, when I try to access `gnunet.myself`, I get a blank page
> after 5-10 seconds and the same lines in the log:
> 
> ```
> $ /home/tanguy/.guix-extra-profiles/gnunet/current/lib/gnunet/libexec/gnunet-gns-proxy --log DEBUG
> Mar 14 14:48:07-948036 gnunet-gns-proxy-1450 ERROR Download curl gnunet.org/ failed: SSL peer certificate or SSH remote key was not OK
> Mar 14 14:48:24-877522 gnunet-gns-proxy-1450 ERROR Download curl gnunet.org/favicon.ico failed: SSL peer certificate or SSH remote key was not OK
> ```
> 
> The good thing is that you were right! Adding a BOX record was
> apparently not needed!
> 
> 
> Anything else I can try?
> In the meantime, I'll keep on reading the doc, learn some more and play
> with the other components!

Did you compile gnunet from source or are you using a package? Is it possible 
that the guix gnunet package (or more specifically the guix libgcrypt) does not 
have DANE support?

I just tested the same configuration locally and it works. I suspect two issues 
which are independent from each other:

- The guix curl/gnurl CA certificate location is different and not found (in 
the case w/o a BOX record)
- The guix gnutls does not have DANE support

You can check if gnutls supports DANE by checking the gnunet ./configure output 
at the end I think.

> 
> Regards
> 
> --
> Tanguy

Attachment: signature.asc
Description: Message signed with OpenPGP
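
An added example, not part of the original message and not GNUnet code: a shell helper that converts a DNS-style TLSA line (as produced by the generator mentioned in the thread) into a BOX record value, rejecting truncated digests and missing `_port._proto` labels before anything is stored. The helper names `tlsa_to_box` and `fail` are hypothetical, and the value layout is assumed from the `BOX` line in the `gnunet-gns` lookup output quoted above.

```shell
# Added example: turn a DNS-style TLSA line into a GNS BOX record value.
# Assumed value layout (taken from the BOX lookup output in the thread):
#   <protocol> <service> <boxed type> <usage> <selector> <matching type> <hex>
# tlsa_to_box and fail are hypothetical helpers, not GNUnet tools.
fail() { echo "tlsa_to_box: $*" >&2; }

tlsa_to_box() {
    set -f; set -- $1; set +f      # split on any whitespace, incl. line wraps
    [ "$#" -eq 7 ] || { fail "expected 7 fields, got $#"; return 1; }
    owner=$1 class=$2 rtype=$3 usage=$4 selector=$5 mtype=$6 hex=$7
    [ "$class" = IN ] && [ "$rtype" = TLSA ] || { fail "not an IN TLSA record"; return 1; }
    # Owner name must be _<port>._<proto>.<name>; the thread shows that the
    # name given to gnunet-namestore cannot contain the dots, so port and
    # protocol are carried in the BOX value instead.
    case $owner in
        _*._*.?*) ;;
        *) fail "owner must look like _443._tcp.example.org."; return 1 ;;
    esac
    port=${owner#_};    port=${port%%.*}
    proto=${owner#*._}; proto=${proto%%.*}
    case $port in
        ''|*[!0-9]*|??????*) fail "bad port '$port'"; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { fail "port out of range"; return 1; }
    case $proto in
        tcp) protonum=6 ;;          # IANA protocol numbers
        udp) protonum=17 ;;
        *) fail "unsupported protocol '$proto'"; return 1 ;;
    esac
    # TLSA field ranges and digest lengths per RFC 6698.
    case $usage in [0-3]) ;; *) fail "usage must be 0-3"; return 1 ;; esac
    case $selector in [01]) ;; *) fail "selector must be 0 or 1"; return 1 ;; esac
    case $mtype in
        0) want=0 ;; 1) want=64 ;; 2) want=128 ;;
        *) fail "matching type must be 0-2"; return 1 ;;
    esac
    case $hex in ''|*[!0-9a-fA-F]*) fail "association data is not hex"; return 1 ;; esac
    if [ "$want" -ne 0 ] && [ "${#hex}" -ne "$want" ]; then
        fail "expected $want hex chars, got ${#hex}"; return 1
    fi
    # 52 is the DNS type number of TLSA, i.e. the record type being boxed.
    printf '%s %s 52 %s %s %s %s\n' "$protonum" "$port" "$usage" "$selector" "$mtype" "$hex"
}

# Constructed input: the generator output from the thread, wrapped as in the mail.
tlsa_to_box '_443._tcp.gnunet.org. IN TLSA 3 1 1
26145f39399c7625a95d290bde5731566a81e1cbe6baf84f37ba60b333b05939'
```

The printed string has the same shape as the value in the `Got BOX record` line of the lookup output quoted in the thread.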

