[Help-gnutls] Re: TLS/OpenPGP draft expiring soon

help-gnutls

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Help-gnutls] Re: TLS/OpenPGP draft expiring soon

From:	Simon Josefsson
Subject:	[Help-gnutls] Re: TLS/OpenPGP draft expiring soon
Date:	Fri, 02 Feb 2007 14:50:17 +0100
User-agent:	Gnus/5.110006 (No Gnus v0.6) Emacs/22.0.93 (gnu/linux)

address@hidden (Ludovic Courtès) writes:

> Hi,
>
> Simon Josefsson <address@hidden> writes:
>
>> Also, creating examples and a self test for the OpenPGP stuff would be
>> useful.  Have you managed to get it to work at all?
>
> It took me a while, but I finally found why `gnutls-serv' wouldn't do
> the job as expected (I knew it should work because I have small
> client/server of my own that do work).
>
> First, the patch below must be applied to `serv.c'.  Then, actual DH
> and/or RSA parameters must be provided or generated for the server.  So
> we end up with a command-line like this for the server:
>
>   $ ./gnutls-serv --dhparams tls-dh-params \
>                   --ctypes openpgp --pgpcertfile pub.asc \
>                   --pgpkeyfile sec.asc
>
> And for the client:
>
>   $ gnutls-cli --ctypes openpgp --pgpcertfile pub.asc \
>                --pgpkeyfile sec.asc -p 5556 localhost
>
> And it works like a charm, even with `--require-cert' passed to the
> server.
>
> Can you confirm?

Hi!  Actually, the tools works fine without your patch, IF I use a
newly generated key.

Server:

address@hidden:~$ gnutls-serv --dhparams ~/dh.pem --pgpcertfile 
~/.gnupg-foo/pub.txt --pgpkeyfile ~/.gnupg-foo/sec.txt
Read Diffie Hellman parameters.
Echo Server ready. Listening to port '5556'.


* connection from ::ffff:127.0.0.1, port 48423
- Given server name[1]: localhost
- Certificate type: OpenPGP
 # Key was created at: Fri Feb  2 14:32:23 CET 2007
 # Key expires: Never
 # PGP Key version: 4
 # PGP Key public key algorithm: DSA (1024 bits)
 # PGP Key fingerprint: 
BF:D6:44:C3:26:74:9E:3A:99:1E:D0:B5:C0:85:0D:AD:40:CD:57:C9
 #   NAME: Foo Bar <address@hidden>

- Peer's key is valid
- Could not find a signer of the peer's key
- Version: TLS 1.1
- Key Exchange: DHE DSS
- Cipher: AES 128 CBC
- MAC: SHA
- Compression: DEFLATE

Client:

address@hidden:~$ gnutls-cli  --pgpcertfile ~/.gnupg-foo/pub.txt --pgpkeyfile 
~/.gnupg-foo/sec.txt -p 5556 localhost
Processed 1 client PGP certificate...
Resolving 'localhost'...
Connecting to '127.0.0.1:5556'...
- Certificate type: OpenPGP
 # The hostname in the key does NOT match 'localhost'.
 # Key was created at: Fri Feb  2 14:32:23 CET 2007
 # Key expires: Never
 # PGP Key version: 4
 # PGP Key public key algorithm: DSA (1024 bits)
 # PGP Key fingerprint: 
BF:D6:44:C3:26:74:9E:3A:99:1E:D0:B5:C0:85:0D:AD:40:CD:57:C9
 #   NAME: Foo Bar <address@hidden>

- Peer's key is valid
- Could not find a signer of the peer's key
- Version: TLS 1.1
- Key Exchange: DHE DSS
- Cipher: AES 128 CBC
- MAC: SHA
- Compression: DEFLATE
- Handshake was completed

- Simple Client Mode:

This is quit nice, but there are some things we could do to make
things easier.  I'm thinking that gnutls-serv should use a static
hard-coded D-H parameter if the user didn't supply one on the command
line.

Here is what I get if I test with my own key:

address@hidden:~/src/gnutls/src$ gpg -a --export-secret-keys b565716f > 
~/address@hidden:~/src/gnutls/src$ gpg -a --export b565716f > ~/pubkey.gpg 

Server:

address@hidden:~/src/gnutls/src$ ./gnutls-serv --dhparams dh.pem --pgpcertfile 
~/pubkey.gpg --pgpkeyfile ~/privkey.gpg
Read Diffie Hellman parameters.
Echo Server ready. Listening to port '5556'.

Error in handshake
Error: A TLS packet with unexpected length was received.

Client:

address@hidden:~/src/gnutls/src$ ./gnutls-cli  --pgpcertfile ~/pubkey.gpg 
--pgpkeyfile ~/privkey.gpg -p 5556 localhost
Processed 1 client PGP certificate...
Resolving 'localhost'...
Connecting to '127.0.0.1:5556'...
*** Fatal error: Decryption has failed.
*** Handshake has failed
GNUTLS ERROR: Decryption has failed.
address@hidden:~/src/gnutls/src$

Debugging indicates problems decrypting the challenge, in the client:

|<2>| ASSERT: gnutls_pk.c:283
|<2>| ASSERT: gnutls_pk.c:359
|<2>| ASSERT: gnutls_sig.c:299
|<2>| ASSERT: gnutls_sig.c:468
|<2>| ASSERT: auth_dhe.c:233
|<2>| ASSERT: gnutls_kx.c:346
|<2>| ASSERT: gnutls_handshake.c:2235

I suspect OpenCDK uses the wrong RSA key to encrypt and/or decrypt the
data.  I have several old and expired keys in my private key.  IIRC,
even GnuPG had a similar problem with my key some time ago.

/Simon

[Prev in Thread]

Current Thread

[Next in Thread]

[Help-gnutls] Re: TLS/OpenPGP draft expiring soon, Ludovic Courtès, 2007/02/01
- [Help-gnutls] Re: TLS/OpenPGP draft expiring soon, Ludovic Courtès, 2007/02/01
  - [Help-gnutls] Re: TLS/OpenPGP draft expiring soon, Simon Josefsson <=
    - [Help-gnutls] Re: TLS/OpenPGP draft expiring soon, Ludovic Courtès, 2007/02/02
    - [Help-gnutls] Re: TLS/OpenPGP draft expiring soon, Simon Josefsson, 2007/02/02
- [Help-gnutls] Re: TLS/OpenPGP draft expiring soon, Ludovic Courtès, 2007/02/01

Prev by Date: [Help-gnutls] Re: gnutls with pgp
Next by Date: [Help-gnutls] Re: TLS/OpenPGP draft expiring soon
Previous by thread: [Help-gnutls] Re: TLS/OpenPGP draft expiring soon
Next by thread: [Help-gnutls] Re: TLS/OpenPGP draft expiring soon
Index(es):
- Date
- Thread