gnunet-developers

Re: Contributing to GNUnet


From: Martin Schanzenbach
Subject: Re: Contributing to GNUnet
Date: Sat, 14 Mar 2020 19:25:06 +0100
User-agent: Evolution 3.36.0

On Sat, 2020-03-14 at 18:20 +0100, Tanguy Le Carrour wrote:
> Hi,
> 
> Le 03/14, Schanzenbach, Martin a écrit :
> > > On 14. Mar 2020, at 14:55, Tanguy Le Carrour <
> > > address@hidden> wrote:
> > > Le 03/14, Schanzenbach, Martin a écrit :
> > > > > On 14. Mar 2020, at 12:00, Tanguy Le Carrour <
> > > > > address@hidden> wrote:
> > > > > Le 03/13, Schanzenbach, Martin a écrit :
> > > > > > > On 13. Mar 2020, at 18:32, Tanguy Le Carrour <
> > > > > > > address@hidden> wrote:
> > > > > > > Le 03/10, Tanguy Le Carrour a écrit :
> > > > > > > > Le 03/09, Christian Grothoff a écrit :
> > > > > > > > > 2) try adding a TLSA record for gnunet.org to GNS,
> > > > > > > > > thereby avoiding
> > > > > > > > > the use of Letsencrypt and really directly verifying
> > > > > > > > > via GNS.
> > > > > […]
> > > ```
> > > $  gnunet-gns --type ANY --lookup gnunet.myself
> > > gnunet.myself:
> > > Got `BOX' record: 6 443 52 3 1 1
> > > 26145f39399c7625a95d290bde5731566a81e1cbe6baf84f37ba60b333b05939
> > > Got `LEHO' record: gnunet.org
> > > Got `A' record: 131.159.74.67
> > > ```
> > > 
> > > But still, when I try to access `gnunet.myself`, I get a blank
> > > page
> > > after 5-10 seconds and the same lines in the log:
> > > 
> > > ```
> > > $ /home/tanguy/.guix-extra-
> > > profiles/gnunet/current/lib/gnunet/libexec/gnunet-gns-proxy --log 
> > > DEBUG
> > > Mar 14 14:48:07-948036 gnunet-gns-proxy-1450 ERROR Download curl
> > > gnunet.org/ failed: SSL peer certificate or SSH remote key was
> > > not OK
> > > Mar 14 14:48:24-877522 gnunet-gns-proxy-1450 ERROR Download curl
> > > gnunet.org/favicon.ico failed: SSL peer certificate or SSH remote
> > > key was not OK
> > > ```
> > > 
> > > The good thing is that you were right! Adding a BOX record was
> > > apparently not needed!
> > > 
> > > Any thing else I can try?
> > > In the meantime, I'll keep on reading the doc, learn some more
> > > and play
> > > with the other components!
> > 
> > Did you compile gnunet from source or are you using a package? Is
> > it possible that the guix gnunet package (or more specifically the
> > guix libgcrypt) does not have DANE support?
> 
> I compiled it from source. I mean, I built it with Guix, from source,
> because I'm working on packaging 0.12.2 which has not yet been
> integrated
> into the official repo.
> 
> 
> > I just tested the same configuration locally and it works. I
> > suspect two issues which are independent from each other:
> > - The guix gnutls does not have DANE support
> 
> I guess it does, because in Guix, the `gnunet` packages depends on
> `gnutls/dane`
> which definition is:
> 
> ```gnu/packages/tls.scm
> 255 (define-public gnutls/dane
> 256   ;; GnuTLS with build libgnutls-dane, implementing DNS-based
> 257   ;; Authentication of Named Entities.  This is required for GNS
> functionality
> 258   ;; by GNUnet and gnURL.  This is done in an extra package
> definition
> 259   ;; to have the choice between GnuTLS with Dane and without
> Dane.
> 260   (package
> 261     (inherit gnutls)
> 262     (name "gnutls-dane")
> 263     (inputs `(("unbound" ,unbound)
> 264               ,@(package-inputs gnutls)))))
> ```
> 
> Due to the way Guix works, I have 2 `gnutls-cli` installed on my
> system.
> One is the "regular" one:
> 
> ```
> $ /gnu/store/hfv[…]p1z-gnutls-3.6.9/bin/gnutls-cli --dane gnunet.org
> […]
> *** DANE error: GnuTLS is not compiled with DANE support.
> *** Fatal error: Error in the certificate.
> ```
> 
> The other one is the "dane" version:
> 
> ```
> $ /gnu/store/nj6n[…]pwg-gnutls-dane-3.6.9/bin/gnutls-cli --dane
> gnunet.org
> […]
> [1584205654] libunbound[9560:0] error: error opening file
> /etc/unbound/root.key: No such file or directory
> [1584205654] libunbound[9560:0] error: error reading trust-anchor-
> file: /etc/unbound/root.key
> [1584205654] libunbound[9560:0] error: validator: error in
> trustanchors config
> [1584205654] libunbound[9560:0] error: validator: could not apply
> configuration settings.
> [1584205654] libunbound[9560:0] error: module init for module
> validator failed
> *** DANE verification error: There was an error while resolving.
> *** Fatal error: Error in the certificate.
> ```
> 
> As you can see, they both fail, but for different reasons. I'll start
> investigating the second one, because I'm confident this is the one
> used. But I might be wrong! ^_^'

Ok. You may want to check the gnunet configure output more closely for
any mention of DANE, then.

> 
> 
> > - The guix curl/gnurl CA certificate location is different and not
> > found (in the case w/o a BOX record)
> 
> `gnurl` also depends on `gnutls/dane`. The package definition
> contains
> something strange, though:
> 
> ```gnu/packages/gnunet.scm
> 202     `(#:configure-flags
> 203       ;; All of these produce errors during configure.
> 204       (list […]
> 216             "--without-ssl"
> ```
> 
> Could this be related to the "SSL peer certificate or SSH remote key
> was not OK"
> error?!

I *think*/hope --without-ssl only compiles w/o openssl. However, you
could try using the gnurl cli to verify you can access gnunet.org
through TLS.

I still kind of think you have both problems: a wrong gnutls version
gnunet links to and possibly a broken gnurl.

> 
> Regards
> 

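The BOX record quoted above carries a TLSA record, and the thread's point is that a DANE-EE record in GNS replaces the CA-based check that curl was failing. As an added example (not GNUnet's own code; helper names are my own and the SPKI bytes in the test are constructed), this decodes the BOX line as gnunet-gns prints it and performs the DANE-EE match a resolver would do against the server's SubjectPublicKeyInfo:

```python
import hashlib

# Added example: decode the TLSA payload of a GNS BOX record
# ("proto port rrtype usage selector matching hexdata") and run the
# DANE-EE comparison. Helper names are assumptions, not the GNUnet API.
TLSA_RRTYPE = 52
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "Cert", 1: "SPKI"}
MATCHING = {0: "Full", 1: "SHA-256", 2: "SHA-512"}
PROTOS = {6: "tcp", 17: "udp"}

# The BOX record quoted in the thread.
PAGE_RECORD = ("6 443 52 3 1 1 "
               "26145f39399c7625a95d290bde5731566a81e1cbe6baf84f37ba60b333b05939")


def parse_box_record(text):
    """Split a gnunet-gns BOX line into its TLSA fields; reject non-TLSA payloads."""
    fields = text.split()
    if len(fields) != 7:
        raise ValueError("expected 7 fields, got %d" % len(fields))
    proto, port, rrtype, usage, selector, matching = (int(f) for f in fields[:6])
    if rrtype != TLSA_RRTYPE:
        raise ValueError("BOX payload type %d is not TLSA" % rrtype)
    if usage not in USAGES or selector not in SELECTORS or matching not in MATCHING:
        raise ValueError("unknown TLSA parameter values")
    return {"proto": proto, "port": port, "usage": usage, "selector": selector,
            "matching": matching, "data": bytes.fromhex(fields[6])}


def describe(rec):
    return "%s/%d TLSA %s %s %s" % (PROTOS.get(rec["proto"], str(rec["proto"])),
                                     rec["port"], USAGES[rec["usage"]],
                                     SELECTORS[rec["selector"]], MATCHING[rec["matching"]])


def dane_ee_matches(rec, cert_der, spki_der):
    """DANE-EE (usage 3): the selected object, hashed per the matching type, must
    equal the record data. No CA chain is consulted, which is why the record
    makes a Letsencrypt certificate unnecessary. Other usages also need PKIX logic."""
    if rec["usage"] != 3:
        raise NotImplementedError("only DANE-EE (usage 3) is handled here")
    obj = spki_der if rec["selector"] == 1 else cert_der
    if rec["matching"] == 0:
        return obj == rec["data"]
    digest = hashlib.sha256 if rec["matching"] == 1 else hashlib.sha512
    return digest(obj).digest() == rec["data"]


def box_record_for_spki(spki_der, port=443):
    """What a zone owner publishes for its own key: tcp, DANE-EE, SPKI, SHA-256."""
    return "6 %d %d 3 1 1 %s" % (port, TLSA_RRTYPE, hashlib.sha256(spki_der).hexdigest())
```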