[EMAIL PROTECTED] (Ludovic Courtès) writes:

> Hi,
>
> Simon Josefsson <[EMAIL PROTECTED]> writes:
>
>> Also, creating examples and a self test for the OpenPGP stuff would be
>> useful. Have you managed to get it to work at all?
>
> It took me a while, but I finally found why `gnutls-serv' wouldn't do
> the job as expected (I knew it should work because I have small
> client/server of my own that do work).
>
> First, the patch below must be applied to `serv.c'. Then, actual DH
> and/or RSA parameters must be provided or generated for the server. So
> we end up with a command-line like this for the server:
>
>   $ ./gnutls-serv --dhparams tls-dh-params \
>       --ctypes openpgp --pgpcertfile pub.asc \
>       --pgpkeyfile sec.asc
>
> And for the client:
>
>   $ gnutls-cli --ctypes openpgp --pgpcertfile pub.asc \
>       --pgpkeyfile sec.asc -p 5556 localhost
>
> And it works like a charm, even with `--require-cert' passed to the
> server.
>
> Can you confirm?

Hi! Actually, the tools work fine without your patch, IF I use a newly
generated key.

Server:

[EMAIL PROTECTED]:~$ gnutls-serv --dhparams ~/dh.pem --pgpcertfile ~/.gnupg-foo/pub.txt --pgpkeyfile ~/.gnupg-foo/sec.txt
Read Diffie Hellman parameters.
Echo Server ready. Listening to port '5556'.

* connection from ::ffff:127.0.0.1, port 48423
- Given server name[1]: localhost
- Certificate type: OpenPGP
 # Key was created at: Fri Feb 2 14:32:23 CET 2007
 # Key expires: Never
 # PGP Key version: 4
 # PGP Key public key algorithm: DSA (1024 bits)
 # PGP Key fingerprint: BF:D6:44:C3:26:74:9E:3A:99:1E:D0:B5:C0:85:0D:AD:40:CD:57:C9
 # NAME: Foo Bar <[EMAIL PROTECTED]>
- Peer's key is valid
- Could not find a signer of the peer's key
- Version: TLS 1.1
- Key Exchange: DHE DSS
- Cipher: AES 128 CBC
- MAC: SHA
- Compression: DEFLATE

Client:

[EMAIL PROTECTED]:~$ gnutls-cli --pgpcertfile ~/.gnupg-foo/pub.txt --pgpkeyfile ~/.gnupg-foo/sec.txt -p 5556 localhost
Processed 1 client PGP certificate...
Resolving 'localhost'...
Connecting to '127.0.0.1:5556'...
- Certificate type: OpenPGP
 # The hostname in the key does NOT match 'localhost'.
 # Key was created at: Fri Feb 2 14:32:23 CET 2007
 # Key expires: Never
 # PGP Key version: 4
 # PGP Key public key algorithm: DSA (1024 bits)
 # PGP Key fingerprint: BF:D6:44:C3:26:74:9E:3A:99:1E:D0:B5:C0:85:0D:AD:40:CD:57:C9
 # NAME: Foo Bar <[EMAIL PROTECTED]>
- Peer's key is valid
- Could not find a signer of the peer's key
- Version: TLS 1.1
- Key Exchange: DHE DSS
- Cipher: AES 128 CBC
- MAC: SHA
- Compression: DEFLATE
- Handshake was completed

- Simple Client Mode:

This is quite nice, but there are some things we could do to make things
easier. I'm thinking that gnutls-serv should use a static hard-coded
D-H parameter if the user didn't supply one on the command line.

Here is what I get if I test with my own key:

[EMAIL PROTECTED]:~/src/gnutls/src$ gpg -a --export-secret-keys b565716f > ~/[EMAIL PROTECTED]:~/src/gnutls/src$ gpg -a --export b565716f > ~/pubkey.gpg

Server:

[EMAIL PROTECTED]:~/src/gnutls/src$ ./gnutls-serv --dhparams dh.pem --pgpcertfile ~/pubkey.gpg --pgpkeyfile ~/privkey.gpg
Read Diffie Hellman parameters.
Echo Server ready. Listening to port '5556'.

Error in handshake
Error: A TLS packet with unexpected length was received.

Client:

[EMAIL PROTECTED]:~/src/gnutls/src$ ./gnutls-cli --pgpcertfile ~/pubkey.gpg --pgpkeyfile ~/privkey.gpg -p 5556 localhost
Processed 1 client PGP certificate...
Resolving 'localhost'...
Connecting to '127.0.0.1:5556'...
*** Fatal error: Decryption has failed.
*** Handshake has failed
GNUTLS ERROR: Decryption has failed.
[EMAIL PROTECTED]:~/src/gnutls/src$

Debugging indicates problems decrypting the challenge, in the client:

|<2>| ASSERT: gnutls_pk.c:283
|<2>| ASSERT: gnutls_pk.c:359
|<2>| ASSERT: gnutls_sig.c:299
|<2>| ASSERT: gnutls_sig.c:468
|<2>| ASSERT: auth_dhe.c:233
|<2>| ASSERT: gnutls_kx.c:346
|<2>| ASSERT: gnutls_handshake.c:2235

I suspect OpenCDK uses the wrong RSA key to encrypt and/or decrypt the
data. I have several old and expired keys in my private key. IIRC,
even GnuPG had a similar problem with my key some time ago.

/Simon

_______________________________________________
Help-gnutls mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/help-gnutls
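
To check the suspicion raised in the message above (an exported key that carries several old and expired keys), it helps to list which key material in the key is still usable before handing it to the TLS tools. The following is an added example, not code from this thread or from GnuTLS/OpenCDK; it assumes GnuPG's colon-delimited listing with epoch timestamps, and the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example. Function names and the sample listing are constructed.
# Assumes `gpg --with-colons` records: field 2 validity, 4 algorithm,
# 5 key ID, 7 expiry (epoch seconds), 12 capabilities.

# classify_keys NOW: read a colon listing on stdin and print, for each
# primary key and subkey, "<type> <keyid> <algo> <caps> <status>".
classify_keys() {
    awk -F: -v now="$1" '
        $1 == "pub" || $1 == "sub" {
            status = "usable"
            if ($2 == "r")
                status = "revoked"
            else if ($2 == "e" || ($7 != "" && $7 + 0 <= now + 0))
                status = "expired"   # also catches listings with no validity flag
            if ($4 == 1) algo = "RSA"
            else if ($4 == 16) algo = "ELG"
            else if ($4 == 17) algo = "DSA"
            else algo = "algo" $4
            caps = ($12 == "") ? "-" : $12
            print $1, $5, algo, caps, status
        }'
}

# count_usable_rsa NOW: number of RSA keys/subkeys neither expired nor revoked.
count_usable_rsa() {
    classify_keys "$1" | awk '$3 == "RSA" && $5 == "usable" { n++ } END { print n + 0 }'
}

# Constructed sample: DSA primary key plus four RSA subkeys, three unusable.
sample_listing() {
    cat <<'EOF'
pub:u:1024:17:AAAAAAAAAAAA0001:946684800:::u:::scSC:
uid:u::::946684800::::Example User <user@example.invalid>:
sub:e:1024:1:AAAAAAAAAAAA0002:946684800:1009843200:::::e:
sub:-:2048:1:AAAAAAAAAAAA0003:1009843200:1104537600:::::e:
sub:r:2048:1:AAAAAAAAAAAA0004:1104537600::::::e:
sub:u:2048:1:AAAAAAAAAAAA0005:1136073600::::::e:
EOF
}

# Real use: gpg --with-colons --list-keys KEYID | classify_keys "$(date +%s)"
sample_listing | classify_keys 1170000000
```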
