David Given <[EMAIL PROTECTED]> writes:

> Simon Josefsson wrote:
> [...]
>> That error happens if the server doesn't offer a ciphersuite that the
>> client can accept. Often this is caused by missing X.509 CA and/or
>> server certificate. Check with 'gnutls-cli' what key exchange is
>> negotiated. If it is ANON, most clients will refuse to talk to you.
>>
>> Btw, example 7.4.5 is for anonymous authentication, try 7.4.1 instead.
>> It is easy to change things, just add an X.509 credential and assign it
>> to the session.
>
> Thanks. I was rather hoping to do without --- having to create a self-signed
> certificate adds quite a lot of complexity to my install procedure --- but if
> I have to...

Many programs refuse to work if the server doesn't have an X.509
certificate, so yes, I'm afraid you'll have to add that to your server,
or modify a lot of clients.

> Incidentally, creating a private key with certtool takes several minutes.
> Doing the same with openssl req appears to be more or less instant. Is this
> normal?

Yes. Certtool calls gcry_pk_genkey in libgcrypt, and it will read from
/dev/random which often blocks waiting for more entropy. I really think
it should be possible to do things faster, but the Linux kernel people
appear to neglect to replace the current broken /dev/random code with
something faster and more secure.

A strace shows that OpenSSL uses /dev/urandom (and stores state in
~/.rnd) for generating private keys. That device doesn't block, and may
return data with little entropy. If you run 'openssl genrsa -rand
file:/dev/random' it is also quite slow.

/Simon

_______________________________________________
Help-gnutls mailing list
Help-gnutls@gnu.org
http://lists.gnu.org/mailman/listinfo/help-gnutls
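The check Simon suggests above (run gnutls-cli against the server and see whether the negotiated key exchange is ANON) as a small added script; it is not part of the thread or of GnuTLS itself, and it assumes the handshake summary carries either a "- Key Exchange: NAME" line or a "- Description: (VER)-(KX)-..." line. The summaries embedded below are constructed samples, not captured output.

```sh
#!/bin/sh
# Added example, not from the mailing-list thread or GnuTLS.

# Read a gnutls-cli handshake summary on stdin and print the key-exchange
# name. Assumption: older gnutls-cli prints "- Key Exchange: NAME", newer
# versions print "- Description: (VER)-(KX)-(CIPHER)-(MAC)". Prints
# "unknown" when neither line is present.
kx_from_summary() {
    summary=$(cat)
    kx=$(printf '%s\n' "$summary" | sed -n 's/^- Key Exchange: *\([^ ]*\).*/\1/p' | head -n 1)
    if [ -z "$kx" ]; then
        kx=$(printf '%s\n' "$summary" | sed -n 's/^- Description: ([^)]*)-(\([^)]*\)).*/\1/p' | head -n 1)
    fi
    printf '%s\n' "${kx:-unknown}"
}

# Return 0 when the key exchange is anonymous (ANON-DH, ANON-ECDH, ...),
# i.e. the server offered no X.509 credential, and 1 otherwise.
kx_is_anonymous() {
    case "$1" in
        ANON*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Probe a live server: gnutls-cli writes the handshake summary to stdout.
# Usage: probe_server HOST PORT
probe_server() {
    kx=$(gnutls-cli --port "$2" "$1" </dev/null 2>/dev/null | kx_from_summary)
    if kx_is_anonymous "$kx"; then
        echo "$1:$2 $kx (anonymous: most clients will refuse to connect)"
    else
        echo "$1:$2 $kx (server authenticated)"
    fi
}

# Constructed sample summaries, standing in for real gnutls-cli output.
SAMPLE_ANON='- Description: (TLS1.2)-(ANON-DH)-(AES-128-CBC)-(SHA1)
- Key Exchange: ANON-DH'
SAMPLE_X509='- Description: (TLS1.2)-(RSA)-(AES-128-CBC)-(SHA1)
- Key Exchange: RSA'

# Run the check offline against the samples; probe a real server only if
# a host and port were given on the command line.
for s in "$SAMPLE_ANON" "$SAMPLE_X509"; do
    kx=$(printf '%s\n' "$s" | kx_from_summary)
    kx_is_anonymous "$kx" && echo "$kx: anonymous" || echo "$kx: authenticated"
done
[ "$#" -eq 2 ] && probe_server "$1" "$2"
```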