Rainer Gerhards | 21 May 13:44

Re: Re: Authentication during Handshake

Hi Nikos,

On Wed, May 21, 2008 at 1:08 PM, Nikos Mavrogiannopoulos
<n.mavrogiannopoulos <at> gmail.com> wrote:
> Simon Josefsson wrote:
>
>>> I still would see a lot of benefit in being able to check the remote
>>> peer's identity BEFORE the Finished message is sent. That way, I could
>>> block access to not permitted peers at the risk of the DoS outlined
>>> above. Am I still overlooking something?
>>
>> No, I think that is correct.  Nikos, any thoughts?  You added some
>> callbacks during the handshake earlier, are any of those useful here?
>
> No, unfortunately not. The callbacks I added are called after client
> hello is received. The callbacks you discuss need to be called after the
> certificate message is received.

Could you point me to the file where processing the certificate
message is done? I would be interested to see if I could add a
callback, maybe even just to know how it is done ;)

Thanks,
Rainer

Re: Re: Authentication during Handshake

Rainer Gerhards wrote:
> Hi Nikos,
> 
> On Wed, May 21, 2008 at 1:08 PM, Nikos Mavrogiannopoulos
> <n.mavrogiannopoulos <at> gmail.com> wrote:
>> Simon Josefsson wrote:
>>
>>>> I still would see a lot of benefit in being able to check the remote
>>>> peer's identity BEFORE the Finished message is sent. That way, I could
>>>> block access to not permitted peers at the risk of the DoS outlined
>>>> above. Am I still overlooking something?
>>> No, I think that is correct.  Nikos, any thoughts?  You added some
>>> callbacks during the handshake earlier, are any of those useful here?
>> No, unfortunately not. The callbacks I added are called after client
>> hello is received. The callbacks you discuss need to be called after the
>> certificate message is received.
> 
> Could you point me to the file where processing the certificate
> message is done? I would be interested to see if I could add a
> callback, maybe even just to know how it is done ;)

The file is gnutls_handshake.c. The functions you're interested in are
_gnutls_handshake_client, _gnutls_handshake_server (if you're doing it
for both of them).

A similar callback is _gnutls_user_hello_func which is the post_hello
callback.

I'd be glad to review and commit any patches for this issue.


Rainer Gerhards | 30 May 08:20

Re: Re: Authentication during Handshake

Just double-checking:

As far as I have seen OpenSSL's SSL_CTX_set_cert_verify_callback() is
not implemented inside the compatibility layer? I am asking because of

http://www.ietf.org/mail-archive/web/syslog/current/msg01963.html

Thanks,
Rainer

On Wed, May 21, 2008 at 1:53 PM, Nikos Mavrogiannopoulos
<nmav <at> gnutls.org> wrote:
> Rainer Gerhards wrote:
>> Hi Nikos,
>>
>> On Wed, May 21, 2008 at 1:08 PM, Nikos Mavrogiannopoulos
>> <n.mavrogiannopoulos <at> gmail.com> wrote:
>>> Simon Josefsson wrote:
>>>
>>>>> I still would see a lot of benefit in being able to check the remote
>>>>> peer's identity BEFORE the Finished message is sent. That way, I could
>>>>> block access to not permitted peers at the risk of the DoS outlined
>>>>> above. Am I still overlooking something?
>>>> No, I think that is correct.  Nikos, any thoughts?  You added some
>>>> callbacks during the handshake earlier, are any of those useful here?
>>> No, unfortunately not. The callbacks I added are called after client
>>> hello is received. The callbacks you discuss need to be called after the
>>> certificate message is received.
>>
>> Could you point me to the file where processing the certificate

Simon Josefsson | 30 May 11:34

Re: Authentication during Handshake

No, that is not implemented.  By reading the documentation for this, I
think GnuTLS should provide a similar callback.  Patches welcome. :)

/Simon

"Rainer Gerhards" <rgerhards <at> gmail.com> writes:

> Just double-checking:
>
> As far as I have seen OpenSSL's SSL_CTX_set_cert_verify_callback() is
> not implemented inside the compatibility layer? I am asking because of
>
> http://www.ietf.org/mail-archive/web/syslog/current/msg01963.html
>
> Thanks,
> Rainer
>
> On Wed, May 21, 2008 at 1:53 PM, Nikos Mavrogiannopoulos
> <nmav <at> gnutls.org> wrote:
>> Rainer Gerhards wrote:
>>> Hi Nikos,
>>>
>>> On Wed, May 21, 2008 at 1:08 PM, Nikos Mavrogiannopoulos
>>> <n.mavrogiannopoulos <at> gmail.com> wrote:
>>>> Simon Josefsson wrote:
>>>>
>>>>>> I still would see a lot of benefit in being able to check the remote
>>>>>> peer's identity BEFORE the Finished message is sent. That way, I could
>>>>>> block access to not permitted peers at the risk of the DoS outlined
>>>>>> above. Am I still overlooking something?

Rainer Gerhards | 30 May 14:32

Re: Authentication during Handshake

I am hearing the hint ;) I already pulled the git archive, let me see
if I can do anything. Looks like this becomes more important than I
originally thought...

Rainer

On Fri, May 30, 2008 at 11:34 AM, Simon Josefsson <simon <at> josefsson.org> wrote:
> No, that is not implemented.  By reading the documentation for this, I
> think GnuTLS should provide a similar callback.  Patches welcome. :)
>
> /Simon
>
> "Rainer Gerhards" <rgerhards <at> gmail.com> writes:
>
>> Just double-checking:
>>
>> As far as I have seen OpenSSL's SSL_CTX_set_cert_verify_callback() is
>> not implemented inside the compatibility layer? I am asking because of
>>
>> http://www.ietf.org/mail-archive/web/syslog/current/msg01963.html
>>
>> Thanks,
>> Rainer
>>
>> On Wed, May 21, 2008 at 1:53 PM, Nikos Mavrogiannopoulos
>> <nmav <at> gnutls.org> wrote:
>>> Rainer Gerhards wrote:
>>>> Hi Nikos,
>>>>
>>>> On Wed, May 21, 2008 at 1:08 PM, Nikos Mavrogiannopoulos

Simon Josefsson | 30 May 14:42

Re: Authentication during Handshake

"Rainer Gerhards" <rgerhards <at> gmail.com> writes:

> I am hearing the hint ;) I already pulled the git archive, let me see
> if I can do anything. Looks like this becomes more important than I
> originally thought...

Keep in mind that if you want to get bigger patches (more than 10 lines
of code) added to gnutls, you'll need to sign papers to transfer the
copyright to the FSF.  I can send you the forms privately.

/Simon

Rainer Gerhards | 30 May 15:15

Re: Authentication during Handshake

Simon,

On Fri, May 30, 2008 at 2:42 PM, Simon Josefsson <simon <at> josefsson.org> wrote:
> "Rainer Gerhards" <rgerhards <at> gmail.com> writes:
>
>> I am hearing the hint ;) I already pulled the git archive, let me see
>> if I can do anything. Looks like this becomes more important than I
>> originally thought...
>
> Keep in mind that if you want to get bigger patches (more than 10 lines
> of code) added to gnutls, you'll need to sign papers to transfer the
> copyright to the FSF.  I can send you the forms privately.

That's not a problem for me, but let me see first if I can find
sufficient time to actually do it. I so far have no idea how much of
the code/philosophy of GnuTLS I need to understand before I can do a
good enough patch. In any case, if I can, I will happily sign the
papers.

Rainer

Simon Josefsson | 30 May 15:20

Re: Authentication during Handshake

"Rainer Gerhards" <rgerhards <at> gmail.com> writes:

> Simon,
>
> On Fri, May 30, 2008 at 2:42 PM, Simon Josefsson <simon <at> josefsson.org> wrote:
>> "Rainer Gerhards" <rgerhards <at> gmail.com> writes:
>>
>>> I am hearing the hint ;) I already pulled the git archive, let me see
>>> if I can do anything. Looks like this becomes more important than I
>>> originally thought...
>>
>> Keep in mind that if you want to get bigger patches (more than 10 lines
>> of code) added to gnutls, you'll need to sign papers to transfer the
>> copyright to the FSF.  I can send you the forms privately.
>
> That's not a problem for me, but let me see first if I can find
> sufficient time to actually do it. I so far have no idea how much of
> the code/philosophy of GnuTLS I need to understand before I can do a
> good enough patch. In any case, if I can, I will happily sign the
> papers.

Great.  I fear you may need to gain a fair bit of understanding of some
rather messy internals to cook up this patch, but nothing is
impossible. ;)

/Simon

Rainer Gerhards | 30 May 15:23

Re: Authentication during Handshake

On Fri, May 30, 2008 at 3:20 PM, Simon Josefsson <simon <at> josefsson.org> wrote:
> "Rainer Gerhards" <rgerhards <at> gmail.com> writes:
> Great.  I fear you may need to gain a fair bit of understanding of some
> rather messy internals to cook up this patch, but nothing is
> impossible. ;)

Yeah ... this is what I fear, too, and thus I am uncertain I can complete it ;)

Rainer
