gnutls-commit

[SCM] GNU gnutls branch, gnutls_2_12_x, updated. gnutls_2_12_5-15-ga427e


From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, gnutls_2_12_x, updated. gnutls_2_12_5-15-ga427ebb
Date: Tue, 31 May 2011 19:49:52 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=a427ebb75a2da65f2fa11c6dc5e095e49da40b7e

The branch, gnutls_2_12_x has been updated
       via  a427ebb75a2da65f2fa11c6dc5e095e49da40b7e (commit)
       via  eae928fb56bdf2f756e649bcec92207399fca507 (commit)
      from  da4429a901c021d70eec9d2372d36efbcc963c4f (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit a427ebb75a2da65f2fa11c6dc5e095e49da40b7e
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Tue May 31 11:33:50 2011 +0200

    Added parameter generation section.

commit eae928fb56bdf2f756e649bcec92207399fca507
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Tue May 31 11:29:15 2011 +0200

    Compatibility text updated.

-----------------------------------------------------------------------

Summary of changes:
 doc/cha-gtls-app.texi  |   78 ++++++++++++++++++++++++++++++++++++++----------
 doc/cha-intro-tls.texi |   31 ++++++++++---------
 2 files changed, 78 insertions(+), 31 deletions(-)

diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi
index fe12f61..27a4ff7 100644
--- a/doc/cha-gtls-app.texi
+++ b/doc/cha-gtls-app.texi
@@ -9,9 +9,10 @@
 * Client examples::
 * Server examples::
 * Miscellaneous examples::
-* Compatibility with the OpenSSL library::
+* Parameter generation::
 * Keying Material Exporters::
 * Channel Bindings::
+* Compatibility with the OpenSSL library::
 @end menu
 
 @node Preparation
@@ -394,29 +395,50 @@ structure.
 
 @verbatiminclude examples/ex-pkcs12.c
 
address@hidden Compatibility with the OpenSSL library
address@hidden Compatibility with the OpenSSL Library
address@hidden OpenSSL
address@hidden Parameter generation
address@hidden Parameter generation
address@hidden parameter generation
address@hidden generating parameters
+
+Several TLS ciphersuites require additional parameters that
+need to be generated or provided by the application. The
+Diffie-Hellman based ciphersuites (ANON-DH or DHE), require
+the group information to be provided. This information can be either
+be generated on the fly using @ref{gnutls_dh_params_generate2}
+or imported from some pregenerated value using 
@ref{gnutls_dh_params_import_pkcs3}.
+The parameters can be used in a session by calling
address@hidden or
address@hidden for anonymous sessions.
+
+Due to the time-consuming calculations required for the generation
+of Diffie-Hellman parameters we suggest against performing generation
+of them within an application. The @code{certtool} tool can be used to 
+generate or export known safe values that can be stored in code
+or in a configuration file to provide the ability to replace. We also
+recommend the usage of @ref{gnutls_sec_param_to_pk_bits} to determine
+the bit size of the parameters to be generated.
+
+The ciphersuites that involve the RSA-EXPORT key exchange require
+additional parameters. Those ciphersuites are rarely used today
+because they are by design insecure, thus if you have no requirement
+for them, this section should be skipped. The RSA-EXPORT key exchange
+requires 512-bit RSA keys to be generated. It is recommended those
+parameters to be refreshed (regenerated) in short intervals. The
+following functions can be used for these parameters.
 
-To ease @acronym{GnuTLS}' integration with existing applications, a
-compatibility layer with the widely used OpenSSL library is included
-in the @code{gnutls-openssl} library. This compatibility layer is not
-complete and it is not intended to completely reimplement the OpenSSL
-API with @acronym{GnuTLS}.  It only provides source-level
-compatibility. There is currently no attempt to make it
-binary-compatible with OpenSSL.
address@hidden
 
-The prototypes for the compatibility functions are in the
address@hidden/openssl.h} header file.
address@hidden @ref{gnutls_rsa_params_generate2}
 
-Current limitations imposed by the compatibility layer include:
address@hidden @ref{gnutls_certificate_set_rsa_export_params}
 
address@hidden
address@hidden @ref{gnutls_rsa_params_import_pkcs1}
 
address@hidden Error handling is not thread safe.
address@hidden @ref{gnutls_rsa_params_export_pkcs1}
 
 @end itemize
 
+
 @node Keying Material Exporters
 @section Keying Material Exporters
 @cindex Keying Material Exporters
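Review bot: In the added Diffie-Hellman paragraph, "This information can be either be generated on the fly" has a stray "be", and "stored in code or in a configuration file to provide the ability to replace" stops without saying what is replaced; suggest "can either be generated" and "so that they can be replaced later". In the RSA-EXPORT paragraph, "It is recommended those parameters to be refreshed (regenerated) in short intervals" reads better as "It is recommended that those parameters be regenerated at short intervals", and because the same paragraph calls these ciphersuites insecure by design, an application author would benefit from a concrete interval or a statement of what determines it. The hunk also adds a second blank line before the Keying Material Exporters node.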
@@ -484,3 +506,27 @@ Note that it must be run after a successful TLS handshake.
     @}
 @}
 @end smallexample
+
address@hidden Compatibility with the OpenSSL library
address@hidden Compatibility with the OpenSSL Library
address@hidden OpenSSL
+
+To ease @acronym{GnuTLS}' integration with existing applications, a
+compatibility layer with the widely used OpenSSL library is included
+in the @code{gnutls-openssl} library. This compatibility layer is not
+complete and it is not intended to completely reimplement the OpenSSL
+API with @acronym{GnuTLS}.  It only provides source-level
+compatibility. There is currently no attempt to make it
+binary-compatible with OpenSSL.
+
+The prototypes for the compatibility functions are in the
address@hidden/openssl.h} header file.
+
+Current limitations imposed by the compatibility layer include:
+
address@hidden
+
address@hidden Error handling is not thread safe.
+
address@hidden itemize
+
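Review bot: The moved section ends with an added empty line after the closing itemize, which leaves a trailing blank line at the end of cha-gtls-app.texi; drop the final "+" line. The text is otherwise carried over unchanged from its old position, so the commit message could mention the move alongside the new section.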
diff --git a/doc/cha-intro-tls.texi b/doc/cha-intro-tls.texi
index 693d562..e081951 100644
--- a/doc/cha-intro-tls.texi
+++ b/doc/cha-intro-tls.texi
@@ -355,7 +355,7 @@ To initiate the handshake.
 * Client Authentication::       Requesting a certificate from the client.
 * Resuming Sessions::           Reusing previously established keys.
 * Resuming Internals::          More information on reusing previously 
established keys.
-* Compatibility Issues::        Issues on compatibility with other 
implementations.
+* Interoperability Issues::     Interoperability issues with other 
implementations.
 @end menu
 
 @node TLS Cipher Suites
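Review bot: Renaming the menu entry and node from "Compatibility Issues" to "Interoperability Issues" will break any @ref or @xref that still targets the old node name, and this commit touches only cha-gtls-app.texi and cha-intro-tls.texi. Grep the rest of doc/ for "Compatibility Issues" before merging, or keep the old name reachable with an @anchor.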
@@ -617,31 +617,32 @@ It might also be useful to be able to check for expired 
sessions in
 order to remove them, and save space. The function
 @ref{gnutls_db_check_entry} is provided for that reason.
 
address@hidden Compatibility Issues
address@hidden Compatibility Issues
address@hidden Interoperability Issues
address@hidden Interoperability Issues
 
 The @acronym{TLS} handshake is a complex procedure that negotiates all
 required parameters for a secure session. @acronym{GnuTLS} supports
-several @acronym{TLS} extensions, as well as the latest known published
-version being @acronym{TLS} 1.2. However few implementations are not able to
+several @acronym{TLS} extensions, as well as the latest @acronym{TLS} protocol 
+version 1.2. However few implementations are not able to
 properly interoperate once faced with extensions or version protocols
-they do not support and understand. The @acronym{TLS} protocol allows for 
-graceful downgrade to the commonly supported options, but practice shows that 
+they do not support and understand. The @acronym{TLS} protocol allows for a
+graceful downgrade to the commonly supported options, but practice shows 
 it is not always implemented correctly. 
 
-Because there is no way to handle maximum compatibility with broken peers
+Because there is no way to achieve maximum interoperability with broken peers
 without sacrificing security, @acronym{GnuTLS} ignores such peers by default. 
-This might not be acceptable in several cases, where maximum compatibility
-is required, thus we allow enabling compatibility with broken peers using
-priority strings (see @ref{Priority Strings}). An example priority string that 
will
-disable all supported  @acronym{TLS} protocol versions except for
-the widely supported @acronym{SSL} 3.0 and @acronym{TLS} 1.0
+This might not be acceptable in cases where maximum compatibility
+is required. Thus we allow enabling compatibility with broken peers using
+priority strings (see @ref{Priority Strings}). An example priority string that
+is known to provide wide compatibility even with broken peers
 is shown below:
 @example
 NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:+VERS-SSL3.0:%COMPAT
 @end example
-This priority string provides the wider possible compatibility with broken 
peers. 
-We suggest however only to use that compatibility mode if such issues occur.
+This priority string will only enable SSL 3.0 and TLS 1.0 as protocols and
+will disable, via the @code{%COMPAT} keyword, several @acronym{TLS} protocol
+options that are known to cause compatibility problems.
+We suggest however only to use this mode if compatibility issues occur.
 
 @node TLS Extensions
 @section TLS Extensions
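Review bot: The section is retitled "Interoperability Issues" and one sentence now says "maximum interoperability", but the lines that follow still say "maximum compatibility is required", "enabling compatibility with broken peers" and "wide compatibility"; pick one term for the whole section. The new closing text says the string "will only enable SSL 3.0 and TLS 1.0" but no longer states outright that the newer TLS versions are switched off, which the removed wording ("disable all supported TLS protocol versions except for") did. Since the paragraph itself says interoperability with broken peers cannot be had without sacrificing security, keep that consequence explicit, and either name the options that %COMPAT disables or point to where they are listed. The untouched "However few implementations" should read "However a few implementations".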


hooks/post-receive
-- 
GNU gnutls


