Diffstat (limited to 'doc')
-rw-r--r--doc/tex/certificate.tex8
-rw-r--r--doc/tex/compression.tex3
-rw-r--r--doc/tex/gnutls.bib58
-rw-r--r--doc/tex/howto.tex2
-rw-r--r--doc/tex/programs.tex45
5 files changed, 77 insertions, 39 deletions
diff --git a/doc/tex/certificate.tex b/doc/tex/certificate.tex
index 80475542f1..4210a5dcdc 100644
--- a/doc/tex/certificate.tex
+++ b/doc/tex/certificate.tex
@@ -155,8 +155,8 @@ A certificate request is a structure, which
contain information about an applicant of a certificate service.
It usually contains a private key, a distinguished name and secondary
data such as a challenge password. \gnutls{} supports the requests
-defined in PKCS \#10. Other certificate request's format such as
-PKIX's RFC2511 are not currently supported.
+defined in PKCS \#10 \cite{RFC2986}. Other certificate request's format such as
+PKIX's RFC2511 \cite{RFC2511} are not currently supported.
In \gnutls{} the PKCS \#10 structures are handled using the
\emph{gnutls\_x509\_crq} type.
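Review bot: The context sentence just above the new citations still says a certificate request "usually contains a private key", which is wrong for the PKCS \#10 format now being cited. A request carries the applicant's public key and is signed with the matching private key, which never leaves the applicant. Since this paragraph is being edited anyway, I would change that line to `It usually contains a public key, a distinguished name and secondary`. I would also tie each citation to the preceding word, `PKCS \#10~\cite{RFC2986}` and `RFC2511~\cite{RFC2511}`, so the bracket cannot wrap to the next line. The paragraph starts above the hunk.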
@@ -164,7 +164,7 @@ An example of a certificate request generation can be found at section \ref{ex:c
on page \pageref{ex:crq}.
\subsection{PKCS \#12 structures\index{PKCS \#12}}
-A PKCS \#12 structure usually contains a user's private keys and
+A PKCS \#12 structure \cite{PKCS12} usually contains a user's private keys and
certificates. It is commonly used in browsers to export and import
the user's identities.
\par
@@ -210,7 +210,7 @@ signs other people's keys without being sure that they belong to the
actual owner.
\subsection*{OpenPGP keys}
-In \gnutls{} the OpenPGP key structures are handled using the
+In \gnutls{} the OpenPGP key structures \cite{RFC2440} are handled using the
\emph{gnutls\_openpgp\_key} type and the corresponding private keys with
the \emph{gnutls\_openpgp\_privkey} type. All the prototypes for the key handling
functions can be found at \emph{gnutls/openpgp.h}.
diff --git a/doc/tex/compression.tex b/doc/tex/compression.tex
index cd057e027d..508fa07619 100644
--- a/doc/tex/compression.tex
+++ b/doc/tex/compression.tex
@@ -27,7 +27,8 @@ DEFLATE & Zlib compression, using the deflate algorithm.
\\
\hline
LZO & LZO is a very fast compression algorithm. This algorithm is only
-available if the \gnutlse{} library has been initialized.
+available if the \gnutlse{} library has been initialized and the
+private extensions are enabled.
\\
\hline
\end{tabular}
diff --git a/doc/tex/gnutls.bib b/doc/tex/gnutls.bib
index 942a974ad5..55c265fa0d 100644
--- a/doc/tex/gnutls.bib
+++ b/doc/tex/gnutls.bib
@@ -1,3 +1,30 @@
+@Misc{RFC2246,
+ author = "Tim Dierks and Christopher Allen",
+ title = "The TLS Protocol Version 1.0",
+ month = "January",
+ year = {1999},
+ note = "Available from http://kaizi.viagenie.qc.ca/ietf/rfc/rfc2246.txt",
+ url = "http://kaizi.viagenie.qc.ca/ietf/rfc/rfc2246.txt"
+}
+
+@Misc{RFC2440,
+ author = "Jon Callas and Lutz Donnerhacke and Hal Finney and Rodney Thayer",
+ title = "OpenPGP Message Format",
+ month = "November",
+ year = {1998},
+ note = "Available from http://kaizi.viagenie.qc.ca/ietf/rfc/rfc2440.txt",
+ url = "http://kaizi.viagenie.qc.ca/ietf/rfc/rfc2440.txt"
+}
+
+@Misc{RFC2511,
+ author = "Michael Myers and Carlisle Adams and Dave Solo and David Kemp",
+ title = "Internet X.509 Certificate Request Message Format",
+ month = "March",
+ year = {1999},
+ note = "Available from http://kaizi.viagenie.qc.ca/ietf/rfc/rfc2511.txt",
+ url = "http://kaizi.viagenie.qc.ca/ietf/rfc/rfc2511.txt"
+}
+
@Misc{RFC2817,
author = "Rohit Khare and Scott Lawrence",
title = "Upgrading to TLS Within HTTP/1.1",
@@ -7,15 +34,16 @@
url = "http://kaizi.viagenie.qc.ca/ietf/rfc/rfc2817.txt"
}
-@Misc{RFC2246,
- author = "Tim Dierks and Christopher Allen",
- title = "The TLS Protocol Version 1.0",
- month = "January",
- year = {1999},
- note = "Available from http://kaizi.viagenie.qc.ca/ietf/rfc/rfc2246.txt",
- url = "http://kaizi.viagenie.qc.ca/ietf/rfc/rfc2246.txt"
+@Misc{RFC2818,
+ author = "Eric Rescola",
+ title = "HTTP Over TLS",
+ month = "May",
+ year = {2000},
+ note = "Available from http://kaizi.viagenie.qc.ca/ietf/rfc/rfc2818.txt",
+ url = "http://kaizi.viagenie.qc.ca/ietf/rfc/rfc2818.txt"
}
+
@Misc{RFC2945,
author = "Tom Wu",
title = "The SRP Authentication and Key Exchange System",
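Review bot: The author of the new RFC2818 entry is spelled `Eric Rescola`; the RFC's author is Eric Rescorla, so the field should read `author = "Eric Rescorla",`. As written, the misspelling is printed in the bibliography wherever this key is cited, which the howto.tex hunk of this commit now does. The RFC2945 entry after it continues outside the hunk.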
@@ -25,6 +53,15 @@
url = "http://kaizi.viagenie.qc.ca/ietf/rfc/rfc2945.txt"
}
+@Misc{RFC2986,
+ author = "Magnus Nystrom and Burt Kaliski",
+ title = "PKCS 10 v1.7: Certification Request Syntax Specification",
+ month = "November",
+ year = {2000},
+ note = "Available from http://kaizi.viagenie.qc.ca/ietf/rfc/rfc2986.txt",
+ url = "http://kaizi.viagenie.qc.ca/ietf/rfc/rfc2986.txt"
+}
+
@Misc{RFC3280,
author = "Russell Housley and Tim Polk and Warwick Ford and David Solo",
title = "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile",
@@ -43,6 +80,13 @@
url = "http://wp.netscape.com/eng/ssl3/draft302.txt"
}
+@Misc{PKCS12,
+ author = "RSA Laboratories",
+ title = "PKCS 12 v1.0: Personal Information Exchange Syntax",
+ month = "June",
+ year = {1999},
+}
+
@Misc{TLSEXT,
author = "Simon Blake-Wilson and Magnus Nystrom and David Hopwood and Jan Mikkelsen and Tim Wright",
title = "Transport Layer Security (TLS) Extensions",
diff --git a/doc/tex/howto.tex b/doc/tex/howto.tex
index d6823848f7..d4ebd935d8 100644
--- a/doc/tex/howto.tex
+++ b/doc/tex/howto.tex
@@ -17,7 +17,7 @@ that if a user requests a secure session then the client will try to
connect to the secure port and fail otherwise. The only possible attack
with this method is a denial of service one. The most famous
example of this method is the famous ``HTTP over TLS'' or HTTPS\footnote{RFC2818}
-protocol.
+protocol \cite{RFC2818}.
\par
Despite its wide use, this method is not as good as it seems.
This approach starts the \tls{} Handshake procedure just after the
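Review bot: The added `\cite{RFC2818}` leaves the `\footnote{RFC2818}` on the previous line in place, so the same reference is now given twice in one sentence. I would remove the footnote from the context line and keep only the citation, written with a tie as `protocol~\cite{RFC2818}.` so the bracket stays on the same line as the word. The paragraph begins and ends outside the hunk.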
diff --git a/doc/tex/programs.tex b/doc/tex/programs.tex
index 922d0ba933..4aea3994cb 100644
--- a/doc/tex/programs.tex
+++ b/doc/tex/programs.tex
@@ -46,52 +46,45 @@ $ srptool --passwd /etc/tpasswd \
This program was created to assist in debugging \gnutls{}, but it
might be useful to extract a \tls{} server's capabilities.
It's purpose is to connect onto a \tls{} server, perform
-some tests and print the server's capabilities. An example output is:
+some tests and print the server's capabilities. If called with the
+`-v' parameter a more checks will be performed. An example output is:
\begin{verbatim}
crystal:/cvs/gnutls/src$ ./gnutls-cli-debug localhost -p 5556
Resolving 'localhost'...
Connecting to '127.0.0.1:5556'...
+Checking for TLS 1.1 support... yes
+Checking fallback from TLS 1.1 to... N/A
Checking for TLS 1.0 support... yes
Checking for SSL 3.0 support... yes
Checking for version rollback bug in RSA PMS... no
Checking for version rollback bug in Client Hello... no
-Checking whether we need to disable TLS 1.0... no
+Checking whether we need to disable TLS 1.0... N/A
Checking whether the server ignores the RSA PMS version... no
Checking whether the server can accept Hello Extensions... yes
Checking whether the server can accept cipher suites not in SSL 3.0 spec... yes
Checking whether the server can accept a bogus TLS record version in the client hello... yes
-Checking for certificate information...
-- Certificate type: X.509
- - Got a certificate list of 1 certificates.
-
- - Certificate[0] info:
- # valid since: Sat Jul 7 13:18:00 EEST 2001
- # expires at: Sun Jul 7 13:18:00 EEST 2002
- # serial number: 01
- # fingerprint: 43 ab a2 a7 d3 6a 28 02 60 73 b4 a5 c3 84 0a 3f
- # version: #3
- # public key algorithm: RSA
- # Modulus: 1024 bits
- # Subject's DN: C=GR,ST=Attiki,L=Athina,O=GNUTLS,OU=GNUTLS dev.,CN=localhost,EMAIL=root@localhost
- # Issuer's DN: C=GR,ST=Attiki,L=Athina,O=GNUTLS,OU=GNUTLS dev.,CN=GNUTLS TEST CA,EMAIL=gnutls-dev@gnupg.org
-
-
-Checking for trusted CAs...
-- Server's trusted authorities:
- [0]: C=GR,ST=Attiki,L=Athina,O=GNUTLS,OU=GNUTLS dev.,CN=GNUTLS TEST CA,EMAIL=gnutls-dev@gnupg.org
-
+Checking for certificate information... N/A
+Checking for trusted CAs... N/A
Checking whether the server understands TLS closure alerts... yes
-Checking whether the server supports session resumption... no
+Checking whether the server supports session resumption... yes
Checking for export-grade ciphersuite support... no
+Checking RSA-export ciphersuite info... N/A
+Checking for anonymous authentication support... no
+Checking anonymous Diffie Hellman group info... N/A
Checking for ephemeral Diffie Hellman support... no
-Checking for ephemeral Diffie Hellman prime size... N/A
-Checking for AES cipher support... yes
+Checking ephemeral Diffie Hellman group info... N/A
+Checking for AES cipher support (TLS extension)... yes
Checking for 3DES cipher support... yes
-Checking for ARCFOUR cipher support... yes
+Checking for ARCFOUR 128 cipher support... yes
+Checking for ARCFOUR 40 cipher support... no
Checking for MD5 MAC support... yes
Checking for SHA1 MAC support... yes
+Checking for RIPEMD160 MAC support (TLS extension)... yes
+Checking for ZLIB compression support (TLS extension)... yes
+Checking for LZO compression support (GnuTLS extension)... yes
Checking for max record size (TLS extension)... yes
+Checking for SRP authentication support (TLS extension)... yes
Checking for OpenPGP authentication support (TLS extension)... no
\end{verbatim}
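Review bot: The added sentence reads "a more checks will be performed"; the stray article should go and a comma should follow the option, so the line ends `parameter, more checks will be performed. An example output is:`. The replaced sample also reports `N/A` for the certificate-information and trusted-CA checks, among others, and the text never says what that result means. One sentence before the verbatim block stating when the tool prints `N/A` would stop readers from taking it as a failed check; presumably it means the test was skipped or did not apply, which should be confirmed against the tool. The section starts above the hunk.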