path: root/doc/tex/programs.tex
blob: f255fefe206cb4bbc49585d53050a5bf289daaa1 (plain)
\chapter{Included programs}

\section{The ``gnutls-srpcrypt'' program}
\label{srpcrypt}

``gnutls-srpcrypt'' is a very simple program that emulates the tools shipped with libsrp,
found at \htmladdnormallink{http://srp.stanford.edu}{http://srp.stanford.edu}.
It is intended for use in places where you do not expect SRP
authentication to be performed for system users, i.e. where the SRP
password database is kept separate from the system's own password database.

Traditionally libsrp used two files: 'tpasswd', which holds usernames, salts
and verifiers, and 'tpasswd.conf', which holds the generators and primes.
\par
How to use srpcrypt:

\begin{itemize}


\item To create tpasswd.conf, which holds the g and n values for
the SRP protocol (a generator and a large prime), run:
\begin{verbatim}
$ gnutls-srpcrypt --create-conf /etc/tpasswd.conf
\end{verbatim}


\item This command will create /etc/tpasswd and will add user 'test' (you will also
be prompted for a password). Verifiers are stored by default in the
way libsrp expects (using a modified SHA()). Note that although the file
holds no plaintext passwords, a verifier still permits offline password
guessing if the file is stolen, so protect /etc/tpasswd like any other
password database.
\begin{verbatim}
$ gnutls-srpcrypt --passwd /etc/tpasswd \
    --passwd-conf /etc/tpasswd.conf -u test
\end{verbatim}

\item This command will check a password. If the password matches
the one in /etc/tpasswd you will get an ok.
\begin{verbatim}
$ gnutls-srpcrypt --passwd /etc/tpasswd \
    --passwd-conf /etc/tpasswd.conf --verify -u test
\end{verbatim}

\end{itemize}
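The three steps above (create the group parameters, store a user's verifier, verify a password) can be modelled end to end in a few lines. The following is an added example, not code from GnuTLS or libsrp: it derives the private value with the plain RFC 2945 rule $x = \mathrm{SHA1}(s \,|\, \mathrm{SHA1}(I \,|\, \texttt{":"} \,|\, P))$ rather than libsrp's modified SHA, so its verifiers are not byte-compatible with a real tpasswd file, and it uses a toy 64-bit safe prime (generated in code) so that it runs instantly; a real deployment uses the 2048-bit or larger groups of RFC 5054. The dictionary \texttt{db} stands in for the tpasswd file.

```python
"""Toy model of the gnutls-srpcrypt workflow: make an SRP group (tpasswd.conf),
add a user's verifier (tpasswd) and check a password against it.
Added example, not code from GnuTLS or libsrp.  Uses the RFC 2945 derivation
x = SHA1(salt | SHA1(user ":" password)), not libsrp's modified SHA, so the
verifiers are NOT compatible with a real tpasswd file."""
import hashlib
import os
import random


def is_probable_prime(n, rounds=32, rng=random):
    """Miller-Rabin with a trial-division prefilter."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def create_conf(bits=64, seed=None):
    """Like --create-conf: return (N, g) with N = 2q+1 a safe prime and g of
    order 2q.  64 bits is a TOY size chosen so the demo runs fast; real SRP
    uses the 2048-bit-or-larger groups of RFC 5054."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q, rng=rng) and is_probable_prime(2 * q + 1, rng=rng):
            n = 2 * q + 1
            break
    for g in range(2, n):
        # g generates the whole group iff its order is neither 1, 2 nor q.
        if pow(g, 2, n) != 1 and pow(g, q, n) != 1:
            return n, g


def compute_x(salt, username, password):
    """RFC 2945: x = SHA1(s | SHA1(I | ":" | P)), as an integer."""
    inner = hashlib.sha1(f"{username}:{password}".encode()).digest()
    return int.from_bytes(hashlib.sha1(salt + inner).digest(), "big")


def add_user(db, conf, username, password, salt=None):
    """Like --passwd ... -u USER: store (salt, verifier); the password itself
    is never stored.  `db` stands in for the tpasswd file."""
    n, g = conf
    salt = salt if salt is not None else os.urandom(16)
    v = pow(g, compute_x(salt, username, password), n)
    db[username] = (salt, v)
    return v


def verify_password(db, conf, username, password):
    """Like --verify: recompute the verifier from the candidate password and
    compare.  A stolen tpasswd allows exactly this offline guessing, which is
    why the file still needs tight permissions despite holding no plaintext."""
    if username not in db:
        return False
    n, g = conf
    salt, v = db[username]
    return pow(g, compute_x(salt, username, password), n) == v


if __name__ == "__main__":
    conf = create_conf(64, seed=1)  # fixed seed so the demo is repeatable
    print("N = %d, g = %d" % conf)
    tpasswd = {}
    add_user(tpasswd, conf, "test", "correct horse")
    print("verify good:", verify_password(tpasswd, conf, "test", "correct horse"))
    print("verify bad: ", verify_password(tpasswd, conf, "test", "wrong"))
```

The verifier $v = g^x \bmod N$ is what the server keeps; a client that only knows $v$ cannot complete the SRP exchange, which is the property that makes a verifier file less damaging to lose than a plaintext password file, but not harmless.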



\section{The ``gnutls-cli-debug'' program}

This program was created to assist in debugging \gnutls{}, but it
might also be useful for extracting a \tls{} server's capabilities.
Its purpose is to connect to a \tls{} server, perform
some tests and print what the server accepts. It reports capabilities
only; judging which of them are undesirable (for example SSL 3.0,
export-grade or anonymous cipher suites) is left to the reader.
An example output is:

\begin{verbatim}
crystal:/cvs/gnutls/src$ ./gnutls-cli-debug localhost -p 5556
Resolving 'localhost'...
Connecting to '127.0.0.1:5556'...
Checking for TLS 1.0 support... yes
Checking for SSL 3.0 support... yes
Checking for certificate information...
- Certificate type: X.509
 - Certificate info:
 # Certificate is valid since: Sat Jul  7 13:18:00 EEST 2001
 # Certificate expires: Sun Jul  7 13:18:00 EEST 2002
 # Certificate fingerprint: 43 ab a2 a7 d3 6a 28 02 60 73 b4 a5 c3 84 0a 3f 
 # Certificate serial number: 01 
 # Certificate version: #3
 # Certificate public key algorithm: RSA
 #   Modulus: 1024 bits
 #   CN: localhost
 #   OU: GNUTLS dev.
 #   O: GNUTLS
 #   L: Athina
 #   S: Attiki
 #   C: GR
 #   E: root@localhost
 # Certificate Issuer's info:
 #   CN: GNUTLS TEST CA
 #   OU: GNUTLS dev.
 #   O: GNUTLS
 #   L: Athina
 #   S: Attiki
 #   C: GR
 #   E: gnutls-dev@gnupg.org
 
Checking for version rollback bug in RSA PMS... no
Checking for version rollback bug in Client Hello... no
Checking whether we need to disable TLS 1.0... no
Checking whether the server can accept Hello Extensions... yes
Checking whether the server can accept cipher suites not in SSL 3.0 spec... yes
Checking whether the server understands TLS closure alerts... yes
Checking whether the server supports session resumption... yes
Checking for export-grade ciphersuite support... no
Checking for anonymous authentication support... yes
Checking for ephemeral Diffie Hellman support... yes
Checking for AES cipher support... yes
Checking for 3DES cipher support... yes
Checking for ARCFOUR cipher support... yes
Checking for MD5 MAC support... yes
Checking for SHA1 MAC support... yes
Checking for max record size TLS extension... yes
Checking for SRP authentication support (gnutls extension)... no
Checking for OpenPGP authentication support (gnutls extension)... no

\end{verbatim}
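Because the output is a flat list of ``Checking ... yes/no'' lines, it is easy to turn into a findings list for a server review. The following is an added example, not part of GnuTLS: it parses that line format and applies a small policy of its own (which answers count as weak, with the reason) to a constructed sample in the same format as the output above. The policy table is the example's assumption, not anything gnutls-cli-debug itself decides.

```python
"""Parse gnutls-cli-debug output and flag weak server capabilities.
Added example, not part of GnuTLS.  SAMPLE is constructed in the format the
program prints ('Checking ... ' followed by 'yes' or 'no')."""
import re

# Constructed sample in gnutls-cli-debug's output format.
SAMPLE = """\
Checking for TLS 1.0 support... yes
Checking for SSL 3.0 support... yes
Checking for version rollback bug in RSA PMS... no
Checking for version rollback bug in Client Hello... no
Checking whether the server understands TLS closure alerts... yes
Checking for export-grade ciphersuite support... no
Checking for anonymous authentication support... yes
Checking for ARCFOUR cipher support... yes
Checking for MD5 MAC support... yes
Checking for SHA1 MAC support... yes
"""

LINE = re.compile(r"^Checking (?:for|whether) (.+?)\.\.\. (yes|no)\s*$")

# Policy: (substring of the check name, the answer that is undesirable, why).
# This table is the example's own assumption, not a gnutls-cli-debug verdict.
POLICY = [
    ("SSL 3.0 support", "yes", "SSL 3.0 is obsolete (RFC 7568) and POODLE-prone"),
    ("version rollback bug", "yes", "server can be talked down to a weaker version"),
    ("export-grade", "yes", "export suites use 40/56-bit keys or 512-bit RSA"),
    ("anonymous authentication", "yes", "anonymous suites give no server authentication"),
    ("ARCFOUR", "yes", "RC4 is prohibited in TLS (RFC 7465)"),
    ("MD5 MAC", "yes", "MD5-based MACs are deprecated"),
    ("TLS closure alerts", "no", "without close_notify, truncation attacks go unnoticed"),
]


def parse(output):
    """Map each check name to True (yes) or False (no); other lines are ignored."""
    results = {}
    for line in output.splitlines():
        m = LINE.match(line)
        if m:
            results[m.group(1)] = (m.group(2) == "yes")
    return results


def findings(results):
    """Return (check name, reason) for every result the policy deems weak."""
    out = []
    for needle, bad, reason in POLICY:
        for name, answer in results.items():
            if needle in name and ("yes" if answer else "no") == bad:
                out.append((name, reason))
    return out


if __name__ == "__main__":
    for name, reason in findings(parse(SAMPLE)):
        print(f"WEAK: {name}: {reason}")
```

For the sample above the policy reports SSL 3.0, anonymous authentication, ARCFOUR and the MD5 MAC; the rollback checks and closure-alert support come back clean. To use it on a live server, pipe the tool's output into \texttt{parse()} and extend \texttt{POLICY} with whatever your own baseline forbids.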