Re: [libmicrohttpd] Using GnuTLS with GNUTLS_CRD_PSK and AES-256-GCM, SHA384

[Christian Grothoff]

Dear Tal,

If you look at daemon.c:580, you can see that so far we only implemented
the CRD_CERTIFICATE type.  There is no fundamental reason why PSK could
not be supported, but the respective data structures would need to be
added to 'struct MHD_Daemon' and the case filled in here with the right
call to gnutls.

I've never used the PSK API of GnuTLS, so some (likely small) digging
might be required to figure out what exactly should be called.  Also,
another MHD_OPTION_HTTPS_PSK_KEY or something like that would likely be
needed.

I don't mind adding support, but I'm pretty busy so unless I receive a
patch (or say a donation to GNUnet e.V, too small for "real" funding)
this is unlikely to happen super-quickly.


Happy hacking!

Christian

On 05/22/2018 07:58 PM, Tal Maoz (tmaoz) wrote:
> Hey guys,
> 
>  
> 
> I hope someone can help with this as it is pretty urgent.
> 
> I’m trying to build a simple secure server over libmicrohttpd.
> 
> I compiled version 0.9.59 with libgnutls 3.5.18.
> 
> I’m trying to use TLS-PSK with AES-256-GCM and SHA384 but I get an error:
> 
> Ø  Error: invalid credentials type 4 specified.
> 
>  
> 
> My code:
> 
>  
> 
> *daemon = MHD_start_daemon(MHD_USE_THREAD_PER_CONNECTION | MHD_USE_SSL |
> MHD_USE_DEBUG,*
> 
> *                                   arguments.port_arg,*
> 
> *                                   NULL,*
> 
> *                                   NULL,*
> 
> *                                   &request_handler,*
> 
> *                                   NULL,*
> 
> *                                   MHD_OPTION_CONNECTION_TIMEOUT, 256,*
> 
> *                                   MHD_OPTION_HTTPS_CRED_TYPE,
> GNUTLS_CRD_PSK,*
> 
> *                                   MHD_OPTION_HTTPS_PRIORITIES,
> "NONE:+AES-256-GCM:+SHA384",*
> 
> *                                   MHD_OPTION_HTTPS_MEM_KEY, key_pem,*
> 
> *                                   MHD_OPTION_HTTPS_MEM_CERT, cert_pem,*
> 
> *                                   MHD_OPTION_END);*
> 
>  
> 
> I looked into the source code of libmicrohttps and in
> microhttpd/daemon.c:576 I see that, for some reason, if anything other
> than GNUTLS_CRD_CERTIFICATE is used, this error message is given. The
> documentation says:
> 
>  
> 
> MHD_OPTION_HTTPS_CRED_TYPE
> 
> Daemon credentials type. Either certificate or anonymous, this option
> should be followed by one of the values listed in "enum
> gnutls_credentials_type_t".
> 
> Any Idea on what to do with this? Is there some other config I need to
> use/change for this to work? When I remove the
> “*MHD_OPTION_HTTPS_CRED_TYPE*“ and “*MHD_OPTION_HTTPS_PRIORITIES*” , the
> server works (but not in the mode I need, obviously).
> 
>  
> 
> If this is simply not supported, any idea if there are any plans to ever
> support this?
> 
>  
> 
> Any help will be very much appreciated.
> 
>  
> 
> Thanks,
> 
>  
> 
> Tal
> 
>  
> 
> http://www.cisco.com/c/dam/m/en_us/employee-connection/signaturetool/images/banners/Photography/banner7.png
> 
>  
> 
>               
> 
> *Tal Maoz*
> 
> Senior Software Engineer
> 
> CTAO Innovation Group
> 
> address@hidden <mailto:address@hidden>
> 
> Tel: *+972-2-5886289*
> 
>       
> 
> *Cisco Systems Israel Ltd.*
> 
> 5 Shlomo Halevi Street
> 
> Har Hotzvim High Tech Park
> 
> Jerusalem
> 
> 9777019
> 
> Israel
> 
> Cisco.com <http://www.cisco.com/web/IL/>
> 
>       
> 
> http://www.cisco.com/c/dam/m/en_us/signaturetool/images/linkedin-16x16.png
> <https://il.linkedin.com/in/tal-maoz-7247693>
> 
>  
> 
> http://www.cisco.com/assets/swa/img/thinkbeforeyouprint.gif Think before
> you print.
> 
>  
> 
>  
> 
>  
>

signature.asc
Description: OpenPGP digital signature