[gnutls-devel] gnutls ASSERT lines even when not using TLS on knot-resolver

Daniel Kahn Gillmor-7
Hi GnuTLS folks--

Over on:

https://gitlab.labs.nic.cz/knot/resolver/merge_requests/287#note_48109

Vladimír Čunát (cc'ed here) reports that the following log messages
appear even when knot-resolver isn't listening on TLS:

     [tls] gnutls: (3) ASSERT: pk.c[_wrap_nettle_pk_verify]:750
     [tls] gnutls: (3) ASSERT: pubkey.c[pubkey_verify_hashed_data]:1913

Presumably this has to do with the fact that knot-resolver is using
nettle to do DNSSEC verification, but i don't understand the linkage
between GnuTLS and nettle well enough to know why this would be
happening just because the gnutls logging function is set.

Any ideas about how to explain this?

Regards,

    --dkg

_______________________________________________
Gnutls-devel mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnutls-devel


Re: [gnutls-devel] gnutls ASSERT lines even when not using TLS on knot-resolver

Nikos Mavrogiannopoulos
On Thu, Jun 8, 2017 at 8:11 PM, Daniel Kahn Gillmor
<[hidden email]> wrote:

> Hi GnuTLS folks--
>
> Over on:
>
> https://gitlab.labs.nic.cz/knot/resolver/merge_requests/287#note_48109
>
> Vladimír Čunát (cc'ed here) reports that the following log messages
> appear even when knot-resolver isn't listening on TLS:
>
>      [tls] gnutls: (3) ASSERT: pk.c[_wrap_nettle_pk_verify]:750
>      [tls] gnutls: (3) ASSERT: pubkey.c[pubkey_verify_hashed_data]:1913
>
> Presumably this has to do with the fact that knot-resolver is using
> nettle to do DNSSEC verification, but i don't understand the linkage
> between GnuTLS and nettle well enough to know why this would be
> happening just because the gnutls logging function is set.

My guess is that it uses the gnutls signing/verification functions
rather than nettle directly. The knot developers may be in a better
position to answer that.

regards,
Nikos


Re: [gnutls-devel] gnutls ASSERT lines even when not using TLS on knot-resolver

Nikos Mavrogiannopoulos
On Sat, Jun 10, 2017 at 11:58 AM, Vladimír Čunát <[hidden email]> wrote:

> On 06/10/2017 11:26 AM, Nikos Mavrogiannopoulos wrote:
>
>> On Thu, Jun 8, 2017 at 8:11 PM, Daniel Kahn Gillmor
>> <[hidden email]> wrote:
>>
>>>      [tls] gnutls: (3) ASSERT: pk.c[_wrap_nettle_pk_verify]:750
>>>      [tls] gnutls: (3) ASSERT: pubkey.c[pubkey_verify_hashed_data]:1913
>>>
>>> Presumably this has to do with the fact that knot-resolver is using
>>> nettle to do DNSSEC verification, but i don't understand the linkage
>>> between GnuTLS and nettle well enough to know why this would be
>>> happening just because the gnutls logging function is set.
>>
>> My guess is that it uses the gnutls signing/verification functions
>> rather than nettle directly. The knot developers may be in a better
>> position to answer that.
>
> Right, I didn't realize that gnutls is used indirectly for DNSSEC stuff
> (through libdnssec), so we started catching messages from more than just
> TLS.
>
> Still, how can I/we check if such assertion messages mean anything "wrong"
> is happening?  I can't see any pointers in the documentation around
> http://gnutls.org/manual/gnutls.html#Debugging-and-auditing

Only the messages through the audit interface may indicate something
wrong. Everything else is debugging information to assist when
something goes wrong.

regards,
Nikos
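
For triaging log lines like the ones quoted in this thread, the following is an added example, not code from GnuTLS, knot-resolver or any of the posters: it groups the ASSERT debug traces by call site and sets every other gnutls line aside for manual review. The names `triage` and `report`, the regular expression and the sample lines marked as constructed are assumptions.

```python
import re
from collections import Counter

# Matches the debug traces quoted in the thread, e.g.
#   [tls] gnutls: (3) ASSERT: pk.c[_wrap_nettle_pk_verify]:750
# The [function] part is optional in the pattern (assumption), in case a
# build prints only file and line.
ASSERT_RE = re.compile(
    r"gnutls: \((?P<level>\d+)\) ASSERT: "
    r"(?P<file>[^\[\s:]+)(?:\[(?P<func>[^\]]+)\])?:(?P<line>\d+)"
)

# First two lines are the ones quoted in the thread (repeated once to show
# counting); the last two are constructed for this example.
SAMPLE_LOG = [
    "[tls] gnutls: (3) ASSERT: pk.c[_wrap_nettle_pk_verify]:750",
    "[tls] gnutls: (3) ASSERT: pubkey.c[pubkey_verify_hashed_data]:1913",
    "[tls] gnutls: (3) ASSERT: pk.c[_wrap_nettle_pk_verify]:750",
    "[tls] gnutls: (2) constructed non-ASSERT line for this example",
    "[system] constructed line unrelated to gnutls",
]


def triage(lines):
    """Return (Counter of ASSERT call sites, list of other gnutls lines)."""
    sites = Counter()
    other = []
    for raw in lines:
        line = raw.strip()
        if "gnutls:" not in line:
            continue  # not produced by the gnutls log callback
        m = ASSERT_RE.search(line)
        if m:
            key = (int(m["level"]), m["file"], m["func"], int(m["line"]))
            sites[key] += 1
        else:
            other.append(line)  # not a debug trace: keep for a human to read
    return sites, other


def report(lines):
    """One summary string per ASSERT call site, most frequent first."""
    sites, _ = triage(lines)
    return [f"{n}x level {lvl} {f}[{fn}]:{ln}"
            for (lvl, f, fn, ln), n in sites.most_common()]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```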
