[gnutls-devel] gnutls-cli vs service name


[gnutls-devel] gnutls-cli vs service name

James Cloos-9
I tried to use gnutls-cli to test out my xmpp server, but was unable to
do so because the --starttls-proto=xmpp support uses the server name in
the jabber:client bit of xml rather than a service name.

And the server vs service issue is more generic.  All of the SRV protos
of course require supplying both service and server, but even https can
need both, such as when testing a new server before switching the A RRs.

How do you feel about a --service-name option?  Or maybe just --service?

-JimC
--
James Cloos <[hidden email]>         OpenPGP: 0x997A9F17ED7DAEA6

_______________________________________________
Gnutls-devel mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnutls-devel

Re: [gnutls-devel] gnutls-cli vs service name

Nikos Mavrogiannopoulos
On Sat, May 6, 2017 at 6:41 PM, James Cloos <[hidden email]> wrote:
> I tried to use gnutls-cli to test out my xmpp server, but was unable to
> do so because the --starttls-proto=xmpp support uses the server name in
> the jabber:client bit of xml rather than a service name.
>
> And the server vs service issue is more generic.  All of the SRV protos
> of course require supplying both service and server, but even https can
> need both, such as when testing a new server before switching the A RRs.
>
> How do you feel about a --service-name option?  Or maybe just --service?

Would that be useful on any other option than xmpp? If it is only
related with xmpp, would the option of using
--starttls-proto=xmpp:service work?

regards,
Nikos


Re: [gnutls-devel] gnutls-cli vs service name

Thomas Klute
On 07.05.2017 at 03:03, Nikos Mavrogiannopoulos wrote:

> On Sat, May 6, 2017 at 6:41 PM, James Cloos <[hidden email]> wrote:
>> I tried to use gnutls-cli to test out my xmpp server, but was unable to
>> do so because the --starttls-proto=xmpp support uses the server name in
>> the jabber:client bit of xml rather than a service name.
>>
>> And the server vs service issue is more generic.  All of the SRV protos
>> of course require supplying both service and server, but even https can
>> need both, such as when testing a new server before switching the A RRs.
>>
>> How do you feel about a --service-name option?  Or maybe just --service?
>
> Would that be useful on any other option than xmpp? If it is only
> related with xmpp, would the option of using
> --starttls-proto=xmpp:service work?

I don't use gnutls-cli with STARTTLS, but I would like to have a similar
feature to set the host name for SNI, e.g. for testing HTTPS servers
with name based virtual hosts. If I want to test such a server at the
moment, I have to make sure that gnutls-cli can actually resolve the
virtual host names I want to use in a way that points to the test
system. Something like

  gnutls-cli --sni-host=test.example.com -p 443 ::1

would be very helpful.

Regards,
Thomas


Re: [gnutls-devel] gnutls-cli vs service name

James Cloos-9
In reply to this post by Nikos Mavrogiannopoulos
>>>>> "NM" == Nikos Mavrogiannopoulos <[hidden email]> writes:

JC>> I tried to use gnutls-cli to test out my xmpp server, but was unable to
JC>> do so because the --starttls-proto=xmpp support uses the server name in
JC>> the jabber:client bit of xml rather than a service name.

JC>> And the server vs service issue is more generic.  All of the SRV protos
JC>> of course require supplying both service and server, but even https can
JC>> need both, such as when testing a new server before switching the A RRs.

JC>> How do you feel about a --service-name option?  Or maybe just --service?

NM> Would that be useful on any other option than xmpp? If it is only
NM> related with xmpp, would the option of using
NM> --starttls-proto=xmpp:service work?

I see starttls support for sip is missing (as are postgres and rfc2817),
so for now xmpp is the only SRV protocol.  But as I (and a followup)
mentioned, there are times when one needs to pass a different name for
tls than one needs for dns.

For xmpp, --starttls-proto=xmpp:service is enough.

But a more general option remains welcome.

-JimC
--
James Cloos <[hidden email]>         OpenPGP: 0x997A9F17ED7DAEA6


Re: [gnutls-devel] gnutls-cli vs service name

Nikos Mavrogiannopoulos
On Sun, 2017-05-07 at 11:05 -0400, James Cloos wrote:

> > > > > > "NM" == Nikos Mavrogiannopoulos <[hidden email]> writes:
>
> JC>> I tried to use gnutls-cli to test out my xmpp server, but was
> unable to
> JC>> do so because the --starttls-proto=xmpp support uses the server
> name in
> JC>> the jabber:client bit of xml rather than a service name.
>
> JC>> And the server vs service issue is more generic.  All of the SRV
> protos
> JC>> of course require supplying both service and server, but even
> https can
> JC>> need both, such as when testing a new server before switching
> the A RRs.
>
> JC>> How do you feel about a --service-name option?  Or maybe just --
> service?
>
> NM> Would that be useful on any other option than xmpp? If it is only
> NM> related with xmpp, would the option of using
> NM> --starttls-proto=xmpp:service work?
>
> I see starttls support for sip is missing (as are postgres and
> rfc2817),
> so for now xmpp is the only SRV protocol.  But as I (and a followup)
> mentioned, there are times when one needs to pass a different name
> for
> tls than one needs for dns.
>
> For xmpp, --starttls-proto=xmpp:service is enough.
>
> But a more general option remains welcome.

I do not see much connection between SNI and SRV. How do you see the
general option? Would you like to propose one via a merge request?

regards,
Nikos



Re: [gnutls-devel] gnutls-cli vs service name

Nikos Mavrogiannopoulos-2
In reply to this post by Thomas Klute
On Sun, 2017-05-07 at 12:40 +0200, Thomas Klute wrote:

> On 07.05.2017 at 03:03, Nikos Mavrogiannopoulos wrote:
> > On Sat, May 6, 2017 at 6:41 PM, James Cloos <[hidden email]>
> > wrote:
> > > I tried to use gnutls-cli to test out my xmpp server, but was
> > > unable to
> > > do so because the --starttls-proto=xmpp support uses the server
> > > name in
> > > the jabber:client bit of xml rather than a service name.
> > >
> > > And the server vs service issue is more generic.  All of the SRV
> > > protos
> > > of course require supplying both service and server, but even
> > > https can
> > > need both, such as when testing a new server before switching the
> > > A RRs.
> > >
> > > How do you feel about a --service-name option?  Or maybe just --
> > > service?
> >
> > Would that be useful on any other option than xmpp? If it is only
> > related with xmpp, would the option of using
> > --starttls-proto=xmpp:service work?
>
> I don't use gnutls-cli with STARTTLS, but I would like to have a
> similar
> feature to set the host name for SNI, e.g. for testing HTTPS servers
> with name based virtual hosts. If I want to test such a server at the
> moment, I have to make sure that gnutls-cli can actually resolve the
> virtual host names I want to use in a way that points to the test
> system. Something like
>
>   gnutls-cli --sni-host=test.example.com -p 443 ::1
>
> would be very helpful.

Right. I thought gnutls-cli had such an option but I mistook it for the
option in gnutls-serv.

An option like that seems trivial to add so I've made a merge request
at [0], however, I'll wait in case Jim has a better option that can
merge both SNI and SRV.

regards,
Nikos

[0]. https://gitlab.com/gnutls/gnutls/merge_requests/377



Re: [gnutls-devel] gnutls-cli vs service name

James Cloos-9
The starttls support can be done on top of that pull.

All it needs is to use OPT_ARG(SNI_HOSTNAME) instead of socket->hostname
when HAVE_OPT(SNI_HOSTNAME).  And only smtp, lmtp and xmpp use that.

I'm not sure of the best way to pass OPT_ARG(SNI_HOSTNAME) to socket_open()
and on to socket_starttls().  Would another const char* and another FLAG
work?  Or just a const char* which is ignored if NULL?

(Incidentally, my earlier note of missing pg support was daft.  It is not
mentioned in the man page, but seeing it in the code reminds me that it
was announced some time back, and I think I congratulated that announce.)

-JimC
--
James Cloos <[hidden email]>         OpenPGP: 0x997A9F17ED7DAEA6


Re: [gnutls-devel] gnutls-cli vs service name

Nikos Mavrogiannopoulos-2
On Mon, May 8, 2017 at 7:38 PM, James Cloos <[hidden email]> wrote:

> The starttls support can be done on top of that pull.
>
> All it needs is to use OPT_ARG(SNI_HOSTNAME) instead of socket->hostname
> when HAVE_OPT(SNI_HOSTNAME).  And only smtp, lmtp and xmpp use that.
>
> I'm not sure of the best way to pass OPT_ARG(SNI_HOSTNAME) to socket_open()
> and on to socket_starttls().  Would another const char* and another FLAG
> work?  Or just a const char* which is ignored if NULL?
> (Incidentally, my earlier note of missing pg support was daft.  It is not
> mentioned in the man page, but seeing it in the code reminds me that it
> was announced some time back, and I think I congratulated that announce.)

Maybe splitting socket_open() to socket_init() and socket_open() would
allow simplifying that. We can then have:
socket_init()
socket_set_sni_hostname()
socket_open()

and socket_starttls() could read the sni hostname when needed. What do
you think?

regards,
Nikos

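The address-versus-name split that runs through this thread (Thomas's
"connect to ::1 but present test.example.com in SNI", Jim's "the xmpp
stream header must carry the service name, not the host I dialed", and
Nikos's socket_init / socket_set_sni_hostname / socket_open ordering) written
out as an added Python example. It is not gnutls-cli's code: the Client
class, its method names, the injectable send/recv on xmpp_starttls and the
open(connect=False) dry run are assumptions made for illustration.

```python
import socket
import ssl
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

XMPP_TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"


def xmpp_stream_header(to):
    """Client stream header; 'to' is the XMPP service domain (RFC 6120),
    i.e. the name the user asked for, never the address that was dialed."""
    return ("<?xml version='1.0'?>"
            "<stream:stream xmlns='jabber:client' "
            "xmlns:stream='http://etherx.jabber.org/streams' "
            f"to={quoteattr(to)} version='1.0'>")


def xmpp_starttls_request():
    return f"<starttls xmlns='{XMPP_TLS_NS}'/>"


def xmpp_server_proceeds(reply):
    """True only for a well-formed <proceed/> in the xmpp-tls namespace;
    <failure/>, garbage and an empty reply all count as a refusal."""
    try:
        return ET.fromstring(reply).tag == f"{{{XMPP_TLS_NS}}}proceed"
    except ET.ParseError:
        return False


class Client:
    """Assumed illustration of the socket_init / socket_set_sni_hostname /
    socket_open ordering proposed on the list; not gnutls-cli's socket.c."""

    def __init__(self, connect_host, port):
        # socket_init(): remember the target, touch nothing on the network.
        self.connect_host = connect_host   # name or literal, e.g. "::1"
        self.port = port
        self.sni_hostname = None
        self.sock = None

    def set_sni_hostname(self, name):
        # socket_set_sni_hostname(): must precede open()/starttls().
        self.sni_hostname = name

    @property
    def reference_identity(self):
        """Name used for SNI, certificate matching and the XMPP 'to'.
        Without an explicit SNI host it falls back to the connect host.
        For SRV-located services the right value is the service domain
        (the name that was queried), not the SRV target: an unauthenticated
        DNS answer must not choose the identity that gets verified."""
        return self.sni_hostname or self.connect_host

    def open(self, connect=True):
        # socket_open(): plain TCP to whatever the user gave. connect=False
        # only builds the socket (offline dry run; assumed for this example).
        if connect:
            self.sock = socket.create_connection((self.connect_host, self.port))
        else:
            self.sock = socket.socket()
        return self.sock

    def xmpp_starttls(self, send, recv):
        """XMPP STARTTLS exchange over injectable send(bytes) / recv() -> str,
        so it can be driven by a real socket or by canned replies."""
        send(xmpp_stream_header(self.reference_identity).encode())
        if "<starttls" not in recv():
            raise RuntimeError("server did not offer STARTTLS")
        send(xmpp_starttls_request().encode())
        if not xmpp_server_proceeds(recv()):
            raise RuntimeError("server refused STARTTLS")
        return True

    def wrap_tls(self, ctx=None):
        """Hand the socket to TLS. server_hostname is both the SNI sent and
        the name the certificate is checked against (check_hostname is on
        in ssl.create_default_context())."""
        ctx = ctx or ssl.create_default_context()
        self.sock = ctx.wrap_socket(self.sock,
                                    server_hostname=self.reference_identity)
        return self.sock


if __name__ == "__main__":
    # Connect to the loopback literal but present and verify test.example.com.
    c = Client("::1", 5222)
    c.set_sni_hostname("test.example.com")
    c.open()
    c.xmpp_starttls(c.sock.sendall, lambda: c.sock.recv(4096).decode())
    tls = c.wrap_tls()
    print(tls.version(), tls.getpeercert()["subject"])
```

The one-shot recv() in the usage block assumes the server's stream header
and features arrive together; a production client would buffer until the
closing of `<stream:features>`. The point the thread makes survives in the
class layout: the address is fixed in `__init__`/`open()`, the name in
`set_sni_hostname()`, and everything that identifies the peer (SNI,
certificate check, the `to` attribute) reads only the latter.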

Re: [gnutls-devel] gnutls-cli vs service name

James Cloos-9
>>>>> "NM" == Nikos Mavrogiannopoulos <[hidden email]> writes:

NM> Maybe splitting socket_open() to socket_init() and socket_open() would
NM> allow simplifying that. We can then have:
NM> socket_init()
NM> socket_set_sni_hostname()
NM> socket_open()

Did I reply to this?  If not, I like that.

-JimC
--
James Cloos <[hidden email]>         OpenPGP: 0x997A9F17ED7DAEA6


Re: [gnutls-devel] gnutls-cli vs service name

Nikos Mavrogiannopoulos-2
On Tue, May 16, 2017 at 10:31 PM, James Cloos <[hidden email]> wrote:
>>>>>> "NM" == Nikos Mavrogiannopoulos <[hidden email]> writes:
>
> NM> Maybe splitting socket_open() to socket_init() and socket_open() would
> NM> allow simplifying that. We can then have:
> NM> socket_init()
> NM> socket_set_sni_hostname()
> NM> socket_open()
>
> Did I reply to this?  If not, I like that.

Thanks. Could you submit an MR with that change?
