Introduction to GnuTLS
Formal Metadata
Number of Parts | 70
License | CC Attribution 2.0 Belgium: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers | 10.5446/39522 (DOI)
FOSDEM 2009
41 / 70
Transcript: English (auto-generated)
00:07
okay hello thanks for being here so early so I'm going to talk about GnuTLS and GnuTLS maintainer let's see if this works so GnuTLS is a TLS or
00:35
SSL library TLS and SSL or mutualx go it's the acronyms for for the same
00:43
protocol SSL was invented by Netscape a long time ago and standardized within the IETF as TLS there has been some changes in the protocol but not not very large changes so TLS is the security protocol used in HTTPS which you may be
01:09
familiar with so GnuTLS is like OpenSSL but the philosophy is to to strip away all the non-TLS related stuff like S/MIME like low-level crypto GnuTLS doesn't
01:26
provide AES encryption or similar it's just a TLS library so hopefully GnuTLS will be less bloated than OpenSSL still it would be nice to make things more modular but but at least it's smaller than OpenSSL the X.509
01:47
stuff like OCSP is not supported either I'll talk about this later so so GnuTLS is part of the GNU project protected by Stallman's GPL
02:06
shield and the copyrights is assigned to the FSF so they can protect us in if there are some problems in some some company takes GnuTLS and puts in some product and doesn't follow the license so the core library is the
02:27
Lesser GPL version 2.1 we have been thinking about moving to LGPL version 3 but a lot of dependent or reverse dependencies on GnuTLS test that
02:42
still are using LGPL v version 2.1 so it will probably take some time before we can upgrade it the core library or the tools and the surrounding utilities are under the GPL v3 like the util gnutls-cli
03:06
the command line interface there is also an extra library in GnuTLS called you know libgnutls-extra which contains some right now it
03:22
contains minor things like LZO compression and it used to contain more things but we have removed things from it it used to contain the OpenPGP authentication but that has moved into the LGPL part so the majority of
03:42
the library is LGPL version 2.1 so GnuTLS depends on Werner Koch's libgcrypt for low-level encryption in the latest stable branch it's possible to replace
04:01
libgcrypt on a per encryption algorithm basis so if you want to plug in your favorite implementation of AES that's possible or if you want to use hardware assisted encryption that's also possible we're using libtasn1
04:22
for ASN.1 parsing it's a very small library written for GnuTLS it's I believe it's below 10,000 lines of code which is fairly small for ASN.1 library and that's required for the X.509 parsing
04:48
it's not used for any TLS protocol parsing for compression there is we support libz and liblzo actually and the LZO LZO compression is not
05:04
standardized for TLS so it's a non-standard extension but we support it for for experimentation anyway that's part of the GPL v3 version 3 extra library there are bindings for Guile the GNU Lisp extension
05:29
programming language and C++ the C++ libraries or wrappers are not heavily used I haven't seen any large projects use them yet hopefully it will take up
05:46
there are some unofficial wrappers like Python as well I haven't used them myself they are out there as far as I know there are no Perl bindings so if anyone here is a Perl hacker there's a nice project for you there's
06:06
also a Windows installer built using the MinGW cross compiler and the NSIS installer which are very nice tools to create Windows programs from
06:24
from Linux environment so some history about GnuTLS it's an eight-year-old project Nikos wrote it initially and was the maintainer for several years I
06:46
maintain it since I think 2005 or something like that because you know totally Nikos didn't have enough time to to work on it and Nikos is still around and is the largest contributor today besides myself there's
07:06
a fairly small development team over the time 15 people have been contributing patches to GnuTLS large patches so they had to sign copyright papers for the FSF that's fairly small number of people so if you're
07:25
interested to work on our security project it's a good chance to join the team so this this graph is from Ohloh on the code size so fairly stable increase of code I'd like to reduce that code at some point but still this
07:45
inevitable curve to just increase another way to increase the code would be to modularize things further that's something we'll do in the next branches
08:03
oops so another goal with GnuTLS is to have good documentation I talked with a lot of OpenSSL users that are frustrated with lack of documentation so GnuTLS has good there's a Texinfo manual which can be read like just a
08:24
user manual or a programming manual there's also the GTK-Doc interface used by GNOME for documenting libraries used by GTK and GLib so we put a lot of
08:42
energy in in making things documented and if it's not documented it's not supported officially so so everything that is in GnuTLS has good documentation so some of the features you know in GnuTLS which you might not be familiar with you if you are familiar with TLS is GnuTLS supports
09:05
OpenPGP authentication so you can use your OpenPGP or GnuPG key to authenticate yourselves to a server and vice versa the server can use a GnuPG key to authenticate the server to you as a user it's an interesting
09:27
feature that I hope will be used more there is an Apache module that supports it so other features there's support for SRP authentication which is
09:45
if you are not using certificates but want to use a password instead you can use SRP it's a good way to authenticate TLS sessions with a password and
10:01
another TLS extension that has been published or standardized relatively recently is PSK it's it's TLS authentication with pre shared keys like if you have a static AES key or DES key you can authenticate the channel using that key another feature in GnuTLS has been the server name extension
10:27
which allows you to use multiple TLS servers on the same IP address which has been a problem in Apache with mod_ssl for a long time that you have to use a unique IP per SSL site it's still of course you need the support
10:43
in the browsers but recent Firefox and Internet Explorer supports it GnuTLS also includes X.509 tools so you can create certificates CA sign them and parse certificate requests and so on so also working with the GnuTLS is
11:09
challenging from a patent point of view first of all the entire TLS protocol is patented it's patented by Netscape a long time ago fortunately
11:22
they are not doing anything with their patent so it's possible to make a free implementation of it and the RSA of course has been the historic problem with the RSA patent but there's always been free implementation of RSA
11:42
available the RSA patent has expired so it's no longer a problem the SRP patent is patented by Stanford they have actually released that as a free patent and encourage free implementation of it there are also
12:03
some rumors about other EKE and SPEKE patents that may apply to the SRP technology so some organizations are concerned with using SRP I know that the Red Hat's GnuTLS builds disable all the SRP stuff in it and there's also an
12:26
authorization extension for TLS being defined actually it's been through four last calls in the IETF and it hasn't passed so far there's a last call for it right now and it might pass this time there is a patent on the
12:45
technology by the draft authors and it's not clear whether that license is free enough to be useful okay that I have some time left so I can take some
13:09
questions if there are any and I think the library isn't growing like
13:28
they say it's mostly tools and examples and self-tests there's a very large self-test part of GnuTLS and I think that's a big part of it I believe the library itself is below 100,000 so auxiliary code yep more
13:48
questions I don't have the license from Stanford ready or clear in my head
14:04
but they have been encouraging free implementation and they have been supplying the community with an implementation of SRP under a BSD license as well so it looks like Stanford is not going to sue anyone but of course this is a patent area so you never know what happens to patents
14:24
the SRP patents that's more problematic is probably the SPEKE or EKE patents because they are owned by Lucent or some other components and but then it's a problem of thinking of whether that patent applies to this SRP technology
14:41
or not and that's that's lawyer territory so it's it's difficult to answer but I believe the Stanford patent grant is is fine that's the best we can hope for any more questions yep yeah so so we have had I think five
15:08
or six security announcements for GnuTLS and some some have been okay I can answer that in the break