GnuTLS 1.2.8 with TLS Inner Application (TLS/IA) support

Simon Josefsson jas at extundo.com
Fri Dec 16 08:20:49 EST 2005


Jouni Malinen <jkmaline at cc.hut.fi> writes:

> On Thu, Dec 15, 2005 at 05:47:47PM +0100, Simon Josefsson wrote:
>
>> Right.  Have you looked at other TLS implementations for Windows?
>> SecureW2 includes one, and even has an EAP-TTLS client:
>> 
>> http://www.securew2.com/uk/index.htm
>> 
>> Perhaps it is possible to re-use some of the code.  I did find a huge
>> security hole when I looked at it briefly a while ago, so I understand
>> if you wouldn't want to incorporate that code.
>
> I did take a look at that when researching what can be done with
> Schannel and other native Windows mechanisms. However, SecureW2 looked
> like a complete TLS implementation that just used CAPI for low-level
> functions. If I remember correctly, the source code did not look very
> clean to me and I did not feel like implementing yet another TLS library
> at that point since the goal was to get native TLS code into use without
> having to use any additional libraries.

Ok.  Of course, the native TLS implementation on Windows doesn't
permit extracting the master secret or client/server random fields, so
there is a trade-off.

I believe GnuTLS on Windows would be a better solution than SecureW2
anyway, so it doesn't matter.

>> Has wpa-supplicant with GnuTLS been tested under Windows?
>
> I'm not aware of such a test. For some reason, I did not even think that
> GnuTLS had already been ported to Windows, but now that I take a look at
> what google finds on that topic, there was indeed some discussion about
> MinGW build in August. If the results of that discussion are now
> included in 1.3.x versions, it should be quite easy to run
> wpa_supplicant tests with GnuTLS under Windows.

Older versions of GnuTLS (1.0.x) were built using Mingw32.  There have
been some regressions in later releases, because I don't test the
builds for mingw32, but the problems should be possible to fix.  I
have not been able to spend any time on this though.

> Do you happen to know, whether the code can be built with MSVC or
> just MinGW/gcc?

Mingw32 is what I've tried.  Fortunately, I haven't been working with
MSVC in a long time.  Can you tell if there is any practical
difference?  I.e., if I make GnuTLS work under Mingw32, what reasons
would there be for anyone to build it under MSVC too?

>> Perhaps it would be useful to separate the CAPI stuff in
>> tls_openssl.c, so that retrieving the certificate and keys from the
>> Windows store isn't OpenSSL specific.
>
> Agreed, that sounds like a very good idea. I haven't looked into how
> low-level private key operations could be replaced in GnuTLS, but I
> would expect it to end up using something very similar to the code used
> in tls_openssl.c. Private keys are not exported, so this requires
> somewhat low-level code to be replaced in the TLS library.

Right, and that may actually involve quite some work.

Thanks,
Simon



More information about the HostAP mailing list