Hi,

> On 14. Mar 2020, at 14:55, Tanguy Le Carrour <tan...@bioneland.org> wrote:
>
> Hi,
>
>
> On 03/14, Schanzenbach, Martin wrote:
>>> On 14. Mar 2020, at 12:00, Tanguy Le Carrour <tan...@bioneland.org> wrote:
>>> On 03/13, Schanzenbach, Martin wrote:
>>>>> On 13. Mar 2020, at 18:32, Tanguy Le Carrour <tan...@bioneland.org> wrote:
>>>>> On 03/10, Tanguy Le Carrour wrote:
>>>>>> On 03/09, Christian Grothoff wrote:
>>>>>>> 2) try adding a TLSA record for gnunet.org to GNS, thereby avoiding
>>>>>>> the use of Letsencrypt and really directly verifying via GNS.
>>>>>> I'll try this and let you know, thanks!
>>>>> So, I did my homework, used a generator [1][] and ended up with this:
>>>>> ```
>>>>> _443._tcp.gnunet.org. IN TLSA 3 1 1
>>>>> 26145f39399c7625a95d290bde5731566a81e1cbe6baf84f37ba60b333b05939
>>>>> ```
>>>>> [1]: https://www.huque.com/bin/gen_tlsa
>>>>> So I now have:
>>>>> ```
>>>>> $ gnunet-namestore -z myself -a -e "1 d" -p -t TLSA -n gnunet -V "3 1 1
>>>>> 26145f39399c7625a95d290bde5731566a81e1cbe6baf84f37ba60b333b05939"
>>>>> $ gnunet-gns --type ANY --lookup gnunet.myself
>>>>> gnunet.myself:
>>>>> Got `TLSA' record: 3 1 1
>>>>> 26145f39399c7625a95d290bde5731566a81e1cbe6baf84f37ba60b333b05939
>>>>> Got `LEHO' record: gnunet.org
>>>>> Got `A' record: 131.159.74.67
>>>>> ```
>>>>> I didn't know where to put the `_443._tcp` part. `gnunet-namestore`
>>>>> complained about the name containing a `.`.
>>>>> There's something in the doc [2][] about `_port._proto.`, but it's for
>>>>> BOX records only.
>>>>
>>>> Indeed, instead of a TLSA record, for GNS, you should add a box record
>>>> that contains a TLSA record. Like so:
>>>> $ gnunet-namestore -z myself -a -e "1 d" -p -t BOX -n gnunet -V "6 443 3 1
>>>> 1 26145f39399c7625a95d290bde5731566a81e1cbe6baf84f37ba60b333b05939"
>>>> 6 is the protocol (tcp), 443 is the service (https).
>>>
>>> Unfortunately…
>>>
>>> ```
>>> $ gnunet-namestore -z myself -a -e "1 d" -p -t BOX -n gnunet -V "6 443 3 1
>>> 1 26145f39399c7625a95d290bde5731566a81e1cbe6baf84f37ba60b333b05939"
>>> Value `6 443 3 1 1
>>> 26145f39399c7625a95d290bde5731566a81e1cbe6baf84f37ba60b333b05939' invalid
>>> for record type `BOX'
>>>
>>> $ gnunet-namestore --version
>>> gnunet-namestore v0.12.2 release
>>> ```
>>>
>>> From the code [1][], I could not guess what the correct format should be.
>>>
>>> [1]: src/gnsrecord/plugin_gnsrecord_dns.c:656
>>> src/include/gnunet_gnsrecord_lib.h:297
>>
>> Ah, the record type is missing, sorry I did that out of my head. Try:
>>
>> $
>
> Much better, thanks!
>
> ```
> $ gnunet-gns --type ANY --lookup gnunet.myself
> gnunet.myself:
> Got `BOX' record: 6 443 52 3 1 1
> 26145f39399c7625a95d290bde5731566a81e1cbe6baf84f37ba60b333b05939
> Got `LEHO' record: gnunet.org
> Got `A' record: 131.159.74.67
> ```
>
>
> But still, when I try to access `gnunet.myself`, I get a blank page
> after 5-10 seconds and the same lines in the log:
>
> ```
> $ /home/tanguy/.guix-extra-profiles/gnunet/current/lib/gnunet/libexec/gnunet-gns-proxy --log DEBUG
> Mar 14 14:48:07-948036 gnunet-gns-proxy-1450 ERROR Download curl gnunet.org/
> failed: SSL peer certificate or SSH remote key was not OK
> Mar 14 14:48:24-877522 gnunet-gns-proxy-1450 ERROR Download curl
> gnunet.org/favicon.ico failed: SSL peer certificate or SSH remote key was not
> OK
> ```
>
> The good thing is that you were right! Adding a BOX record was
> apparently not needed!
>
>
> Anything else I can try?
> In the meantime, I'll keep on reading the doc, learn some more and play
> with the other components!
Did you compile gnunet from source or are you using a package?
Is it possible that the guix gnunet package (or more specifically the guix libgcrypt) does not have DANE support?
I just tested the same configuration locally and it works.
I suspect two issues which are independent from each other:

- The guix curl/gnurl CA certificate location is different and not found (in the case w/o a BOX record)
- The guix gnutls does not have DANE support

You can check if gnutls supports DANE by checking the gnunet ./configure output at the end I think.

>
> Regards
>
> --
> Tanguy
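As an added example (not code from this thread or from the GNUnet project), the script below shows what a `3 1 1` TLSA record actually hashes (the DER SubjectPublicKeyInfo of the server certificate), packs the result into the GNS BOX value layout seen in the thread (`6 443 52 3 1 1 <hex>`), and performs the comparison a DANE-aware client makes against the certificate it is presented. The certificate it processes is a constructed, X.509-shaped DER stand-in, not a real certificate, and all function names are my own.

```python
import hashlib

TLSA_RRTYPE = 52   # DNS record type number that appears inside the BOX value
PROTO_TCP = 6      # IANA protocol number for TCP, first field of the BOX value

def der(tag, body):
    """Encode one DER TLV (helper used only to build the constructed sample)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_tlv(data, off=0):
    """Decode the TLV at off; return (tag, value, offset just past it)."""
    tag, length, off = data[off], data[off + 1], off + 2
    if length & 0x80:                 # long form: low bits = number of length bytes
        n = length & 0x7F
        length, off = int.from_bytes(data[off:off + n], "big"), off + n
    return tag, data[off:off + length], off + length

def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo TLV (what TLSA selector 1 hashes)."""
    _, cert, _ = der_tlv(cert_der)    # Certificate ::= SEQUENCE
    _, tbs, _ = der_tlv(cert)         # tbsCertificate ::= SEQUENCE
    tag, _, off = der_tlv(tbs)
    off = off if tag == 0xA0 else 0   # skip optional [0] EXPLICIT version
    for _ in range(5):                # serial, signature, issuer, validity, subject
        _, _, off = der_tlv(tbs, off)
    _, _, end = der_tlv(tbs, off)
    return tbs[off:end]

def tlsa_data(cert_der, selector=1, mtype=1):
    """Association data: selector 0 = full cert, 1 = SPKI;
    matching type 0 = raw bytes, 1 = SHA-256, 2 = SHA-512."""
    obj = extract_spki(cert_der) if selector == 1 else cert_der
    if mtype == 0:
        return obj.hex()
    return (hashlib.sha256 if mtype == 1 else hashlib.sha512)(obj).hexdigest()

def gns_box_value(port, data_hex, usage=3, selector=1, mtype=1, proto=PROTO_TCP):
    """Value string for `gnunet-namestore -t BOX`, field order as in the thread."""
    return f"{proto} {port} {TLSA_RRTYPE} {usage} {selector} {mtype} {data_hex}"

def tlsa_matches(cert_der, selector, mtype, data_hex):
    """The DANE comparison: does the presented certificate match the record?"""
    return tlsa_data(cert_der, selector, mtype) == data_hex.lower()

def sample_cert(key_byte=0x11):
    """Constructed, X.509-shaped DER for the demo; NOT a real certificate."""
    spki = der(0x30, der(0x30, der(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))
               + der(0x03, b"\x00\x04" + bytes([key_byte]) * 100))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + der(0x30, der(0x06, b"\x2a\x86\x48\xce\x3d\x04\x03\x02"))
              + der(0x30, b"") + der(0x30, b"") + der(0x30, b"") + spki)
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00" + b"\x22" * 8)), spki
```

On a real deployment, `cert_der` is the server's actual certificate in DER form, and the hex produced by `tlsa_data()` should equal what the generator linked in the thread emits for the same certificate.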