On Aug 11, 2013, David Klann wrote:
> Hi Michael,
>
> Thanks for the quick response!
>
> My experimentation so far is consistent with your assessment of my
> situation. The recipient key is 4096 bits. I'll need to create a shorter
> key.
>
> The confusing thing to me is that the other systems from which I'm
> creating and sending the SPA packets are working (same public key for the
> remote user, same destination host, etc., etc.). I am sure there is something
> that's different, I simply have not stumbled on what it is.
>
> I concur with Radi in the related post. Documentation with hints would be
> helpful in diagnosing problems like this. Count me in for helping with
> that.
Additional test suite support for these scenarios is coming up. Glad that
both you and Radi have made progress.

--Mike

> Thanks again for your help!
>
> Best regards,
>
> ~David
>
> On Sun, 11 Aug 2013 14:23:24 -0400 you corralled some electrons and wrote:
>
> > ...
> > Cool, that is the latest commit on github. This includes Hank
> > Leininger's patch for better libfko error codes, and the
> > FKO_ERROR_INVALID_DATA_ENCRYPT_GPG_RESULT_MSGLEN_VALIDFAIL error is
> > quite instructive. It is being called as follows:
> >
> > https://github.com/mrash/fwknop/blob/master/lib/fko_encryption.c#L399
> >
> > That error code is only returned when is_valid_encoded_msg_len() fails,
> > and in this case that is because the encrypted SPA payload coming back
> > from gpg is longer than 1500 bytes.
> >
> > I'd say there are a couple of things to try:
> >
> > - Add the line "compress-level 9" to your ~/.gnupg/options file.
> > Assuming that gpg-agent picks this up, then I think it will apply to
> > SPA packets that are encrypted via libgpgme (used by fwknop). The
> > server side might need this option added too - not sure about that.
> > - Add "DIGEST_TYPE md5" to your ~/.fwknoprc file under the [default]
> > stanza section (towards the top). Even though md5 is not secure, you
> > are still using gpg which should eliminate this as a problem although
> > I'd still recommend using an HMAC since libgpgme functions aren't even
> > executed unless the HMAC check passes.
> > ...
> >
> > If the suggestions don't work above, then you may need to reduce your
> > gpg key sizes.
> >
> > Thanks,
> >
> > --Mike

_______________________________________________
Fwknop-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
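The 1500-byte bound Mike points at, worked through as an added example that is not fwknop's or libfko's own code: a C sketch of the length gate on the encoded SPA message, plus a rough estimate of how much of that budget a gpg-encrypted message consumes for a given RSA key size. The OpenPGP packet overheads, the 150-byte plaintext and the assumption that the client also signs with an RSA key of its own are approximations made here, not values from the thread.

```c
#include <stdio.h>
#include <stddef.h>

/* Upper bound on the base64-encoded SPA message that the thread describes
 * libfko enforcing (1500 bytes); the macro name is assumed, not libfko's. */
#define SPA_MAX_ENCODED_LEN 1500

/* Mirror of the gate that yields the MSGLEN_VALIDFAIL error in the thread:
 * returns 1 when an encoded message of this length would be accepted. */
int spa_encoded_len_ok(size_t encoded_len)
{
    return encoded_len > 0 && encoded_len <= SPA_MAX_ENCODED_LEN;
}

/* Rough base64 size of gpg output for an SPA plaintext of plaintext_len bytes,
 * encrypted to an RSA key of enc_key_bits and (if sig_key_bits > 0) signed
 * with an RSA key of sig_key_bits. Packet overheads are approximations; the
 * point is that each RSA MPI costs key_bits/8 raw bytes before base64. */
size_t est_gpg_spa_len(unsigned enc_key_bits, unsigned sig_key_bits,
                       size_t plaintext_len)
{
    /* PKESK: header(3) + version + 8-byte key ID + algo + MPI length(2) + MPI */
    size_t pkesk = 3 + 1 + 8 + 1 + 2 + enc_key_bits / 8;
    /* One-pass signature packet plus v4 signature packet (~40 subpacket bytes) */
    size_t sig = 0;
    if (sig_key_bits > 0)
        sig = (3 + 13) + (3 + 40 + 2 + 2 + sig_key_bits / 8);
    /* SEIPD: header + version + 18-byte random prefix, wrapping the literal
     * data packet (8 bytes + plaintext), any signature, and the 22-byte MDC */
    size_t seipd = 3 + 1 + 18 + (8 + plaintext_len) + sig + 22;
    size_t raw = pkesk + seipd;
    return ((raw + 2) / 3) * 4;   /* base64 expansion, padding included */
}

/* Bytes by which the estimate exceeds the bound (0 if it fits). */
size_t est_spa_overage(unsigned enc_key_bits, unsigned sig_key_bits,
                       size_t plaintext_len)
{
    size_t n = est_gpg_spa_len(enc_key_bits, sig_key_bits, plaintext_len);
    return n > SPA_MAX_ENCODED_LEN ? n - SPA_MAX_ENCODED_LEN : 0;
}

int main(void)
{
    const size_t plain = 150;   /* constructed: assumed SPA plaintext size */
    unsigned sizes[] = { 1024, 2048, 4096 };
    for (int i = 0; i < 3; i++) {
        size_t n = est_gpg_spa_len(sizes[i], sizes[i], plain);
        printf("RSA-%u encrypt+sign: ~%zu base64 bytes -> %s\n", sizes[i], n,
               spa_encoded_len_ok(n) ? "fits" : "exceeds 1500");
    }
    return 0;
}
```

With both keys at 4096 bits the estimate lands around 1740 bytes, so the two RSA MPIs alone push the message past the limit, whereas a shorter digest or compression of the plaintext recovers only a few dozen bytes.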
