Changeset f8ffc43 in mod_gnutls

Timestamp:

Jan 11, 2013, 12:57:17 AM (7 years ago)

Author:

Daniel Kahn Gillmor <dkg@…>

Branches:

debian/master, debian/stretch-backports, jessie-backports, upstream

Children:

4ecf14f, f809816

Parents:

8ce897a

Message:

Imported Upstream version 0.5.3

Files:

• NEWS (modified) (1 diff)
• README (modified) (1 diff)
• configure (modified) (11 diffs)
• configure.ac (modified) (2 diffs)
• src/gnutls_hooks.c (modified) (24 diffs)
• src/gnutls_io.c (modified) (3 diffs)

NEWS

@@ +1 @@
+** Version 0.5.3 (2008-10-16)
+
+- Corrected bug to allow having an OpenPGP-only web site.
+
+- Increased Max handshake tries due to interrupted system calls.
+
 ** Version 0.5.2 (2008-06-29)
 

README

@@ -1 @@
-mod_gnutls 
 
-This module started back in September of 2004 because I was tired of trying to
-fix bugs in mod_ssl.  mod_ssl is a giant beast of a module -- no offense to it's 
-authors is intended -- but I believe it has fallen prey to massive feature bloat.
+                mod_gnutls, Apache GnuTLS module.
+                =================================
 
-When I started hacking on httpd, mod_ssl remained a great mystery to me, and 
-when I actually looked at it, I ran away.  The shear ammount code is huge, and it 
-does not conform to the style guidelines.  It was painful to read, and even harder
-to debug.  I wanted to understand how it worked, and I had recently heard about 
-GnuTLS, so long story short, I decided to implement a mod_gnutls.
+$LastChangedDate: $
 
-Lines of Code in mod_ssl: 15,324
-Lines of Code in mod_gnutls: 3,594
+Contents:
 
-Because of writing mod_gnutls, I now understand how input and output filters work, 
-better than I ever thought possible.  It was a little painful at times, and some parts
-lift code and ideas directly from mod_ssl. Kudos to the original authors of mod_ssl.
+     I. ABOUT
+    II. AUTHORS
+   III. LICENSE
+    IV. STATUS
+     V. BASIC CONFIGURATION
+    VI. CREATE OPENPGP CREDENTIALS FOR THE SERVER
 
-----------------------------
 
-Author: Paul Querna <chip force-elite.com>
 
-Heavily modified by Nikos Mavrogiannopoulos <nmav gnutls.org>
+I.    ABOUT
 
-License: Apache Software License v2.0. (see the LICENSE file for details)
+      This module started back in September of 2004 because I was tired of
+      trying to fix bugs in mod_ssl.  mod_ssl is a giant beast of a module --
+      no offense to it's authors is intended -- but I believe it has fallen
+      prey to massive feature bloat.
 
-Current Status:
-- SSL and TLS connections with all popular browsers work!
-- Sets enviromental vars for scripts (compatible with mod_ssl vars)
-- Supports Memcached as a distributed SSL Session Cache
-- Supports DBM as a local SSL Session Cache
-- Support for Server Name Indication
-- Support for Client Certificates
-- Support for TLS-SRP
+      When I started hacking on httpd, mod_ssl remained a great mystery to me,
+      and when I actually looked at it, I ran away.  The shear amount code is
+      huge, and it does not conform to the style guidelines.  It was painful to
+      read, and even harder to debug.  I wanted to understand how it worked,
+      and I had recently heard about GnuTLS, so long story short, I decided to
+      implement a mod_gnutls.
 
-Basic Configuration:
+         Lines of Code in mod_ssl: 15,324
+         Lines of Code in mod_gnutls: 3,594
 
-LoadModule gnutls_module  modules/mod_gnutls.so
+      Because of writing mod_gnutls, I now understand how input and output
+      filters work, better than I ever thought possible.  It was a little
+      painful at times, and some parts lift code and ideas directly from
+      mod_ssl.  Kudos to the original authors of mod_ssl.
 
-# mod_gnutls can optionaly use a memcached server to store it's SSL Sessions.
-# This is useful in a cluster enviroment, where you want all of your servers 
-# to share a single SSL Session Cache.
-#GnuTLSCache memcache "127.0.0.1 server2.example.com server3.example.com"
 
-# The Default method is to use a DBM backed Cache.  It isn't super fast, but 
-# it is portable and does not require another server to be running like memcached.
-GnuTLSCache dbm conf/gnutls_cache
 
-<VirtualHost 1.2.3.4:443>
-    # insert other directives ... here ...
+II.   AUTHORS
 
-    # This enables the mod_gnutls Handlers for this Virtual Host
-    GnuTLSEnable On
+      Paul Querna <chip force-elite.com>
+      Nikos Mavrogiannopoulos <nmav gnutls.org>
 
-    # This is the Private key for your server.
-    GnuTLSX509KeyFile conf/server.key
 
-    # This is the Server Certificate.  
-    GnuTLSX509CertificateFile conf/server.cert
-</VirtualHost>
 
-# a more advanced configuration
-GnuTLSCache dbm "/var/cache/www-tls-cache/cache"
-GnuTLSCacheTimeout 600
-NameVirtualHost 1.2.3.4:443
+III.  LICENSE
 
-<VirtualHost 1.2.3.4:443>
-        Servername server.com:443
+      Apache License, Version 2.0 (see the LICENSE file for details)
+
+
+
+IV.   STATUS
+
+      * SSL and TLS connections with all popular browsers work!
+      * Sets environmental vars for scripts (compatible with mod_ssl vars)
+      * Supports memcached as a distributed SSL session cache
+      * Supports DBM as a local SSL session cache
+      * Support for server name indication (SNI), RFC3546
+      * Support for client certificates
+      * Support for secure remote password (SRP), RFC5054
+
+
+
+V.    BASIC CONFIGURATION
+
+      LoadModule gnutls_module modules/mod_gnutls.so
+      
+      # mod_gnutls can optionally use a memcached server to store it's SSL
+      # Sessions.  This is useful in a cluster environment, where you want all
+      # of your servers to share a single SSL session cache.
+      #GnuTLSCache memcache "127.0.0.1 server2.example.com server3.example.com"
+      
+      # The Default method is to use a DBM backed Cache.  It isn't super fast,
+      # but it is portable and does not require another server to be running
+      # like memcached.
+      GnuTLSCache dbm conf/gnutls_cache
+      
+      <VirtualHost 1.2.3.4:443>
+
+        # Enable mod_gnutls handlers for this virtual host
+        GnuTLSEnable On
+      
+        # This is the private key for your server
+        GnuTLSX509KeyFile conf/server.key
+      
+        # This is the server certificate
+        GnuTLSX509CertificateFile conf/server.cert
+
+      </VirtualHost>
+      
+      # A more advanced configuration
+      GnuTLSCache dbm "/var/cache/www-tls-cache/cache"
+      GnuTLSCacheTimeout 600
+      NameVirtualHost 1.2.3.4:443
+      
+      <VirtualHost 1.2.3.4:443>
+
+        Servername server.com:443
         GnuTLSEnable on
-        GnuTLSPriority NORMAL
-# To export exactly the same environment variables as mod_ssl to CGI scripts.
-        GNUTLSExportCertificates on
+        GnuTLSPriority NORMAL
 
-        GnuTLSX509CertificateFile /etc/apache2/server-cert.pem
-        GnuTLSX509KeyFile /etc/apache2/server-key.pem
+        # Export exactly the same environment variables as mod_ssl to CGI
+        # scripts.
+        GNUTLSExportCertificates on
+      
+        GnuTLSX509CertificateFile /etc/apache2/server-cert.pem
+        GnuTLSX509KeyFile /etc/apache2/server-key.pem
+      
+        # To enable SRP you must have these files installed.  Check the gnutls
+        # srptool.
+        GnuTLSSRPPasswdFile /etc/apache2/tpasswd
+        GnuTLSSRPPasswdConfFile /etc/apache2/tpasswd.conf
+      
+        # In order to verify client certificates.  Other options to
+        # GnuTLSClientVerify could be ignore or require.  The
+        # GnuTLSClientCAFile contains the CAs to verify client certificates.
+        GnuTLSClientVerify request
+        GnuTLSX509CAFile ca.pem
 
-# To enable SRP you must have these files installed. Check the gnutls srptool.
-        GnuTLSSRPPasswdFile /etc/apache2/tpasswd
-        GnuTLSSRPPasswdConfFile /etc/apache2/tpasswd.conf
+      </VirtualHost>
+      
+      # A setup for OpenPGP and X.509 authentication
+      <VirtualHost 1.2.3.4:443>
 
-# In order to verify client certificates. Other options to
-# GnuTLSClientVerify could be ignore or require. The GnuTLSClientCAFile
-# contains the CAs to verify client certificates.
-        GnuTLSClientVerify request
-        GnuTLSX509CAFile ca.pem
-        ...
-</VirtualHost>
+        Servername crystal.lan:443
+        GnuTLSEnable on
+        GnuTLSPriorities NORMAL:+COMP-NULL
+      
+        # Setup the openpgp keys
+        GnuTLSPGPCertificateFile /etc/apache2/test.pub.asc
+        GnuTLSPGPKeyFile /etc/apache2/test.sec.asc
+      
+        # - and the X.509 keys
+        GnuTLSCertificateFile /etc/apache2/server-cert.pem
+        GnuTLSKeyFile /etc/apache2/server-key.pem
 
-# A setup for OpenPGP and X.509 authentication
-<VirtualHost 1.2.3.4:443>
-        Servername crystal.lan:443
-        GnuTLSEnable on
-        GnuTLSPriorities NORMAL:+COMP-NULL
+        GnuTLSClientVerify ignore
+      
+        # To avoid using the default DH params
+        GnuTLSDHFile /etc/apache2/dh.pem
+      
+        # These are only needed if GnuTLSClientVerify != ignore
+        GnuTLSClientCAFile ca.pem
+        GnuTLSPGPKeyringFile /etc/apache2/ring.asc
 
-# setup the openpgp keys
-        GnuTLSPGPCertificateFile /etc/apache2/test.pub.asc
-        GnuTLSPGPKeyFile /etc/apache2/test.sec.asc
+      </VirtualHost>
 
-# and the X.509 keys
-        GnuTLSCertificateFile /etc/apache2/server-cert.pem
-        GnuTLSKeyFile /etc/apache2/server-key.pem
-        GnuTLSClientVerify ignore
 
-# To avoid using the default DH params
-        GnuTLSDHFile /etc/apache2/dh.pem
 
-# these are only needed if GnuTLSClientVerify != ignore
-        GnuTLSClientCAFile ca.pem
-        GnuTLSPGPKeyringFile /etc/apache2/ring.asc
-</VirtualHost>
+VI.   CREATE OPENPGP CREDENTIALS FOR THE SERVER
+
+      mod_gnutls currently cannot read encrypted OpenPGP credentials.  That is,
+      when you generate a key with gpg and gpg prompts you for a passphrase,
+      just press enter.  Then press enter again, to confirm an empty
+      passphrase.  http://news.gmane.org/gmane.comp.apache.outoforder.modules
+
+      These instructions are from the GnuTLS manual:
+      http://www.gnu.org/software/gnutls/manual/html_node/Invoking-gnutls_002dserv.html#Invoking-gnutls_002dserv
+
+        $ gpg --gen-key
+        ...enter whatever details you want, use 'test.gnutls.org' as name...
+
+      Make a note of the OpenPGP key identifier of the newly generated key,
+      here it was 5D1D14D8.  You will need to export the key for GnuTLS to be
+      able to use it.
+
+         $ gpg -a --export 5D1D14D8 > openpgp-server.txt
+         $ gpg -a --export-secret-keys 5D1D14D8 > openpgp-server-key.txt

configure

@@ -1 +1 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.61 for mod_gnutls 0.5.2.
+# Generated by GNU Autoconf 2.61 for mod_gnutls 0.5.3.
 #
 # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
@@ -727 +727 @@
 PACKAGE_NAME='mod_gnutls'
 PACKAGE_TARNAME='mod_gnutls'
-PACKAGE_VERSION='0.5.2'
-PACKAGE_STRING='mod_gnutls 0.5.2'
+PACKAGE_VERSION='0.5.3'
+PACKAGE_STRING='mod_gnutls 0.5.3'
 PACKAGE_BUGREPORT=''
 
@@ -1436 +1436 @@
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures mod_gnutls 0.5.2 to adapt to many kinds of systems.
+\`configure' configures mod_gnutls 0.5.3 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1507 +1507 @@
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of mod_gnutls 0.5.2:";;
+     short | recursive ) echo "Configuration of mod_gnutls 0.5.3:";;
    esac
   cat <<\_ACEOF
@@ -1622 +1622 @@
 if $ac_init_version; then
   cat <<\_ACEOF
-mod_gnutls configure 0.5.2
+mod_gnutls configure 0.5.3
 generated by GNU Autoconf 2.61
 
@@ -1636 +1636 @@
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by mod_gnutls $as_me 0.5.2, which was
+It was created by mod_gnutls $as_me 0.5.3, which was
 generated by GNU Autoconf 2.61.  Invocation command line was
 
@@ -2007 +2007 @@
   chmod +x config.nice
 
-MOD_GNUTLS_VERSION=0.5.2
+MOD_GNUTLS_VERSION=0.5.3
 
 
@@ -2508 +2508 @@
 # Define the identity of the package.
  PACKAGE=mod_gnutls
- VERSION=0.5.2
+ VERSION=0.5.3
 
 
@@ -21700 +21700 @@
 
 
-MODULE_CFLAGS="${LIBGNUTLS_EXTRA_CFLAGS} ${SRP_CFLAGS} ${APR_MEMCACHE_CFLAGS} ${APXS_CFLAGS} ${AP_INCLUDES} ${APR_INCLUDES} ${APU_INCLUDES}"
-MODULE_LIBS="${APR_MEMCACHE_LIBS} ${LIBGNUTLS_EXTRA_LIBS}"
+MODULE_CFLAGS="${LIBGNUTLS_CFLAGS} ${SRP_CFLAGS} ${APR_MEMCACHE_CFLAGS} ${APXS_CFLAGS} ${AP_INCLUDES} ${APR_INCLUDES} ${APU_INCLUDES}"
+MODULE_LIBS="${APR_MEMCACHE_LIBS} ${LIBGNUTLS_LIBS}"
 
 
@@ -22132 +22132 @@
 # values after options handling.
 ac_log="
-This file was extended by mod_gnutls $as_me 0.5.2, which was
+This file was extended by mod_gnutls $as_me 0.5.3, which was
 generated by GNU Autoconf 2.61.  Invocation command line was
 
@@ -22185 +22185 @@
 cat >>$CONFIG_STATUS <<_ACEOF
 ac_cs_version="\\
-mod_gnutls config.status 0.5.2
+mod_gnutls config.status 0.5.3
 configured by $0, generated by GNU Autoconf 2.61,
   with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\"

configure.ac

@@ -1 +1 @@
 dnl 
-AC_INIT(mod_gnutls, 0.5.2)
+AC_INIT(mod_gnutls, 0.5.3)
 OOO_CONFIG_NICE(config.nice)
 MOD_GNUTLS_VERSION=AC_PACKAGE_VERSION
@@ -56 +56 @@
 AC_SUBST(have_apr_memcache)
 
-MODULE_CFLAGS="${LIBGNUTLS_EXTRA_CFLAGS} ${SRP_CFLAGS} ${APR_MEMCACHE_CFLAGS} ${APXS_CFLAGS} ${AP_INCLUDES} ${APR_INCLUDES} ${APU_INCLUDES}"
-MODULE_LIBS="${APR_MEMCACHE_LIBS} ${LIBGNUTLS_EXTRA_LIBS}"
+MODULE_CFLAGS="${LIBGNUTLS_CFLAGS} ${SRP_CFLAGS} ${APR_MEMCACHE_CFLAGS} ${APXS_CFLAGS} ${AP_INCLUDES} ${APR_INCLUDES} ${APU_INCLUDES}"
+MODULE_LIBS="${APR_MEMCACHE_LIBS} ${LIBGNUTLS_LIBS}"
 
 AC_SUBST(MODULE_CFLAGS)

src/gnutls_hooks.c

@@ -55 +55 @@
     apr_file_printf(debug_log_fp, "<%d> %s\n", level, str);
 }
+#define _gnutls_log apr_file_printf
+#else
+# define _gnutls_log(...) 
 #endif
 
@@ -62 +65 @@
 {
 int ret;
+
+#if MOD_GNUTLS_DEBUG
+    apr_file_open(&debug_log_fp, "/tmp/gnutls_debug",
+                  APR_APPEND | APR_WRITE | APR_CREATE, APR_OS_DEFAULT,
+                  pconf);
+
+    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
+
+    gnutls_global_set_log_level(9);
+    gnutls_global_set_log_function(gnutls_debug_log_all);
+    _gnutls_log(debug_log_fp, "gnutls: %s\n", gnutls_check_version(NULL));
+#endif
 
 #if APR_HAS_THREADS
@@ -73 +88 @@
 
     if (gnutls_check_version(LIBGNUTLS_VERSION)==NULL) {
-        fprintf(stderr, "gnutls_check_version() failed. Required: gnutls-%s Found: gnutls-%s\n", 
+        _gnutls_log(debug_log_fp, "gnutls_check_version() failed. Required: gnutls-%s Found: gnutls-%s\n", 
           LIBGNUTLS_VERSION, gnutls_check_version(NULL));
         return -3;
@@ -80 +95 @@
     ret = gnutls_global_init();
     if (ret < 0) {
-        fprintf(stderr, "gnutls_global_init: %s\n", gnutls_strerror(ret));
+        _gnutls_log(debug_log_fp, "gnutls_global_init: %s\n", gnutls_strerror(ret));
         return -3;
     }
@@ -87 +102 @@
                               apr_pool_cleanup_null);
 
-#if MOD_GNUTLS_DEBUG
-    apr_file_open(&debug_log_fp, "/tmp/gnutls_debug",
-                  APR_APPEND | APR_WRITE | APR_CREATE, APR_OS_DEFAULT,
-                  pconf);
-
-    gnutls_global_set_log_level(9);
-    gnutls_global_set_log_function(gnutls_debug_log_all);
-    apr_file_printf(debug_log_fp, "gnutls: %s\n", gnutls_check_version(NULL));
-#endif
 
     return OK;
@@ -106 +112 @@
     int ret;
     int cprio[2];
+
+    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
 
     ctxt = gnutls_transport_get_ptr(session);
@@ -163 +171 @@
     mgs_handle_t *ctxt;
 
+    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
     ctxt = gnutls_transport_get_ptr(session);
+
+    if (ctxt == NULL)
+        return GNUTLS_E_INTERNAL_ERROR;
 
     if (gnutls_certificate_type_get( session) == GNUTLS_CRT_X509) {
@@ -211 +223 @@
 
 
+    _gnutls_log(debug_log_fp,   "%s: %d\n", __func__, __LINE__);
     *cert_cn = NULL;
 
@@ -262 +275 @@
 
 
+    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
     *cert_cn = NULL;
 
@@ -294 +308 @@
     const char *userdata_key = "mgs_init";
 
+    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
     apr_pool_userdata_get(&data, userdata_key, base_server->process->pool);
     if (data == NULL) {
@@ -395 +410 @@
 #endif
 
-            if (sc->certs_x509[0] == NULL
-                && sc->enabled == GNUTLS_ENABLED_TRUE) {
+            if (sc->certs_x509[0] == NULL &&
+                sc->cert_pgp == NULL &&
+                sc->enabled == GNUTLS_ENABLED_TRUE) {
                 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
                              "[GnuTLS] - Host '%s:%d' is missing a "
@@ -404 +420 @@
             }
 
-            if (sc->privkey_x509 == NULL
-                && sc->enabled == GNUTLS_ENABLED_TRUE) {
+            if (sc->enabled == GNUTLS_ENABLED_TRUE && 
+              ((sc->certs_x509[0] != NULL && sc->privkey_x509 == NULL) ||
+              (sc->cert_pgp != NULL && sc->privkey_pgp == NULL))) {
                 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s,
                              "[GnuTLS] - Host '%s:%d' is missing a "
@@ -440 +457 @@
                                                &gnutls_module);
 
+    _gnutls_log(debug_log_fp,   "%s: %d\n", __func__, __LINE__);
     if (sc->cache_type != mgs_cache_none) {
         rv = mgs_cache_child_init(p, s, sc);
@@ -458 +476 @@
                                                  &gnutls_module);
 
+    _gnutls_log(debug_log_fp,   "%s: %d\n", __func__, __LINE__);
     if (sc->enabled == GNUTLS_ENABLED_FALSE) {
         return NULL;
@@ -471 +490 @@
                                                  &gnutls_module);
 
+    _gnutls_log(debug_log_fp,   "%s: %d\n", __func__, __LINE__);
     if (sc->enabled == GNUTLS_ENABLED_FALSE) {
         return 0;
@@ -492 +512 @@
     vhost_cb_rec *x = baton;
 
+    _gnutls_log(debug_log_fp,   "%s: %d\n", __func__, __LINE__);
     tsc = (mgs_srvconf_rec *) ap_get_module_config(s->module_config,
                                                    &gnutls_module);
@@ -544 +565 @@
 #endif
 
+    _gnutls_log(debug_log_fp,   "%s: %d\n", __func__, __LINE__);
     ctxt = gnutls_transport_get_ptr(session);
 
@@ -621 +643 @@
                                                  &gnutls_module);
 
+    _gnutls_log(debug_log_fp,   "%s: %d\n", __func__, __LINE__);
     ctxt = apr_pcalloc(pool, sizeof(*ctxt));
     ctxt->c = c;
@@ -659 +682 @@
                                                  &gnutls_module);
 
+    _gnutls_log(debug_log_fp,   "%s: %d\n", __func__, __LINE__);
     if (!(sc && (sc->enabled == GNUTLS_ENABLED_TRUE))) {
         return DECLINED;
@@ -688 +712 @@
     int rv = OK;
 
+    _gnutls_log(debug_log_fp,   "%s: %d\n", __func__, __LINE__);
     apr_table_t *env = r->subprocess_env;
 
@@ -762 +787 @@
                                                &gnutls_module);
 
+    _gnutls_log(debug_log_fp,   "%s: %d\n", __func__, __LINE__);
     ctxt =
         ap_get_module_config(r->connection->conn_config, &gnutls_module);
@@ -823 +849 @@
     apr_table_t *env = r->subprocess_env;
 
+    _gnutls_log(debug_log_fp,   "%s: %d\n", __func__, __LINE__);
     if (export_certificates_enabled != 0) {
         char cert_buf[10 * 1024];
@@ -929 +956 @@
     int ret;
 
+    _gnutls_log(debug_log_fp,   "%s: %d\n", __func__, __LINE__);
     apr_table_t *env = r->subprocess_env;
 
@@ -995 +1023 @@
     apr_time_t activation_time, expiration_time, cur_time;
 
+    _gnutls_log(debug_log_fp, "%s: %d\n", __func__, __LINE__);
     cert_list =
         gnutls_certificate_get_peers(ctxt->session, &cert_list_size);

src/gnutls_io.c

@@ -73 +73 @@
     if (buffer->length > inl) {
         /* we have have enough to fill the caller's buffer */
-        memcpy(in, buffer->value, inl);
+        memmove(in, buffer->value, inl);
         buffer->value += inl;
         buffer->length -= inl;
@@ -79 +79 @@
     else {
         /* swallow remainder of the buffer */
-        memcpy(in, buffer->value, buffer->length);
+        memmove(in, buffer->value, buffer->length);
         inl = buffer->length;
         buffer->value = NULL;
@@ -354 +354 @@
 }
 
-#define HANDSHAKE_MAX_TRIES 100
+#define HANDSHAKE_MAX_TRIES 1024
 static int gnutls_do_handshake(mgs_handle_t * ctxt)
 {