[gnutls-dev] starttls
Nikos Mavroyanopoulos
nmav at gnutls.org
Sat Feb 16 00:42:01 CET 2002
On Fri, Feb 15, 2002 at 07:14:54PM +0000, Andrew McDonald wrote:
> > RSA key exchange. The drawback is that DHE_RSA requires more
> > calculations, than plain RSA, thus many servers disable it.
> Well, the mutt/gnutls patch gives:
> const int kx_priority[] =
> {GNUTLS_KX_X509PKI_DHE_RSA, GNUTLS_KX_X509PKI_RSA, 0};
> as the priority, is it worth suggesting he tries swapping them?
They are fine, no need for swap.
> Looking up HOSTNAME...
> Connecting to HOSTNAME...
> *** Keeping ciphersuite: X509PKI_DHE_RSA_3DES_EDE_CBC_SHa
> *** Keeping ciphersuite: X509PKI_DHE_RSA_RIJNDAEL_128_CBC_SHA
> *** Keeping ciphersuite: X509PKI_RSA_3DES_EDE_CBC_SHA
> *** Keeping ciphersuite: X509PKI_RSA_RIJNDAEL_128_CBC_SHA
> Handshake: CLIENT HELLO was send [52 bytes]
> GNUTLS_ASSERT: gnutls_buffers.c:853
> GNUTLS_ASSERT: gnutls_handshake.c:752
> GNUTLS_ASSERT: gnutls_handshake.c:880
> GNUTLS_ASSERT: gnutls_handshake.c:1757
> GNUTLS Error: recv hello (-12)
> gnutls_handshake: FATAL_ALERT_RECEIVED
Wow that's strange. I can think some reasons though:
1. The server only accepts SSLv2 hellos
- If this is the case (i wouldn't vote for this), the server
is broken. Try connecting with openssl s_client -tls1 to
check this.
2. The server has one certificate with DSS parameters
- This can be solved only by updating to gnutls 0.4.0
(when it's released)
3. The server does not like our extensions.
- can be solved by disabling SRP and not using the max_record_size
extension.
4. We send a broken hello message
- Can be tested by enabling WRITE_DEBUG and sending me the
output.
> Andrew
> --
> Andrew McDonald
> E-mail: andrew at mcdonald.org.uk
> http://www.mcdonald.org.uk/andrew/
--
Nikos Mavroyanopoulos
mailto:nmav at gnutls.org
More information about the Gnutls-devel
mailing list