[gnutls-dev] Re: dh_param's required in client for anonymous kx in 1.1?

Simon Josefsson simon+gnutls-dev at josefsson.org
Sat Dec 20 19:34:56 CET 2003 

Nikos Mavroyanopoulos <nmav at gnutls.org> writes:

> On Sat, Dec 20, 2003 at 02:21:03PM +0100, Simon Josefsson wrote:
>
>> I'm using the anonymous key exchange, and I generate dh_param's in the
>> server, and it works fine with 1.0.  With 1.1 (from CVS) however, I
>> get an error in the server:
>> shishi: TLS handshake failed (-32): Insufficient credentials for that request.
>
> gnutls-cli works fine in 1.1.0. Do you allocate and set the anon
> client credentials? 

Yes.

  err = gnutls_anon_allocate_server_credentials (&anoncred);
  if (err)
    error (EXIT_FAILURE, 0, "Cannot allocate GNUTLS credential: %s (%d)",
	   gnutls_strerror (err), err);


  err = gnutls_dh_params_init (&dh_params);
  if (err)
    error (EXIT_FAILURE, 0, "Cannot initialize GNUTLS DH parameters: %s (%d)",
	   gnutls_strerror (err), err);

  if (!arg.quiet_flag)
    printf ("Generating Diffie-Hellman parameters...\n");

  err = gnutls_dh_params_generate2 (dh_params, DH_BITS);
  if (err)
    error (EXIT_FAILURE, 0, "Cannot generate GNUTLS DH parameters: %s (%d)",
	   gnutls_strerror (err), err);

  gnutls_anon_set_server_dh_params (anoncred, dh_params);
...

      rc = gnutls_credentials_set (ls->session, GNUTLS_CRD_ANON, anoncred);
      if (rc != GNUTLS_E_SUCCESS)
	{
	  syslog (LOG_ERR, "TLS failed, gnutls_cs %d: %s", rc,
		  gnutls_strerror (rc));
	  return -1;
	}

> If yes, please enable debugging(with level 2)
> and send me the output.

shishid: Trying STARTTLS
tls 2: ASSERT: gnutls_db.c:217
 
tls 2: EXT[8079568]: Received extension 'SERVER_NAME'
 
tls 2: ASSERT: auth_cert.c:1488
 
tls 2: ASSERT: gnutls_handshake.c:2440
 
tls 2: ASSERT: gnutls_handshake.c:550
 
tls 2: ASSERT: gnutls_handshake.c:351
 
tls 2: ASSERT: gnutls_handshake.c:1747
 
tls 2: ASSERT: gnutls_handshake.c:2184
 
shishid: TLS handshake failed (-32): Insufficient credentials for that request.

The interesting thing is that if I also set a X.509 credential in the
session:

      rc = gnutls_credentials_set (ls->session, GNUTLS_CRD_CERTIFICATE,
				   x509cred);
      if (rc != GNUTLS_E_SUCCESS)
	{
	  syslog (LOG_ERR, "TLS failed, gnutls_cs X.509 %d: %s", rc,
		  gnutls_strerror (rc));
	  return -1;
	}

The negotiation works, and negotiate anonymous TLS fine:

shishid: Trying STARTTLS
tls 2: ASSERT: gnutls_db.c:217
 
tls 2: EXT[8079608]: Received extension 'SERVER_NAME'
 
tls 2: ASSERT: gnutls_x509.c:1019
 
shishid: TLS handshake negotiated protocol `TLS 1.0', key exchange `Anon DH', certficate type `X.509', cipher `AES 256 CBC', mac `SHA', compression `NULL'

The KX's are:

      const int kx_prio[] = { GNUTLS_KX_ANON_DH, 0 };

So I don't understand how adding the x.509 credential help, although
the gnutls_handshake code seem to have changed between 1.0.2 (which
works) and CVS (which doesn't) so perhaps the trace above help you.

Thanks.

More information about the Gnutls-devel mailing list