[gnutls-dev] Possible bug in GnuTLS AES/SHA1

James Westby jw+debian at jameswestby.net
Thu Dec 21 19:33:23 CET 2006


Marc Haber (on CC), the Debian Exim maintainer, reported a bug against
GnuTLS in Debian on behalf of users who were having trouble using their
mobile phones with Exim using an SSL connection. You can read the full
story here:


Marc has been very helpful in trying to investigate what the cause of
the bug is. We now know the following things:

  Linking Exim against OpenSSL works.
  The phones fail when run against gnutls-serv and its default options.
  Forcing SSL3.0 works, the phones don't support TLS1.2.
  Disallowing SHA1 means RC4 is negotiated, and works.
  There is no compression involved as the phones do not support it.

I am not sure how to proceed now. Marc has provided plenty of debugging
info, including dumps of debugging output from -serv, and he sent me
privately tcpdumps of the transactions.

Can you suggest any way for us to proceed? Do you have any more tools
that can help us work out what is going on? Unfortunately there is
nothing we can do from the phone end as we have no idea what is going on



