[gnutls-dev] Possible bug in GnuTLS AES/SHA1

Simon Josefsson simon at josefsson.org
Tue Feb 6 08:19:01 CET 2007

James Westby <jw+debian at jameswestby.net> writes:

> Simon, can I ask when you would be satisfied that GnuTLS is behaving
> correctly? Would calculations of all values do it? Anything more or less?

Until someone proves me wrong, I assume that the GnuTLS behaviour is
correct.  It seems better to try to disprove that assumption, by
finding some flaw.  If OpenSSL works and GnuTLS doesn't, there
reasonably must be _some_ kind of difference.  It might be that the
behaviour is permitted by the standard, and the phone doesn't handle
that correctly, but then at least we know what to document.  And let
Nokia know about it.  Maybe we could even make that behaviour in
GnuTLS configurable.

>> Comparing with a successful OpenSSL handshake would be best.
>> IIRC, OpenSSL could negotiate successfully with SHA-1?  Then there
>> must be some kind of difference in what is sent over the wire.
> Marc has also provided me with a dump of an OpenSSL transaction. The
> differences that I saw with a quick look were that the client certificate
> wasn't requested, and that the 256 variant of TLS_RSA_AES_CBC_SHA was
> picked by the server. The first can be done with the -verify option to
> s_server, the second can be done with the -ciphers option, somehow, but
> it is not clear what the format of this option is. In a private exchange
> with Marc he is helping me to get the traces as similar as possible.

Oh!  A client certificate request could easily bug out a poorly
written TLS implementation.  See if you can make OpenSSL request a
client certificate as well.

Getting both programs to send exactly the same parameters is
important.  Otherwise it will be difficult to track down exactly what
change is causing the problem.

>> Btw, it might be better to compare against the OpenSSL dump rather
>> than comparing against the RFC.  Following the RFC isn't guaranteed to
>> work against the client, but if OpenSSL works against the client, it
>> is doing something that the client likes.  We could mimic that
>> behaviour if we know what it is.
> That sounds fair. If I can see a difference then I will try and pinpoint
> it to allow you to decide what to do.

Yes, I think that is the best approach.  The goal here seems to be
interoperability, not standards-compliance, after all.

Good luck,
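The trace comparison discussed above, as an added example that is not part of this thread or of either project's code: a small Python parser that summarises a captured server flight (handshake messages in order and the ServerHello cipher suite) and lists where two captures differ, such as a missing CertificateRequest or the 256-bit instead of the 128-bit AES-CBC-SHA suite. It assumes the input is the raw TLS record bytes of the server's first flight exported from a packet capture; the two traces below are constructed, not real dumps.

```python
import struct

HANDSHAKE = 22  # TLS record content type for handshake messages
HS_NAMES = {2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
            13: "CertificateRequest", 14: "ServerHelloDone"}
SUITES = {0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA", 0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA"}

def server_flight(raw):
    """Summarise a server's first flight: handshake message names in order and the
    ServerHello cipher suite. Handshake payloads are concatenated across records first."""
    hs, off = b"", 0
    while off + 5 <= len(raw):
        ctype, _ver, length = struct.unpack("!BHH", raw[off:off + 5])
        off += 5
        if ctype == HANDSHAKE:
            hs += raw[off:off + length]
        off += length
    msgs, suite, i = [], None, 0
    while i + 4 <= len(hs):
        mtype, mlen = hs[i], int.from_bytes(hs[i + 1:i + 4], "big")
        body = hs[i + 4:i + 4 + mlen]
        msgs.append(HS_NAMES.get(mtype, "type%d" % mtype))
        if mtype == 2:  # ServerHello: version(2) random(32) sid_len(1) sid suite(2)
            sid_len = body[34]
            suite = struct.unpack("!H", body[35 + sid_len:37 + sid_len])[0]
        i += 4 + mlen
    return {"messages": msgs, "suite": SUITES.get(suite, suite)}

def diff_flights(a, b):
    """List the differences between two captured server flights."""
    fa, fb = server_flight(a), server_flight(b)
    out = []
    if fa["suite"] != fb["suite"]:
        out.append("cipher suite: %s vs %s" % (fa["suite"], fb["suite"]))
    out += ["only in first: " + m for m in sorted(set(fa["messages"]) - set(fb["messages"]))]
    out += ["only in second: " + m for m in sorted(set(fb["messages"]) - set(fa["messages"]))]
    return out

# Constructed sample traces (hypothetical, not real captures) as TLS 1.0 records.
def _rec(payload):
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(payload)) + payload
def _hs(mtype, body):
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body
def _server_hello(suite):  # all-zero random, empty session id, null compression
    return _hs(2, b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00")

# "OpenSSL-like": AES-256 suite, no CertificateRequest, one message per record.
OPENSSL_TRACE = _rec(_server_hello(0x0035)) + _rec(_hs(11, b"\x00\x00\x00")) + _rec(_hs(14, b""))
# "GnuTLS-like": AES-128 suite, CertificateRequest present, all messages in one record.
GNUTLS_TRACE = _rec(_server_hello(0x002F) + _hs(11, b"\x00\x00\x00")
                    + _hs(13, b"\x01\x01\x00\x00") + _hs(14, b""))
```

Feed it the server-side records of each dump and `diff_flights` reports only the fields that differ, which is the short list worth looking at once both servers are configured to send the same parameters.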