[gnutls-dev] [Pkg-gnutls-maint] Re: Possible bug in GnuTLS AES/SHA1

James Westby jw+debian at jameswestby.net
Tue Feb 6 08:31:59 CET 2007

On (06/02/07 08:19), Simon Josefsson wrote:
> Until someone proves me wrong, I assume that the GnuTLS behaviour is
> correct.  It seems better to try to disprove that assumption, by
> finding some flaw.  If OpenSSL works and GnuTLS doesn't, there
> reasonably must be _some_ kind of difference.  It might be that the
> behaviour is permitted by the standard, and the phone doesn't handle
> that correctly, but then at least we know what to document.  And let
> Nokia know about it.  Maybe we could even make that behaviour in
> GnuTLS configurable.

That sounds reasonable. I will try and get you a proof if there is one.

> James Westby <jw+debian at jameswestby.net> writes:
> > Marc has also provided me with a dump of an OpenSSL transaction. The
> > differences that I saw with a quick look were that the client certificate
> > wasn't requested, and that the 256 variant of TLS_RSA_AES_CBC_SHA was
> > picked by the server. The first can be done with the -verify option to
> > s_server, the second can be done with the -ciphers option, somehow, but
> > it is not clear what the format of this option is. In a private exchange
> > with Marc he is helping me to get the traces as similar as possible.
> Oh!  A client certificate request could easily bug out a poorly
> written TLS implementation.  See if you can make OpenSSL request a
> client certificate as well.
> Getting both programs to send exactly the same parameters is
> important.  Otherwise it will be difficult to track down exactly what
> change is causing the problem.

Yes, I realise this. Last night I sent Marc the correct parameters to
get OpenSSL s_server to request a client certificate and to select the
same cipher suite. At least I hope they were correct this time.

When I get the dump of that session from Marc I will look for any
differences in the configuration, and if I can't see any I'll start
looking for problems in the numbers.

I have found the code in OpenSSL that calculates the finished message,
so I think I should be able to use that. The hard part after that is to
work out how to do the hashes, and to get the data to go in them.

I am assuming that the handshake messages that must be hashed refers to
the data that the SSL library sent over the wire, excluding the headers
like type of packet, version and length. Or does it include those? I
don't imagine that it is the whole packets with TCP/IP headers etc.



  James Westby   --    GPG Key ID: B577FE13    --     http://jameswestby.net/
  seccure key - (3+)k7|M*edCX/.A:n*N!>|&7U.L#9E)Tu)T0>AM - secp256r1/nistp256
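An added illustration of the Finished computation discussed above (not code from this thread, from GnuTLS or from OpenSSL): per RFC 2246 the hash covers handshake-layer bytes only, so each handshake message is included together with its own 4-byte type/length header, while the record-layer header (content type, version, length) and the ChangeCipherSpec record are not. The master secret and records below are constructed sample values.

```python
import hashlib
import hmac

def p_hash(hash_name, secret, seed, length):
    """TLS 1.0 P_hash (RFC 2246 section 5): HMAC-based expansion to `length` bytes."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]

def tls10_prf(secret, label, seed, length):
    """TLS 1.0 PRF: P_MD5 over the first half of the secret XOR P_SHA1 over the second half."""
    half = (len(secret) + 1) // 2          # halves overlap by one byte for odd lengths
    s1, s2 = secret[:half], secret[-half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))

def handshake_bytes_from_records(records):
    """Strip the 5-byte record header from each record and keep only the payloads
    of handshake records (content type 22). Handshake message headers stay in."""
    out = b""
    pos = 0
    while pos + 5 <= len(records):
        ctype = records[pos]
        length = int.from_bytes(records[pos + 3:pos + 5], "big")
        body = records[pos + 5:pos + 5 + length]
        if ctype == 22:  # ChangeCipherSpec (20) is not a handshake message
            out += body
        pos += 5 + length
    return out

def finished_verify_data(master_secret, handshake_messages, client=True):
    """verify_data = PRF(master_secret, label, MD5(msgs) + SHA1(msgs))[0:12] (RFC 2246 7.4.9)."""
    label = b"client finished" if client else b"server finished"
    digest = hashlib.md5(handshake_messages).digest() + hashlib.sha1(handshake_messages).digest()
    return tls10_prf(master_secret, label, digest, 12)

# Constructed sample: a 6-byte handshake record (ClientHello type 0x01, 2-byte body)
# followed by a 1-byte ChangeCipherSpec record, and a dummy 48-byte master secret.
SAMPLE_RECORDS = bytes.fromhex("1603010006" "01000002aabb" "1403010001" "01")
SAMPLE_MASTER_SECRET = bytes(range(48))

if __name__ == "__main__":
    msgs = handshake_bytes_from_records(SAMPLE_RECORDS)
    print(msgs.hex(), finished_verify_data(SAMPLE_MASTER_SECRET, msgs).hex())
```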
