[gnutls-dev] SRP compatibility problem between different GnuTLS version

Simon Josefsson simon at josefsson.org
Thu Jan 25 11:21:55 CET 2007

Yoann Vandoorselaere <yoann at prelude-ids.org> writes:

> Hi,
> It appear there are compatibility issues with SRP between different
> GnuTLS version. As an example, peers using GnuTLS-1.4.0 are not able to
> proceed authentication with peers using GnuTLS-1.4.5: the handshake
> terminate with a "GnuTLS internal error".
> I suspect this is due to the following change in GnuTLS-1.4.2: 
> ** Change SRP and Cert-Type extensions to match IANA registry.

Hi!  Ah, yes, I can see how that becomes an interoperability problem.

It seems bad if it causes internal errors though.  If I read you
correctly, this only happens on the GnuTLS 1.4.0 side?  Does a 1.4.5
peer terminate with an internal error when it tries to negotiate with
a 1.4.0 peer?

> The problem is that this randomly break things for the end-user although
> there are other authentication method usable (the client/server we are
> using both support SRP and Anonymous authentication, which are supposed
> to be negotiated when the communication start).
> In this specific case, I would expect GnuTLS to use another
> authentication method, if any, rather than failing.

Right, that's what I'd expect too.

> My question is whether such breakage are predictable, and whether a
> change in the application code might permit us to revert to another
> authentication method in case it happen.

Tracking down (i.e., debugging) exactly what triggers the internal
error message would be useful, and might help you answer that.

You could also try to add the old values into the 1.4.5 peer, and see
if the 1.4.0 client then successfully negotiate SRP.  We should still
use the official IANA value, but we could support the old ones for
compatibility too.  That could go into future versions...


More information about the Gnutls-devel mailing list