TLS1.1 handshake problem (demonstrated with gnutls-cli)

Vivek Dasmohapatra vivek at collabora.co.uk
Thu Oct 15 20:13:04 CEST 2009


While investigating a report of a problem connecting to a particular 
server when using the gnutls backend of our XMPP library, we (collabora)
stumbled across this problem :

/usr/local/src/gnutls26-2.8.4/src/gnutls-cli --priority "NORMAL:%COMPAT" \
     -p 5223 stbeehive.oracle.com
Resolving 'stbeehive.oracle.com'...
Connecting to '141.146.118.11:5223'...
proto  [0] = 3 TLS1.1
        [1] = 2 TLS1.0
        [2] = 1 SSL3.0
*** Fatal error: A TLS fatal alert has been received.
*** Received alert [10]: Unexpected message
*** Handshake has failed
GNUTLS ERROR: A TLS fatal alert has been received.

(the proto lines are some extra debugging I added myself)
Whereas:

/usr/local/src/gnutls26-2.8.4/src/gnutls-cli \
     --priority "NORMAL:%COMPAT:-VERS-TLS1.1"  -p 5223 stbeehive.oracle.com
Resolving 'stbeehive.oracle.com'...
Connecting to '141.146.118.11:5223'...
proto  [0] = 1 SSL3.0
        [1] = 2 TLS1.0
- The hostname in the certificate matches 'stbeehive.oracle.com'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.0
- Key Exchange: RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed

Now I'm not sure who's in the wrong here, the server or the client 
library: fwiw openssl negotiates TLS1 with the server out of the box,
but s_client doesn't state which explicit TLS minor version it's using,
so it could just be that it doesn't implement TLS 1.1 or 1.2 yet.

Enabling 1.2 and disablinng 1.1 also causes the error above (Unexpected 
message).

Disabling %COMPAT (padding) triggers:

*** Received alert [20]: Bad record MAC

instead.

So, is this a bug in the TLS1.1/TLS1.2 implementation in gnutls, or
is it the server doing something wrong, or both?






More information about the Gnutls-devel mailing list