iDevice GnuTLS issue with iOS 4.2 - libimobiledevice

Jeffrey Walton noloader at
Tue Nov 23 10:29:31 CET 2010

On Tue, Nov 23, 2010 at 4:08 AM, Nikos Mavrogiannopoulos
<nmav at> wrote:
> I'd suggest that you use the priority_set_direct() function. Check the examples
> in the gnutls documentation for details. Does gnutls-cli work on the server you
> are connecting? What is the output of gnutls-cli-debug?
An FYI.... I have not been able to get the examples* to work. I've
tried connecting to my Windows 2003/IIS 6 machine, and Simon's host at

Usually, gnutls_handshake() fails with one of the following (I do a
lot of knob turning on failures). In all cases,
gnutls_error_is_fatal() is true.


In my case, both gnutls-cli and gnutls-cli-debug connect and probe the
IIS 6.0 host. I seem to recall problems with Simon's host, though.
When I found problems with both hosts, I stopped using Simon's host.

I've tried different 'priority direct' strings:
"PERFORMANCE:+ANON-DH:!ARCFOUR-128" (from the example)

I've also tried different protocols in calls to
gnutls_protocol_set_priority(). My current array is:
    static const int protocols[] =
        { /*GNUTLS_TLS1_2, GNUTLS_TLS1_1,*/ GNUTLS_TLS1_0, GNUTLS_SSL3, 0 };


* Specifically, the first client example (anonymous auth) at

> On Mon, Nov 22, 2010 at 12:17 AM, Nikias Bassen <nikias at> wrote:
>> Hi,
>> I'm a leading developer of libimobiledevice ( and
>> we are facing a GnuTLS issue. The lockdown protocol is initializing an SSLv3
>> session and since iOS 4.2 the handshake fails when using GnuTLS. Further
>> investigation showed that the error is GNUTLS_E_FATAL_ALERT_RECEIVED -12,
>> Error: Could not negotiate a supported cipher suite.
>> However, I replaced the appropriate ssl code using OpenSSL and got it working.
>> Debugging output showed that the cipher is AES256-SHA, but surprisingly this
>> is the same cipher that we have with pre-4.2 devices using GnuTLS.
>> We have no clue what might be wrong here as it has been working since 4.2b
>> arrived, so I'd like to ask if anyone here might be able to help us
>> investigating this issue? Tell me what info you need and I'll get it for you.
>> The device is the server and libimobiledevice code the client side of the
>> communication.
>> Our code is here:
>> The SSL code is in src/idevice.c, the handshake is implemented in
>> idevice_connection_enable_ssl(). If you have questions about the code just
>> ask. You can reach us in #libimobiledevice on FreeNode too.
>> Regards,
>> Nikias
