iDevice GnuTLS issue with iOS 4.2 - libimobiledevice

Jeffrey Walton noloader at gmail.com
Wed Nov 24 11:04:49 CET 2010


On Wed, Nov 24, 2010 at 3:23 AM, Nikos Mavrogiannopoulos
<nmav at gnutls.org> wrote:
> On 11/24/2010 06:50 AM, Jeffrey Walton wrote:
>> On Tue, Nov 23, 2010 at 4:44 AM, Nikos Mavrogiannopoulos
>> <nmav at gnutls.org> wrote:
>>> On Tue, Nov 23, 2010 at 10:29 AM, Jeffrey Walton <noloader at gmail.com> wrote:
>>>
>>>>> I'd suggest that you use the priority_set_direct() function. Check the examples
>>>>> in the gnutls documentation for details. Does gnutls-cli work on the server you
>>>>> are connecting? What is the output of gnutls-cli-debug?
>>>> An FYI.... I have not been able to get the examples* to work. I've
>>>> tried connecting to my Windows 2003/IIS 6 machine, and Simon's host at
>>>> test.gnutls.org:5556.
>>>> Usually, gnutls_handshake() fails with one of the following (I do a
>>>> lot of knob turning on failures). In all cases,
>>>> gnutls_error_is_fatal() is true.
>>>
>>> Which client example did you try?
>> First example - anonymous client authentication at [1]. I attached my
>> test code for convenience.
>
> Web servers do not support anonymous authentication, thus receiving an
> alert that might indicate that would be the expected behavior.
Ah. I see - we're not on the same page. I'm not using the correct
terms. My apologies. That would explain why I thought "anonymous
authentication" [1, 2] meant "no client credentials" or similar.

What term should I use to mean "no client credentials"? The best I can
explain "no client credentials" is how a standard web server operates;
and the inverse of "client authentication" introduced in SSL 3.0.

The take away: how do I set up a secure channel, which requires server
authentication, but not [necessarily] client authentication?

> (use the gnutls_alert_* functions to read the actual alert).
The error code and gnutls_alert_get()/gnutls_alert_get_name() were not
very useful. Confer: {GNUTLS_E_UNEXPECTED_PACKET_LENGTH, "Close
notify"} and {GNUTLS_E_FATAL_ALERT_RECEIVED, "Error in protocol
version"}

Googling for the error defines and alert strings usually state
something like, "let's get the GnuTLS guys involved with this" and
"GnuTLS is broken, use {OpenSSL|NSS}".

Jeff

[1] IIS Authentication, "Anonymous authentication gives users access
to the public areas of your Web site without prompting them for a user
name or password. Although listed as an authentication scheme, it is
not technically performing any client authentication because the
client is not required to supply any credentials."
http://msdn.microsoft.com/en-us/library/aa292114%28VS.71%29.aspx

[2] Apache 2 with SSL/TLS, "It is also recommended to disable all
cipher suites that support anonymous authentication (aNULL)."
http://www.symantec.com/connect/articles/apache-2-ssltls-step-step-part-2
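The two alert names quoted above ("Close notify", "Error in protocol version") are the peer's TLS alert records as GnuTLS names them; the close_notify and protocol_version alert descriptions are numbers 0 and 70 in RFC 5246 section 7.2. The following decoder is an added example, not code from this thread or from GnuTLS itself: it parses raw TLS record framing from a byte string, reports each alert's level and description by name, and treats a truncated record as an error (the wire-level condition behind an unexpected-packet-length failure). The byte stream at the bottom is constructed for the example, not a capture.

```python
"""Decode TLS alert records from a raw byte stream (added example).

Useful when a TLS library reports only "fatal alert received" and you
want to see what the peer actually sent. The sample bytes at the bottom
are constructed for illustration, not captured from a real server.
"""
import struct

CONTENT_TYPE_ALERT = 21

# RFC 5246 section 7.2 alert descriptions (the subset most often seen)
ALERT_DESCRIPTIONS = {
    0: "close_notify",
    10: "unexpected_message",
    20: "bad_record_mac",
    40: "handshake_failure",
    42: "bad_certificate",
    46: "certificate_unknown",
    47: "illegal_parameter",
    48: "unknown_ca",
    70: "protocol_version",
    71: "insufficient_security",
    80: "internal_error",
    90: "user_canceled",
    100: "no_renegotiation",
}

ALERT_LEVELS = {1: "warning", 2: "fatal"}

# Record-layer version field -> human-readable protocol name
TLS_VERSIONS = {
    (3, 0): "SSL 3.0",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
}


def parse_records(data):
    """Split a byte string into (content_type, version, payload) tuples.

    Raises ValueError on a truncated record header or body, which is the
    wire-level situation a library reports as an unexpected packet length.
    """
    records = []
    offset = 0
    while offset < len(data):
        if len(data) - offset < 5:
            raise ValueError("truncated record header at offset %d" % offset)
        ctype, major, minor, length = struct.unpack_from("!BBBH", data, offset)
        offset += 5
        if len(data) - offset < length:
            raise ValueError("record claims %d bytes, only %d available"
                             % (length, len(data) - offset))
        records.append((ctype, (major, minor), data[offset:offset + length]))
        offset += length
    return records


def decode_alert(payload):
    """Turn a 2-byte alert body into a dict with level/description names."""
    if len(payload) != 2:
        raise ValueError("alert body must be exactly 2 bytes, got %d" % len(payload))
    level, desc = payload[0], payload[1]
    return {
        "level": ALERT_LEVELS.get(level, "unknown(%d)" % level),
        "description": ALERT_DESCRIPTIONS.get(desc, "unknown(%d)" % desc),
        "fatal": level == 2,
    }


def explain_stream(data):
    """Summarise every record in the stream as a list of one-line strings."""
    lines = []
    for ctype, version, payload in parse_records(data):
        if ctype != CONTENT_TYPE_ALERT:
            lines.append("non-alert record type %d (%d bytes)" % (ctype, len(payload)))
            continue
        alert = decode_alert(payload)
        lines.append("%s alert %s, record version %s"
                     % (alert["level"], alert["description"],
                        TLS_VERSIONS.get(version, "unknown %r" % (version,))))
    return lines


# Constructed sample: a fatal protocol_version alert followed by a
# warning-level close_notify, both in TLS 1.0 record framing.
SAMPLE_STREAM = bytes([21, 3, 1, 0, 2, 2, 70]) + bytes([21, 3, 1, 0, 2, 1, 0])

if __name__ == "__main__":
    for line in explain_stream(SAMPLE_STREAM):
        print(line)
```

Feeding the decoder the bytes read from the socket just before the handshake fails shows whether the peer sent a fatal alert (and which one) or simply closed the connection with a warning-level close_notify, which is the distinction the two GnuTLS error codes above are reporting.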
