iDevice GnuTLS issue with iOS 4.2 - libimobiledevice

Nikos Mavrogiannopoulos nmav at
Wed Nov 24 12:24:59 CET 2010

On Wed, Nov 24, 2010 at 11:04 AM, Jeffrey Walton <noloader at> wrote:

>> Web servers do not support anonymous authentication, thus receiving an
>> alert that might indicate that would be the expected behavior.
> Ah. I see - we're not on the same page. I'm not using the correct
> terms. My apologies. That would explain why I thought "anonymous
> authentication" [1, 2] meant "no client credentials" or similar.
> What term should I use to mean "no client credentials"? The best I can
> explain "no client credentials" is how a standard web server operates;
> and the inverse of "client authentication" introduced in SSL 3.0.

The authentication in TLS most commonly used is certificate authentication.
This can be server-side only (only the server is authenticated) or client and server
authentication (where both are authenticated to each other). Thus a client such
as the client in 7.3.2 that does not set a certificate would work for you.

>> (use the gnutls_alert_* functions to read the actual alert).
> The error code and gnutls_alert_get()/gnutls_alert_get_name() were not
> very useful. Confer: {GNUTLS_E_UNEXPECTED_PACKET_LENGTH, "Close
> notify"} and {GNUTLS_E_FATAL_ALERT_RECEIVED, "Error in protocol
> version"}

In what sense? Did you use something like:

> Googling for the error defines and alert strings usually state
> something like, "let's get the GnuTLS guys involved with this" and
> "GnuTLS is broken, use {OpenSSL|NSS}".

Sometimes error alerts from TLS can be quite cryptic. Maybe we can
improve the documentation for the common cases.

> [1] IIS Authentication, "Anonymous authentication gives users access
> to the public areas of your Web site without prompting them for a user
> name or password. Although listed as an authentication scheme, it is
> not technically performing any client authentication because the
> client is not required to supply any credentials."

Ouch. Here they abuse the terminology of TLS. Anonymous authentication
is authentication where neither the client nor the server is authenticated
to each other.

> [2] Apache 2 with SSL/TLS, "It is also recommended to disable all
> cipher suites that support anonymous authentication (aNULL)."

Here is correct usage of anonymous authentication.
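
The distinction drawn in this message, as an added example that is not part of the original thread or of GnuTLS: anonymous authentication is a property of the negotiated cipher suite, while "no client credentials" is an ordinary certificate suite in which the client sends no certificate. The function names and the sample offer are assumptions made for illustration; suite names follow the IANA registry for TLS 1.2 and earlier.

```python
# Added example (hypothetical helper names): which peers a TLS <= 1.2
# handshake authenticates, judged from the IANA cipher suite name.
SHARED_SECRET = ("PSK", "SRP")       # both peers prove knowledge of a secret
CERT_SIG = ("RSA", "DSS", "ECDSA")   # server presents a certificate

# Constructed sample of suites a server might have enabled.
SAMPLE_OFFER = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_PSK_WITH_AES_128_CBC_SHA",
]

def auth_class(suite):
    """Classify a suite by the authentication its key exchange provides."""
    if not suite.startswith("TLS_") or "_WITH_" not in suite:
        return "unspecified"  # e.g. TLS 1.3 names do not encode authentication
    kx = suite[len("TLS_"):].split("_WITH_", 1)[0].split("_")
    if kx[-1] == "anon" or kx == ["NULL"]:
        return "anonymous"
    if any(tok in SHARED_SECRET for tok in kx):
        return "shared-secret"
    if any(tok in CERT_SIG for tok in kx):
        return "certificate"
    return "unspecified"

def authenticated_parties(suite, client_cert_sent=False):
    """Return the set of peers authenticated by a handshake using this suite."""
    cls = auth_class(suite)
    if cls == "anonymous":
        if client_cert_sent:
            # RFC 5246, 7.4.4: an anonymous server must not request a client certificate.
            raise ValueError("client certificate is not possible with " + suite)
        return frozenset()                  # neither side is authenticated
    if cls == "shared-secret":
        return frozenset({"client", "server"})
    if cls == "certificate":
        # Server-only authentication unless the client also sent a certificate.
        return frozenset({"server"} | ({"client"} if client_cert_sent else set()))
    raise ValueError("authentication is not encoded in the name " + suite)

def anonymous_suites(offer):
    """List the suites that the aNULL recommendation asks you to disable."""
    return [s for s in offer if auth_class(s) == "anonymous"]

if __name__ == "__main__":
    for s in SAMPLE_OFFER:
        print(s, auth_class(s))
```
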


More information about the Gnutls-devel mailing list