iDevice GnuTLS issue with iOS 4.2 - libimobiledevice

Nikos Mavrogiannopoulos nmav at gnutls.org
Wed Nov 24 12:24:59 CET 2010


On Wed, Nov 24, 2010 at 11:04 AM, Jeffrey Walton <noloader at gmail.com> wrote:

>> Web servers do not support anonymous authentication, thus receiving an
>> alert that might indicate that would be the expected behavior.
> Ah. I see - we're not on the same page. I'm not using the correct
> terms. My apologies. That would explain why I thought "anonymous
> authentication" [1, 2] meant "no client credentials" or similar.
> What term should I use to mean "no client credentials"? The best I can
> explain "no client credentials" is how a standard web server operates;
> and the inverse of "client authentication" introduced in SSL 3.0.

The authentication most commonly used in TLS is certificate authentication.
This can be server-side only (only the server is authenticated) or client and server
authentication (where both are authenticated to each other). A client such as
the one in 7.3.2 that does not set a certificate would thus work for you.

>> (use the gnutls_alert_* functions to read the actual alert).
> The error code and gnutls_alert_get()/gnutls_alert_get_name() were not
> very useful. Confer: {GNUTLS_E_UNEXPECTED_PACKET_LENGTH, "Close
> notify"} and {GNUTLS_E_FATAL_ALERT_RECEIVED, "Error in protocol
> version"}

In what sense? Did you use something like:
http://www.gnu.org/software/gnutls/manual/html_node/Checking-for-an-alert.html#Checking-for-an-alert
?

> Googling for the error defines and alert strings usually state
> something like, "let's get the GnuTLS guys involved with this" and
> "GnuTLS is broken, use {OpenSSL|NSS}".

Sometimes error alerts from TLS can be quite cryptic. Maybe we can
improve the documentation for the common cases.

> [1] IIS Authentication, "Anonymous authentication gives users access
> to the public areas of your Web site without prompting them for a user
> name or password. Although listed as an authentication scheme, it is
> not technically performing any client authentication because the
> client is not required to supply any credentials."
> http://msdn.microsoft.com/en-us/library/aa292114%28VS.71%29.aspx

Ouch. Here they abuse the terminology of TLS. Anonymous authentication
is authentication where neither the client nor the server are authenticated
to each other.

> [2] Apache 2 with SSL/TLS, "It is also recommended to disable all
> cipher suites that support anonymous authentication (aNULL)."
> http://www.symantec.com/connect/articles/apache-2-ssltls-step-step-part-2

Here is a correct usage of anonymous authentication.

regards,
Nikos
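The following is an added illustration of the two points discussed in this thread; it is not code from the mailing list or from GnuTLS. It uses Python's standard `ssl` module as a stand-in for the GnuTLS API: `parse_alert_record` does what a caller of `gnutls_alert_get()`/`gnutls_alert_get_name()` is after (read the level and description of the alert the peer actually sent, and refuse a record whose length is wrong), and the three context helpers spell out the terminology above: server-only authentication ("no client credentials"), client-and-server authentication, and anonymous (aNULL) suites where neither side is authenticated. The alert bytes are constructed for the example; the alert name table is a subset of RFC 5246 section 7.2.

```python
import ssl
import struct

# TLS record content type for alerts (RFC 5246, section 6.2.1).
CONTENT_TYPE_ALERT = 21
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Subset of AlertDescription values from RFC 5246, section 7.2.
ALERT_DESCRIPTIONS = {
    0: "close_notify",
    10: "unexpected_message",
    20: "bad_record_mac",
    40: "handshake_failure",
    42: "bad_certificate",
    46: "certificate_unknown",
    48: "unknown_ca",
    70: "protocol_version",
    71: "insufficient_security",
    80: "internal_error",
}


class AlertParseError(ValueError):
    """Raised when bytes do not form a well-formed plaintext alert record."""


def parse_alert_record(record: bytes) -> tuple:
    """Decode a plaintext TLS alert record into (level_name, description_name).

    A well-formed alert is a 5-byte record header (type, version, length)
    followed by exactly two bytes: AlertLevel and AlertDescription.  A record
    whose declared or actual body length is not 2 is rejected, which is the
    situation a library reports as an unexpected packet length.
    """
    if len(record) < 5:
        raise AlertParseError("record shorter than the 5-byte TLS header")
    ctype, _major, _minor, length = struct.unpack("!BBBH", record[:5])
    if ctype != CONTENT_TYPE_ALERT:
        raise AlertParseError(f"not an alert record (content type {ctype})")
    body = record[5:5 + length]
    if length != 2 or len(body) != 2:
        raise AlertParseError(
            f"unexpected packet length: alert body is {len(body)} bytes, expected 2")
    level, desc = body[0], body[1]
    return (ALERT_LEVELS.get(level, f"unknown_level({level})"),
            ALERT_DESCRIPTIONS.get(desc, f"unknown_description({desc})"))


def client_context_server_auth_only() -> ssl.SSLContext:
    """'No client credentials': the client verifies the server's certificate
    and presents none of its own.  This is how a browser talks to a web server."""
    # verify_mode is CERT_REQUIRED and check_hostname is True; no load_cert_chain().
    return ssl.create_default_context(ssl.Purpose.SERVER_AUTH)


def server_context_mutual_auth() -> ssl.SSLContext:
    """Client authentication: the server additionally demands a client certificate.
    A client that sends none gets a fatal alert instead of a finished handshake."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED
    # In real use, ctx.load_cert_chain(...) and ctx.load_verify_locations(...)
    # supply the server's own certificate and the CA that issued client certificates.
    return ctx


def anonymous_suites_enabled(ctx: ssl.SSLContext) -> bool:
    """True if any negotiable suite authenticates nobody (OpenSSL's aNULL group,
    which is what 'anonymous authentication' means in TLS)."""
    return any(c["auth"] == "auth-null" for c in ctx.get_ciphers())


if __name__ == "__main__":
    # Constructed sample records: a warning close_notify and a fatal protocol_version.
    print(parse_alert_record(b"\x15\x03\x01\x00\x02\x01\x00"))
    print(parse_alert_record(b"\x15\x03\x01\x00\x02\x02\x46"))
    print("aNULL in default client context:",
          anonymous_suites_enabled(client_context_server_auth_only()))
```

The default client context already excludes the aNULL group, which is the same recommendation the Apache guide quoted above makes for servers; the mutual-authentication context differs from the server-only one only in `verify_mode`, which is the whole of the "client authentication" distinction at the API level.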
