[gnutls-devel] [PATCH] gnutls-cli-debug should accept TLS 1.2-only servers

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Jan 8 21:57:59 CET 2014


Without this patch, a TLS 1.2-only server will not be properly
investigated by gnutls-cli-debug.

e.g. a server like:

  gnutls-serv --x509keyfile=server/secret.key --x509certfile=server/x509.pem --priority 'NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2'

gets this failed analysis:

0 dkg at alice:~$ gnutls-cli-debug --port 5556 localhost
Resolving 'localhost'...
Connecting to '::1:5556'...
Checking for SSL 3.0 support... no
Checking whether %COMPAT is required... yes
Checking for TLS 1.0 support... no
Checking for TLS 1.1 support... no
Checking fallback from TLS 1.1 to... failed
Checking for TLS 1.2 support... yes
Checking whether we need to disable TLS 1.2... N/A
Checking whether we need to disable TLS 1.1... no

Server does not support any of SSL 3.0, TLS 1.0 and TLS 1.1
0 dkg at alice:~$
---
 src/cli-debug.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/cli-debug.c b/src/cli-debug.c
index 6110184..f6e4c16 100644
--- a/src/cli-debug.c
+++ b/src/cli-debug.c
@@ -63,6 +63,7 @@ unsigned int verbose = 0;
 
 extern int tls1_ok;
 extern int tls1_1_ok;
+extern int tls1_2_ok;
 extern int ssl3_ok;
 
 static void tls_log_func(int level, const char *str)
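Review bot: the new `extern int tls1_2_ok;` only compiles and links if a non-static `int tls1_2_ok` is defined in the same translation unit that defines `tls1_ok` and `tls1_1_ok`, and is actually set by the TLS 1.2 probe (the sample output above does report "Checking for TLS 1.2 support... yes", so a flag for it presumably exists); please confirm the definition is there and that it is updated in the same place as the other version flags, since the patch does not add one.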
@@ -248,10 +249,10 @@ int main(int argc, char **argv)
 
 		/* if neither of SSL3 and TLSv1 are supported, exit
 		 */
-		if (i > 6 && tls1_1_ok == 0 && tls1_ok == 0
+		if (i > 6 && tls1_2_ok == 0 && tls1_1_ok == 0 && tls1_ok == 0
 		    && ssl3_ok == 0) {
 			fprintf(stderr,
-				"\nServer does not support any of SSL 3.0, TLS 1.0 and TLS 1.1\n");
+				"\nServer does not support any of SSL 3.0, TLS 1.0 and TLS 1.1 and TLS 1.2\n");
 			break;
 		}
 
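Review bot: the comment above the condition, "if neither of SSL3 and TLSv1 are supported, exit", is now stale, since the test covers SSL 3.0 through TLS 1.2; update it to match, e.g. "if none of SSL 3.0, TLS 1.0, TLS 1.1 or TLS 1.2 is supported, exit". The new message "SSL 3.0, TLS 1.0 and TLS 1.1 and TLS 1.2" also reads awkwardly; "Server does not support any of SSL 3.0, TLS 1.0, TLS 1.1 or TLS 1.2" is clearer. Also worth a look: the `i > 6` guard is a magic index into the test table, and if the TLS 1.2 probe sits later in the table than that position the early-exit could still fire before `tls1_2_ok` has been set; please check the ordering of the tests against that threshold.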
-- 
1.8.5.2