[Help-gnutls] Re: Problem starting gnutls-serv with PSK support

Simon Josefsson simon at josefsson.org
Thu Jan 11 15:14:04 CET 2007


Sebastian Hans <sebastian_hans at yahoo.com> writes:

> Hi,
>
> I have problems starting gnutls-serv with support for the PSK key exchange. When I run gnutls-cli-debug against the server, the output shows that no protocol is supported.
>
> To start gnutls-serv I use the following command:
>
> gnutls-serv -d 10 -p 4433 --http --ciphers AES --protocols TLS1.1 --kx PSK --pskpasswd sha16.psk
>
> The output generated by gnutls-cli-debug is:
>
> C:\downloads\SSL-APIs\GnuTLS\bin>gnutls-cli-debug localhost -p 4433
> Resolving 'localhost'...
> Connecting to '127.0.0.1:4433'...
> Checking for TLS 1.1 support... no
> Checking fallback from TLS 1.1 to... failed
> Checking for TLS 1.0 support... no
> Checking for SSL 3.0 support... no
>
> Server does not support none of SSL 3.0, TLS 1.0 and TLS 1.1

Yeah, gnutls-cli-debug doesn't try with that many cipher suites, so it
will fail to negotiate anything if the server only supports strange
ciphers.  This isn't Windows-specific.

I think we could make gnutls-serv always support ANON_DH by using
static DH parameters, unless the user provided real parameters.  But
if a server only supports, say, PSK, gnutls-cli-debug will not be able
to connect unless it knows the PSK details.

> I tried a lot of variations but nothing worked.

Try to use gnutls-cli directly instead:

$ ./gnutls-cli localhost -p 4433 --pskusername jas --pskkey db2d5ef736e7e03a167f25dd2023d19a
Resolving 'localhost'...
Connecting to '127.0.0.1:4433'...
- Version: TLS 1.1
- Key Exchange: PSK
- Cipher: AES 128 CBC
- MAC: SHA
- Compression: DEFLATE
- Handshake was completed

- Simple Client Mode:
...

/Simon




