Oracle Weblogic 10.3 + gnutls-cli = A TLS fatal...

Simon Josefsson simon at josefsson.org
Wed Feb 17 18:16:41 CET 2010


Michael Meyer <mime at gmx.de> writes:

> *** Simon Josefsson <simon at josefsson.org> wrote:
>> Michael Meyer <mime at gmx.de> writes:
>  
>> > I did. ;) If even one option is away, it no longer works.
>> 
>> Wow.  Then it is the most broken TLS server I've heard of so far.  I
>> wonder what TLS stack that is...
>
> No Idea. I can do any test you suggested.

Identifying that with confidence requires access to the server to look
at the actual server system.  Looking at logs and/or the binaries may
help.

>> > Anybody interested to help? ;)
>> 
>> I'll certainly try to help by answering questions.  Anything in
>> particular you need help with?
>
> I'm not a C-developer, just a plugin-writer. But you can see my
> Bug-Report at
>
> http://wald.intevation.org/tracker/index.php?func=detail&aid=1278&group_id=29&atid=220
>
> I think that one of our developers will subscribe to this list and can
> provide more specific questions. I can't, I have only little knowledge in C.

I don't think defaulting to insecure mode is a good idea.  What we
recommend is to use the default, and expose the "priority string"
interface to configuration.  Then administrators can choose to add
priority strings that may be necessary to talk to some broken server.
The proper solution is always to fix the broken server, but in the
meantime, having a configuration option to work around it is useful.
Using GnuTLS in known insecure modes just because there are broken
servers out there doesn't seem like a good idea.  Then you might as well
not use TLS at all, and just use TCP?

Anyway, in general it is not possible to configure GnuTLS to *always*
get a connection up, since some bugs in other components may be severe
enough that it simply isn't possible.

I suspect something in your design needs to reflect these ideas, but I
don't know OpenVAS enough to say what.

/Simon
