[gnutls-help] No supported cipher suites have been found.

Mike Mestnik cheako+gnutls at mikemestnik.net
Sun Dec 13 00:29:10 CET 2015 

Still chipping away at this and I've found a way to get more information.

Here is the Client Hello I'm sending:
Data::Hexdumper: data length isn't an integer multiple of lines
so has been padded with NULLs at the end.
  0x0000 : 16 03 03 00 35 01 00 00 31 03 03 56 6C 90 CA C5 : ....5...1..Vl...
  0x0010 : C5 4D 73 22 ED E3 D9 0E 86 53 CB 94 E6 35 2C 2B : .Ms".....S...5,+
  0x0020 : 91 6F 6D A7 35 D5 2E 6D 7E D6 47 00 00 02 00 2F : .om.5..m~.G..../
  0x0030 : 01 00 00 06 00 09 00 02 01 01 00 00 00 00 00 00 : ................

and the resulting log level 99:
[ 4718| 3] ASSERT: mpi.c:240
[ 4718| 3] ASSERT: gnutls_dh.c:332
[ 4718|13] armor filter: decode
[ 4718| 3] ASSERT: stream.c:952
[ 4718|13] free armor filter
[ 4718|13] armor filter: decode
[ 4718| 3] ASSERT: stream.c:952
[ 4718|13] free armor filter
[ 4718| 3] ASSERT: pgp.c:166
[ 4718| 3] ASSERT: stream.c:952
[ 4718| 3] ASSERT: privkey.c:1230
[ 4718| 3] ASSERT: privkey.c:1230
[ 4718| 3] ASSERT: pgp.c:166
[ 4718| 3] ASSERT: pgp.c:1644
[ 4718| 3] ASSERT: pgp.c:1644
[ 4718| 3] ASSERT: privkey.c:1230
[ 4718| 3] ASSERT: privkey.c:1230
[ 4718| 9] Signing using master PGP key
[ 4718| 3] ASSERT: privkey.c:1230







[ 4718| 5] REC[0x93332b0]: Allocating epoch #0
New connection from localhost on socket 6 index 0
[ 4718| 3] ASSERT: gnutls_constate.c:588
[ 4718| 5] REC[0x93332b0]: Allocating epoch #1
[ 4718| 3] ASSERT: gnutls_buffers.c:1154
[ 4718|10] READ: Got 5 bytes from 0x6
[ 4718|10] READ: read 5 bytes from 0x6
[ 4718|10] RB: Have 0 bytes into buffer. Adding 5 bytes.
[ 4718|10] RB: Requested 5 bytes
[ 4718| 5] REC[0x93332b0]: SSL 3.3 Handshake packet received. Epoch 0,
length: 53
[ 4718| 5] REC[0x93332b0]: Expected Packet Handshake(22)
[ 4718| 5] REC[0x93332b0]: Received Packet Handshake(22) with length: 53
[ 4718|10] READ: Got 53 bytes from 0x6
[ 4718|10] READ: read 53 bytes from 0x6
[ 4718|10] RB: Have 5 bytes into buffer. Adding 53 bytes.
[ 4718|10] RB: Requested 58 bytes
[ 4718| 5] REC[0x93332b0]: Decrypted Packet[0] Handshake(22) with length: 53
[ 4718|13] BUF[REC]: Inserted 53 bytes of Data(22)
[ 4718| 4] HSK[0x93332b0]: CLIENT HELLO (1) was received. Length
49[49], frag offset 0, frag length: 49, sequence: 0
[ 4718| 4] HSK[0x93332b0]: Client's version: 3.3
[ 4718| 4] HSK[0x93332b0]: Selected version TLS1.2
[ 4718| 3] ASSERT: gnutls_db.c:263
[ 4718| 4] EXT[0x93332b0]: Found extension 'CERT TYPE/9'
[ 4718| 4] EXT[0x93332b0]: Found extension 'CERT TYPE/9'
[ 4718| 4] EXT[0x93332b0]: Parsing extension 'CERT TYPE/9' (2 bytes)
[ 4718| 3] ASSERT: cert_type.c:120
[ 4718| 3] ASSERT: cert_type.c:136
[ 4718| 3] ASSERT: server_name.c:307
[ 4718| 4] HSK[0x93332b0]: Requested PK algorithm: RSA (1) -- ctype: X.509 (1)
[ 4718| 3] ASSERT: cert.c:2059
[ 4718| 3] ASSERT: ciphersuites.c:1355
[ 4718| 2] Could not find an appropriate certificate: Insufficient
credentials for that request.
[ 4718| 3] ASSERT: ciphersuites.c:1430
[ 4718| 3] ASSERT: gnutls_handshake.c:964
[ 4718| 3] ASSERT: gnutls_handshake.c:665
[ 4718| 3] ASSERT: gnutls_handshake.c:2277
[ 4718| 3] ASSERT: gnutls_handshake.c:1481
[ 4718| 3] ASSERT: gnutls_handshake.c:3125
[ 4718| 5] REC[0x93332b0]: Start of epoch cleanup
[ 4718| 5] REC[0x93332b0]: End of epoch cleanup
[ 4718| 5] REC[0x93332b0]: Epoch #0 freed
[ 4718| 5] REC[0x93332b0]: Epoch #1 freed


Thus it looks like \x1 isn't a currently loaded cert type.  How can I
tell what type of cert is loaded into the session's credentials?

On Fri, Dec 11, 2015 at 2:22 PM, Mike Mestnik
<cheako+gnutls at mikemestnik.net> wrote:
> Is there a way to figure out more specifically what is wrong with a
> ClientHello?  I've been toying with the idea of implementing the
> handshake portion in perl, but currently I've no working client to
> copy and no way of knowing what's wrong it would be pointless.
>
> Here is what I have so far:
> #!/usr/bin/env perl
>
> use IO::Socket::INET;
>
> my $socket = new IO::Socket::INET(
> PeerHost => '127.0.0.1',
> PeerPort => '4458',
> Proto    => 'tcp',
> );
>
> sub r{rand()*0xffffffff};
>
> my$a=sprintf'\x3\x3%s\x0%s%s\x0%s%s',pack('NL7',time(),r(),r(),r(),r(),r(),r(),r()),
> pack("n",8),sprintf'\x0\x40\x0\x6a\x0\x9',pack('C',1),sprintf'';
> my$b=sprintf'\x1\x0%s%s',pack('n',length$a),$a;
> $socket->send(sprintf'\x16\x3\x3%s%s',pack('n',length$b),$b);
> $socket->recv(my$r,4096);
> print $r;
>
> =pod
> 000005e0  16 03 01 00 fc 01 00 00  f8 03 03 56 69 bf 40 cc  |...........Vi. at .|
> 000005f0  ef 1c b1 5e 81 af cc 3c  4f a9 ca fe 05 a6 6c 0c  |...^...<O.....l.|
> 00000600  ae e5 24 fc 18 38 5f a0  bd 2b db 00 00 6c c0 2b  |..$..8_..+...l.+|
> 00000610  c0 2c c0 86 c0 87 c0 09  c0 23 c0 0a c0 24 c0 72  |.,.......#...$.r|
> 00000620  c0 73 c0 ac c0 ad c0 08  c0 2f c0 30 c0 8a c0 8b  |.s......./.0....|
> 00000630  c0 13 c0 27 c0 14 c0 28  c0 76 c0 77 c0 12 00 9c  |...'...(.v.w....|
> 00000640  00 9d c0 7a c0 7b 00 2f  00 3c 00 35 00 3d 00 41  |...z.{./.<.5.=.A|
> 00000650  00 ba 00 84 00 c0 c0 9c  c0 9d 00 0a 00 9e 00 9f  |................|
> 00000660  c0 7c c0 7d 00 33 00 67  00 39 00 6b 00 45 00 be  |.|.}.3.g.9.k.E..|
> 00000670  00 88 00 c4 c0 9e c0 9f  00 16 01 00 00 63 00 17  |.............c..|
> 00000680  00 00 00 16 00 00 00 05  00 05 01 00 00 00 00 00  |................|
> 00000690  09 00 03 02 00 01 00 00  00 0e 00 0c 00 00 09 6c  |...............l|
> 000006a0  6f 63 61 6c 68 6f 73 74  ff 01 00 01 00 00 23 00  |ocalhost......#.|
> 000006b0  00 00 0a 00 0c 00 0a 00  17 00 18 00 19 00 15 00  |................|
> 000006c0  13 00 0b 00 02 01 00 00  0d 00 16 00 14 04 01 04  |................|
> 000006d0  03 05 01 05 03 06 01 06  03 03 01 03 03 02 01 02  |................|
> 000006e0  03 00 00
>
>
> On Mon, Dec 7, 2015 at 2:30 AM, Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:
>> You can test gnutls-serv and gnutls-cli in the gnutls distribution
>> with the following options:
>> cd doc/credentials && ./../src/gnutls-serv --pgpkeyfile
>> openpgp/sec.asc --pgpcertfile openpgp/pub.asc --dhparams params.pem
>> --priority "NORMAL:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:+CTYPE-OPENPGP"
>>
>> cd src && ./gnutls-cli localhost -p 5556 --insecure --priority
>> "NORMAL:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:+CTYPE-OPENPGP"
>>
>>
>> regards,
>> Nikos
>>
>> On Mon, Dec 7, 2015 at 7:49 AM, Mike Mestnik
>> <cheako+gnutls at mikemestnik.net> wrote:
>>> From a tip on IRC, I've included the results of a test from the
>>> gnutls-cli application.  This is to rule out an issue where a non cert
>>> type supporting client might be causing problems.
>>>
>>> https://travis-ci.org/cheako/ihlt/builds/95292899
>>>
>>> At the end, when the other connections from perl fail, there is a test
>>> from gnutls-client.  Same failure.
>>>
>>> Is there an issue with non cert type clients?  Would that also be
>>> mapped to "No supported cipher suites..." error?  Can i have a patch
>>> where this error has it's own message?
>>>
>>> On Wed, Dec 2, 2015 at 7:54 PM, Mike Mestnik
>>> <cheako+gnutls at mikemestnik.net> wrote:
>>>> I'm writing an example application using gnutls and I'm wondering how
>>>> to get SSL support for RFC 6091, as found in gnutls.
>>>>
>>>> https://github.com/cheako/ihlt/tree/24f6f08cf7c4c118550858718f0a3bb07d3bfa6b
>>>>
>>>> # This gives the same error as [1]perl, so I'm thinking I've a genuine
>>>> problem with my implementation of the echo server.
>>>> gnutls-cli -p 4458 --pgpkeyfile=example/openpgp-secret.txt
>>>> --pgpcertfile=example/openpgp-server.txt localhost
>>>>
>>>> See also:
>>>> 1. http://www.perlmonks.org/?node_id=1149241
>>>
>>> _______________________________________________
>>> Gnutls-help mailing list
>>> Gnutls-help at lists.gnutls.org
>>> http://lists.gnupg.org/mailman/listinfo/gnutls-help

More information about the Gnutls-help mailing list