- Package: src:gnutls28
- Source: gnutls28
- Submitter: root
- Date: 2015-06-30 05:12:05 UTC
- Severity: normal
libgnutls7 has some problems talking to older servers which do not support TLSv1. I found the problem while accessing an NDS 8 LDAP server:

    gnutls-cli -p 636 ldap
    Resolving 'ldap'...
    Connecting to '134.93.226.34:636'...
    *** Received alert [40]: Handshake failed
    *** Handshake has failed
    GNUTLS ERROR: A TLS fatal alert has been received.

gnutls-cli --protocols ssl3 -p 636 ldap and openssl s_client --port ldaps --host ldap are both successful. While I can include the ssl3 option with gnutls-cli, I can't do so with other applications like ldapsearch or nss_ldap which link to libgnutls7. So please fix the bug or introduce a config file where one can configure the used protocols.

The problem is also discussed on http://mail.gnu.org/archive/html/help-gnutls/2003-03/msg00000.html

Christoph
root wrote:

Can you give the output of gnutls-cli-debug as well? It uses the same parameters. I tried it, but I guess my traffic is filtered out :)

Ivo
Ivo Timmermans wrote:

The box is behind a firewall. But you can get the same behavior with gnutls-cli -p 563 news.mozilla.org

This is the output of -debug:

    gnutls-cli-debug -p 636 ldap
    Resolving 'ldap'...
    Connecting to '134.93.226.34:636'...
    Checking for TLS 1.0 support... no
    Checking for SSL 3.0 support... yes
    Checking for certificate information...
     - Certificate type: X.509
    Checking for version rollback bug in RSA PMS... no
    Checking for version rollback bug in Client Hello... dunno
    Checking whether we need to disable TLS 1.0... yes
    Checking whether the server can accept Hello Extensions... no
    Checking whether the server can accept cipher suites not in SSL 3.0 spec... no
    Checking whether the server understands TLS closure alerts... no
    Checking whether the server supports session resumption... yes
    Checking for export-grade ciphersuite support... no
    Checking for anonymous authentication support... no
    Checking for ephemeral Diffie Hellman support... no
    Checking for AES cipher support... no
    Checking for 3DES cipher support... no
    Checking for ARCFOUR cipher support... no
    Checking for MD5 MAC support... no
    Checking for SHA1 MAC support... no
    Checking for max record size TLS extension... no
    Checking for SRP authentication support (gnutls extension)... no
    Checking for OpenPGP authentication support (gnutls extension)... no

Christoph
Christoph Martin wrote:

For this server gnutls-cli-debug from 0.8.12 reports something other than 0.9.98, so maybe it's a bug that's been fixed already. I think this is the problem. I'll ask upstream.

Ivo
    severity 222230 normal
    tags 222230 = upstream,wontfix
    thanks

According to the author of gnutls, this is because the server doesn't understand the handshake that gnutls sends by default:

The error is in the "Netscape-Collabra/3.52" server. It should be a really ancient server. Try gnutls-cli on www.verisign.com (an SSL 3.0 server). It works fine there. The problem with the specific (Netscape) server is that it cannot handle an SSL 3.0 hello with a TLS version number. That kind of server only works fine if an SSL 2.0 hello is sent (that is what openssl does). Since gnutls does not send an SSL 2.0 hello there is no way it can properly communicate with this server, unless TLS 1.0 is disabled. HTH.

Ivo
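To make the failure mode the upstream author describes concrete, here is an added illustration that is not code from this bug report, GnuTLS or OpenSSL: it builds a minimal ClientHello, parses its record-layer and handshake version fields, and emulates both a strict SSL 3.0-only server that answers a newer client_version with alert 40 and a properly negotiating server that picks the highest common version. All function names, the cipher suite ids and the random bytes are hypothetical or constructed.

```python
import os
import struct

# SSL/TLS version numbers as they appear on the wire: (major, minor).
SSL3_0 = (3, 0)
TLS1_0 = (3, 1)

def build_client_hello(client_version, record_version=SSL3_0,
                       cipher_suites=(0x000A, 0x0005), session_id=b""):
    """Build a minimal SSLv3/TLS 1.0 ClientHello record (hypothetical helper).

    client_version is the highest version offered in the handshake body;
    record_version is the version in the record-layer header. The cipher
    suite ids and the random are constructed sample values.
    """
    random = struct.pack(">I", 0) + os.urandom(28)          # gmt_unix_time + 28 bytes
    suites = b"".join(struct.pack(">H", s) for s in cipher_suites)
    body = (bytes(client_version) + random
            + bytes([len(session_id)]) + session_id
            + struct.pack(">H", len(suites)) + suites
            + b"\x01\x00")                                   # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = client_hello
    return (b"\x16" + bytes(record_version)                  # content type 22 = handshake
            + struct.pack(">H", len(handshake)) + handshake)

def parse_client_hello(record):
    """Return (record_version, client_version) from a ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake/client_hello record")
    hs_len = int.from_bytes(record[6:9], "big")
    if len(record) != 9 + hs_len:
        raise ValueError("truncated record")
    return (record[1], record[2]), (record[9], record[10])

def legacy_ssl3_server(record):
    """Emulate the behaviour the thread attributes to the old Netscape server:
    it only knows SSL 3.0 and, rather than negotiating down, answers any
    newer client_version with a fatal handshake_failure alert (number 40)."""
    _, client_version = parse_client_hello(record)
    if client_version != SSL3_0:
        return ("alert", 40)
    return ("server_hello", SSL3_0)

def negotiating_server(record, max_version=SSL3_0):
    """A server that negotiates correctly picks the highest common version,
    so a TLS 1.0 hello is answered with SSL 3.0 instead of an alert."""
    _, client_version = parse_client_hello(record)
    return ("server_hello", min(client_version, max_version))
```

In this model the default gnutls-cli hello corresponds to build_client_hello(TLS1_0) and --protocols ssl3 to build_client_hello(SSL3_0); only the latter is accepted by the legacy emulation, which is the "disable TLS 1.0" workaround the thread ends on.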