Richard A Nelson <[EMAIL PROTECTED]> writes:

> On Sun, 12 Oct 2008, Simon Josefsson wrote:
>
>> I was wrong, it doesn't work like that. GnuTLS doesn't send the
>> server_name extension by default, the application needs to call
>> gnutls_server_name_set explicitly to enable it. For gnutls-cli, you can
>> use --disable-extensions to avoid sending the server name:
>>
>> gnutls-cli -p 636 bluepages.ibm.com -d 4711 --priority NORMAL:-VERS-TLS1.1
>> --disable-extensions
>
> *** Fatal error: A TLS packet with unexpected length was received.
> *** Handshake has failed
> GNUTLS ERROR: A TLS packet with unexpected length was received.

That means either TLS 1.0 or the cert_type extension is the problem.
Since your earlier e-mail tested the case with TLS 1.0 and no cert_type
extension (but a server_name extension) we can conclude that either of
these two extensions causes trouble.

>> To disable both cert_type and server_name use:
>>
>> gnutls-cli -d 4711 -p 443 yxa.extundo.com --priority
>> NORMAL:-VERS-TLS1.1:-CTYPE-OPENPGP --disable-extensions
>
> works (after substituting bluepages.ibm.com) - which took me a minute to
> catch ;)

Ah, sorry. Ok, this is good! It means TLS 1.0 without any extensions
(neither cert_type nor server_name) works.

>> Maybe TLS 1.1 isn't the problem, if so this should work:
>>
>> gnutls-cli -d 4711 -p 443 yxa.extundo.com --priority NORMAL:-CTYPE-OPENPGP
>> --disable-extensions
>
> *** Fatal error: A TLS packet with unexpected length was received.
> *** Handshake has failed
> GNUTLS ERROR: A TLS packet with unexpected length was received.

Ouch, so the problem appears to have TWO bugs:

- Rejects connections where the client advertised support for cert_type
  or server_name extensions (possibly any extension breaks)
- Rejects connections where the client advertised support for TLS 1.1

In other words, to talk with this server you need to:

1) Disable cert_type extension (-CERT-OPENPGP)
2) Disable server_name extension (--disable-extensions with gnutls-cli)
3) Disable TLS 1.1

I have no idea how to achieve 2) in openldap; it can't be done via a
priority string. Hopefully openldap doesn't call the gnutls function to
set the server name. Hm. It doesn't, I checked the source code. So you
should be OK for the time being. Specifically, the
NORMAL:-VERS-TLS1.1:-CTYPE-OPENPGP priority string works against the
server, assuming server_name extension isn't sent.

>> I really hope one of these commands work. I think it would mean we
>> understand the server's bug, and know how to work around it without
>> resorting to falling back to SSL 3.0.
>
> So it looks like it is indeed TLS 1.1 that is the problem ?

One of the problems, yes.

Hurray, I think we can finally close this bug. Or do you think there is
anything more that can be done?

/Simon

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
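To make the diagnosis above checkable against a captured ClientHello, here is an added example (not part of the thread, of GnuTLS or of openldap) that parses the handshake message and reports which of the three triggers the thread identifies are present: a client_version above TLS 1.0, a server_name extension, or a cert_type extension. The ClientHello bytes, the hostname and the cipher suite are constructed in the script.

```python
import struct

TLS10, TLS11 = (3, 1), (3, 2)
EXT_SERVER_NAME, EXT_CERT_TYPE = 0, 9   # extension type codes (RFC 6066, RFC 6091)

def build_client_hello(version, extensions=()):
    """Construct a minimal ClientHello record (constructed sample data, not a capture)."""
    body = bytes(version) + bytes(32)            # client_version + zeroed random
    body += b"\x00"                              # empty session_id
    body += struct.pack(">H", 2) + b"\x00\x2f"   # one cipher suite (TLS_RSA_WITH_AES_128_CBC_SHA)
    body += b"\x01\x00"                          # one compression method: null
    if extensions:                               # extensions block is optional in TLS 1.0
        ext = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack(">H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type 1 = client_hello
    return b"\x16" + bytes(TLS10) + struct.pack(">H", len(hs)) + hs   # record type 22 = handshake

def analyze_client_hello(record):
    """Return client_version, the extension types sent, and which of the thread's
    three triggers (TLS 1.1, server_name, cert_type) the hello would set off."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    version = (body[0], body[1])
    pos = 34                                                 # skip client_version + random
    pos += 1 + body[pos]                                     # session_id
    pos += 2 + struct.unpack(">H", body[pos:pos + 2])[0]     # cipher_suites
    pos += 1 + body[pos]                                     # compression_methods
    ext_types = []
    if pos < len(body):                                      # extensions present
        ext_len = struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos < end:
            ext_type, ext_data_len = struct.unpack(">HH", body[pos:pos + 4])
            ext_types.append(ext_type)
            pos += 4 + ext_data_len
    triggers = []
    if version > TLS10:
        triggers.append("TLS 1.1+ version")
    if EXT_SERVER_NAME in ext_types:
        triggers.append("server_name extension")
    if EXT_CERT_TYPE in ext_types:
        triggers.append("cert_type extension")
    return {"version": version, "extensions": ext_types, "triggers": triggers}

# Constructed server_name data for "example.test" (placeholder host) and a cert_type list
# advertising X.509 (0) and OpenPGP (1), as a default GnuTLS client of that era might send.
SNI_DATA = struct.pack(">H", 15) + b"\x00" + struct.pack(">H", 12) + b"example.test"
CERT_TYPE_DATA = b"\x02\x00\x01"
```

An empty `triggers` list corresponds to the hello produced by `--priority NORMAL:-VERS-TLS1.1:-CTYPE-OPENPGP --disable-extensions`, the only combination the thread found the server to accept.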