[gnutls-dev] gnutls-cli fallback to ssl3

Nikos Mavroyanopoulos nmav at gnutls.org
Fri Dec 5 22:56:05 CET 2003


On Fri, Dec 05, 2003 at 07:00:22PM +0100, Ivo Timmermans wrote:

> Hi,
> It seems that gnutls-cli can't fall back on SSL3 if TLS1 is not
> available, is this an error in the program or in the library?
The error is in the "Netscape-Collabra/3.52" server. It should
be a really ancient server. Try gnutls-cli on www.verisign.com 
(an ssl 3.0 server). It works fine there. 

The problem with the specific (netscape) server is that it
cannot handle an SSL 3.0 with a TLS version number. That kind
of servers only works fine if an SSL 2.0 hello is sent 
(that what openssl does). Since gnutls does not send an SSL 2.0
hello there is no way it can properly communicate with this
server, unless TLS 1.0 is disabled.

> For example:
> 
> > gnutls-cli --protocols ssl3 -p 563 news.mozilla.org
> Resolving 'news.mozilla.org'...
> Connecting to '204.29.187.156:563'...
> - Certificate type: X.509
>  - Got a certificate list of 3 certificates.
> [...]
> 200 secnews.netscape.com Netscape-Collabra/3.52 03615 NNRP ready
> (posting ok).
> > gnutls-cli -p 563 news.mozilla.org
> Resolving 'news.mozilla.org'...
> Connecting to '204.29.187.156:563'...
> *** Fatal error: A TLS fatal alert has been received.
> *** Received alert [40]: Handshake failed
> *** Handshake has failed
> GNUTLS ERROR: A TLS fatal alert has been received.

> 	Ivo
> -- 
> /* I can't stand it anymore!  Please can't we just write the
>    whole Unix system in lisp or something? */
> 	- bash-2.02/unwind_prot.c

-- 
Nikos Mavroyanopoulos



More information about the Gnutls-dev mailing list