[gnutls-dev] Re: dh_param's required in client for anonymous kx in
1.1?
Simon Josefsson
simon+gnutls-dev at josefsson.org
Sat Dec 20 19:34:56 CET 2003
Nikos Mavroyanopoulos <nmav at gnutls.org> writes:
> On Sat, Dec 20, 2003 at 02:21:03PM +0100, Simon Josefsson wrote:
>
>> I'm using the anonymous key exchange, and I generate dh_param's in the
>> server, and it works fine with 1.0. With 1.1 (from CVS) however, I
>> get an error in the server:
>> shishi: TLS handshake failed (-32): Insufficient credentials for that request.
>
> gnutls-cli works fine in 1.1.0. Do you allocate and set the anon
> client credentials?
Yes.
err = gnutls_anon_allocate_server_credentials (&anoncred);
if (err)
error (EXIT_FAILURE, 0, "Cannot allocate GNUTLS credential: %s (%d)",
gnutls_strerror (err), err);
err = gnutls_dh_params_init (&dh_params);
if (err)
error (EXIT_FAILURE, 0, "Cannot initialize GNUTLS DH parameters: %s (%d)",
gnutls_strerror (err), err);
if (!arg.quiet_flag)
printf ("Generating Diffie-Hellman parameters...\n");
err = gnutls_dh_params_generate2 (dh_params, DH_BITS);
if (err)
error (EXIT_FAILURE, 0, "Cannot generate GNUTLS DH parameters: %s (%d)",
gnutls_strerror (err), err);
gnutls_anon_set_server_dh_params (anoncred, dh_params);
...
rc = gnutls_credentials_set (ls->session, GNUTLS_CRD_ANON, anoncred);
if (rc != GNUTLS_E_SUCCESS)
{
syslog (LOG_ERR, "TLS failed, gnutls_cs %d: %s", rc,
gnutls_strerror (rc));
return -1;
}
> If yes, please enable debugging(with level 2)
> and send me the output.
shishid: Trying STARTTLS
tls 2: ASSERT: gnutls_db.c:217
tls 2: EXT[8079568]: Received extension 'SERVER_NAME'
tls 2: ASSERT: auth_cert.c:1488
tls 2: ASSERT: gnutls_handshake.c:2440
tls 2: ASSERT: gnutls_handshake.c:550
tls 2: ASSERT: gnutls_handshake.c:351
tls 2: ASSERT: gnutls_handshake.c:1747
tls 2: ASSERT: gnutls_handshake.c:2184
shishid: TLS handshake failed (-32): Insufficient credentials for that request.
The interesting thing is that if I also set a X.509 credential in the
session:
rc = gnutls_credentials_set (ls->session, GNUTLS_CRD_CERTIFICATE,
x509cred);
if (rc != GNUTLS_E_SUCCESS)
{
syslog (LOG_ERR, "TLS failed, gnutls_cs X.509 %d: %s", rc,
gnutls_strerror (rc));
return -1;
}
The negotiation works, and negotiate anonymous TLS fine:
shishid: Trying STARTTLS
tls 2: ASSERT: gnutls_db.c:217
tls 2: EXT[8079608]: Received extension 'SERVER_NAME'
tls 2: ASSERT: gnutls_x509.c:1019
shishid: TLS handshake negotiated protocol `TLS 1.0', key exchange `Anon DH', certficate type `X.509', cipher `AES 256 CBC', mac `SHA', compression `NULL'
The KX's are:
const int kx_prio[] = { GNUTLS_KX_ANON_DH, 0 };
So I don't understand how adding the x.509 credential help, although
the gnutls_handshake code seem to have changed between 1.0.2 (which
works) and CVS (which doesn't) so perhaps the trace above help you.
Thanks.
More information about the Gnutls-dev
mailing list