[gnutls-dev] SRP compatibility problem between different GnuTLS version

Yoann Vandoorselaere yoann at prelude-ids.org
Thu Jan 25 12:17:08 CET 2007


Le jeudi 25 janvier 2007 à 11:21 +0100, Simon Josefsson a écrit :
> Yoann Vandoorselaere <yoann at prelude-ids.org> writes:
> 
> > Hi,
> >
> > It appear there are compatibility issues with SRP between different
> > GnuTLS version. As an example, peers using GnuTLS-1.4.0 are not able to
> > proceed authentication with peers using GnuTLS-1.4.5: the handshake
> > terminate with a "GnuTLS internal error".
> >
> > I suspect this is due to the following change in GnuTLS-1.4.2: 
> > ** Change SRP and Cert-Type extensions to match IANA registry.
> 
> Hi!  Ah, yes, I can see how that becomes an interoperability problem.
> 
> It seems bad if it causes internal errors though.  If I read you
> correctly, this only happens on the GnuTLS 1.4.0 side?  Does a 1.4.5
> peer terminate with an internal error when it tries to negotiate with
> a 1.4.0 peer?

[1.4.5 changed to 1.4.4].

It happen both way around: 
 - 1.4.0 client connecting to 1.4.4 server: fail. 
 - 1.4.4 client connecting to 1.4.0 server: fail.

gnutls_handshake() fail on both end of the peer returning -59 (GnuTLS
internal error).

When looking at the TLS debug log, one can see that a TLS alert is
raised (although it is never returned by gnutls_handshake): "The SRP
username was not sent".

See attached srp-server.log and srp-client.log TLS debug file.

[...]

-- 
Yoann Vandoorselaere <yoann at prelude-ids.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: srp-client.log
Type: text/x-log
Size: 3861 bytes
Desc: not available
Url : /pipermail/attachments/20070125/feaed161/attachment.bin 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: srp-server.log
Type: text/x-log
Size: 4723 bytes
Desc: not available
Url : /pipermail/attachments/20070125/feaed161/attachment-0001.bin 


More information about the Gnutls-dev mailing list