[gnutls-dev] SRP compatibility problem between different GnuTLS version
Yoann Vandoorselaere
yoann at prelude-ids.org
Thu Jan 25 12:17:08 CET 2007
On Thursday, 25 January 2007 at 11:21 +0100, Simon Josefsson wrote:
> Yoann Vandoorselaere <yoann at prelude-ids.org> writes:
>
> > Hi,
> >
> > It appears there are compatibility issues with SRP between different
> > GnuTLS versions. As an example, peers using GnuTLS-1.4.0 are not able to
> > proceed with authentication against peers using GnuTLS-1.4.5: the handshake
> > terminates with a "GnuTLS internal error".
> >
> > I suspect this is due to the following change in GnuTLS-1.4.2:
> > ** Change SRP and Cert-Type extensions to match IANA registry.
>
> Hi! Ah, yes, I can see how that becomes an interoperability problem.
>
> It seems bad if it causes internal errors though. If I read you
> correctly, this only happens on the GnuTLS 1.4.0 side? Does a 1.4.5
> peer terminate with an internal error when it tries to negotiate with
> a 1.4.0 peer?
[1.4.5 changed to 1.4.4].
It happens both ways around:
- 1.4.0 client connecting to 1.4.4 server: fails.
- 1.4.4 client connecting to 1.4.0 server: fails.
gnutls_handshake() fails on both ends of the connection, returning -59 (GnuTLS
internal error).
When looking at the TLS debug log, one can see that a TLS alert is
raised (although it is never returned by gnutls_handshake()): "The SRP
username was not sent".
See the attached srp-server.log and srp-client.log TLS debug files.
[...]
--
Yoann Vandoorselaere <yoann at prelude-ids.org>
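Added example (not code from the thread or from GnuTLS): a small ClientHello extension walker that shows why an extension-type renumbering produces exactly the "SRP username was not sent" symptom. It assumes the IANA srp extension type 12 (RFC 5054, `opaque srp_I<1..2^8-1>` with a one-byte length prefix) and uses 6 as a placeholder for the pre-IANA value, which is an assumption rather than a figure taken from the thread; the ClientHello bytes are constructed inline.

```python
import struct

SRP_EXT_TYPE = 12        # IANA-registered "srp" extension type (RFC 5054)
OLD_SRP_EXT_TYPE = 6     # assumed pre-IANA GnuTLS value; placeholder, not from the thread

def srp_ext_data(username):
    """RFC 5054 srp extension_data: opaque srp_I<1..2^8-1> (1-byte length prefix)."""
    raw = username.encode()
    return bytes([len(raw)]) + raw

def build_client_hello(extensions):
    """Constructed minimal TLS 1.0 ClientHello body carrying the given (type, data) extensions."""
    body = b"\x03\x01"                  # client_version: TLS 1.0
    body += b"\x00" * 32                # random (zeroed in this constructed sample)
    body += b"\x00"                     # session_id: empty
    body += b"\x00\x02\x00\x2f"         # one placeholder cipher suite
    body += b"\x01\x00"                 # compression_methods: null only
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    return body + struct.pack("!H", len(ext_bytes)) + ext_bytes

def parse_extensions(hello):
    """Walk past the fixed ClientHello fields and return {extension_type: extension_data}."""
    off = 2 + 32                                            # version + random
    off += 1 + hello[off]                                   # session_id
    off += 2 + struct.unpack("!H", hello[off:off + 2])[0]   # cipher_suites
    off += 1 + hello[off]                                   # compression_methods
    if off >= len(hello):
        return {}                                           # no extensions block at all
    end = off + 2 + struct.unpack("!H", hello[off:off + 2])[0]
    off += 2
    exts = {}
    while off + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[off:off + 4])
        off += 4
        exts[ext_type] = hello[off:off + ext_len]
        off += ext_len
    return exts

def srp_username(hello, expected_type=SRP_EXT_TYPE):
    """Server-side view: look only for the extension type this build knows.
    None is the condition behind the "SRP username was not sent" alert."""
    data = parse_extensions(hello).get(expected_type)
    if not data:
        return None
    return data[1:1 + data[0]].decode()

# Same username, two encodings: a peer reading the IANA type misses the old one.
NEW_HELLO = build_client_hello([(SRP_EXT_TYPE, srp_ext_data("alice"))])
OLD_HELLO = build_client_hello([(OLD_SRP_EXT_TYPE, srp_ext_data("alice"))])
```

`srp_username(NEW_HELLO)` yields the username, while `srp_username(OLD_HELLO)` and `srp_username(NEW_HELLO, OLD_SRP_EXT_TYPE)` both yield None, which is the mismatch in each direction of the thread's two failing combinations.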