iDevice GnuTLS issue with iOS 4.2 - libimobiledevice

Jeffrey Walton noloader at gmail.com
Tue Nov 23 10:29:31 CET 2010 

On Tue, Nov 23, 2010 at 4:08 AM, Nikos Mavrogiannopoulos
<nmav at gnutls.org> wrote:
> I'd suggest that you use the priority_set_direct() function. Check the examples
> in the gnutls documentation for details. Does gnutls-cli work on the server you
> are connecting? What is the output of gnutls-cli-debug?
An FYI.... I have not been able to get the examples* to work. I've
tried connecting to my Windows 2003/IIS 6 machine, and Simon's host at
test.gnutls.org:5556.

Usually, gnutls_handshake() fails with one of the following (I do a
lot of knob turning on failures). In all cases,
gnutls_error_is_fatal() is true.

    GNUTLS_E_UNEXPECTED_PACKET_LENGTH: -9
    GNUTLS_E_INVALID_SESSION: -10
    GNUTLS_E_FATAL_ALERT_RECEIVED: -12

In my case, both gnutls-cli and gnutls-cli-debug connect and probe the
IIS 6.0 host. I seem to recall problem's with Simon's host, though.
When I found problems with both hosts, I stopped using Simon's host.

I've tried different 'priority direct' strings:
"PERFORMANCE:+ANON-DH:!ARCFOUR-128" (from the example)
"PERFORMANCE:+VERS-TLS1.0:+ANON-DH:!ARCFOUR-128"
 "NORMAL:-VERS-TLS1.2:-VERS-TLS1.1:+VERS-TLS1.0:+RSA:+SHA1"
 "NORMAL:-VERS-TLS1.2:-VERS-TLS1.1:+VERS-TLS1.0:+RSA:+SHA1:+ANON-DH"

I've also tried different protocols in calls to
gnutls_protocol_set_priority(). My current array is:
    static const int protocols[] =
        { /*GNUTLS_TLS1_2, GNUTLS_TLS1_1,*/ GNUTLS_TLS1_0, GNUTLS_SSL3, 0 };

Jeff

* Specifically, the first client example (anonymous auth) at
http://www.gnu.org/software/gnutls/manual/html_node/Client-examples.html#Client-examples

> On Mon, Nov 22, 2010 at 12:17 AM, Nikias Bassen <nikias at gmx.li> wrote:
>> Hi,
>>
>> I'm a leading developer of libimobiledevice (http://libimobiledevice.org/) and
>> we are facing a GnuTLS issue. The lockdown protocol is initializing an SSLv3
>> session and since iOS 4.2 the handshake fails when using GnuTLS. Further
>> investigation showed that the error is GNUTLS_E_FATAL_ALERT_RECEIVED -12,
>> Error: Could not negotiate a supported cipher suite.
>> However, I replaced the appropiate ssl code using OpenSSL and got it working.
>> Debugging output showed that the cipher is AES256-SHA, but surprisingly this
>> is the same cipher that we have with pre-4.2 devices using GnuTLS.
>>
>> We have no clue what might be wrong here as it has been working since 4.2b
>> arrived, so I'd like to ask if anyone here might be able to help us
>> investigating this issue? Tell me what info you need and I'll get it for you.
>>
>> The device is the server and libimobiledevice code the client side of the
>> communication.
>>
>> Our code is here: http://cgit.sukimashita.com/libimobiledevice.git/
>> The SSL code is in src/idevice.c, the handshake is implemented in
>> idevice_connection_enable_ssl(). If you have questions about the code just
>> ask. You can reach us in #libimobiledevice on FreeNode too.
>>
>> Regards,
>> Nikias
>>

More information about the Gnutls-devel mailing list