iDevice GnuTLS issue with iOS 4.2 - libimobiledevice

Nikias Bassen nikias at gmx.li
Wed Nov 24 06:25:20 CET 2010


Hi,

we found out that the certificate checking is more strict now as it seems. I
have the following question. Using openssl, we do the following:

if (SSL_CTX_use_certificate_file(ssl_ctx,
  "/path/to/certificate.pem",
  SSL_FILETYPE_PEM) != 1) {
	debug_info("WARNING: Could not load RootCertificate");
}
if (SSL_CTX_use_RSAPrivateKey_file(ssl_ctx,
  "/path/to/privatekey.pem",
  SSL_FILETYPE_PEM) != 1) {
	debug_info("WARNING: Could not load RootPrivateKey");
}

What is the equivalent to this when using gnutls?

Thanks
Nikias

On Tue, 23 Nov 2010 10:08:20 +0100
Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:

> I'd suggest that you use the priority_set_direct() function. Check the examples
> in the gnutls documentation for details. Does gnutls-cli work on the server you
> are connecting? What is the output of gnutls-cli-debug?
> 
> regards,
> Nikos
> 
> On Mon, Nov 22, 2010 at 12:17 AM, Nikias Bassen <nikias at gmx.li> wrote:
> > Hi,
> >
> > I'm a leading developer of libimobiledevice (http://libimobiledevice.org/) and
> > we are facing a GnuTLS issue. The lockdown protocol is initializing an SSLv3
> > session and since iOS 4.2 the handshake fails when using GnuTLS. Further
> > investigation showed that the error is GNUTLS_E_FATAL_ALERT_RECEIVED -12,
> > Error: Could not negotiate a supported cipher suite.
> > However, I replaced the appropriate ssl code using OpenSSL and got it working.
> > Debugging output showed that the cipher is AES256-SHA, but surprisingly this
> > is the same cipher that we have with pre-4.2 devices using GnuTLS.
> >
> > We have no clue what might be wrong here as it has been working since 4.2b
> > arrived, so I'd like to ask if anyone here might be able to help us
> > investigate this issue? Tell me what info you need and I'll get it for you.
> >
> > The device is the server and libimobiledevice code the client side of the
> > communication.
> >
> > Our code is here: http://cgit.sukimashita.com/libimobiledevice.git/
> > The SSL code is in src/idevice.c, the handshake is implemented in
> > idevice_connection_enable_ssl(). If you have questions about the code just
> > ask. You can reach us in #libimobiledevice on FreeNode too.
> >
> > Regards,
> > Nikias
> >
> > _______________________________________________
> > Gnutls-devel mailing list
> > Gnutls-devel at gnu.org
> > http://lists.gnu.org/mailman/listinfo/gnutls-devel
> >
> 



