Error when viewing HTTPS pages with a browser using GnuTLS

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Mar 28 22:13:35 CEST 2012


On 03/28/2012 09:17 AM, Matthew Carter wrote:
> You can see an occurrence of the first error at:
> 
> https://time.techni-serve.com
> 
> you can also see a similar error ("SSL Handshake Failed") via:
> 
> https://www.microsoft.com
> 
> The failure is consistent with both the vimprobable2 browser and using
> the gnutls-cli to connect (same error message in output in both cases).

Thanks!  I see the same thing you do with gnutls-cli, so i can confirm
this as an issue with their servers.  I see those connection failures
even with the priority string NORMAL:+%COMPAT :(

FWIW, i can get connections to work with both of the above using the
following priority string:

  NORMAL:-VERS-TLS1.1:-VERS-TLS1.2

That is, it looks like these two servers are sending fatal alerts to any
client that advertises support for TLS1.1 or TLS1.2 :(

They both negotiate to TLS1.0, though.

> I would guess it is an IIS issue as both sites are running IIS 6.0.

https://en.wikipedia.org/wiki/Internet_Information_Services suggests
that 6.0 was released with Windows Server 2003, and superseded by IIS
7.0 with the release of Windows Server 2008.  I'm a little surprised to
see www.microsoft.com running such an old version on their flagship web
site.  Other MS sites (e.g. technet.microsoft.com) are using IIS 7.5 by now.

I'm not sure what the right way to deal with this from GnuTLS is.  Should we
be doing anything differently to accommodate these non-compliant servers?

	--dkg
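
The probing described in the message above, as an added example (not part of the original message and not GnuTLS project code): a shell helper that retries the handshake with gnutls-cli under progressively narrower priority strings and reports the first one that completes. The function names, the output labels and the intermediate NORMAL:-VERS-TLS1.2 step are assumptions of this example.

```shell
#!/bin/sh
# Added example: find out whether a server is intolerant of newer TLS
# versions by narrowing the GnuTLS priority string one step at a time.

# probe HOST PORT PRIORITY
# Runs one handshake; succeeds only if gnutls-cli completes it.
# stdin is /dev/null so gnutls-cli exits right after the handshake.
probe() {
    gnutls-cli --priority "$3" -p "$2" "$1" </dev/null >/dev/null 2>&1
}

# diagnose HOST [PORT]
# Prints "<label> <priority string that worked>" and returns 0,
# or prints "failed -" and returns 1 if no step of the ladder works.
diagnose() {
    host=$1
    port=${2:-443}

    # Step 1: library defaults (advertises the highest supported version).
    if probe "$host" "$port" "NORMAL"; then
        echo "ok NORMAL"
        return 0
    fi

    # Step 2 (assumed intermediate step): stop advertising TLS 1.2 only.
    if probe "$host" "$port" "NORMAL:-VERS-TLS1.2"; then
        echo "intolerant-tls1.2 NORMAL:-VERS-TLS1.2"
        return 0
    fi

    # Step 3: the string from the message, advertising TLS 1.0 at most.
    if probe "$host" "$port" "NORMAL:-VERS-TLS1.1:-VERS-TLS1.2"; then
        echo "intolerant-tls1.1+ NORMAL:-VERS-TLS1.1:-VERS-TLS1.2"
        return 0
    fi

    # Nothing worked: the failure is not (only) version intolerance.
    echo "failed -"
    return 1
}

# Run as a script: ./tls-ladder.sh HOST [PORT]
if [ "$#" -gt 0 ]; then
    diagnose "$@"
fi
```

A result other than "ok" means the client only connects by giving up newer protocol versions, so the fix belongs on the server side; the narrowed string is a per-host workaround, not a sensible default.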
