[gnutls-devel] GnuTLS 3.1.7 can't connect to Google Talk

Nikos Mavrogiannopoulos nmav at gnutls.org
Sat Feb 9 18:48:45 CET 2013


On 02/09/2013 01:20 PM, Diego Elio Pettenò wrote:

> This I reported in Gentoo's bugzilla last night:
> https://bugs.gentoo.org/show_bug.cgi?id=456250 and somebody later
> reported that the problem affects specifically version 3.1.7.
> 
> flame at saladin ~ % gnutls-cli -p 5223 talk.google.com
> Processed 160 CA certificate(s).
> Resolving 'talk.google.com'...
> Connecting to '173.194.65.125:5223'...

[...]

> *** Fatal error: The Diffie-Hellman prime sent by the server is not
> acceptable (not long enough).


Ouch. The security level chosen (i.e. NORMAL in that case), enforces
limits in the DH prime as well starting from 3.1.7.

I added a debugging message which now mentions for that site:
* Received a prime of 768 bits, limit is 816

So the DHE prime used is pretty low. A quick workaround is to use the
PERFORMANCE security level (if the application allows you to switch).
The work-around will not reduce the acceptable security level, but it
would prefer the RSA ciphersuites and their level depends only on the
RSA key in the certificate (which is of acceptable size).

regards,
Nikos




More information about the Gnutls-devel mailing list