[gnutls-devel] GnuTLS | Connection problems with older servers (record packet with invalid length was received) (#811)
Development of GNU's TLS library
gnutls-devel at lists.gnutls.org
Wed Jul 31 17:20:06 CEST 2019
Hanno Stock commented:
gnutls-cli-debug output for the server:
```
GnuTLS debug client 3.6.7
Checking ldap.indurad.x:5556
unknown protocol 'freeciv'
whether we need to disable TLS 1.2... no
whether we need to disable TLS 1.1... no
whether we need to disable TLS 1.0... no
whether %NO_EXTENSIONS is required... no
whether %COMPAT is required... no
for TLS 1.0 (RFC2246) support... yes
for TLS 1.1 (RFC4346) support... yes
for TLS 1.2 (RFC5246) support... yes
for TLS 1.3 (RFC8446) support... no
|<1>| FFDHE groups advertised, but server didn't support it; falling back to server's choice
TLS1.2 neg fallback from TLS 1.6 to... TLS1.2
for inappropriate fallback (RFC7507) support... no
for certificate chain order... sorted
for safe renegotiation (RFC5746) support... yes
for encrypt-then-MAC (RFC7366) support... no
for ext master secret (RFC7627) support... no
for heartbeat (RFC6520) support... no
for version rollback bug in RSA PMS... dunno
for version rollback bug in Client Hello... no
whether the server ignores the RSA PMS version... no
whether small records (512 bytes) are tolerated on handshake... yes
whether cipher suites not in SSL 3.0 spec are accepted... yes
whether a bogus TLS record version in the client hello is accepted... yes
whether the server understands TLS closure alerts... yes
whether the server supports session resumption... yes
for anonymous authentication support... no
|<1>| FFDHE groups advertised, but server didn't support it; falling back to server's choice
for ephemeral Diffie-Hellman support... yes
|<1>| FFDHE groups advertised, but server didn't support it; falling back to server's choice
for RFC7919 Diffie-Hellman support... no
for ephemeral EC Diffie-Hellman support... no
for curve SECP256r1 (RFC4492)... no
for curve SECP384r1 (RFC4492)... no
for curve SECP521r1 (RFC4492)... no
for curve X25519 (RFC8422)... no
for AES-GCM cipher (RFC5288) support... no
for AES-CCM cipher (RFC6655) support... no
for AES-CCM-8 cipher (RFC6655) support... no
for AES-CBC cipher (RFC3268) support... yes
for CAMELLIA-GCM cipher (RFC6367) support... no
for CAMELLIA-CBC cipher (RFC5932) support... yes
for 3DES-CBC cipher (RFC2246) support... yes
for ARCFOUR 128 cipher (RFC2246) support... yes
for CHACHA20-POLY1305 cipher (RFC7905) support... no
for MD5 MAC support... yes
for SHA1 MAC support... yes
for SHA256 MAC support... yes
for max record size (RFC6066) support... yes
for OCSP status response (RFC6066) support... no
```
OpenSSL (libssl1.1 1.1.1c-1) does work:
echo -e "`pwgen 16383`\n" | openssl s_client -crlf -quiet -connect server:5556
Result:
```
depth=0 CN = server
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = ldap-master
verify return:1
ephua4HeeG8I [...]
```
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/811#note_198343722
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20190731/91b085b9/attachment.html>
More information about the Gnutls-devel
mailing list