<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>


<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">

<p style="color: #777777;">
<a href="https://gitlab.com/hstock">Hanno Stock</a>
commented:
</p>
<div style="">
<p dir="auto">gnutls-cli-debug output for the server:</p>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">GnuTLS debug client 3.6.7</span>
<span id="LC2" class="line" lang="plaintext">Checking ldap.indurad.x:5556</span>
<span id="LC3" class="line" lang="plaintext">unknown protocol 'freeciv'</span>
<span id="LC4" class="line" lang="plaintext">                        whether we need to disable TLS 1.2... no</span>
<span id="LC5" class="line" lang="plaintext">                        whether we need to disable TLS 1.1... no</span>
<span id="LC6" class="line" lang="plaintext">                        whether we need to disable TLS 1.0... no</span>
<span id="LC7" class="line" lang="plaintext">                        whether %NO_EXTENSIONS is required... no</span>
<span id="LC8" class="line" lang="plaintext">                               whether %COMPAT is required... no</span>
<span id="LC9" class="line" lang="plaintext">                             for TLS 1.0 (RFC2246) support... yes</span>
<span id="LC10" class="line" lang="plaintext">                             for TLS 1.1 (RFC4346) support... yes</span>
<span id="LC11" class="line" lang="plaintext">                             for TLS 1.2 (RFC5246) support... yes</span>
<span id="LC12" class="line" lang="plaintext">                             for TLS 1.3 (RFC8446) support... no</span>
<span id="LC13" class="line" lang="plaintext">|<1>| FFDHE groups advertised, but server didn't support it; falling back to server's choice</span>
<span id="LC14" class="line" lang="plaintext">                       TLS1.2 neg fallback from TLS 1.6 to... TLS1.2</span>
<span id="LC15" class="line" lang="plaintext">              for inappropriate fallback (RFC7507) support... no</span>
<span id="LC16" class="line" lang="plaintext">                               for certificate chain order... sorted</span>
<span id="LC17" class="line" lang="plaintext">                  for safe renegotiation (RFC5746) support... yes</span>
<span id="LC18" class="line" lang="plaintext">                    for encrypt-then-MAC (RFC7366) support... no</span>
<span id="LC19" class="line" lang="plaintext">                   for ext master secret (RFC7627) support... no</span>
<span id="LC20" class="line" lang="plaintext">                           for heartbeat (RFC6520) support... no</span>
<span id="LC21" class="line" lang="plaintext">                       for version rollback bug in RSA PMS... dunno</span>
<span id="LC22" class="line" lang="plaintext">                  for version rollback bug in Client Hello... no</span>
<span id="LC23" class="line" lang="plaintext">            whether the server ignores the RSA PMS version... no</span>
<span id="LC24" class="line" lang="plaintext">whether small records (512 bytes) are tolerated on handshake... yes</span>
<span id="LC25" class="line" lang="plaintext">    whether cipher suites not in SSL 3.0 spec are accepted... yes</span>
<span id="LC26" class="line" lang="plaintext">whether a bogus TLS record version in the client hello is accepted... yes</span>
<span id="LC27" class="line" lang="plaintext">         whether the server understands TLS closure alerts... yes</span>
<span id="LC28" class="line" lang="plaintext">            whether the server supports session resumption... yes</span>
<span id="LC29" class="line" lang="plaintext">                      for anonymous authentication support... no</span>
<span id="LC30" class="line" lang="plaintext">|<1>| FFDHE groups advertised, but server didn't support it; falling back to server's choice</span>
<span id="LC31" class="line" lang="plaintext">                      for ephemeral Diffie-Hellman support... yes</span>
<span id="LC32" class="line" lang="plaintext">|<1>| FFDHE groups advertised, but server didn't support it; falling back to server's choice</span>
<span id="LC33" class="line" lang="plaintext">                        for RFC7919 Diffie-Hellman support... no</span>
<span id="LC34" class="line" lang="plaintext">                   for ephemeral EC Diffie-Hellman support... no</span>
<span id="LC35" class="line" lang="plaintext">                             for curve SECP256r1 (RFC4492)... no</span>
<span id="LC36" class="line" lang="plaintext">                             for curve SECP384r1 (RFC4492)... no</span>
<span id="LC37" class="line" lang="plaintext">                             for curve SECP521r1 (RFC4492)... no</span>
<span id="LC38" class="line" lang="plaintext">                                for curve X25519 (RFC8422)... no</span>
<span id="LC39" class="line" lang="plaintext">                      for AES-GCM cipher (RFC5288) support... no</span>
<span id="LC40" class="line" lang="plaintext">                      for AES-CCM cipher (RFC6655) support... no</span>
<span id="LC41" class="line" lang="plaintext">                    for AES-CCM-8 cipher (RFC6655) support... no</span>
<span id="LC42" class="line" lang="plaintext">                      for AES-CBC cipher (RFC3268) support... yes</span>
<span id="LC43" class="line" lang="plaintext">                 for CAMELLIA-GCM cipher (RFC6367) support... no</span>
<span id="LC44" class="line" lang="plaintext">                 for CAMELLIA-CBC cipher (RFC5932) support... yes</span>
<span id="LC45" class="line" lang="plaintext">                     for 3DES-CBC cipher (RFC2246) support... yes</span>
<span id="LC46" class="line" lang="plaintext">                  for ARCFOUR 128 cipher (RFC2246) support... yes</span>
<span id="LC47" class="line" lang="plaintext">            for CHACHA20-POLY1305 cipher (RFC7905) support... no</span>
<span id="LC48" class="line" lang="plaintext">                                       for MD5 MAC support... yes</span>
<span id="LC49" class="line" lang="plaintext">                                      for SHA1 MAC support... yes</span>
<span id="LC50" class="line" lang="plaintext">                                    for SHA256 MAC support... yes</span>
<span id="LC51" class="line" lang="plaintext">                     for max record size (RFC6066) support... yes</span>
<span id="LC52" class="line" lang="plaintext">                for OCSP status response (RFC6066) support... no</span></code></pre>
<p dir="auto">OpenSSL (libssl1.1 1.1.1c-1) does work:</p>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">echo -e "`pwgen 16383`\n" | openssl s_client -crlf -quiet -connect server:5556</span></code></pre>
<p dir="auto">Result:</p>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">depth=0 CN = server</span>
<span id="LC2" class="line" lang="plaintext">verify error:num=18:self signed certificate</span>
<span id="LC3" class="line" lang="plaintext">verify return:1</span>
<span id="LC4" class="line" lang="plaintext">depth=0 CN = ldap-master</span>
<span id="LC5" class="line" lang="plaintext">verify return:1</span>
<span id="LC6" class="line" lang="plaintext">ephua4HeeG8I [...]</span></code></pre>
</div>


</div>
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #777;">

<br>
Reply to this email directly or <a href="https://gitlab.com/gnutls/gnutls/issues/811#note_198343722">view it on GitLab</a>.


</p>
</div>
</body>
</html>