[Help-gnutls] Re: GnuTLS 1.5.1 for Windows

Simon Josefsson jas at extundo.com
Wed Sep 27 10:29:46 CEST 2006


Ralf Angeli <angeli at caeruleus.net> writes:

> * Simon Josefsson (2006-09-26) writes:
>
>> No, you'll need to start gnutls-cli, wait for the server to respond
>> ("220 smtp08...") then type:
>>
>> starttls
>>
>> wait for the server to ack the request to start TLS ("220 OpenSSL...")
>> and then type C-d to invoke the TLS layer.  Once it finishes, you are
>> talking to the server under the encrypted layer.  If you could then
>> type:
>>
>> EHLO foo
>>
>> at that point, and show me the output, I'll know that the TLS layer
>> actually works properly.
>
> Doesn't seem like it works.  I get the following output.  `C-d' was
> typed after the line with "220 OpenSSL...".  After I inserted "EHLO
> foo <RET>" about 20 seconds passed and then the indicated error was
> thrown.

Ok.  I wasn't able to reproduce everything you could, even after
downloading the same Emacs.  After some experimenting, it seems the
select() call in gnutls-cli triggers too soon when gnutls-cli is run
under Emacs.  It waits for input from the user, when there is none.

I think I'll add some debug messages to gnutls-cli's select()
replacement, so it is possible to see if that's the cause or not.
Since we get different results even with the same gnutls and emacs, it
would help if you could try that version too; I'll get back with the
details when I've added this debug stuff.

> c:\foo>gnutls-cli --port 25 --starttls smtp.web.de
> gnutls-cli --port 25 --starttls smtp.web.de
> Resolving 'smtp.web.de'...
> Connecting to '217.72.192.157:25'...
>
> - Simple Client Mode:
>
> 220 smtp07.web.de ESMTP WEB.DE V4.107#114 Tue, 26 Sep 2006 19:05:24 +0200
> starttls
> 220 OpenSSL/0.9.7beta go ahead
> *** Starting TLS handshake
> - Certificate type: X.509
>  - Got a certificate list of 1 certificates.
>
>  - Certificate[0] info:
>  # The hostname in the certificate matches 'smtp.web.de'.
>  # valid since: Tue Feb  15:51:50 Westeuropäische Normalzeit 2007
>  # expires at: Wed Feb  15:51:50 Westeuropäische Normalzeit 2007
>  # fingerprint: D1:7A:1B:CB:4E:96:CD:DC:E2:D0:39:41:D5:F7:CC:B6
>  # Subject's DN: C=DE,ST=Baden-Wuerttemberg,L=Karlsruhe,O=WEB.DE GmbH,CN=smtp.web.de
>  # Issuer's DN: C=ZA,ST=Western Cape,L=Cape Town,O=Thawte Consulting cc,OU=Certification Services Division,CN=Thawte Premium Server CA,EMAIL=premium-server at thawte.com
>
>
> - Peer's certificate issuer is unknown
> - Peer's certificate is NOT trusted
> - Version: TLS 1.0
> - Key Exchange: RSA
> - Cipher: AES 256 CBC
> - MAC: SHA
> - Compression: NULL
> EHLO foo
> *** gnutls_bye() error: A record packet with illegal version was received.
>
> c:\foo>
> Process shell finished

Interesting, I haven't seen this so far.

Thanks,
Simon
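The exchange Simon describes above (wait for the "220" greeting, send STARTTLS, wait for the "220 ... go ahead", then EHLO under the TLS layer), as an added Python example that is not part of this thread or of GnuTLS. Unlike the gnutls-cli run above, which reports the issuer as unknown and the certificate as NOT trusted, it verifies the certificate chain and hostname before sending EHLO; the function names and the replayed server transcript are constructed for illustration.

```python
import io
import socket
import ssl

class StartTLSRefused(Exception):
    """Server did not grant STARTTLS; the caller must not continue in plaintext."""

def read_reply(readline):
    """Read one full SMTP reply and return (code, lines). `readline` yields the next
    CRLF-terminated line as bytes; "250-X" is a continuation, "220 smtp07..." is final."""
    lines = []
    while True:
        raw = readline()
        if not raw:
            raise ConnectionError("server closed the connection mid-reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), lines

def negotiate_starttls(rfile, wfile):
    """Plaintext phase from the thread: wait for the 220 greeting, send STARTTLS,
    wait for the 220 go-ahead. Any other code aborts instead of talking in the clear."""
    code, greeting = read_reply(rfile.readline)
    if code != 220:
        raise StartTLSRefused(f"unexpected greeting: {greeting}")
    wfile.write(b"STARTTLS\r\n")
    wfile.flush()
    code, reply = read_reply(rfile.readline)
    if code != 220:
        raise StartTLSRefused(f"STARTTLS refused: {reply}")
    return greeting

def ehlo_over_tls(host, port=25, cafile=None, timeout=30):
    """Live client (hypothetical helper): connect, negotiate STARTTLS, verify the
    certificate chain and hostname, then send EHLO under TLS and return the reply."""
    ctx = ssl.create_default_context(cafile=cafile)  # verification is on by default
    with socket.create_connection((host, port), timeout=timeout) as sock:
        # buffering=0: nothing after the go-ahead line is read before TLS starts
        negotiate_starttls(sock.makefile("rb", buffering=0), sock.makefile("wb", buffering=0))
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(b"EHLO foo\r\n")
            return read_reply(tls.makefile("rb").readline)

def run_against_transcript(transcript):
    """Offline check: replay a constructed server transcript (bytes) through the
    plaintext phase; returns (greeting_lines, bytes_sent_by_client)."""
    rfile, wfile = io.BytesIO(transcript), io.BytesIO()
    return negotiate_starttls(rfile, wfile), wfile.getvalue()
```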
