[Help-gnutls] gnutls-cli with compression against secure.cacert.org

Simon Josefsson simon at josefsson.org
Mon Mar 5 16:20:54 CET 2007

I tried to talk with secure.cacert.org using my cacert
key/certificate, but it doesn't seem to work reliably unless I disable

The typical error is:

jas at mocca:~/src/gnutls/src$ ./gnutls-cli secure.cacert.org --x509keyfile ~/self/certs/cacert.key --x509certfile ~/self/certs/cacert.pem --x509cafile ~/self/certs/cacert-ca.pem
Processed 1 CA certificate(s).
Processed 1 client certificates...
Processed 1 client X.509 certificates...
Resolving 'secure.cacert.org'...
Connecting to ''...
*** Fatal error: A TLS fatal alert has been received.
*** Received alert [20]: Bad record MAC
*** Handshake has failed
GNUTLS ERROR: A TLS fatal alert has been received.
jas at mocca:~/src/gnutls/src$

The workaround is of course to add '--comp null'.

If anyone has time to debug this, that would be useful.

