[Help-gnutls] gnutls_handshake fails with an alert

Sam Varshavchik mrsam at courier-mta.com
Mon Oct 22 00:29:51 CEST 2007


Nikos Mavrogiannopoulos writes:

> On Saturday 20 October 2007, Sam Varshavchik wrote:
>> I've taken the "Simple client example" from the 1.6.3 pages, and supplied a
>> tcp_connect() that connects to ssl-enabled apache on localhost. Running the
>> code results in:
>>
>> *** Handshake failed
>> GNUTLS ERROR: A TLS fatal alert has been received.
> 
> What you say doesn't help anyone who might want to help. It can be an error in
> your tcp functions, or you might be using the anonymous client to connect to
> an X.509 authenticated server.

No, I'm running a default Apache install with mod_ssl.

I finally ended up looking at elinks's source to see how it sets up gnutls. 
It turned out that I needed to create a gnutls_certificate_credentials_t 
using gnutls_certificate_allocate_credentials(), and put it into the session 
using gnutls_credentials_set(). Once I did that, the example given in the 
info docs worked correctly, both with my stock Apache, and other external 
SSL servers.

I am NOT using X.509 authentication, I'm running just a basic, plain-vanilla 
Apache+mod_ssl, using a self-signed test cert, without any X.509 
authentication set up. It looks to me like the simple client example won't 
really work with garden-variety SSL servers. Looks like I need to put a 
GNUTLS_CRD_CERTIFICATE into a client session structure even if the server 
does not use or require X.509 authentication, in order for the handshake to 
work. I couldn't find anything in info docs that pointed me in that 
direction; I had to look at some other code to figure it out.
