[Help-gnutls] gnutls_handshake fails with an alert
Sam Varshavchik
mrsam at courier-mta.com
Mon Oct 22 00:29:51 CEST 2007
Nikos Mavrogiannopoulos writes:
> On Saturday 20 October 2007, Sam Varshavchik wrote:
>> I've taken the "Simple client example" from the 1.6.3 pages, and supplied a
>> tcp_connect() that connects to ssl-enabled apache on localhost. Running the
>> code results in:
>>
>> *** Handshake failed
>> GNUTLS ERROR: A TLS fatal alert has been received.
>
> What you say doesn't help anyone who might want to help. It can be an error in
> your tcp functions, or you might be using the anonymous client to connect to
> an X.509 authenticated server.

No, I'm running a default Apache install with mod_ssl.

I finally ended up looking at elinks's source to see how it sets up gnutls.
It turned out that I needed to create a gnutls_certificate_credentials_t
using gnutls_certificate_allocate_credentials(), and put it into the session
using gnutls_credentials_set(). Once I did that, the example given in the
info docs worked correctly, both with my stock Apache, and other external
SSL servers.

I am NOT using X.509 authentication, I'm running just a basic, plain-vanilla
Apache+mod_ssl, using a self-signed test cert, without any X.509
authentication set up. It looks to me like the simple client example won't
really work with garden-variety SSL servers. Looks like I need to put a
GNUTLS_CRD_CERTIFICATE into a client session structure even if the server
does not use or require X.509 authentication, in order for the handshake to
work. I couldn't find anything in info docs that pointed me in that
direction, I had to look at some other code to figure it out.