[Help-gnutls] Re: gnutls_handshake fails with an alert

Simon Josefsson simon at josefsson.org
Mon Oct 22 07:51:39 CEST 2007


Sam Varshavchik <mrsam at courier-mta.com> writes:

> Nikos Mavrogiannopoulos writes:
>
>> On Saturday 20 October 2007, Sam Varshavchik wrote:
>>> I've taken the "Simple client example" from the 1.6.3 pages, and supplied a
>>> tcp_connect() that connects to ssl-enabled apache on localhost. Running the
>>> code results in:
>>>
>>> *** Handshake failed
>>> GNUTLS ERROR: A TLS fatal alert has been received.
>>
>> What you say doesn't help anyone who might want to help. It can be
>> an error in your tcp functions, or you might be using the anonymous
>> client to connect to a X.509 authenticated server.
>
> No, I'm running a default Apache install with mod_ssl.
>
> I finally ended up looking at elinks's source to see how it sets up
> gnutls. It turned out that I needed to create a
> gnutls_certificate_credentials_t using
> gnutls_certificate_allocate_credentials(), and put it into the session
> using gnutls_credentials_set(). Once I did that, the example given in
> the info docs worked correctly, both with my stock Apache, and other
> external SSL servers.
>
> I am NOT using X.509 authentication, I'm running just a basic,
> plain-vanilla Apache+mod_ssl, using a self-signed test cert, without
> any X.509 authentication set up. It looks to me like the simple client
> example won't really work with garden-variety SSL servers. Looks like
> I need to put a GNUTLS_CRD_CERTIFICATE into a client session structure
> even if the server does not use or require X.509 authentication, in
> order for the handshake to work. I couldn't find anything in info docs
> that pointed me in that direction, I had to look at some other code to
> figure it out.

I believe that Apache/mod_ssl requires X.509, and refuses to handshake
an anonymous cipher.  There is a simple X.509 client GnuTLS example:

http://www.gnu.org/software/gnutls/manual/html_node/Simple-client-example-with-X_002e509-certificate-support.html

Generally, there are many servers out there that refuse to negotiate
anonymous ciphers.  So you typically need to configure X.509 to use TLS,
even if it is just a self-signed test cert.

/Simon