[Help-gnutls] Re: gnutls-serv command line problem

Simon Josefsson simon at josefsson.org
Wed Feb 13 13:17:01 CET 2008


joseph.ng at symbian.com writes:

> Hi 
>
> I am new to GnuTLS. On my PC I have installed Window GnuTLS 2.2.1. 
>
> When I issue the following command: 
>
> G:\my_server>gnutls-serv --http --x509fmtder --x509cafile IM-11-cert.der 
> --x509certfile EU-0-cert.der --x509keyfile EU-0-key.txt -g --comp NULL 
> --protocols TLS1.0 SSL3.0 -a --kx RSA 
>
> I got: 
>
> This method of specifying algorithms is deprecated. Please use the 
> --priority option. 
>
> Q1. I have tried a number of things but couldn't figure out what's wrong 
> with the command line. Could you please tell me what is deprecated? 

Hi!  The --comp, --protocols, and --kx parameters.  With the new style,
you could type those as:

 --priority NORMAL:-VERS_TLS1_1

Compression is disabled by default.  I'm not sure how to force RSA key
exchange, but maybe you could try various strings, starting from NONE
and adding things instead of going from NORMAL and removing them.

However, the old style should continue to work, so you don't need to do
this.  But you can't use SPC to delimit protocols, try TLS1.0,SSL3.0
instead.

> Started up the server with the above command, I then try to start a client 
> with: 
>
> G:\my_client>gnutls-cli -p 5556 localhost --crlf 
>
> and I got the following from the server: 
>
> ..... 
> |<2>| ASSERT: ../../../src/gnutls-2.2.1/lib/gnutls_x509.c:1087 
> |<3>| HSK[a32570]: Removing ciphersuite: RSA_ARCFOUR_SHA1 
> |<3>| HSK[a32570]: Removing ciphersuite: RSA_ARCFOUR_MD5 
> |<3>| HSK[a32570]: Removing ciphersuite: RSA_3DES_EDE_CBC_SHA1 
> |<3>| HSK[a32570]: Removing ciphersuite: RSA_AES_128_CBC_SHA1 
> |<3>| HSK[a32570]: Removing ciphersuite: RSA_AES_256_CBC_SHA1 
> |<3>| HSK[a32570]: Removing ciphersuite: RSA_CAMELLIA_128_CBC_SHA1 
> |<3>| HSK[a32570]: Removing ciphersuite: RSA_CAMELLIA_256_CBC_SHA1 
> |<2>| ASSERT: ../../../src/gnutls-2.2.1/lib/gnutls_handshake.c:704 
> |<2>| ASSERT: ../../../src/gnutls-2.2.1/lib/gnutls_handshake.c:462 
> |<2>| ASSERT: ../../../src/gnutls-2.2.1/lib/gnutls_handshake.c:2014 
> |<2>| ASSERT: ../../../src/gnutls-2.2.1/lib/gnutls_handshake.c:2542 
> |<6>| BUF[HSK]: Cleared Data from buffer 
> Error in handshake 
> Error: Could not negotiate a supported cipher suite. 
> |<4>| REC: Sending Alert[2|40] - Handshake failed 
> |<4>| REC[a32570]: Sending Packet[0] Alert(21) with length: 2 
> .... 
>
> and the following from the client: 
>
> ... 
> *** Fatal error: A TLS fatal alert has been received. 
> *** Received alert [40]: Handshake failed 
> *** Handshake has failed 
> GNUTLS ERROR: A TLS fatal alert has been received. 
> ... 
>
> Q2. I thought it would finished with TLS_RSA_AES_128_CBC_SHA1 (0x00, 
> 0x2f), but it didn't. Could you please tell me what's gone wrong with 
> that? 

I tried the same command line parameters, and it worked fine here.
However, the first line:

 ASSERT: ../../../src/gnutls-2.2.1/lib/gnutls_x509.c:1087 

reveals that your key likely doesn't have the key encipherment bit set,
from the code:

	  if (encipher_type == CIPHER_ENCRYPT)
	    {
	      /* If the key exchange method requires an encipher
	       * type algorithm, and key's usage does not permit
	       * encipherment, then fail.
	       */
	      if (!(key_usage & KEY_KEY_ENCIPHERMENT))
		{
		  gnutls_assert ();
		  return GNUTLS_E_KEY_USAGE_VIOLATION;
		}
	    }

So you need to fix the certificate to permit encryption.

Does this help?  If you believe the certificate should work anyway,
please include it too so we can see it.

/Simon


>
>
> Thank you very much in anticipation. 
>
>
> Regards, 
> ---------------
> Joseph Ng
>
> Discover tomorrow's technology on today's phones... Visit the
> Symbian Stand, 8A77, Hall 8, at Mobile World Congress 2008, 11-14
> February, Barcelona, Spain.
> **********************************************************************
>  Symbian Software Ltd is a company registered in England and Wales
> with registered number 4190020 and registered office at 2-6
> Boundary Row, Southwark, London,  SE1 8HP, UK. This message is
> intended only for use by the named addressee and may contain
> privileged and/or confidential information. If you are not the
> named addressee you should not disseminate, copy or take any action
> in reliance on it. If you have received this message in error
> please notify postmaster at symbian.com and delete the message and any
> attachments accompanying it immediately. Neither Symbian nor any of
> its Affiliates accepts liability for any corruption, interception,
> amendment, tampering or viruses occurring to this message in
> transit or for any message sent by its employees which is not in
> compliance with Symbian corporate policy.
> **********************************************************************_______________________________________________
> Help-gnutls mailing list
> Help-gnutls at gnu.org
> http://lists.gnu.org/mailman/listinfo/help-gnutls





More information about the Gnutls-help mailing list