handshake fails (unimplemented/disabled feature requested?)

Christian Parpart trapni at gentoo.org
Wed Jul 21 00:34:43 CEST 2010


On Tue, July 20, 2010 11:51 pm, Christian Parpart wrote:
> Hey all,
>
> I've written a little http server, also providing SSL,
> but during the ssl handshake, I now get the following
> (it once worked but sometimes failed with the trace below):
[....]

I found out that this was due to an unresolved SNI name; however, I was
lucky in finding the reason.
So now I am back at my *old* behaviour of the "unimplemented/disabled feature
requested" message, which only happens when using chromium/chrome:
1279664834.087054: ssl: gnutls [3] HSK[0x24a4e70]: CLIENT HELLO was received [193 bytes]
1279664834.087054: ssl: gnutls [3] HSK[0x24a4e70]: Client's version: 3.1
1279664834.087054: ssl: gnutls [2] EXT[0x24a4e70]: Found extension 'SERVER_NAME/0'
1279664834.087054: ssl: gnutls [2] EXT[0x24a4e70]: Found extension 'SAFE_RENEGOTIATION/65281'
1279664834.087054: ssl: gnutls [2] EXT[0x24a4e70]: Found extension '(null)/10'
1279664834.087054: ssl: gnutls [2] EXT[0x24a4e70]: Found extension '(null)/11'
1279664834.087054: ssl: gnutls [2] EXT[0x24a4e70]: Found extension 'SESSION_TICKET/35'
1279664834.087054: ssl: gnutls [2] ASSERT: gnutls_handshake.c:376
1279664834.087054: ssl: gnutls [2] ASSERT: gnutls_handshake.c:2335
1279664834.087054: ssl: gnutls [2] ASSERT: gnutls_handshake.c:3000
1279664834.087054: SslSocket: SSL handshake failed (-1250): An unimplemented or disabled feature has been requested.
1279664834.088050: ssl: gnutls [3] HSK[0x24a4e70]: CLIENT HELLO was received [85 bytes]
1279664834.088050: ssl: gnutls [3] HSK[0x24a4e70]: Client's version: 3.0
1279664834.088050: ssl: gnutls [2] ASSERT: gnutls_db.c:326
1279664834.088050: ssl: gnutls [2] ASSERT: gnutls_db.c:246
1279664834.088050: ssl: gnutls [2] ASSERT: gnutls_extensions.c:140
1279664834.088050: ssl: gnutls [2] ASSERT: gnutls_handshake.c:376
1279664834.088050: ssl: gnutls [2] ASSERT: gnutls_handshake.c:535
1279664834.088050: ssl: gnutls [2] ASSERT: gnutls_handshake.c:2335
1279664834.088050: ssl: gnutls [2] ASSERT: gnutls_handshake.c:3000
1279664834.088050: SslSocket: SSL handshake failed (-1250): An unimplemented or disabled feature has been requested.


Now, pressing F5 (once or twice) on the same resource gives the
expected result:

1279664874.629215: ssl: gnutls [3] HSK[0x24b0470]: CLIENT HELLO was received [161 bytes]
1279664874.629215: ssl: gnutls [3] HSK[0x24b0470]: Client's version: 3.1
1279664874.629215: ssl: gnutls [2] ASSERT: gnutls_db.c:326
1279664874.629215: ssl: gnutls [2] ASSERT: gnutls_db.c:246
1279664874.629215: ssl: gnutls [2] EXT[0x24b0470]: Found extension 'SERVER_NAME/0'
1279664874.629215: ssl: gnutls [2] EXT[0x24b0470]: Found extension 'SAFE_RENEGOTIATION/65281'
1279664874.629215: ssl: gnutls [2] EXT[0x24b0470]: Found extension '(null)/10'
1279664874.629215: ssl: gnutls [2] EXT[0x24b0470]: Found extension '(null)/11'
1279664874.629215: ssl: gnutls [2] EXT[0x24b0470]: Found extension 'SESSION_TICKET/35'
1279664874.629215: ssl: select SslContext: CN:trapni.de, dnsName:shougar
1279664874.629215: SslContext: bind() (cn="trapni.de")
1279664874.629215: ssl: gnutls [2] EXT[0x24b0470]: Found extension 'SERVER_NAME/0'
1279664874.629215: ssl: gnutls [2] EXT[0x24b0470]: Found extension 'SAFE_RENEGOTIATION/65281'
1279664874.629215: ssl: gnutls [2] EXT[0x24b0470]: Found extension '(null)/10'
1279664874.629215: ssl: gnutls [2] EXT[0x24b0470]: Found extension '(null)/11'
1279664874.629215: ssl: gnutls [2] EXT[0x24b0470]: Found extension 'SESSION_TICKET/35'
1279664874.629215: ssl: gnutls [2] EXT[0x24b0470]: Found extension 'SERVER_NAME/0'
1279664874.629215: ssl: gnutls [2] EXT[0x24b0470]: Found extension 'SAFE_RENEGOTIATION/65281'
1279664874.629215: ssl: gnutls [2] EXT[0x24b0470]: Found extension '(null)/10'
1279664874.629215: ssl: gnutls [2] EXT[0x24b0470]: Found extension '(null)/11'
1279664874.629215: ssl: gnutls [2] EXT[0x24b0470]: Found extension 'SESSION_TICKET/35'
1279664874.629215: SslContext: onRetrieveCert()
1279664874.629215: ssl: gnutls [3] HSK[0x24b0470]: Removing ciphersuite: PSK_SHA_ARCFOUR_SHA1
[ ............. ]
1279664874.629215: ssl: gnutls [3] HSK[0x24b0470]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA1
1279664874.629215: ssl: gnutls [3] HSK[0x24b0470]: Selected cipher suite: DHE_RSA_CAMELLIA_256_CBC_SHA1
1279664874.629215: ssl: gnutls [3] HSK[0x24b0470]: Selected Compression Method: NULL
1279664874.629215: ssl: gnutls [3] HSK[0x24b0470]: Safe renegotiation succeeded
1279664874.629215: ssl: gnutls [2] EXT[0x24b0470]: Sending extension SAFE_RENEGOTIATION
1279664874.629215: ssl: gnutls [3] HSK[0x24b0470]: SessionID: b98d970db54203e916cc873a53deddcbe3cda7364aa2e78045346912181a679e
1279664874.629215: ssl: gnutls [3] HSK[0x24b0470]: SERVER HELLO was sent [81 bytes]
1279664874.629215: ssl: gnutls [3] HSK[0x24b0470]: CERTIFICATE was sent [1027 bytes]
1279664874.629215: ssl: gnutls [3] HSK[0x24b0470]: SERVER KEY EXCHANGE was sent [525 bytes]
1279664874.629215: ssl: gnutls [3] HSK[0x24b0470]: SERVER HELLO DONE was sent [4 bytes]
1279664874.629215: ssl: gnutls [3] HSK[0x24b0470]: CLIENT KEY EXCHANGE was received [134 bytes]
1279664874.629215: ssl: gnutls [3] HSK[0x24b0470]: Cipher Suite: DHE_RSA_CAMELLIA_256_CBC_SHA1
1279664874.629215: ssl: gnutls [3] HSK[0x24b0470]: Initializing internal [read] cipher sessions
1279664874.629215: ssl: gnutls [3] HSK[0x24b0470]: FINISHED was received [16 bytes]
1279664874.629215: ssl: gnutls [3] REC[0x24b0470]: Sent ChangeCipherSpec
1279664874.629215: ssl: gnutls [3] HSK[0x24b0470]: Cipher Suite: DHE_RSA_CAMELLIA_256_CBC_SHA1
1279664874.629215: ssl: gnutls [3] HSK[0x24b0470]: Initializing internal [write] cipher sessions
1279664874.629215: ssl: gnutls [3] HSK[0x24b0470]: FINISHED was sent [16 bytes]

FYI: When using curl for querying my https server, everything works fine
(no gnutls errors).
I also see two of the error messages in my first log fragment, I guess
that there are two different kinds requested that I (maybe) did not
enable explicitly. But which one...

Sorry for the wrong debug prints in my prior mail. :)

> What did I do wrong? Well, I at least know that I've successfully
> declared the algorithm priorities to { tls1.2, tls1.1, tls1.0, ssl3 },
> so this can't be it. But what feature is gnutls here saying, which I
> am missing (possibly not enabled)?

Many thanks in advance,
Christian Parpart.
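
Added example, not part of the original mail and not GnuTLS code: a small Python triage script for debug output like the log above. It rejoins records that the mail client wrapped, splits them per CLIENT HELLO, and maps the extension numbers that gnutls printed as '(null)/N' to their IANA names; the sample input is abridged from the log, and the names `unwrap` and `summarize` are illustrative.

```python
import re

# IANA TLS ExtensionType names (10 is "supported_groups" in current RFCs).
IANA = {0: "server_name", 10: "elliptic_curves", 11: "ec_point_formats",
        35: "session_ticket", 65281: "renegotiation_info"}

# Constructed sample: abridged from the log in the mail, line-wrapping kept.
SAMPLE = """\
1279664834.087054: ssl: gnutls [3] HSK[0x24a4e70]: CLIENT HELLO was
received [193 bytes]
1279664834.087054: ssl: gnutls [3] HSK[0x24a4e70]: Client's version: 3.1
1279664834.087054: ssl: gnutls [2] EXT[0x24a4e70]: Found extension
'(null)/10'
1279664834.087054: ssl: gnutls [2] ASSERT: gnutls_handshake.c:376
1279664834.087054: SslSocket: SSL handshake failed (-1250): An
unimplemented or disabled feature has been requested.
1279664834.088050: ssl: gnutls [3] HSK[0x24a4e70]: CLIENT HELLO was
received [85 bytes]
1279664834.088050: ssl: gnutls [3] HSK[0x24a4e70]: Client's version: 3.0
1279664834.088050: SslSocket: SSL handshake failed (-1250): An
unimplemented or disabled feature has been requested.
1279664874.629215: ssl: gnutls [3] HSK[0x24b0470]: CLIENT HELLO was
received [161 bytes]
1279664874.629215: ssl: gnutls [3] HSK[0x24b0470]: Client's version: 3.1
1279664874.629215: ssl: gnutls [3] HSK[0x24b0470]: FINISHED was sent [16
bytes]
"""

def unwrap(text):  # a record starts "<sec>.<usec>: "; other lines continue it
    return re.sub(r"\n(?!\d+\.\d+: )", " ", text).splitlines()

def summarize(text):  # one dict per CLIENT HELLO seen in the log
    tries = []
    for rec in unwrap(text):
        if m := re.search(r"CLIENT HELLO was received \[(\d+) bytes\]", rec):
            tries.append({"bytes": int(m[1]), "version": None, "ext": [],
                          "asserts": [], "result": "incomplete"})
        elif not tries:
            continue  # noise before the first handshake
        elif m := re.search(r"Client's version: (\S+)", rec):
            tries[-1]["version"] = m[1]
        elif m := re.search(r"Found extension '[^']*/(\d+)'", rec):
            tries[-1]["ext"].append(IANA.get(int(m[1]), "unknown/" + m[1]))
        elif m := re.search(r"ASSERT: (\S+)", rec):
            tries[-1]["asserts"].append(m[1])
        elif m := re.search(r"handshake failed \((-?\d+)\)", rec):
            tries[-1]["result"] = "failed " + m[1]
        elif "FINISHED was sent" in rec:
            tries[-1]["result"] = "ok"
    return tries
```

Run over the full log, the per-attempt `asserts` lists give the source locations to quote when asking which feature was rejected, and the `ext` lists let a failed hello be compared with the one that succeeded.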





