Weird TLS Compression Error

Nikos Mavrogiannopoulos nmav at gnutls.org
Mon May 23 21:44:55 CEST 2011


On 05/23/2011 07:00 PM, Dash Shendy wrote:
> Here's my Virtual host setup:

> GnuTLSPriorities 
> NONE:+VERS-TLS1.1:+VERS-TLS1.0:+VERS-SSL3.0:+COMP-NULL:+SHA1:+MD5:+RSA:+DHE-RSA:+CAMELLIA-128-CBC:+ARCFOUR-128:+AES-128-CBC:+3DES-CBC

If you exchange that string for "NORMAL" does it make any difference?
(or adding %COMPAT?)

> As far as I understand the error message "no compression overlap" is 
> similar to "no cypher overlap". That is, there's no common
> encryption/compression algorithm.

TLS can negotiate apart from cipher a compression algorithm. In your
case your priority string specifies the COMP-NULL thus there is an
option both parties can negotiate (no compression). I don't know why
your browser fails. I connected with firefox 3.6 to the site you
mentioned and had no issues.

Which browser did you try? Could it be buggy? Did you try others?

What could help debugging that would be a capture of the handshake with
wireshark.

> P.S. I heard you mention that you are quite busy with GnuTLS
> development and can not afford the time to maintain mod_gnutls, and
> unless you find someone to maintain it, this module is unmaintained. 
> I would love to get involved and contribute, please let me know what
> I can do to help (I do know how to code in C but I do not believe I 
> have the Mathematical background required, and do not want to
> introduce bugs or weaken the security as it happened with Debian's
> implementation of OpenSSL a while back, but please do let me know if
> I can get involved somehow).

mod_gnutls doesn't really require a mathematical background, just basic
knowledge of cryptography. It is the internals of apache it requires
that I had no time to dig into. If you are interested, the open
issues (some of them have patches to be reviewed) are at:
http://issues.outoforder.cc/view_all_bug_page.php
and some fixes are sent to the mailing list at:
http://lists.outoforder.cc/pipermail/modules/ (last two or three
months). It would be nice if you or someone could test them and
include them in the main branch.

regards,
Nikos
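The compression negotiation described in the reply above, as an added example that is not part of the thread: it parses the compression_methods list out of a captured ClientHello (the kind of thing a wireshark capture would show) and checks it against a server policy reduced to null compression, which is the assumption taken from the quoted "+COMP-NULL" priority string. A client that omits method 0x00, which RFC 5246 says it must always offer, is exactly the case that produces "no compression overlap".

```python
import struct

# Server policy assumed from the quoted GnuTLSPriorities string: only COMP-NULL.
# 0x00 = null compression, 0x01 = DEFLATE (RFC 3749).
SERVER_COMPRESSION = {0x00}


def parse_client_hello(record: bytes) -> dict:
    """Parse a TLS record carrying a ClientHello; return version, cipher suites
    and the compression_methods list the client offered."""
    ctype, _major, _minor, rec_len = struct.unpack("!BBBH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    version = (hello[0], hello[1])
    pos = 2 + 32                                  # skip client_version + client_random
    sid_len = hello[pos]; pos += 1 + sid_len      # skip session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", hello[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    comp_len = hello[pos]; pos += 1
    comps = list(hello[pos:pos + comp_len])
    return {"version": version, "cipher_suites": suites, "compression": comps}


def compression_overlap(client_methods, server_methods=SERVER_COMPRESSION):
    """Methods both sides accept; an empty list is the 'no compression overlap' failure."""
    return sorted(set(client_methods) & set(server_methods))


def build_client_hello(compression_methods: bytes, suites=(0x002F,)) -> bytes:
    """Constructed sample input: a minimal TLS 1.0 ClientHello with an all-zero random."""
    body = b"\x03\x01" + bytes(32) + b"\x00"      # version, random, empty session_id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += bytes([len(compression_methods)]) + compression_methods
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for label, methods in (("conforming client", b"\x00"), ("buggy client", b"\x01")):
        hello = parse_client_hello(build_client_hello(methods))
        print(label, hello["compression"], "->", compression_overlap(hello["compression"]))
```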
