gnutls 2.10 won't negotiate TLS 1.2 if priority is set to "SECURE256"

Sam Varshavchik mrsam at courier-mta.com
Thu May 26 17:56:03 CEST 2011


I rebuilt a client/server against gnutls 2.10, from 2.8 before.

I give "SECURE256:-CTYPE-OPENPGP" to gnutls_priority_set_direct() on both  
the client and the server side.

After updating to 2.10, TLS negotiation fails with a
GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM.

Stumbling my way through the debugger, and stepping through, I see that both  
sides are going for TLS 1.2.

Adding "-VERS-TLS1.2" to the priority string gets everything working.

I'm wondering what I'm missing. I was using RSA-SHA1 certs. I regenerated
them as RSA-SHA256 certs, that still doesn't work. I generate my own certs,
here's what one looks like:


X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 01
	Issuer: O=libx library,OU=GnuTLS wrapper,CN=example.com
	Validity:
		Not Before: Thu May 26 15:51:45 UTC 2011
		Not After: Fri Jun 29 15:51:45 UTC 2012
	Subject: O=libx library,OU=GnuTLS wrapper,CN=example.com
	Subject Public Key Algorithm: RSA
		Modulus (bits 1024):
			bd:76:c7:26:19:46:5c:a4:99:ed:12:8a:ef:3d:f6:8b
			16:26:c7:33:fd:09:b2:05:5a:ae:af:eb:e4:37:39:c6
			69:76:5a:aa:ac:6a:5b:3b:8a:02:c4:a8:13:31:e1:f7
			e0:fd:34:c8:87:f4:e7:82:ef:f5:52:34:fe:46:14:56
			d6:da:4c:43:61:be:50:67:0a:20:c6:ac:eb:ef:2f:32
			c6:9a:74:aa:22:cb:75:8e:ce:a3:77:c4:23:f4:71:e8
			37:1e:6e:ab:16:43:ad:94:17:34:8d:58:5e:9a:87:23
			54:27:41:32:ec:d4:4a:4a:e9:b0:45:8a:81:e7:b9:69
		Exponent (bits 24):
			01:00:01
	Extensions:
		Basic Constraints (critical):
			Certificate Authority (CA): TRUE
		Key Usage (critical):
			Digital signature.
			Non repudiation.
			Key encipherment.
			Key agreement.
			Certificate signing.
			CRL signing.
		Key Purpose (not critical):
			TLS WWW Server.
			Code signing.
			Email protection.
		Subject Alternative Name (not critical):
			DNSname: example.com
		Subject Key Identifier (not critical):
			06b4ea4797850dd103c88f17f291ca5be54f424b
	Signature Algorithm: RSA-SHA512
	Signature:
		6b:a8:93:2a:ad:b3:6b:82:fb:d8:7f:fa:24:06:b5:63
		c5:0c:bb:23:90:92:59:9b:d7:9c:0c:d4:83:20:76:af
		fe:18:3e:d1:af:1b:60:d1:b7:ac:0e:85:e8:46:35:8a
		74:e3:83:b5:06:d5:6c:82:2c:be:d6:7d:a4:fe:e2:4e
		4c:f8:ee:68:fd:a8:55:46:85:48:2e:12:39:d8:e8:6a
		66:be:f6:f9:9a:87:bf:98:a5:11:27:24:28:0c:92:ad
		ea:11:62:7c:d2:74:cf:64:c9:10:b4:60:9c:77:28:86
		20:fc:be:90:8f:db:a8:84:06:53:2a:c4:e1:20:17:9c
Other Information:
	MD5 fingerprint:
		0a805cfad3c2d7355c2b9496833997ce
	SHA-1 fingerprint:
		9cac002d6bd19cd855d46d89ae46b55d2f4df24a
	Public Key Id:
		06b4ea4797850dd103c88f17f291ca5be54f424b





