NULL cipher suites broken in gnutls 3.0.5 ?

Fabrice Gautier fabrice.gautier at
Fri Nov 4 01:59:30 CET 2011


I get decryption error when using NULL-MD5 or NULL-SHA1 cipher suites
when using gnutls-serv, and connecting with a openssl client.

Server is started that way:

$ gnutls-serv --http --x509cafile x509-ca.pem --x509keyfile
x509-server-key.pem --x509certfile x509-server.pem  --priority

The openssl s_client is started that way:

$ openssl s_client -cipher NULL-SHA -connect localhost:5556

This is what I get from the gnutls logs:

* Accepted connection from IPv4 port 53650 on Thu Nov  3 17:23:51 2011

* Successful handshake from IPv4 port 53650
- Session ID: 26:C8:6A:7B:CE:F2:99:0B:19:1F:90:90:D8:58:73:60:99:BF:8D:DE:1B:7B:77:A2:80:54:65:11:D0:A8:5F:94
- Certificate type: X.509
- Could not verify certificate (err: The peer did not send any certificate.)
- Version: TLS1.0
- Key Exchange: RSA
- Cipher: NULL
- Compression: NULL
Error while receiving data

>From the openssl side I get an error as well:

140735311722940:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption
failed or bad record mac:s3_pkt.c:479:

I believe it worked fine when I was using gnutls-2.12. I used both
openssl 0.9.8r and 1.0.0e for the client side.

Any known issue there ?

-- Fabrice

More information about the Gnutls-help mailing list