gnutls claims a disabled algorithm was negotiated

Nikos Mavrogiannopoulos nmav at gnutls.org
Sat Sep 1 19:17:08 CEST 2012


On 09/01/2012 01:42 AM, brian m. carlson wrote:

> I've recently moved my mail server to running postfix, and as a result,
> am now able to provide an EC key and certificate for TLS (the
> certificate is signed by my local RSA CA).  However, when I try to
> connect to postfix either using gnutls-cli or mutt (linked against
> 3.0.22), gnutls provides the following error:
> 
> *** Fatal error: An algorithm that is not enabled was negotiated.
> 
> This seems odd to me, since OpenSSL is very happy to make the
> connection (as the client), and the algorithm that was negotiated is
> ECDHE_ECDSA_AES_128_GCM_SHA256, which I'm pretty sure both GnuTLS and
> OpenSSL support.  It also is odd that the complaint doesn't happen until
> GnuTLS tries to verify the signature; shouldn't it die sooner if the
> server picks an algorithm that it doesn't support?

I've pushed a patch to make gnutls more tolerant in ECDSA violations.
Does this fix the issue for you?
http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=5bd518deaab699d46164f9e82744f482f3dabde7

regards,
Nikos




More information about the Gnutls-help mailing list