[gnutls-help] gnutls-cli and apache

Frédéric Dreier frederic.dreier at gmail.com
Mon Feb 11 17:48:36 CET 2013 

Hi,

I try since some hours deploy a webdav server using apache under ubuntu
12.4 using client certificates.

I already setup apache+webdav and I can access it through firefox using the
client certificate.

Now I want to use davfs2 which use gnutls but it exits with an gnutls error
(handshake failed, no details)

I tried with gnutls-cli and I also get an error (with more details), but I
am not able to understand it (or what is incorrect).

gnutls-cli -d 9 --x509cafile ca.crt --x509keyfile client.key --x509certfile
client.crt -p 443 myserver
Processed 1 CA certificate(s).
Processed 1 client certificates...
Processed 1 client X.509 certificates...
Resolving 'myserver'...
Connecting to '192.168.1.10:443'...
|<4>| REC[0x1495a80]: Allocating epoch #0
|<2>| ASSERT: gnutls_constate.c:695
|<4>| REC[0x1495a80]: Allocating epoch #1
|<3>| HSK[0x1495a80]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1
|<3>| HSK[0x1495a80]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA256
|<3>| HSK[0x1495a80]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1
|<3>| HSK[0x1495a80]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1
|<3>| HSK[0x1495a80]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA256
|<3>| HSK[0x1495a80]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1
|<3>| HSK[0x1495a80]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x1495a80]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1
|<3>| HSK[0x1495a80]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA256
|<3>| HSK[0x1495a80]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA1
|<3>| HSK[0x1495a80]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA1
|<3>| HSK[0x1495a80]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA256
|<3>| HSK[0x1495a80]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA1
|<3>| HSK[0x1495a80]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1
|<3>| HSK[0x1495a80]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1
|<3>| HSK[0x1495a80]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1
|<3>| HSK[0x1495a80]: Keeping ciphersuite: RSA_AES_128_CBC_SHA256
|<3>| HSK[0x1495a80]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA1
|<3>| HSK[0x1495a80]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1
|<3>| HSK[0x1495a80]: Keeping ciphersuite: RSA_AES_256_CBC_SHA256
|<3>| HSK[0x1495a80]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA1
|<3>| HSK[0x1495a80]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x1495a80]: Keeping ciphersuite: RSA_ARCFOUR_SHA1
|<3>| HSK[0x1495a80]: Keeping ciphersuite: RSA_ARCFOUR_MD5
|<2>| EXT[0x1495a80]: Sending extension SERVER NAME (19 bytes)
|<2>| EXT[0x1495a80]: Sending extension SAFE RENEGOTIATION (1 bytes)
|<2>| EXT[0x1495a80]: Sending extension SESSION TICKET (0 bytes)
|<2>| EXT[SIGA]: sent signature algo (4.2) DSA-SHA256
|<2>| EXT[SIGA]: sent signature algo (4.1) RSA-SHA256
|<2>| EXT[SIGA]: sent signature algo (2.1) RSA-SHA1
|<2>| EXT[SIGA]: sent signature algo (2.2) DSA-SHA1
|<2>| EXT[0x1495a80]: Sending extension SIGNATURE ALGORITHMS (10 bytes)
|<3>| HSK[0x1495a80]: CLIENT HELLO was sent [139 bytes]
|<4>| REC[0x1495a80]: Sending Packet[0] Handshake(22) with length: 139
|<4>| REC[0x1495a80]: Sent Packet[1] Handshake(22) with length: 144
|<4>| REC[0x1495a80]: Expected Packet[0] Handshake(22) with length: 1
|<4>| REC[0x1495a80]: Received Packet[0] Alert(21) with length: 2
|<4>| REC[0x1495a80]: Decrypted Packet[0] Alert(21) with length: 2
|<4>| REC[0x1495a80]: Alert[1|112] - The server name sent was not
recognized - was received
|<2>| ASSERT: gnutls_record.c:726
|<2>| ASSERT: gnutls_record.c:1122
*** Non fatal error: A TLS warning alert has been received.
*** Received alert [112]: The server name sent was not recognized
|<4>| REC[0x1495a80]: Expected Packet[1] Handshake(22) with length: 1
|<4>| REC[0x1495a80]: Received Packet[1] Handshake(22) with length: 57
|<4>| REC[0x1495a80]: Decrypted Packet[1] Handshake(22) with length: 57
|<3>| HSK[0x1495a80]: SERVER HELLO was received [57 bytes]
|<3>| HSK[0x1495a80]: Server's version: 3.3
|<3>| HSK[0x1495a80]: SessionID length: 0
|<3>| HSK[0x1495a80]: SessionID: 00
|<3>| HSK[0x1495a80]: Selected cipher suite: DHE_RSA_AES_128_CBC_SHA1
|<2>| EXT[0x1495a80]: Parsing extension 'SERVER NAME/0' (0 bytes)
|<2>| EXT[0x1495a80]: Parsing extension 'SAFE RENEGOTIATION/65281' (1 bytes)
|<2>| EXT[0x1495a80]: Parsing extension 'SESSION TICKET/35' (0 bytes)
|<3>| HSK[0x1495a80]: Safe renegotiation succeeded
|<4>| REC[0x1495a80]: Expected Packet[2] Handshake(22) with length: 1
|<4>| REC[0x1495a80]: Received Packet[2] Handshake(22) with length: 2510
|<4>| REC[0x1495a80]: Decrypted Packet[2] Handshake(22) with length: 2510
|<3>| HSK[0x1495a80]: CERTIFICATE was received [2510 bytes]
|<2>| ASSERT: ext_signature.c:388
|<2>| ASSERT: ext_signature.c:388
|<2>| ASSERT: mpi.c:609
|<2>| ASSERT: dn.c:1209
|<4>| REC[0x1495a80]: Expected Packet[3] Handshake(22) with length: 1
|<4>| REC[0x1495a80]: Received Packet[3] Handshake(22) with length: 527
|<4>| REC[0x1495a80]: Decrypted Packet[3] Handshake(22) with length: 527
|<3>| HSK[0x1495a80]: SERVER KEY EXCHANGE was received [527 bytes]
|<3>| HSK[0x1495a80]: verify handshake data: using RSA-SHA256
|<2>| ASSERT: ext_signature.c:388
|<4>| REC[0x1495a80]: Expected Packet[4] Handshake(22) with length: 1
|<4>| REC[0x1495a80]: Received Packet[4] Handshake(22) with length: 97
|<4>| REC[0x1495a80]: Decrypted Packet[4] Handshake(22) with length: 97
|<3>| HSK[0x1495a80]: CERTIFICATE REQUEST was received [93 bytes]
|<2>| EXT[SIGA]: rcvd signature algo (6.1) RSA-SHA512
|<2>| EXT[SIGA]: rcvd signature algo (6.2) GOST R 34.10-94
|<2>| EXT[SIGA]: rcvd signature algo (6.3) GOST R 34.10-94
|<2>| EXT[SIGA]: rcvd signature algo (5.1) RSA-SHA384
|<2>| EXT[SIGA]: rcvd signature algo (5.2) GOST R 34.10-94
|<2>| EXT[SIGA]: rcvd signature algo (5.3) GOST R 34.10-94
|<2>| EXT[SIGA]: rcvd signature algo (4.1) RSA-SHA256
|<2>| EXT[SIGA]: rcvd signature algo (4.2) DSA-SHA256
|<2>| EXT[SIGA]: rcvd signature algo (4.3) GOST R 34.10-94
|<2>| EXT[SIGA]: rcvd signature algo (3.1) RSA-SHA224
|<2>| EXT[SIGA]: rcvd signature algo (3.2) DSA-SHA224
|<2>| EXT[SIGA]: rcvd signature algo (3.3) GOST R 34.10-94
|<2>| EXT[SIGA]: rcvd signature algo (2.1) RSA-SHA1
|<2>| EXT[SIGA]: rcvd signature algo (2.2) DSA-SHA1
|<2>| EXT[SIGA]: rcvd signature algo (2.3) GOST R 34.10-94
|<2>| EXT[SIGA]: rcvd signature algo (1.1) RSA-MD5
|<3>| HSK[0x1495a80]: SERVER HELLO DONE was received [4 bytes]
|<3>| HSK[0x1495a80]: CERTIFICATE was sent [1137 bytes]
|<3>| HSK[0x1495a80]: CLIENT KEY EXCHANGE was sent [134 bytes]
|<2>| sign handshake cert vrfy: picked RSA-SHA512 with SHA512
|<2>| ASSERT: gnutls_sig.c:630
|<2>| ASSERT: auth_cert.c:1562
|<2>| ASSERT: gnutls_kx.c:336
|<2>| ASSERT: gnutls_handshake.c:2833
*** Fatal error: GnuTLS internal error.
|<4>| REC: Sending Alert[2|80] - Internal error
|<4>| REC[0x1495a80]: Sending Packet[1] Alert(21) with length: 2
|<4>| REC[0x1495a80]: Sent Packet[2] Alert(21) with length: 7
*** Handshake has failed
GnuTLS error: GnuTLS internal error.
|<4>| REC[0x1495a80]: Epoch #0 freed
|<4>| REC[0x1495a80]: Epoch #1 freed


Using "openssl client -connect ..." I am able to connect apache with the
client certificate and execute a GET request.

I only found one post refering to unimplemented SHA512 in gnutls. Is that
the reason?

I tried to switch to gnutls_mod in apache. It works BUT I have other issues
since a lot of functionalities are not implemented there (DN filtering,
fakeauth, etc)

Best regards,

Frederic
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20130211/ce9cc1d9/attachment.htm>

More information about the Gnutls-help mailing list