[gnutls-help] Problem with https://archive.org

Nikos Mavrogiannopoulos nmav at gnutls.org
Wed May 29 21:13:00 CEST 2013

On 05/17/2013 11:00 PM, Lluís Batlle i Rossell wrote:

> Hello,
> I tried gnutls 3.1 and 3.2.0 on https://archive.org (with wget and gnutls-cli),
> and both give me:
> Connecting to www.archive.org||:443... connected.
> GnuTLS: Could not negotiate a supported cipher suite.
> Unable to establish SSL connection.
> Enabling "EXPORT" in --priority (a friend helped me with that), made gnutls
> choose:
> |<3>| HSK[0x7a9ec0]: Selected cipher suite: RSA_AES_128_CBC_SHA1

Interesting. This server negotiates C0.13 (which is
ECDHE-RSA-AES256-SHA), and selects SSL 3.0. This ciphersuite is only
defined for TLS 1.0 or later and that's why gnutls rejects it and closes
the connection.

This was a bug of a particular openssl version on Debian.

If this is a widespread issue we may try to work it around in gnutls and
allow elliptic curves even in SSL 3.0.


More information about the Gnutls-help mailing list