[gnutls-help] Problem with https://archive.org

Lluís Batlle i Rossell viric at viric.name
Wed May 29 22:17:28 CEST 2013


On Wed, May 29, 2013 at 09:13:00PM +0200, Nikos Mavrogiannopoulos wrote:
> On 05/17/2013 11:00 PM, Lluís Batlle i Rossell wrote:
> > I tried gnutls 3.1 and 3.2.0 on https://archive.org (with wget and gnutls-cli),
> > and both give me:
> > Connecting to www.archive.org|207.241.224.2|:443... connected.
> > GnuTLS: Could not negotiate a supported cipher suite.
> > Unable to establish SSL connection.
> > Enabling "EXPORT" in --priority (a friend helped me with that), made gnutls
> > choose:
> > |<3>| HSK[0x7a9ec0]: Selected cipher suite: RSA_AES_128_CBC_SHA1
> 
> Interesting. This server negotiates C0.13 (which is
> ECDHE-RSA-AES256-SHA), and selects SSL 3.0. This ciphersuite is only
> defined for TLS 1.0 or later and that's why gnutls rejects it and closes
> the connection.
> 
> This was a bug of a particular openssl version on Debian.
> 
> If this is a widespread issue we may try to work around it in gnutls and
> allow elliptic curves even in SSL 3.0.

Thank you for the analysis!

Is there anything I can do (env vars, config files) to tweak that gnutls
behaviour so it could connect with a reasonable ciphersuite?

Regards,
Lluís.
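
The consistency check described in the quoted analysis (an elliptic-curve suite selected together with SSL 3.0), as an added example that is not GnuTLS code and not part of the original thread. The function and enum names are hypothetical, the ServerHello bytes are constructed, the ServerHello is assumed to arrive in a single unfragmented record, and the ECC code-point range 0xC001..0xC019 is the one assigned by RFC 4492.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum hello_check { HELLO_OK = 0, HELLO_MALFORMED = -1, HELLO_ECC_BELOW_TLS10 = -2 };

/* Constructed ServerHello records (zeroed random, empty session id).
   Both select suite C0.13; only the negotiated version differs. */
static const uint8_t hello_ssl30[47] = {
    0x16, 0x03, 0x00, 0x00, 0x2a,   /* record: handshake, 42 bytes       */
    0x02, 0x00, 0x00, 0x26,         /* ServerHello, 38-byte body         */
    0x03, 0x00,                     /* server_version = SSL 3.0          */
    [43] = 0x00, 0xc0, 0x13, 0x00   /* sid length, cipher suite, compr.  */
};
static const uint8_t hello_tls10[47] = {
    0x16, 0x03, 0x01, 0x00, 0x2a, 0x02, 0x00, 0x00, 0x26,
    0x03, 0x01, [43] = 0x00, 0xc0, 0x13, 0x00   /* same, but TLS 1.0 */
};

/* Parse one ServerHello record and reject an RFC 4492 ECC suite
   (0xC001..0xC019) when the negotiated version is below TLS 1.0. */
static int check_server_hello(const uint8_t *r, size_t len,
                              uint16_t *version, uint16_t *suite)
{
    if (len < 9 || r[0] != 0x16 || r[5] != 0x02)
        return HELLO_MALFORMED;
    size_t rec_len = ((size_t)r[3] << 8) | r[4];
    size_t hs_len = ((size_t)r[6] << 16) | ((size_t)r[7] << 8) | r[8];
    if (rec_len + 5 > len || hs_len + 4 > rec_len || hs_len < 2 + 32 + 1)
        return HELLO_MALFORMED;
    const uint8_t *body = r + 9;          /* version, random[32], sid... */
    size_t sid_len = body[34];
    if (sid_len > 32 || 35 + sid_len + 3 > hs_len)
        return HELLO_MALFORMED;
    *version = (uint16_t)((body[0] << 8) | body[1]);
    *suite = (uint16_t)((body[35 + sid_len] << 8) | body[36 + sid_len]);
    if (*suite >= 0xC001 && *suite <= 0xC019 && *version < 0x0301)
        return HELLO_ECC_BELOW_TLS10;
    return HELLO_OK;
}

int main(void)
{
    uint16_t v = 0, s = 0;
    int rc = check_server_hello(hello_ssl30, sizeof hello_ssl30, &v, &s);
    printf("version=%04x suite=%04x -> %d\n", (unsigned)v, (unsigned)s, rc);
    return rc == HELLO_ECC_BELOW_TLS10 ? 0 : 1;
}
```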


