[gnutls-help] Fwd: TLS1.2 fail, Could not negotiate a supported cipher suite,

Nikos Mavrogiannopoulos nmav at gnutls.org
Sun Oct 27 19:35:50 CET 2013


On 10/17/2013 11:11 PM, Peter Gervai wrote:

> Regardless of the numerous advice to recompile exim to use openssl I'm
> rather here. :-) I kind of avoided the problem but it's not
> perfect.... later on that.
> A mailserver running Exim on Debian stable (wheezy) acts unfriendly
> towards TLS users, and spews too many "Could not negotiate a supported
> cipher suite." errors.
> Exim is 4.80-7 (exim4-daemon-heavy) and libgnutls26 is 2.12.20-7. The
> problem is that this is the same as many other servers running happily
> and without significant problems.

Hello Peter,
 This is a very old libgnutls version. It also looks like it is
custom-patched, as the lines of code in the log you attach below don't
correspond to lines in any released version. I'd suggest upgrading to the
most recent gnutls version.

> The problem is the "same old" problem that happens from time to time to
> gnutls installs: certs generated by openssl. These certs may work, or
> may not work, or somewhere in between, generating various horrible side
> effects, including the one you have observed above. These otherwise
> work perfectly with anything which is not gnutls. ;-)

Are you sure you are not in one of the cases below?
http://www.gnutls.org/faq.html

There are implementations that ignore the flags in a certificate. GnuTLS
doesn't. Why set flags there if you don't want them to be used?

> The solution was partly helped by
> gnutls-serv --debug 5 --port 1234 --x509keyfile server.key
> --x509certfile server.crt
> but only partially, since it's almost impossible to figure out what the
> bloody message means:
> Could not find an appropriate certificate: Insufficient credentials
> for that request.

It means there is an issue in the credentials entered (in your case
certificate). Most probably the certificate you are using doesn't allow
for the TLS ciphersuites you are using.

> I guess now (after knowing the solution) that it would like to convey
> the message that the certificate does not allow the method I try to
> use it for, or that it is missing the required extension (for example
> "Key Encipherment"), or that the extension is not understood by
> gnutls. If I knew that I would have suspected problems with the
> certificate. But the message is so cryptic that not even
> google-my-friend was able to figure it out. (Partially helped by
> gnutls documentation which says not a word more explaining the
> problem.)

OK, it seems you figured it out. You are in case
http://www.gnutls.org/faq.html#key-usage-violation
I'll add another faq entry for the server side.

In order to use the RSA ciphersuites in TLS your certificate must either
have no key usage extension or, if it has one, it must allow Key
Encipherment. When you generate a certificate with certtool it should
mention that this is needed.

regards,
Nikos
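The check Nikos describes, written out as an added example (this is not GnuTLS code and not anything from the thread): a small stdlib-only DER walker that decodes the X.509 KeyUsage extension (OID 2.5.29.15, RFC 5280 4.2.1.3) and maps the bits to the TLS key exchanges an RSA-keyed certificate may be used for. Plain RSA key transport (TLS_RSA_*) needs keyEncipherment, because the client encrypts the premaster secret to the certificate's public key; DHE-RSA and ECDHE-RSA suites sign the ServerKeyExchange instead and so need digitalSignature. A certificate with no KeyUsage extension at all imposes no restriction, which is why such certificates "just work". The DER byte strings below are hand-constructed for the example, not taken from a real certificate, and the function and constant names are my own.

```python
"""Decode an X.509 KeyUsage extension and report which TLS key exchanges an
RSA-keyed certificate permits.  Added example; not GnuTLS or Exim code."""

# RFC 5280 4.2.1.3: KeyUsage ::= BIT STRING.  Bit 0 is the most significant
# bit of the first content byte after the unused-bits count.
KEY_USAGE_BITS = [
    "digitalSignature",   # bit 0
    "nonRepudiation",     # bit 1 (contentCommitment)
    "keyEncipherment",    # bit 2
    "dataEncipherment",   # bit 3
    "keyAgreement",       # bit 4
    "keyCertSign",        # bit 5
    "cRLSign",            # bit 6
    "encipherOnly",       # bit 7
    "decipherOnly",       # bit 8
]

KEY_USAGE_OID = bytes.fromhex("551d0f")   # DER content of OID 2.5.29.15


def _read_tlv(buf, pos):
    """Minimal DER TLV reader: returns (tag, value_bytes, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER value runs past end of buffer")
    return tag, buf[pos:end], end


def decode_key_usage_bitstring(der):
    """Decode a DER BIT STRING (tag 0x03) into the set of KeyUsage names."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x03 or not body:
        raise ValueError("not a BIT STRING")
    unused = body[0]
    if unused > 7:
        raise ValueError("invalid unused-bits count")
    bits = body[1:]
    total_bits = len(bits) * 8 - unused
    usages = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        if i >= total_bits:
            break
        if bits[i // 8] & (0x80 >> (i % 8)):
            usages.add(name)
    return usages


def parse_key_usage_extension(ext_der):
    """Parse one Extension SEQUENCE { extnID, critical OPTIONAL, extnValue }.
    Returns (critical, usages), or None if the extension is not KeyUsage."""
    tag, seq, _ = _read_tlv(ext_der, 0)
    if tag != 0x30:
        raise ValueError("extension is not a SEQUENCE")
    tag, oid, pos = _read_tlv(seq, 0)
    if tag != 0x06:
        raise ValueError("expected extnID OID")
    if oid != KEY_USAGE_OID:
        return None
    critical = False
    tag, val, pos = _read_tlv(seq, pos)
    if tag == 0x01:                        # optional BOOLEAN critical
        critical = val == b"\xff"
        tag, val, pos = _read_tlv(seq, pos)
    if tag != 0x04:
        raise ValueError("expected extnValue OCTET STRING")
    return critical, decode_key_usage_bitstring(val)


def allowed_key_exchanges(usages):
    """Key exchanges usable with an RSA-keyed certificate.  None means the
    certificate carries no KeyUsage extension, so nothing is restricted."""
    if usages is None:
        return {"RSA", "DHE-RSA", "ECDHE-RSA"}
    allowed = set()
    if "keyEncipherment" in usages:        # client encrypts premaster secret
        allowed.add("RSA")
    if "digitalSignature" in usages:       # server signs ServerKeyExchange
        allowed.update({"DHE-RSA", "ECDHE-RSA"})
    return allowed


# Constructed sample extensions (hand-encoded DER, not from a real cert):
#   critical, digitalSignature + keyEncipherment  -> bits 0 and 2 -> 0xa0
SIGN_AND_ENCIPHER_KU = bytes.fromhex("300e0603551d0f0101ff0404030205a0")
#   critical, digitalSignature only               -> 0x80, 7 unused bits
SIGN_ONLY_KU = bytes.fromhex("300e0603551d0f0101ff040403020780")


def diagnose(ext_der):
    """One-line verdict for a KeyUsage extension (None = no extension)."""
    usages = None if ext_der is None else parse_key_usage_extension(ext_der)[1]
    kx = allowed_key_exchanges(usages)
    if "RSA" not in kx:
        return "TLS_RSA_* suites refused (no keyEncipherment); usable: " + ", ".join(sorted(kx))
    return "usable key exchanges: " + ", ".join(sorted(kx))


if __name__ == "__main__":
    for label, ext in [("no KeyUsage", None),
                       ("sign+encipher", SIGN_AND_ENCIPHER_KU),
                       ("sign only", SIGN_ONLY_KU)]:
        print(f"{label:14s} {diagnose(ext)}")
```

A server whose certificate decodes like SIGN_ONLY_KU will fail exactly the way the thread describes whenever the client offers only TLS_RSA_* suites: the library has no credential that satisfies the request. Regenerating the certificate with keyEncipherment set, or dropping the extension, are the two fixes the reply names.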
