[gnutls-help] gnutls-3.3.12 problems with Apple Push Notifications

Matt Harvey mharvey at gmail.com
Tue Jan 27 22:26:22 CET 2015


I was wondering if anyone has used gnutls for Apple Push Notifications?

I am trying to use gnutls-cli to establish a connection with
gateway.sandbox.push.apple.com:2195 but am encountering the following error:

Received alert [46]: Unknown certificate

I can successfully connect with openssl, which would suggest my
key/certificate is OK and perhaps I need to specify a particular gnutls
priority string?

openssl connection info:

New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA


And here's a subset of gnutls-cli output with debugging on:

|<5>| REC[0xa1d7e60]: SSL 3.1 Alert packet received. Epoch 0, length: 2
|<5>| REC[0xa1d7e60]: Expected Packet Handshake(22)
|<5>| REC[0xa1d7e60]: Received Packet Alert(21) with length: 2
|<10>| READ: Got 2 bytes from 0x4
|<10>| READ: read 2 bytes from 0x4
|<10>| RB: Have 5 bytes into buffer. Adding 2 bytes.
|<10>| RB: Requested 7 bytes
|<5>| REC[0xa1d7e60]: Decrypted Packet[3] Alert(21) with length: 2
|<5>| REC[0xa1d7e60]: Alert[2|46] - Unknown certificate - was received
|<3>| ASSERT: gnutls_record.c:795
|<3>| ASSERT: gnutls_record.c:802
|<3>| ASSERT: gnutls_record.c:1322
|<3>| ASSERT: gnutls_buffers.c:1392
|<3>| ASSERT: gnutls_handshake.c:1428
|<3>| ASSERT: session_ticket.c:663
|<3>| ASSERT: gnutls_handshake.c:2834
*** Fatal error: A TLS fatal alert has been received.
*** Received alert [46]: Unknown certificate
|<5>| REC: Sending Alert[2|80] - Internal error
|<5>| REC[0xa1d7e60]: Preparing Packet Alert(21) with length: 2 and min pad: 0
|<9>| ENC[0xa1d7e60]: cipher: AES-128-CBC, MAC: SHA1, Epoch: 1
|<11>| WRITE: enqueued 37 bytes for 0x4. Total 37 bytes.
|<11>| WRITE FLUSH: 37 bytes in buffer.
|<2>| errno: 32
|<3>| ASSERT: gnutls_buffers.c:224
|<11>| WRITE error: code -53, 37 bytes left.
|<3>| ASSERT: gnutls_buffers.c:706
|<3>| ASSERT: gnutls_record.c:566
*** Handshake has failed
GnuTLS error: A TLS fatal alert has been received.



gnutls-cli-debug --port=2195 gateway.sandbox.push.apple.com
Warning: getservbyport() failed. Using port number as service.
GnuTLS debug client 3.3.12
Checking gateway.sandbox.push.apple.com:2195
unknown protocol 2195
                             for SSL 3.0 (RFC6101) support... no
unknown protocol 2195
                        whether %NO_EXTENSIONS is required... yes
unknown protocol 2195
                               whether %COMPAT is required... yes
unknown protocol 2195
                             for TLS 1.0 (RFC2246) support... no
unknown protocol 2195
 for TLS 1.0 (RFC2246) support with TLS 1.0 record version... no
unknown protocol 2195
                             for TLS 1.1 (RFC4346) support... no
unknown protocol 2195
                                  fallback from TLS 1.1 to... failed

Server does not support any of SSL 3.0, TLS 1.0 and TLS 1.1 and TLS 1.2
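
Added example, not part of the original post: a small Python triage helper that pulls the `Alert[level|description]` entries out of a gnutls-cli debug trace like the one above and reports, for each, whether it was received from the peer or sent locally, with the RFC 5246 names. The function names are hypothetical, the description table is a subset, and the sample lines are copied from the trace in the post.

```python
import re

# TLS alert levels and a subset of descriptions from RFC 5246, section 7.2.
LEVELS = {1: "warning", 2: "fatal"}
DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown",
    48: "unknown_ca", 49: "access_denied", 70: "protocol_version",
    80: "internal_error",
}

# Matches both forms that appear in the trace:
#   REC[0x...]: Alert[2|46] - Unknown certificate - was received
#   REC: Sending Alert[2|80] - Internal error
ALERT_RE = re.compile(
    r"\|<\d+>\| REC(?:\[0x[0-9a-f]+\])?: (Sending )?Alert\[(\d+)\|(\d+)\]"
)

def parse_alerts(log_text):
    """Return one dict per alert record, in the order they appear in the log."""
    alerts = []
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # e.g. "Received Packet Alert(21)" is a record type, not an alert body
        level, desc = int(m.group(2)), int(m.group(3))
        alerts.append({
            "direction": "sent" if m.group(1) else "received",
            "level": LEVELS.get(level, f"unknown({level})"),
            "description": DESCRIPTIONS.get(desc, f"unknown({desc})"),
        })
    return alerts

def first_fatal(alerts):
    """The first fatal alert ends the handshake; later alerts are reactions to it."""
    return next((a for a in alerts if a["level"] == "fatal"), None)

# Lines copied from the debug output in the post above.
SAMPLE_LOG = """\
|<5>| REC[0xa1d7e60]: Received Packet Alert(21) with length: 2
|<5>| REC[0xa1d7e60]: Decrypted Packet[3] Alert(21) with length: 2
|<5>| REC[0xa1d7e60]: Alert[2|46] - Unknown certificate - was received
|<5>| REC: Sending Alert[2|80] - Internal error
"""

if __name__ == "__main__":
    for alert in parse_alerts(SAMPLE_LOG):
        print(alert)
```

On this trace the first fatal alert is a received `certificate_unknown`, so it was raised by the server; the `internal_error` alert is the client's own response afterwards.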