[gnutls-help] Renegotiating from ANON to RSA -- Removing all ciphersuites?

Rick van Rein rick at openfortress.nl
Mon Nov 9 23:29:11 CET 2015


Hello,

I'm trying to get optimal TLS privacy by first establishing an ANON-ECDH
connection, and then renegotiating it into an authenticated connection,
such as with an RSA certificate.  This is only done when the application
protocol allows it.

Without the ANON-ECDH precursor, the authenticated connection succeeds. 
Its cli+srv priority string is
NONE:+VERS-TLS-ALL:+VERS-DTLS-ALL:+COMP-NULL:+CIPHER-ALL:+CURVE-ALL:+SIGN-ALL:+MAC-ALL:-ANON-ECDH:+ECDHE-RSA:+DHE-RSA:+ECDHE-ECDSA:+DHE-DSS:+RSA:+CTYPE-X.509:+CTYPE-OPENPGP:+SRP:+SRP-RSA:+SRP-DSS

The ANON-ECDH precursor also works (and moves straight on to
renegotiation).  Its cli+srv priority string is
NONE:+VERS-TLS-ALL:+VERS-DTLS-ALL:+COMP-NULL:+CIPHER-ALL:+CURVE-ALL:+SIGN-ALL:+MAC-ALL:+ANON-ECDH:+ECDHE-RSA:+DHE-RSA:+ECDHE-ECDSA:+DHE-DSS:+RSA:+CTYPE-X.509:+CTYPE-OPENPGP:+SRP:+SRP-RSA:+SRP-DSS

After the ANON-ECDH precursor, the renegotiated / authenticated
connection (with the former priority string) fails.  It lists "Removing
ciphersuite" for all ciphersuites (note that ANON-ECDH is not provided
for any longer).  The GnuTLS code for sending the ClientHello suggests
that this is based on the KX supported by the certificate, which I
imagine must refer to the pre-renegotiation (so ANON-ECDH) precursor
certificate.  No KX would match with that (lack of a) certificate, of
course.  The result is GNUTLS_E_INSUFFICIENT_CRED and a breakdown of
communication.  IIRC.

I wonder if there is a way to have this "anonymous precursor" with
GnuTLS, or whether I am overlooking something?
I'm working with GnuTLS 3.2.21.

Thanks,
 -Rick
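
The sketch below is an added example, not part of the original post and not GnuTLS code: a simplified model of dropping every ciphersuite whose key exchange has no matching credentials on the session, run over the two priority strings quoted above. The KX-to-credential table and the function names are assumptions made for illustration.

```python
# Added illustration: simplified model, not GnuTLS source code.
# Assumption: each key exchange needs one client-side credential type, named
# after GnuTLS's GNUTLS_CRD_ANON / GNUTLS_CRD_CERTIFICATE / GNUTLS_CRD_SRP.
KX_CLIENT_CRED = {
    "ANON-ECDH": "ANON", "ANON-DH": "ANON",
    "ECDHE-RSA": "CERTIFICATE", "DHE-RSA": "CERTIFICATE",
    "ECDHE-ECDSA": "CERTIFICATE", "DHE-DSS": "CERTIFICATE",
    "RSA": "CERTIFICATE",
    "SRP": "SRP", "SRP-RSA": "SRP", "SRP-DSS": "SRP",
}

# The two priority strings from the post differ only in the ANON-ECDH sign.
BASE = ("NONE:+VERS-TLS-ALL:+VERS-DTLS-ALL:+COMP-NULL:+CIPHER-ALL:+CURVE-ALL:"
        "+SIGN-ALL:+MAC-ALL:{anon}ANON-ECDH:+ECDHE-RSA:+DHE-RSA:+ECDHE-ECDSA:"
        "+DHE-DSS:+RSA:+CTYPE-X.509:+CTYPE-OPENPGP:+SRP:+SRP-RSA:+SRP-DSS")
PRECURSOR = BASE.format(anon="+")
AUTHENTICATED = BASE.format(anon="-")


def enabled_kx(priority):
    """Return the key exchanges a priority string leaves enabled, in order."""
    kx = []
    for tok in priority.split(":"):
        if tok == "NONE":
            kx.clear()
            continue
        sign, name = tok[:1], tok[1:]
        if name not in KX_CLIENT_CRED:
            continue  # versions, ciphers, MACs, curves are not modelled
        if sign == "+" and name not in kx:
            kx.append(name)
        elif sign in ("-", "!") and name in kx:
            kx.remove(name)
    return kx


def filter_by_credentials(priority, creds_set):
    """Split enabled KX into (kept, removed) given the credential types set."""
    kept, removed = [], []
    for name in enabled_kx(priority):
        (kept if KX_CLIENT_CRED[name] in creds_set else removed).append(name)
    return kept, removed


if __name__ == "__main__":
    for label, prio, creds in [("precursor", PRECURSOR, {"ANON"}),
                               ("renegotiation", AUTHENTICATED, {"ANON"}),
                               ("renegotiation", AUTHENTICATED, {"CERTIFICATE"})]:
        kept, removed = filter_by_credentials(prio, creds)
        print(f"{label:14} creds={sorted(creds)} kept={kept} removed={removed}")
```

In this model, a session that only carries anonymous credentials keeps nothing from the authenticated priority string, which matches the "every suite removed" symptom; whether that is what happens inside GnuTLS 3.2.21 during renegotiation is not established by the post.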


