[mod_gnutls-devel] mod-gnutls: Ciphers selection problem ?
Thomas Klute
thomas2.klute at uni-dortmund.de
Fri Dec 8 17:13:44 CET 2017
Am 08.12.2017 um 12:44 schrieb osg at free.fr:
> I have configured this servername with cipher SECURE, and using curl I have this negotiation: TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
> ServerName ssl-secure.tst.osgpcq.net
> GnuTLSPriorities SECURE
> curl -k -v https://ssl-secure.tst.osgpcq.net
> * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
>
>
> If I'm trying to configure an another servername with only one cypher: TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
> ServerName ssl-mono.tst.osgpcq.net
> GnuTLSPriorities NONE:+VERS-TLS-ALL:+ECDHE-RSA:+AES-256-GCM:+SHA384:+COMP-NULL
> curl -k -v https://ssl-mono.tst.osgpcq.net
> * error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
> Curl is not able to negotiate...
>
>
> Could you indicate me if I haven't configured correctly the GnuTLSPriorities or if the problem is elsewhere ?
If I run the 00_basic test of the mod_gnutls test suite with the
GnuTLSPriorities changed to your value, the error log reports this:
[Fri Dec 08 16:50:57.773880 2017] [gnutls:info] [pid 27056:tid
139957247129344] [client ::1:35478] GnuTLS: Handshake Failed (-326) 'No
or insufficient priorities were set.'
There are two problems here:
1) The only MAC algorithm you have allowed is SHA384, but you are using
an AEAD cipher. You have to allow the AEAD MAC algorithm ("+AEAD").
2) Your GnuTLSPriorities do not include any signature algorithm and
group configuration, both of which are required for the handshake. The
GnuTLSPriorities string is passed transparently to the GnuTLS library,
so please check the GnuTLS priority documentation [1] for possible
values. The catch-all solution would be to add "+SIGN-ALL:+GROUP-ALL".
Regards,
Thomas
[1] https://gnutls.org/manual/html_node/Priority-Strings.html
More information about the mod_gnutls-devel
mailing list