[Help-gnutls] Re: gnutls_handshake fails with an alert

help-gnutls

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Help-gnutls] Re: gnutls_handshake fails with an alert

From:	Simon Josefsson
Subject:	[Help-gnutls] Re: gnutls_handshake fails with an alert
Date:	Mon, 22 Oct 2007 07:51:39 +0200
User-agent:	Gnus/5.110007 (No Gnus v0.7) Emacs/22.1 (gnu/linux)

Sam Varshavchik <address@hidden> writes:

> Nikos Mavrogiannopoulos writes:
>
>> On Saturday 20 October 2007, Sam Varshavchik wrote:
>>> I've taken the "Simple client example" from the 1.6.3 pages, and supplied a
>>> tcp_connect() that connects to ssl-enabled apache on localhost. Running the
>>> code results in:
>>>
>>> *** Handshake failed
>>> GNUTLS ERROR: A TLS fatal alert has been received.
>>
>> What you say doesn't help anyone who might want to help. It can be
>> an error in your tcp functions, or you might be using the anonymous
>> client to connect to a X.509 authenticated server.
>
> No, I'm running a default Apache install with mod_ssl.
>
> I finally ended up looking at elinks's source to see how it sets up
> gnutls. It turned out that I needed to create a
> gnutls_certificate_credentials_t using
> gnutls_certificate_allocate_credentials(), and put it into the session
> using gnutls_credentials_set(). Once I did that, the example given in
> the info docs worked correctly, both with my stock Apache, and other
> external SSL servers.
>
> I am NOT using X.509 authentication, I'm running just a basic,
> plain-vanilla Apache+mod_ssl, using a self-signed test cert, without
> any X.509 authentication set up. It looks to me like the simple client
> example won't really work with garden-variety SSL servers. Looks like
> I need to put a GNUTLS_CRD_CERTIFICATE into a client session structure
> even if the server does not use or require X.509 authentication, in
> order for the handshake to work. I couldn't find anything in info docs
> that pointed me in that direction, I had to look at some other code to
> figure it out.

I believe that Apache/mod_ssl requires X.509, and refuses to handshake
an anonymous cipher.  There is a simple X.509 client GnuTLS example:

http://www.gnu.org/software/gnutls/manual/html_node/Simple-client-example-with-X_002e509-certificate-support.html

Generally, there are many servers out there that refuses to negotiate
anonymous ciphers.  So you typically need to configure X.509 to use TLS,
even if it is just a self-signed test cert.

/Simon

[Prev in Thread]

Current Thread

[Next in Thread]

[Help-gnutls] gnutls_handshake fails with an alert, Sam Varshavchik, 2007/10/20
- Re: [Help-gnutls] gnutls_handshake fails with an alert, Nikos Mavrogiannopoulos, 2007/10/21
  - Re: [Help-gnutls] gnutls_handshake fails with an alert, Sam Varshavchik, 2007/10/21
    - [Help-gnutls] Re: gnutls_handshake fails with an alert, Simon Josefsson <=
    - Re: [Help-gnutls] gnutls_handshake fails with an alert, Nikos Mavrogiannopoulos, 2007/10/22

Prev by Date: Re: [Help-gnutls] gnutls_handshake fails with an alert
Next by Date: Re: [Help-gnutls] gnutls_handshake fails with an alert
Previous by thread: Re: [Help-gnutls] gnutls_handshake fails with an alert
Next by thread: Re: [Help-gnutls] gnutls_handshake fails with an alert
Index(es):
- Date
- Thread