help-gnutls

Re: gnutls claims a disabled algorithm was negotiated


From: Nikos Mavrogiannopoulos
Subject: Re: gnutls claims a disabled algorithm was negotiated
Date: Sat, 01 Sep 2012 10:31:55 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.6esrpre) Gecko/20120805 Icedove/10.0.6

On 09/01/2012 01:42 AM, brian m. carlson wrote:

> I've recently moved my mail server to running postfix, and as a result,
> am now able to provide an EC key and certificate for TLS (the
> certificate is signed by my local RSA CA).  However, when I try to
> connect to postfix either using gnutls-cli or mutt (linked against
> 3.0.22), gnutls provides the following error:
> 
> *** Fatal error: An algorithm that is not enabled was negotiated.
> 
> This seems odd to me, since OpenSSL is very happy to make the
> connection (as the client), and the algorithm that was negotiated is
> ECDHE_ECDSA_AES_128_GCM_SHA256, which I'm pretty sure both GnuTLS and
> OpenSSL support.  It also is odd that the complaint doesn't happen until
> GnuTLS tries to verify the signature; shouldn't it die sooner if the
> server picks an algorithm that it doesn't support?


Interesting case.
> |<3>| HSK[0x188ae60]: Selected ECC curve SECP384R1 (3)
> |<3>| HSK[0x188ae60]: verify handshake data: using ECDSA-SHA256
> |<2>| ASSERT: gnutls_sig.c:365

I suppose that your server's certificate uses the SECP384R1 curve; is
that right? In that case the server should have used the SHA-384 or
SHA-512 hash algorithms (see
http://tools.ietf.org/html/rfc5480#section-4 ). However, your server used
SHA-256 instead, and that's why gnutls complains.

Is that the case?

regards,
Nikos
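The curve/hash pairing Nikos points to can be checked mechanically against the gnutls-cli debug lines Brian posted. The following is an added example, not code from the thread or from GnuTLS: it parses the "Selected ECC curve" and "verify handshake data" lines and flags a hash that is weaker than RFC 5480 section 4 pairs with the curve (the minimum-bits table and the sample log lines are assumptions constructed for this example).

```python
import re

# Minimum digest length in bits that RFC 5480 section 4 pairs with each curve,
# as Nikos describes: P-384 expects SHA-384 or stronger. (Assumed mapping.)
CURVE_MIN_HASH_BITS = {"SECP256R1": 256, "SECP384R1": 384, "SECP521R1": 512}
HASH_BITS = {"SHA1": 160, "SHA224": 224, "SHA256": 256, "SHA384": 384, "SHA512": 512}

CURVE_RE = re.compile(r"Selected ECC curve (\w+)")
SIG_RE = re.compile(r"verify handshake data: using ECDSA-(SHA\d+)")


def parse_gnutls_log(lines):
    """Pull the negotiated curve and the handshake-signature hash out of
    gnutls-cli debug output. Returns (curve, hash) with None for missing parts."""
    curve = sig_hash = None
    for line in lines:
        m = CURVE_RE.search(line)
        if m:
            curve = m.group(1)
        m = SIG_RE.search(line)
        if m:
            sig_hash = m.group(1)
    return curve, sig_hash


def check_pairing(curve, sig_hash):
    """Return (ok, explanation) for a curve/hash combination."""
    if curve not in CURVE_MIN_HASH_BITS:
        return False, "unknown or non-EC curve: %s" % curve
    if sig_hash not in HASH_BITS:
        return False, "unknown hash: %s" % sig_hash
    need, got = CURVE_MIN_HASH_BITS[curve], HASH_BITS[sig_hash]
    if got < need:
        return False, ("%s needs a hash of at least %d bits (RFC 5480 section 4); "
                       "server signed with %s (%d bits)" % (curve, need, sig_hash, got))
    return True, "%s with %s is consistent with RFC 5480 section 4" % (curve, sig_hash)


# Constructed sample: the two debug lines from the report, with a made-up handle.
SAMPLE_LOG = [
    "|<3>| HSK[0xdeadbeef]: Selected ECC curve SECP384R1 (3)",
    "|<3>| HSK[0xdeadbeef]: verify handshake data: using ECDSA-SHA256",
]

if __name__ == "__main__":
    ok, why = check_pairing(*parse_gnutls_log(SAMPLE_LOG))
    print("OK" if ok else "MISMATCH", "-", why)
```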
