[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: gnutls-cli fails to handshake with Exchange server that uses DES-CBC
|
From: |
Thomas Fitzsimmons |
|
Subject: |
Re: gnutls-cli fails to handshake with Exchange server that uses DES-CBC3-SHA cipher |
|
Date: |
Thu, 29 Mar 2012 20:22:31 -0400 |
|
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/23.1.50 (gnu/linux) |
Hi Nikos,
Emacs allows overriding the default GnuTLS priority string using a
variable (gnutls-algorithm-priority) so I set it to "performance" to
work around this server-side issue. In cases where Emacs would
otherwise fail to connect to a server because of a weak ciphersuite
maybe the UI should warn the user and ask them whether or not to
proceed. Anyway, thanks for analyzing the logs.
Thomas
Nikos Mavrogiannopoulos <address@hidden> writes:
> Thank you. It seems however that the server you're talking to isn't a
> valid TLS server. If you check the negotiation in the attached files,
> gnutls suggests some ciphersuites and the server decides to use one
> outside the suggested set. Moreover the server decided ciphersuite is
> an insecure one using DES-56bit. I don't know if it is configuration
> issue (i.e. somebody configured the server to intentionally negotiate
> a weak ciphersuite), or bug. In both cases I'd suggest to keep away
> from this server. If you cannot then just find a priority string that
> works for this server and use it. It is broken and there is nothing we
> can do in gnutls to fix it.
>
> If openssl negotiates with this server it means that it accepts weak
> ciphersuites, something that we don't do unless explicitly instructed.
>
> regards,
> Nikos
>
> On Tue, Mar 27, 2012 at 12:13 AM, Thomas Fitzsimmons
> <address@hidden> wrote:
>> Nikos Mavrogiannopoulos <address@hidden> writes:
>>
>>> On 03/24/2012 10:57 PM, Thomas Fitzsimmons wrote:
>>>
>>>> Hi,
>>>> gnutls-cli --verbose --debug 10 --port 993 "<imap_hostname>"
>>>> fails to handshake with my Exchange server, whereas
>>>> openssl s_client -debug -port 993 -host "<imap_hostname>"
>>>> succeeds. OpenSSL reports that the server is using the DES-CBC3-SHA
>>>> cipher.
>>>> For background on this issue see:
>>>> http://debbugs.gnu.org/cgi/bugreport.cgi?bug=10904#14
>>>
>>>
>>> Hello,
>>> The comment below in the thread is very interesting. Could you send me
>>> a capture of a failed handshake?
>>>
>>>> gnutls.c: [1] Received unexpected handshake message 'CERTIFICATE'
>>>> (11). Expected 'SERVER HELLO' (2)
>>
>> Yes, attached the redacted output of:
>>
>> ./gnutls-cli --debug 10 --verbose --port 993 <imap_hostname>
>>
>> from gnutls HEAD.
>>
>>> Do priority strings like the ones below help?
>>> http://www.gnu.org/software/gnutls/manual/html_node/Interoperability.html
>>
>> Also attached the redacted output after adding:
>>
>> 1. --priority "NORMAL:%COMPAT"
>> 2. --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:+VERS-SSL3.0:%COMPAT"
>> 3. --priority
>> "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:+VERS-SSL3.0:-CIPHER-ALL:+ARCFOUR-128:%COMPAT"
>>
>> The third priority setting works by using ARCFOUR-128.
>>
>> Thomas