Andreas Metzler <ametz...@downhill.at.eu.org> writes:

> On 2011-08-20 "Andrew M. Bishop" <a...@gedanken.demon.co.uk> wrote:
> [...]
>> There seems to be a bug with gnutls on the latest Debian (version
>> 2.12.7-6 for me). Taking the example code from the gnutls
>> documentation and compiling it gives me an SSL server that will not
>> accept connections from Iceweasel, wget or the example client from the
>> same gnutls documentation.
>
>> http://www.gnu.org/software/gnutls/manual/html_node/Echo-Server-with-X_002e509-authentication.html
>> http://www.gnu.org/software/gnutls/manual/html_node/Simple-client-example-with-X_002e509-certificate-support.html
> [...]
>> When run the server says:
>
>> | Server ready. Listening to port '5556'.
>> |
>> | - connection from 127.0.0.1, port 34901
>> | *** Handshake has failed (Could not negotiate a supported cipher suite.)
>
>> and the client says:
>
>> | *** Handshake failed
>> | GnuTLS error: A TLS packet with unexpected length was received.
> [...]
>
> I do not have WWWOFFLE or its certificates installed, but the example
> code does work with 2.12.7-6. I have just run it unmodified using an
> example certificate. - example-client, gnutls-cli (-debug) and openssl
> s_client all managed to connect.
When I create a CA certificate and a server certificate using certtool
I can also make the test programs run. The certtool commands that I
used were:

  certtool --generate-privkey --outfile ca-key.pem
  certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca-cert.pem
  certtool --generate-privkey --outfile key.pem
  certtool --generate-certificate --load-privkey key.pem --outfile cert.pem \
           --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem

(When certtool ran I pressed return for most prompts but ensured that
the CA certificate was enabled as a CA and for signing certificates and
that the other certificate was enabled for web server authentication.)

I can verify the server certificate like this:

  $ cat cert.pem ca-cert.pem | certtool --verify-chain
  Certificate[0]:
          Issued by:
          Verifying against certificate[1].
          Verification output: Verified.

  Certificate[1]:
          Issued by:
          Verification output: Verified.

  Chain verification output: Verified.

> I get the "Could not negotiate a supported cipher suite." if the
> example server cannot read/find/access the necessary cert bit (ca,
> key and cert.)

Yes, I am sorry to say that this was the problem. The WWWOFFLE server
private keys are not readable by my user. When I run the test server
as root then it works with the WWWOFFLE certificates.

One thing that I noticed during the debugging of this problem is that
the newly created certificates (above) are described by certtool as
"Version: 3" but the WWWOFFLE ones are "Version: 1". If I do this:

  certtool --certificate-info < /var/spool/wwwoffle/certificates/root/root-cert.pem

then it does not say that it is a CA certificate. When I use an older
version of certtool then it does say that the file is a CA certificate.
There seems to be a difference in the behaviour of certtool since older
versions.
I can verify the WWWOFFLE certificates in the same way as above to
confirm that I have a server certificate and the correct CA for it:

  $ cat /var/spool/wwwoffle/certificates/server/localhost-cert.pem \
        /var/spool/wwwoffle/certificates/root/root-cert.pem \
        | certtool --verify-chain
  Certificate[0]: O=WWWOFFLE,OU=Server Certificate,CN=localhost
          Issued by: O=WWWOFFLE,OU=Certificate Authority,CN=WWWOFFLE
          Verifying against certificate[1].
          Verification output: Verified.

  Certificate[1]: O=WWWOFFLE,OU=Certificate Authority,CN=WWWOFFLE
          Issued by: O=WWWOFFLE,OU=Certificate Authority,CN=WWWOFFLE
          Verification output: Verified.

  Chain verification output: Verified.

In another e-mail you tried installing WWWOFFLE and running it and it
worked for you. I tried deleting all my certificates and repeating the
test that you did but it still crashes (segmentation fault) in the
gnutls_handshake() function. There is still a problem between WWWOFFLE
and gnutls. As the author of WWWOFFLE I can be certain that nothing has
changed in the way that it handles certificates for quite a long time
but HTTPS has only just stopped working. Going back to the original
(not Debian) version 2.9g WWWOFFLE source code and compiling from
scratch also crashes.

-- 
Andrew.
----------------------------------------------------------------------
Andrew M. Bishop                             a...@gedanken.demon.co.uk
                                       http://www.gedanken.demon.co.uk/
WWWOFFLE users page:
    http://www.gedanken.demon.co.uk/wwwoffle/version-2.9/user.html
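The failure mode diagnosed in this message (credential files present but unreadable by the user running the server, which GnuTLS reports only as a cipher-suite negotiation failure, while the same files work as root) can be caught before the server starts. The following pre-flight check is an added example, not code from the thread, WWWOFFLE or GnuTLS; the function names, the script name and the three-path argument order are assumptions, and verify_chain reuses the certtool --verify-chain command shown above, so it needs certtool installed.

```sh
#!/bin/sh
# Added example (not from the thread, WWWOFFLE or GnuTLS): confirm that the
# CA certificate, server certificate and private key a GnuTLS server will
# load exist, are readable by the invoking user and hold PEM data, because
# an unreadable key surfaces only as "Could not negotiate a supported
# cipher suite" at handshake time and is masked when the server runs as root.

check_cred_file() {
    # $1 = path, $2 = label. Returns 0 if the file exists, is a regular
    # file, is readable by the current user and contains a PEM block.
    path=$1; label=$2
    if [ ! -f "$path" ]; then
        echo "$label: $path does not exist or is not a regular file" >&2
        return 1
    fi
    if [ ! -r "$path" ]; then
        echo "$label: $path is not readable by $(id -un): $(ls -l "$path")" >&2
        return 1
    fi
    if ! grep -q -- '-----BEGIN' "$path"; then
        echo "$label: $path contains no PEM block" >&2
        return 1
    fi
    return 0
}

check_credentials() {
    # $1 = CA certificate, $2 = server certificate, $3 = server private key.
    # Checks all three so every problem is reported, then fails if any did.
    rc=0
    check_cred_file "$1" "CA certificate" || rc=1
    check_cred_file "$2" "server certificate" || rc=1
    check_cred_file "$3" "server private key" || rc=1
    return "$rc"
}

verify_chain() {
    # $1 = server certificate, $2 = CA certificate. The same chain check the
    # thread runs by hand; needs certtool, so it is kept apart from the
    # permission checks above, which have no dependencies.
    cat "$1" "$2" | certtool --verify-chain
}

# Usage (script name assumed): sh check-creds.sh ca-cert.pem cert.pem key.pem
if [ $# -eq 3 ]; then
    check_credentials "$1" "$2" "$3" && verify_chain "$2" "$1"
fi
```

Run it as the same unprivileged user the server will run as; running it as root hides exactly the permission problem it is meant to find.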