On Wed, May 29, 2013 at 09:13:00PM +0200, Nikos Mavrogiannopoulos wrote:
> On 05/17/2013 11:00 PM, Lluís Batlle i Rossell wrote:
> > I tried gnutls 3.1 and 3.2.0 on https://archive.org (with wget and
> > gnutls-cli),
> > and both give me:
> > Connecting to www.archive.org|207.241.224.2|:443... connected.
> > GnuTLS: Could not negotiate a supported cipher suite.
> > Unable to establish SSL connection.
> > Enabling "EXPORT" in --priority (a friend helped me with that), made gnutls
> > choose:
> > |<3>| HSK[0x7a9ec0]: Selected cipher suite: RSA_AES_128_CBC_SHA1
>
> Interesting. This server negotiates C0.13 (which is
> ECDHE-RSA-AES256-SHA), and selects SSL 3.0. This ciphersuite is only
> defined for TLS 1.0 or later and that's why gnutls rejects it and closes
> the connection.
>
> This was a bug of a particular openssl version on Debian.
>
> If this is a widespread issue we may try to work it around in gnutls and
> allow elliptic curves even in SSL 3.0.

Thank you for the analysis! Is there anything I can do (env vars, config files)
to tweak that gnutls behaviour so it could connect with a reasonable ciphersuite?

Regards,
Lluís.

_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help
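
The consistency check described in the quoted analysis, as an added example that is not part of the original thread and is not GnuTLS code: it parses a ServerHello record and flags an RFC 4492 elliptic-curve suite selected together with SSL 3.0. The function names, result codes and the sample record are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { SH_OK = 0, SH_MALFORMED = -1, SH_SUITE_VERSION_MISMATCH = -2 };

/* RFC 4492 ECC suites occupy 0xC001..0xC019 and require TLS 1.0 or later. */
static int is_rfc4492_suite(uint16_t suite) {
    return suite >= 0xC001 && suite <= 0xC019;
}

/* Validate one TLS record carrying a ServerHello (hypothetical helper). */
int check_server_hello(const uint8_t *rec, size_t len,
                       uint16_t *version, uint16_t *suite) {
    size_t off = 5 + 4;                   /* record header + handshake header */
    if (len < off + 2 + 32 + 1) return SH_MALFORMED;
    if (rec[0] != 0x16 || rec[5] != 0x02) return SH_MALFORMED;
    *version = (uint16_t)((rec[off] << 8) | rec[off + 1]);
    off += 2 + 32;                        /* skip version and server random */
    size_t sid_len = rec[off++];
    if (sid_len > 32 || len - off < sid_len + 3) return SH_MALFORMED;
    off += sid_len;
    *suite = (uint16_t)((rec[off] << 8) | rec[off + 1]);
    if (*version == 0x0300 && is_rfc4492_suite(*suite))
        return SH_SUITE_VERSION_MISMATCH; /* ECC suite chosen under SSL 3.0 */
    return SH_OK;
}

/* Build a constructed ServerHello with an empty session id; returns length. */
size_t build_sample(uint8_t buf[47], uint16_t version, uint16_t suite) {
    memset(buf, 0, 47);                   /* zero random, null compression */
    buf[0] = 0x16;                        /* record type: handshake */
    buf[1] = (uint8_t)(version >> 8); buf[2] = (uint8_t)(version & 0xff);
    buf[4] = 42;                          /* record payload length */
    buf[5] = 0x02; buf[8] = 38;           /* ServerHello, body length */
    buf[9] = (uint8_t)(version >> 8); buf[10] = (uint8_t)(version & 0xff);
    buf[44] = (uint8_t)(suite >> 8); buf[45] = (uint8_t)(suite & 0xff);
    return 47;
}

int main(void) {
    uint8_t buf[47]; uint16_t v, s;
    size_t n = build_sample(buf, 0x0300, 0xC013);  /* the case from the thread */
    printf("SSL 3.0 + C0.13 -> %d\n", check_server_hello(buf, n, &v, &s));
    n = build_sample(buf, 0x0301, 0xC013);         /* same suite under TLS 1.0 */
    printf("TLS 1.0 + C0.13 -> %d\n", check_server_hello(buf, n, &v, &s));
    return 0;
}
```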
