Still chipping away at this and I've found a way to get more information. Here is the Client Hello I'm sending: Data::Hexdumper: data length isn't an integer multiple of lines so has been padded with NULLs at the end. 0x0000 : 16 03 03 00 35 01 00 00 31 03 03 56 6C 90 CA C5 : ....5...1..Vl... 0x0010 : C5 4D 73 22 ED E3 D9 0E 86 53 CB 94 E6 35 2C 2B : .Ms".....S...5,+ 0x0020 : 91 6F 6D A7 35 D5 2E 6D 7E D6 47 00 00 02 00 2F : .om.5..m~.G..../ 0x0030 : 01 00 00 06 00 09 00 02 01 01 00 00 00 00 00 00 : ................
and the resulting log level 99: [ 4718| 3] ASSERT: mpi.c:240 [ 4718| 3] ASSERT: gnutls_dh.c:332 [ 4718|13] armor filter: decode [ 4718| 3] ASSERT: stream.c:952 [ 4718|13] free armor filter [ 4718|13] armor filter: decode [ 4718| 3] ASSERT: stream.c:952 [ 4718|13] free armor filter [ 4718| 3] ASSERT: pgp.c:166 [ 4718| 3] ASSERT: stream.c:952 [ 4718| 3] ASSERT: privkey.c:1230 [ 4718| 3] ASSERT: privkey.c:1230 [ 4718| 3] ASSERT: pgp.c:166 [ 4718| 3] ASSERT: pgp.c:1644 [ 4718| 3] ASSERT: pgp.c:1644 [ 4718| 3] ASSERT: privkey.c:1230 [ 4718| 3] ASSERT: privkey.c:1230 [ 4718| 9] Signing using master PGP key [ 4718| 3] ASSERT: privkey.c:1230 [ 4718| 5] REC[0x93332b0]: Allocating epoch #0 New connection from localhost on socket 6 index 0 [ 4718| 3] ASSERT: gnutls_constate.c:588 [ 4718| 5] REC[0x93332b0]: Allocating epoch #1 [ 4718| 3] ASSERT: gnutls_buffers.c:1154 [ 4718|10] READ: Got 5 bytes from 0x6 [ 4718|10] READ: read 5 bytes from 0x6 [ 4718|10] RB: Have 0 bytes into buffer. Adding 5 bytes. [ 4718|10] RB: Requested 5 bytes [ 4718| 5] REC[0x93332b0]: SSL 3.3 Handshake packet received. Epoch 0, length: 53 [ 4718| 5] REC[0x93332b0]: Expected Packet Handshake(22) [ 4718| 5] REC[0x93332b0]: Received Packet Handshake(22) with length: 53 [ 4718|10] READ: Got 53 bytes from 0x6 [ 4718|10] READ: read 53 bytes from 0x6 [ 4718|10] RB: Have 5 bytes into buffer. Adding 53 bytes. [ 4718|10] RB: Requested 58 bytes [ 4718| 5] REC[0x93332b0]: Decrypted Packet[0] Handshake(22) with length: 53 [ 4718|13] BUF[REC]: Inserted 53 bytes of Data(22) [ 4718| 4] HSK[0x93332b0]: CLIENT HELLO (1) was received. Length 49[49], frag offset 0, frag length: 49, sequence: 0 [ 4718| 4] HSK[0x93332b0]: Client's version: 3.3 [ 4718| 4] HSK[0x93332b0]: Selected version TLS1.2 [ 4718| 3] ASSERT: gnutls_db.c:263 [ 4718| 4] EXT[0x93332b0]: Found extension 'CERT TYPE/9' [ 4718| 4] EXT[0x93332b0]: Found extension 'CERT TYPE/9' [ 4718| 4] EXT[0x93332b0]: Parsing extension 'CERT TYPE/9' (2 bytes) [ 4718| 3] ASSERT: cert_type.c:120 [ 4718| 3] ASSERT: cert_type.c:136 [ 4718| 3] ASSERT: server_name.c:307 [ 4718| 4] HSK[0x93332b0]: Requested PK algorithm: RSA (1) -- ctype: X.509 (1) [ 4718| 3] ASSERT: cert.c:2059 [ 4718| 3] ASSERT: ciphersuites.c:1355 [ 4718| 2] Could not find an appropriate certificate: Insufficient credentials for that request. [ 4718| 3] ASSERT: ciphersuites.c:1430 [ 4718| 3] ASSERT: gnutls_handshake.c:964 [ 4718| 3] ASSERT: gnutls_handshake.c:665 [ 4718| 3] ASSERT: gnutls_handshake.c:2277 [ 4718| 3] ASSERT: gnutls_handshake.c:1481 [ 4718| 3] ASSERT: gnutls_handshake.c:3125 [ 4718| 5] REC[0x93332b0]: Start of epoch cleanup [ 4718| 5] REC[0x93332b0]: End of epoch cleanup [ 4718| 5] REC[0x93332b0]: Epoch #0 freed [ 4718| 5] REC[0x93332b0]: Epoch #1 freed Thus it looks like \x1 isn't a currently loaded cert type. How can I tell what type of cert is loaded into the session's credentials? On Fri, Dec 11, 2015 at 2:22 PM, Mike Mestnik <[email protected]> wrote: > Is there a way to figure out more specifically what is wrong with a > ClientHello? I've been toying with the idea of implementing the > handshake portion in perl, but currently I've no working client to > copy and no way of knowing what's wrong it would be pointless. > > Here is what I have so far: > #!/usr/bin/env perl > > use IO::Socket::INET; > > my $socket = new IO::Socket::INET( > PeerHost => '127.0.0.1', > PeerPort => '4458', > Proto => 'tcp', > ); > > sub r{rand()*0xffffffff}; > > my$a=sprintf'\x3\x3%s\x0%s%s\x0%s%s',pack('NL7',time(),r(),r(),r(),r(),r(),r(),r()), > pack("n",8),sprintf'\x0\x40\x0\x6a\x0\x9',pack('C',1),sprintf''; > my$b=sprintf'\x1\x0%s%s',pack('n',length$a),$a; > $socket->send(sprintf'\x16\x3\x3%s%s',pack('n',length$b),$b); > $socket->recv(my$r,4096); > print $r; > > =pod > 000005e0 16 03 01 00 fc 01 00 00 f8 03 03 56 69 bf 40 cc |...........Vi.@.| > 000005f0 ef 1c b1 5e 81 af cc 3c 4f a9 ca fe 05 a6 6c 0c |...^...<O.....l.| > 00000600 ae e5 24 fc 18 38 5f a0 bd 2b db 00 00 6c c0 2b |..$..8_..+...l.+| > 00000610 c0 2c c0 86 c0 87 c0 09 c0 23 c0 0a c0 24 c0 72 |.,.......#...$.r| > 00000620 c0 73 c0 ac c0 ad c0 08 c0 2f c0 30 c0 8a c0 8b |.s......./.0....| > 00000630 c0 13 c0 27 c0 14 c0 28 c0 76 c0 77 c0 12 00 9c |...'...(.v.w....| > 00000640 00 9d c0 7a c0 7b 00 2f 00 3c 00 35 00 3d 00 41 |...z.{./.<.5.=.A| > 00000650 00 ba 00 84 00 c0 c0 9c c0 9d 00 0a 00 9e 00 9f |................| > 00000660 c0 7c c0 7d 00 33 00 67 00 39 00 6b 00 45 00 be |.|.}.3.g.9.k.E..| > 00000670 00 88 00 c4 c0 9e c0 9f 00 16 01 00 00 63 00 17 |.............c..| > 00000680 00 00 00 16 00 00 00 05 00 05 01 00 00 00 00 00 |................| > 00000690 09 00 03 02 00 01 00 00 00 0e 00 0c 00 00 09 6c |...............l| > 000006a0 6f 63 61 6c 68 6f 73 74 ff 01 00 01 00 00 23 00 |ocalhost......#.| > 000006b0 00 00 0a 00 0c 00 0a 00 17 00 18 00 19 00 15 00 |................| > 000006c0 13 00 0b 00 02 01 00 00 0d 00 16 00 14 04 01 04 |................| > 000006d0 03 05 01 05 03 06 01 06 03 03 01 03 03 02 01 02 |................| > 000006e0 03 00 00 > > > On Mon, Dec 7, 2015 at 2:30 AM, Nikos Mavrogiannopoulos <[email protected]> > wrote: >> You can test gnutls-serv and gnutls-cli in the gnutls distribution >> with the following options: >> cd doc/credentials && ./../src/gnutls-serv --pgpkeyfile >> openpgp/sec.asc --pgpcertfile openpgp/pub.asc --dhparams params.pem >> --priority "NORMAL:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:+CTYPE-OPENPGP" >> >> cd src && ./gnutls-cli localhost -p 5556 --insecure --priority >> "NORMAL:+DHE-DSS:+SIGN-DSA-SHA256:+SIGN-DSA-SHA1:+CTYPE-OPENPGP" >> >> >> regards, >> Nikos >> >> On Mon, Dec 7, 2015 at 7:49 AM, Mike Mestnik >> <[email protected]> wrote: >>> From a tip on IRC, I've included the results of a test from the >>> gnutls-cli application. This is to rule out an issue where a non cert >>> type supporting client might be causing problems. >>> >>> https://travis-ci.org/cheako/ihlt/builds/95292899 >>> >>> At the end, when the other connections from perl fail, there is a test >>> from gnutls-client. Same failure. >>> >>> Is there an issue with non cert type clients? Would that also be >>> mapped to "No supported cipher suites..." error? Can i have a patch >>> where this error has it's own message? >>> >>> On Wed, Dec 2, 2015 at 7:54 PM, Mike Mestnik >>> <[email protected]> wrote: >>>> I'm writing an example application using gnutls and I'm wondering how >>>> to get SSL support for RFC 6091, as found in gnutls. >>>> >>>> https://github.com/cheako/ihlt/tree/24f6f08cf7c4c118550858718f0a3bb07d3bfa6b >>>> >>>> # This gives the same error as [1]perl, so I'm thinking I've a genuine >>>> problem with my implementation of the echo server. >>>> gnutls-cli -p 4458 --pgpkeyfile=example/openpgp-secret.txt >>>> --pgpcertfile=example/openpgp-server.txt localhost >>>> >>>> See also: >>>> 1. http://www.perlmonks.org/?node_id=1149241 >>> >>> _______________________________________________ >>> Gnutls-help mailing list >>> [email protected] >>> http://lists.gnupg.org/mailman/listinfo/gnutls-help _______________________________________________ Gnutls-help mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnutls-help
