On 09/01/2012 01:42 AM, brian m. carlson wrote:
> I've recently moved my mail server to running postfix, and as a result,
> am now able to provide an EC key and certificate for TLS (the
> certificate is signed by my local RSA CA). However, when I try to
> connect to postfix either using gnutls-cli or mutt (linked against
> 3.0.22), gnutls provides the following error:
>
> *** Fatal error: An algorithm that is not enabled was negotiated.
>
> This seems odd to me, since OpenSSL is very happy to make the
> connection (as the client), and the algorithm that was negotiated is
> ECDHE_ECDSA_AES_128_GCM_SHA256, which I'm pretty sure both GnuTLS and
> OpenSSL support. It also is odd that the complaint doesn't happen until
> GnuTLS tries to verify the signature; shouldn't it die sooner if the
> server picks an algorithm that it doesn't support?

Interesting case.

> |<3>| HSK[0x188ae60]: Selected ECC curve SECP384R1 (3)
> |<3>| HSK[0x188ae60]: verify handshake data: using ECDSA-SHA256
> |<2>| ASSERT: gnutls_sig.c:365

I suppose that your server's certificate has the SECP384R1 curve, is
that right? In that case the server should have used the SHA-384 or
SHA-512 hash algorithms (see
http://tools.ietf.org/html/rfc5480#section-4 ). However your server used
SHA-256 instead and that's why gnutls complains. Is that the case?

regards,
Nikos

_______________________________________________
Help-gnutls mailing list
https://lists.gnu.org/mailman/listinfo/help-gnutls
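
Added example, not part of the original thread or of GnuTLS: a Python check that applies the RFC 5480 section 4 key-size/digest table to the handshake debug lines quoted above. It assumes, as the reply supposes, that the selected curve is also the curve of the server certificate's key; the function names and the second handshake in the sample are constructed for illustration.

```python
import re

# RFC 5480 section 4: (smallest ECDSA key size in bits, weakest listed digest in bits).
RFC5480_FLOORS = [(512, 512), (384, 384), (256, 256), (224, 224), (160, 160)]

CURVE_RE = re.compile(r"HSK\[(0x[0-9a-f]+)\]: Selected ECC curve SECP(\d+)R1")
SIGN_RE = re.compile(r"HSK\[(0x[0-9a-f]+)\]: verify handshake data: using ECDSA-SHA(\d+)")


def min_digest_bits(key_bits):
    """Weakest digest size RFC 5480 lists for an ECDSA key of key_bits."""
    for floor, digest in RFC5480_FLOORS:
        if key_bits >= floor:
            return digest
    raise ValueError("key size %d is below the RFC 5480 table" % key_bits)


def find_mismatches(lines):
    """Return (handle, curve_bits, digest_bits, required_bits) per weak signature."""
    curves, findings = {}, []
    for line in lines:
        m = CURVE_RE.search(line)
        if m:
            # Assumption: the curve logged here is the certificate key's curve.
            curves[m.group(1)] = int(m.group(2))
            continue
        m = SIGN_RE.search(line)
        if m and m.group(1) in curves:
            digest = 160 if m.group(2) == "1" else int(m.group(2))
            required = min_digest_bits(curves[m.group(1)])
            if digest < required:
                findings.append((m.group(1), curves[m.group(1)], digest, required))
    return findings


# The first two lines are the ones quoted in the thread; the last two are constructed.
SAMPLE_LOG = [
    "|<3>| HSK[0x188ae60]: Selected ECC curve SECP384R1 (3)",
    "|<3>| HSK[0x188ae60]: verify handshake data: using ECDSA-SHA256",
    "|<3>| HSK[0x2000000]: Selected ECC curve SECP256R1 (2)",
    "|<3>| HSK[0x2000000]: verify handshake data: using ECDSA-SHA256",
]

if __name__ == "__main__":
    for handle, curve, digest, required in find_mismatches(SAMPLE_LOG):
        print("%s: %d-bit curve signed with a %d-bit digest, RFC 5480 lists %d bits or more"
              % (handle, curve, digest, required))
```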
