Bug#466477: SSLv2 ldap servers
Simon Josefsson
simon at josefsson.org
Sat Oct 11 19:15:56 UTC 2008
Andy Clayton <clayt055 at umn.edu> writes:
>> 2) we need someone to debug the problem further. A publicly reachable
>> server that exhibits the same problem would help, or if you can run
>> gnutls under gdb against this particular server and step through the
>> code and find out what happens.
>
> For another example server which exhibits the problem and reports
> itself as IBM: https://www99.americanexpress.com/.
Thanks!
It appears as if that server simply refuses to talk to a client that
advertises that it supports TLS 1.1.
This works:
jas at mocca:~$ gnutls-cli -p 443 www99.americanexpress.com -d 4711 --priority NORMAL:-VERS-TLS1.1
This does not:
jas at mocca:~$ gnutls-cli -p 443 www99.americanexpress.com -d 4711 --priority NORMAL
The server simply disconnects without sending any TLS alert or anything.
I can't interpret this as anything else than a server bug.
The reason OpenSSL works against the server is that OpenSSL doesn't
support TLS 1.1 (at least the OpenSSL installed on my system).
If anyone can talk to the server using a client that advertises support
for TLS 1.1, then it would be a GnuTLS bug that I'd be very interested
in tracking down further!
Can others test whether disabling TLS 1.1 support makes other similar
servers start to work?
/Simon
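The two-handshake check Simon describes, wrapped into a small POSIX shell script as an added example (it is not part of the original thread). It assumes gnutls-cli is on the path, or that GNUTLS_CLI names a stand-in command, and uses the same priority strings as the post.

```shell
#!/bin/sh
# Added example, not from the original post: compare a handshake that
# advertises TLS 1.1 with one that removes it, to tell a version-intolerant
# server apart from one that is simply unreachable.
# GNUTLS_CLI may point at gnutls-cli or at a stand-in for offline testing.

: "${GNUTLS_CLI:=gnutls-cli}"

# handshake HOST PORT PRIORITY -> exit 0 only if the TLS handshake completed.
handshake() {
    # gnutls-cli reads stdin once the handshake is done; give it nothing so
    # it exits right away, and keep its chatter out of the result.
    "$GNUTLS_CLI" -p "$2" "$1" --priority "$3" </dev/null >/dev/null 2>&1
}

# probe_tls11_intolerance HOST [PORT] prints one word:
#   ok                handshake works with NORMAL (TLS 1.1 advertised)
#   tls11-intolerant  NORMAL fails, NORMAL:-VERS-TLS1.1 succeeds (the bug
#                     discussed in the thread: server drops the connection)
#   unreachable       neither handshake completes, so no conclusion
probe_tls11_intolerance() {
    host=$1
    port=${2:-443}
    if handshake "$host" "$port" NORMAL; then
        echo ok
    elif handshake "$host" "$port" NORMAL:-VERS-TLS1.1; then
        echo tls11-intolerant
    else
        echo unreachable
    fi
}

# Usage: sh probe.sh HOST [PORT]
if [ -n "$1" ]; then
    probe_tls11_intolerance "$@"
fi
```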