Bug#466477: bluepages.ibm.com
Richard A Nelson
cowboy at debian.org
Mon Oct 13 22:30:50 UTC 2008

On Sun, 12 Oct 2008, Simon Josefsson wrote:
> gnutls-cli -p 636 bluepages.ibm.com -d 4711 --priority NORMAL:-VERS-TLS1.1:-VERS-TLS1.0
works
> No need to post logs if that works. You may need to transfer some
> application data to trigger the record padding problem though, so you
> might not see failures with gnutls-cli if you remove %COMPAT.
So the final test would need a modified ldap.conf and an actual query
(not just the simple gnutls-client)?
> It is possible to disable the CERT_TYPE extension by using a priority of
> -CTYPE-OPENPGP. So would this work:
>
> gnutls-cli -p 636 bluepages.ibm.com -d 4711 --priority NORMAL:-VERS-TLS1.1:-CTYPE-OPENPGP
*** Fatal error: A TLS packet with unexpected length was received.
*** Handshake has failed
GNUTLS ERROR: A TLS packet with unexpected length was received.
> If so, maybe you could try to enable TLS 1.1 as well:
>
> gnutls-cli -p 636 bluepages.ibm.com -d 4711 --priority NORMAL:-CTYPE-OPENPGP
*** Fatal error: A TLS packet with unexpected length was received.
*** Handshake has failed
GNUTLS ERROR: A TLS packet with unexpected length was received.
> If that works, I think we have finally identified that the server does
> not cope well with the cert_type extension.
>
>>> NORMAL:%COMPAT:-VERS-TLS1.1:-VERS-TLS1.0
>>
>> I'll give that a shot on a test machine
>
> Please do, it might save you some re-compiles...
And worse, the mail loss I just suffered due to forgetting to bump the
epoch on a compile - meaning when Debian shipped 2.4.11, my local
databases were trashed :(
--
Rick Nelson
<kira> is a surgical war where you go give the foreign troops nose jobs?