Bug#466477: bluepages.ibm.com

Simon Josefsson simon at josefsson.org
Tue Oct 14 10:24:04 UTC 2008


Simon Josefsson <simon at josefsson.org> writes:

> In other words, to talk with this server you need to:
>
> 1) Disable cert_type extension (-CERT-OPENPGP)
>
> 2) Disable server_name extension (--disable-extensions with gnutls-cli)
>
> 3) Disable TLS 1.1
>
> I have no idea how to achieve 2) in openldap; it can't be done via a
> priority string.  Hopefully openldap doesn't call the gnutls function to
> set the server name.  Hm.  It doesn't, I checked the source code.  So
> you should be OK for the time being.
>
> Specifically, the NORMAL:-VERS-TLS1.1:-CTYPE-OPENPGP priority string
> works against the server, assuming server_name extension isn't sent.
>
>>> I really hope one of these commands work.  I think it would mean we
>>> understand the server's bug, and know how to work around it without
>>> resorting to falling back to SSL 3.0.
>>
>> So it looks like it is indeed TLS 1.1 that is the problem ?
>
> One of the problems, yes.
>
> Hurray, I think we can finally close this bug.  Or do you think there is
> anything more that can be done?

Risking the opportunity to close this bug, could you try whether you can
reproduce the problem using OpenSSL as well?  You need to force it to
send a servername extension:

openssl s_client -connect bluepages.ibm.com:636 -servername foo

If that works, we have more work to do.

/Simon
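The thread isolates three handshake features the server chokes on (TLS 1.1, the server_name extension, and the OpenPGP cert_type extension), but openssl s_client can only toggle the first two; it never implemented the cert_type extension. The script below is an added example, not code from this thread, from GnuTLS or from OpenLDAP. It builds a bare ClientHello with each feature switched on or off, sends it, and classifies only the server's first reply (ServerHello, alert, or connection close); it does not complete a handshake. Host and port are command-line arguments, the cipher-suite list and the all-zero client random are constructed for illustration, and the extension and certificate-type numbers are the IANA-registered values (server_name = 0, cert_type = 9, X.509 = 0, OpenPGP = 1). Run with no arguments it stays offline and just decodes the hellos it would send.

```python
import socket
import struct
import sys

# IANA TLS ExtensionType values (RFC 6066 server_name, RFC 6091 cert_type).
EXT_SERVER_NAME = 0
EXT_CERT_TYPE = 9
# IANA TLS Certificate Types (RFC 6091): 0 = X.509, 1 = OpenPGP.
CT_X509, CT_OPENPGP = 0, 1

TLS_VERSIONS = {"TLS1.0": (3, 1), "TLS1.1": (3, 2), "TLS1.2": (3, 3)}


def build_client_hello(version, sni=None, cert_types=None):
    """Return one TLS record carrying a minimal ClientHello.

    The same version is used in the record layer and the handshake body,
    so "TLS1.0" is exactly what a client that disabled TLS 1.1 would send.
    """
    major, minor = TLS_VERSIONS[version]
    # Constructed cipher-suite list: AES128-SHA, AES256-SHA, 3DES-EDE-SHA.
    suites = b"\x00\x2f\x00\x35\x00\x0a"
    body = bytes([major, minor])
    body += b"\x00" * 32                      # client random (constructed, not random)
    body += b"\x00"                           # session id: empty
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                       # compression methods: null only
    exts = b""
    if sni is not None:
        name = sni.encode()
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name
        server_name_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(server_name_list)) + server_name_list
    if cert_types:
        ct = bytes(cert_types)
        data = bytes([len(ct)]) + ct          # client offers these types in order
        exts += struct.pack("!HH", EXT_CERT_TYPE, len(data)) + data
    if exts:                                  # omit the block entirely when empty
        body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type=client_hello
    return b"\x16" + bytes([major, minor]) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Decode a record built above; return (version, [extension types])."""
    assert record[0] == 0x16, "not a handshake record"
    hs = record[5:]
    assert hs[0] == 0x01, "not a ClientHello"
    body = hs[4:]
    version = (body[0], body[1])
    pos = 2 + 32                              # skip version and client random
    pos += 1 + body[pos]                      # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
    pos += 1 + body[pos]                      # compression methods
    ext_types = []
    if pos < len(body):
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            ext_types.append(etype)
            pos += 4 + elen
    return version, ext_types


def classify_response(data):
    """Classify the first bytes the server sent back after our ClientHello."""
    if not data:
        return "closed"
    if data[0] == 0x16 and len(data) > 10 and data[5] == 0x02:
        return "ServerHello %d.%d" % (data[9], data[10])   # negotiated version
    if data[0] == 0x15 and len(data) >= 7:
        return "alert level=%d desc=%d" % (data[5], data[6])
    return "unknown"


def probe(host, port, version, sni=None, cert_types=None, timeout=5):
    """Send one ClientHello variant and report how the server reacts."""
    hello = build_client_hello(version, sni, cert_types)
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(hello)
        try:
            data = s.recv(4096)
        except socket.timeout:
            return "timeout"
    return classify_response(data)


if __name__ == "__main__":
    variants = [                              # one feature toggled per probe
        ("TLS1.0", None, None),
        ("TLS1.1", None, None),
        ("TLS1.0", "foo", None),
        ("TLS1.0", None, [CT_OPENPGP, CT_X509]),
    ]
    if len(sys.argv) < 2:                     # offline: show what each probe sends
        for v, sni, ct in variants:
            print(v, sni, ct, "->", parse_client_hello(build_client_hello(v, sni, ct)))
    else:
        host, port = sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 636
        for v, sni, ct in variants:
            print(v, "sni=%s" % sni, "cert_type=%s" % ct, "->", probe(host, port, v, sni, ct))
```

A server that accepts the first probe but closes or alerts on any of the other three pins the failure on that single feature, which is the same experiment the thread performs with priority strings, only with each knob turned separately.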
