Bug#708174: gnutls26: with priority SECURE128 fails to negotiate a cipher suite with itself

Roger Lynn roger at rilynn.me.uk
Mon May 13 17:28:33 UTC 2013


Source: gnutls26
Version: 2.12.20-6
Severity: normal

Running
gnutls-serv -d 255 -p 1234 --x509certfile /etc/ssl/certs/rilynn.pem --x509keyfile /etc/ssl/private/rilynn.key
and
gnutls-cli -d 255 -p 1234 --priority SECURE128 rilynn.me.uk
on the same box fails to negotiate a cipher suite. A priority string of
NORMAL appears to work.

The server reports:

Set static Diffie-Hellman parameters, consider --dhparams.
Echo Server listening on IPv4 0.0.0.0 port 1234...done
Echo Server listening on IPv6 :: port 1234...bind() failed: Address already in use
|<4>| REC[0x9224138]: Allocating epoch #0

* Accepted connection from IPv4 192.168.0.1 port 50714 on Mon May 13 18:07:09 2013
|<2>| ASSERT: gnutls_constate.c:695
|<4>| REC[0x9224138]: Allocating epoch #1
|<7>| READ: Got 5 bytes from 0x5
|<7>| READ: read 5 bytes from 0x5
|<7>| RB: Have 0 bytes into buffer. Adding 5 bytes.
|<7>| RB: Requested 5 bytes
|<4>| REC[0x9224138]: Expected Packet[0] Handshake(22) with length: 1
|<4>| REC[0x9224138]: Received Packet[0] Handshake(22) with length: 113
|<7>| READ: Got 113 bytes from 0x5
|<7>| READ: read 113 bytes from 0x5
|<7>| RB: Have 5 bytes into buffer. Adding 113 bytes.
|<7>| RB: Requested 118 bytes
|<4>| REC[0x9224138]: Decrypted Packet[0] Handshake(22) with length: 113
|<6>| BUF[HSK]: Inserted 113 bytes of Data(22)
|<6>| BUF[REC][HD]: Read 1 bytes of Data(22)
|<6>| BUF[REC][HD]: Read 3 bytes of Data(22)
|<3>| HSK[0x9224138]: CLIENT HELLO was received [113 bytes]
|<6>| BUF[REC][HD]: Read 109 bytes of Data(22)
|<6>| BUF[HSK]: Inserted 4 bytes of Data
|<6>| BUF[HSK]: Inserted 109 bytes of Data
|<3>| HSK[0x9224138]: Client's version: 3.3
|<2>| ASSERT: gnutls_db.c:326
|<2>| ASSERT: gnutls_db.c:246
|<2>| EXT[0x9224138]: Parsing extension 'SERVER NAME/0' (17 bytes)
|<2>| EXT[0x9224138]: Parsing extension 'SAFE RENEGOTIATION/65281' (1 bytes)
|<2>| EXT[0x9224138]: Parsing extension 'SESSION TICKET/35' (0 bytes)
|<2>| EXT[0x9224138]: Parsing extension 'SIGNATURE ALGORITHMS/13' (6 bytes)
|<2>| EXT[SIGA]: rcvd signature algo (4.1) RSA-SHA256
|<2>| EXT[SIGA]: rcvd signature algo (2.2) DSA-SHA1
|<2>| ASSERT: gnutls_handshake.c:3348
|<1>| Could not find an appropriate certificate: Insufficient credentials for that request.
|<3>| HSK[0x9224138]: Removing ciphersuite: DHE_DSS_ARCFOUR_SHA1
|<3>| HSK[0x9224138]: Removing ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1
|<3>| HSK[0x9224138]: Removing ciphersuite: DHE_DSS_AES_128_CBC_SHA1
|<3>| HSK[0x9224138]: Removing ciphersuite: DHE_DSS_AES_256_CBC_SHA1
|<3>| HSK[0x9224138]: Removing ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA1
|<3>| HSK[0x9224138]: Removing ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA1
|<3>| HSK[0x9224138]: Removing ciphersuite: DHE_DSS_AES_128_CBC_SHA256
|<3>| HSK[0x9224138]: Removing ciphersuite: DHE_DSS_AES_256_CBC_SHA256
|<3>| HSK[0x9224138]: Removing ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x9224138]: Removing ciphersuite: DHE_RSA_AES_128_CBC_SHA1
|<3>| HSK[0x9224138]: Removing ciphersuite: DHE_RSA_AES_256_CBC_SHA1
|<3>| HSK[0x9224138]: Removing ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1
|<3>| HSK[0x9224138]: Removing ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1
|<3>| HSK[0x9224138]: Removing ciphersuite: DHE_RSA_AES_128_CBC_SHA256
|<3>| HSK[0x9224138]: Removing ciphersuite: DHE_RSA_AES_256_CBC_SHA256
|<3>| HSK[0x9224138]: Removing ciphersuite: RSA_ARCFOUR_SHA1
|<3>| HSK[0x9224138]: Removing ciphersuite: RSA_ARCFOUR_MD5
|<3>| HSK[0x9224138]: Removing ciphersuite: RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x9224138]: Removing ciphersuite: RSA_AES_128_CBC_SHA1
|<3>| HSK[0x9224138]: Removing ciphersuite: RSA_AES_256_CBC_SHA1
|<3>| HSK[0x9224138]: Removing ciphersuite: RSA_CAMELLIA_128_CBC_SHA1
|<3>| HSK[0x9224138]: Removing ciphersuite: RSA_CAMELLIA_256_CBC_SHA1
|<3>| HSK[0x9224138]: Removing ciphersuite: RSA_AES_128_CBC_SHA256
|<3>| HSK[0x9224138]: Removing ciphersuite: RSA_AES_256_CBC_SHA256
|<2>| ASSERT: gnutls_handshake.c:921
|<2>| ASSERT: gnutls_handshake.c:586
|<2>| ASSERT: gnutls_handshake.c:2358
|<2>| ASSERT: gnutls_handshake.c:2991
|<6>| BUF[HSK]: Cleared Data from buffer
Error in handshake
Error: Could not negotiate a supported cipher suite.
|<4>| REC: Sending Alert[2|40] - Handshake failed
|<4>| REC[0x9224138]: Sending Packet[0] Alert(21) with length: 2
|<7>| WRITE: enqueued 7 bytes for 0x5. Total 7 bytes.
|<7>| WRITE FLUSH: 7 bytes in buffer.
|<7>| WRITE: wrote 7 bytes, 0 bytes left.
|<4>| REC[0x9224138]: Sent Packet[1] Alert(21) with length: 7
|<2>| ASSERT: gnutls_record.c:276
|<6>| BUF[HSK]: Cleared Data from buffer
|<4>| REC[0x9224138]: Epoch #0 freed
|<4>| REC[0x9224138]: Epoch #1 freed


The client reports:

Resolving 'rilynn.me.uk'...
Connecting to '192.168.0.1:1234'...
|<4>| REC[0x89c9238]: Allocating epoch #0
|<2>| ASSERT: gnutls_constate.c:695
|<4>| REC[0x89c9238]: Allocating epoch #1
|<3>| HSK[0x89c9238]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA256
|<3>| HSK[0x89c9238]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1
|<3>| HSK[0x89c9238]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1
|<3>| HSK[0x89c9238]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x89c9238]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA256
|<3>| HSK[0x89c9238]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1
|<3>| HSK[0x89c9238]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA1
|<3>| HSK[0x89c9238]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1
|<3>| HSK[0x89c9238]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1
|<3>| HSK[0x89c9238]: Keeping ciphersuite: RSA_AES_128_CBC_SHA256
|<3>| HSK[0x89c9238]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1
|<3>| HSK[0x89c9238]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA1
|<3>| HSK[0x89c9238]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x89c9238]: Keeping ciphersuite: RSA_ARCFOUR_SHA1
|<2>| EXT[0x89c9238]: Sending extension SERVER NAME (17 bytes)
|<2>| EXT[0x89c9238]: Sending extension SAFE RENEGOTIATION (1 bytes)
|<2>| EXT[0x89c9238]: Sending extension SESSION TICKET (0 bytes)
|<2>| EXT[SIGA]: sent signature algo (4.1) RSA-SHA256
|<2>| EXT[SIGA]: sent signature algo (2.2) DSA-SHA1
|<2>| EXT[0x89c9238]: Sending extension SIGNATURE ALGORITHMS (6 bytes)
|<3>| HSK[0x89c9238]: CLIENT HELLO was sent [113 bytes]
|<6>| BUF[HSK]: Inserted 113 bytes of Data
|<7>| HWRITE: enqueued 113. Total 113 bytes.
|<7>| HWRITE FLUSH: 113 bytes in buffer.
|<4>| REC[0x89c9238]: Sending Packet[0] Handshake(22) with length: 113
|<7>| WRITE: enqueued 118 bytes for 0x4. Total 118 bytes.
|<4>| REC[0x89c9238]: Sent Packet[1] Handshake(22) with length: 118
|<7>| HWRITE: wrote 113 bytes, 0 bytes left.
|<7>| WRITE FLUSH: 118 bytes in buffer.
|<7>| WRITE: wrote 118 bytes, 0 bytes left.
|<7>| READ: Got 5 bytes from 0x4
|<7>| READ: read 5 bytes from 0x4
|<7>| RB: Have 0 bytes into buffer. Adding 5 bytes.
|<7>| RB: Requested 5 bytes
|<4>| REC[0x89c9238]: Expected Packet[0] Handshake(22) with length: 1
|<4>| REC[0x89c9238]: Received Packet[0] Alert(21) with length: 2
|<7>| READ: Got 2 bytes from 0x4
|<7>| READ: read 2 bytes from 0x4
|<7>| RB: Have 5 bytes into buffer. Adding 2 bytes.
|<7>| RB: Requested 7 bytes
|<4>| REC[0x89c9238]: Decrypted Packet[0] Alert(21) with length: 2
|<4>| REC[0x89c9238]: Alert[2|40] - Handshake failed - was received
|<2>| ASSERT: gnutls_record.c:726
|<2>| ASSERT: gnutls_record.c:1122
|<2>| ASSERT: gnutls_handshake.c:2762
|<6>| BUF[HSK]: Cleared Data from buffer
*** Fatal error: A TLS fatal alert has been received.
*** Received alert [40]: Handshake failed
|<4>| REC: Sending Alert[2|80] - Internal error
|<4>| REC[0x89c9238]: Sending Packet[1] Alert(21) with length: 2
|<7>| WRITE: enqueued 7 bytes for 0x4. Total 7 bytes.
|<7>| WRITE FLUSH: 7 bytes in buffer.
|<7>| WRITE: wrote 7 bytes, 0 bytes left.
|<4>| REC[0x89c9238]: Sent Packet[2] Alert(21) with length: 7
*** Handshake has failed
GnuTLS error: A TLS fatal alert has been received.
|<6>| BUF[HSK]: Cleared Data from buffer
|<4>| REC[0x89c9238]: Epoch #0 freed
|<4>| REC[0x89c9238]: Epoch #1 freed


Using a priority string of SECURE128 for outgoing SMTP connections in Debian
exim also fails between two Wheezy boxes, which is how I noticed the problem
in the first place.

Also, gnutls appears to prefer to use the weakest available cipher instead of
the strongest, which seems a bit odd.

Thanks,

Roger

-- System Information:
Debian Release: 7.0
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libgnutls26 depends on:
ii  libc6              2.13-38
ii  libgcrypt11        1.5.0-5
ii  libp11-kit0        0.12-3
ii  libtasn1-3         2.13-2
ii  multiarch-support  2.13-38
ii  zlib1g             1:1.2.7.dfsg-13

libgnutls26 recommends no packages.

libgnutls26 suggests no packages.

-- no debconf information
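
Added example, not part of the original report or of GnuTLS: a small Python script that reads a client and a server -d 255 log and lists which client-offered suites the server did not remove, along with the signature algorithms the client sent and any level-1 errors the server logged. The embedded log lines are a constructed excerpt in the format quoted above, and the function names parse and diagnose are illustrative.

```python
import re

# Constructed sample: a few lines in the format of the gnutls-cli / gnutls-serv
# -d 255 output quoted in the report (not the full logs).
CLIENT_LOG = """\
|<3>| HSK[0x89c9238]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA256
|<3>| HSK[0x89c9238]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1
|<2>| EXT[SIGA]: sent signature algo (4.1) RSA-SHA256
|<2>| EXT[SIGA]: sent signature algo (2.2) DSA-SHA1
|<4>| REC[0x89c9238]: Alert[2|40] - Handshake failed - was received
"""
SERVER_LOG = """\
|<2>| EXT[SIGA]: rcvd signature algo (4.1) RSA-SHA256
|<2>| EXT[SIGA]: rcvd signature algo (2.2) DSA-SHA1
|<1>| Could not find an appropriate certificate: Insufficient credentials for that request.
|<3>| HSK[0x9224138]: Removing ciphersuite: DHE_RSA_AES_128_CBC_SHA256
|<3>| HSK[0x9224138]: Removing ciphersuite: RSA_AES_128_CBC_SHA1
|<3>| HSK[0x9224138]: Removing ciphersuite: RSA_AES_256_CBC_SHA1
"""

LINE = re.compile(r"^\|<(\d+)>\|\s*(.*)$")
SUITE = re.compile(r"HSK\[0x[0-9a-f]+\]: (Keeping|Removing) ciphersuite: (\S+)")
SIGALG = re.compile(r"EXT\[SIGA\]: (?:sent|rcvd) signature algo \([\d.]+\) (\S+)")

def parse(log):
    """Collect suites kept/removed, signature algorithms and level-1 errors."""
    out = {"Keeping": [], "Removing": [], "sigalgs": [], "errors": []}
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # plain tool output without a |<level>| prefix
        level, msg = int(m.group(1)), m.group(2)
        if s := SUITE.search(msg):
            out[s.group(1)].append(s.group(2))
        elif a := SIGALG.search(msg):
            out["sigalgs"].append(a.group(1))
        elif level == 1:
            out["errors"].append(msg)
    return out

def diagnose(client_log, server_log):
    """Compare the client's offer with what the server removed from it."""
    c, s = parse(client_log), parse(server_log)
    survivors = [x for x in c["Keeping"] if x not in s["Removing"]]
    return {"offered": c["Keeping"], "survivors": survivors,
            "client_sigalgs": c["sigalgs"], "server_errors": s["errors"]}

if __name__ == "__main__":
    for key, value in diagnose(CLIENT_LOG, SERVER_LOG).items():
        print(f"{key}: {value}")
```

An empty survivors list means every suite the client offered was dropped by the server before selection, which is the state both logs above end in.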


