Debugging connection failure (GnuTLS TLS alert)?

Sebastian Kayser sebastian at skayser.de
Fri Mar 26 13:15:49 EDT 2010 

* Paul Aurich <darkrain42 at pidgin.im> wrote:
> On 2010-03-26 09:14, Sebastian Kayser wrote:
> > I am using pidgin 2.6.6 with GnuTLS 2.8.6 and the company XMPP server
> > drops my connection attempt with a TLS alert right after the TLS client
> > hello. Company IT says "known issue with GnuTLS, use NSS instead". Is
> > there any way to narrow down and possibly solve this issue instead of
> > simply falling back to NSS (which wouldn't be that easy to do as we are
> > using distro provided packages)?
> > 
> > The following is the connection relevant, (anonymized) excerpt from
> > 
> > $ PURPLE_GNUTLS_DEBUG=9 pidgin -d
> > 
> > I don't have access to the XMPP server. Client platform is Solaris 10
> > x86. Please tell me if you feel that this is something which should be
> > taken to the GnuTLS guys instead.
> > 
> 
> <snip content='log'/>
> 
> I can't tell what's wrong from this (although I'm no GnuTLS internals
> expert), though it appears that the server doesn't like something that
> GnuTLS is sending in its initial handshake.
> 
> Could you run `gnutls-cli-debug -V -p 5223 xmpp.company.com` and send
> back the results?

Sure. Full output can be found on [1]. Here's the output excluding the
longish certificate information.

Resolving 'xmpp.company.com'...
Connecting to 'x.x.x.x:5223'...
Checking for TLS 1.1 support... no
Checking fallback from TLS 1.1 to... failed
Checking for TLS 1.0 support... no
Checking for SSL 3.0 support... yes
Checking for HTTPS server name... failed
Checking for version rollback bug in RSA PMS... yes
Checking for version rollback bug in Client Hello... N/A
Checking whether we need to disable TLS 1.0... yes
Checking whether the server ignores the RSA PMS version... yes
Checking whether the server can accept Hello Extensions... yes
Checking whether the server can accept cipher suites not in SSL 3.0 spec... yes
Checking whether the server can accept a bogus TLS record version in the client hello... no
Checking for trusted CAs... 
Checking whether the server understands TLS closure alerts... yes
Checking whether the server supports session resumption... no
Checking for export-grade ciphersuite support... yes
Checking RSA-export ciphersuite info...
Checking for anonymous authentication support... yes
Checking anonymous Diffie-Hellman group info... N/A
Checking for ephemeral Diffie-Hellman support... no
Checking ephemeral Diffie-Hellman group info... N/A
Checking for AES cipher support (TLS extension)... no
Checking for CAMELLIA cipher support (TLS extension)... no
Checking for 3DES cipher support... yes
Checking for ARCFOUR 128 cipher support... yes
Checking for ARCFOUR 40 cipher support... yes
Checking for MD5 MAC support... yes
Checking for SHA1 MAC support... yes
Checking for LZO compression support (GnuTLS extension)... no
Checking for max record size (TLS extension)... no
Checking for SRP authentication support (TLS extension)... no
Checking for OpenPGP authentication support (TLS extension)... no

HTH

Sebastian

[1] http://dpaste.com/176440/

More information about the Support mailing list