Debugging connection failure (GnuTLS TLS alert)?

Paul Aurich darkrain42 at pidgin.im
Fri Mar 26 13:58:58 EDT 2010


On 2010-03-26 10:15, Sebastian Kayser wrote:
> Sure. Full output can be found on [1]. Here's the output excluding the
> longish certificate information.
> 
> Resolving 'xmpp.company.com'...
> Connecting to 'x.x.x.x:5223'...
> Checking for TLS 1.1 support... no
> Checking fallback from TLS 1.1 to... failed
> Checking for TLS 1.0 support... no
> Checking for SSL 3.0 support... yes
> Checking for HTTPS server name... failed
> Checking for version rollback bug in RSA PMS... yes
> Checking for version rollback bug in Client Hello... N/A
> Checking whether we need to disable TLS 1.0... yes

This is probably the issue.

We don't disable TLS 1.0 support (IOW, it's enabled by default), and the
server's SSL library appears antiquated (side note: what software is it
running and, if you know, what SSL library/version?)  We also don't have
a mechanism to allow users to disable TLS 1.0 (either per-connection or
globally).

Just to make sure (I can't remember what exactly current versions of
GnuTLS send by default), could you get a packet capture of an attempt to
connect?  This will contain the identifying information about your
domain, so if you're willing to do this, you can send it directly to me.

~P
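
Added example, not part of the original message and not Pidgin or GnuTLS code: a small Python parser for the "Checking ..." probe lines quoted above, listing which protocol versions the server accepted and flagging the TLS 1.0 line the reply points to. The function names are hypothetical, and the sample input is the probe output quoted in this thread.

```python
import re

# Probe output as quoted in the message above (hostname/IP already redacted there).
SAMPLE = """\
Checking for TLS 1.1 support... no
Checking fallback from TLS 1.1 to... failed
Checking for TLS 1.0 support... no
Checking for SSL 3.0 support... yes
Checking for HTTPS server name... failed
Checking for version rollback bug in RSA PMS... yes
Checking for version rollback bug in Client Hello... N/A
Checking whether we need to disable TLS 1.0... yes
"""

# Accepts raw output or e-mail quoted ("> ") lines; probe name ends at the first "...".
CHECK_RE = re.compile(r"^(?:>\s*)?Checking (?P<probe>.+?)\.\.\.\s*(?P<result>.*)$")
PROTO_RE = re.compile(r"for ((?:TLS|SSL) \d\.\d) support")


def parse_checks(text):
    """Return {probe name: lower-cased result} for every 'Checking ...' line."""
    checks = {}
    for line in text.splitlines():
        m = CHECK_RE.match(line.strip())
        if m:
            checks[m.group("probe")] = m.group("result").strip().lower()
    return checks


def assess(checks):
    """Return (protocol versions the server accepted, list of findings)."""
    supported = []
    for probe, result in checks.items():
        m = PROTO_RE.fullmatch(probe)
        if m and result == "yes":
            supported.append(m.group(1))
    findings = []
    if supported and all(p.startswith("SSL") for p in supported):
        findings.append("no TLS version accepted, only " + ", ".join(supported))
    if checks.get("whether we need to disable TLS 1.0") == "yes":
        findings.append("probe reports TLS 1.0 must be disabled to connect")
    return supported, findings


if __name__ == "__main__":
    supported, findings = assess(parse_checks(SAMPLE))
    print("accepted:", supported)
    for f in findings:
        print("finding:", f)
```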
