On Fri, Mar 27, 2020 at 03:42:39PM +0100, Ingo Klöcker wrote:
> On Friday, 27 March 2020 09:48:01 CET Werner Koch via Gnupg-users wrote:
> > That is: "Fatal alert message received" which comes from the TLS
> > layer. To see the actual cause you need to add
> >
> >   log-file /some/file
> >   tls-debug 2
> >
> > or a higher level to dirmngr.conf and "gpgconf --reload dirmngr". For
> > me a
> >
> >   gpg --locate-external-keys -v [email protected]
> >
> > (--locate-external-key is easier to type than yours. It excludes the
> > local keys and thus always goes out to the WKD) then gives:
> >
> >   DBG: ntbtls(2): got an alert message, type: [2:40]
> >   DBG: ntbtls(1): is a fatal alert message (msg 40)
> >   DBG: ntbtls(1): (handshake failed)
> >   DBG: ntbtls(1): read_record returned: Fatal alert message received <TLS>
> >   DBG: ntbtls(2): handshake ready
> >   TLS handshake failed: Fatal alert message received <TLS>
> >   error connecting to 'https://openpgpkey.tor[...]
> >
> > A reason for the failed handshake might be that no common parameters
> > could be found.
>
> Probably, no matching cipher suite. According to ssllabs.com/ssltest
> openpgpkey.torproject.org (well, at least one of the actual servers) only
> supports the following cipher suites:
> # TLS 1.3 (server has no preference)
> TLS_AES_128_GCM_SHA256
> TLS_AES_256_GCM_SHA384
> TLS_CHACHA20_POLY1305_SHA256
>
> # TLS 1.2 (server has no preference)
> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
>
> I think none of those matches any of those in the output of ntbtls in your
> message.
>
> Regards,
> Ingo
>
It was a ciphersuite change on our server, and it's fixed now.

Thanks all!
Gus
-- 
The Tor Project
Community Team Lead
http://expyuzz4wqqyqhjn.onion/
_______________________________________________ Gnupg-users mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnupg-users
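The diagnosis discussed in this thread, as an added example that is not part of any message above and is not GnuPG or ntbtls code: it reads the `[level:description]` pair from the dirmngr debug lines and, for a fatal `handshake_failure` (alert 40), checks whether a client offer shares any suite with the server list quoted from ssllabs.com. `CLIENT_OFFER` is a constructed list for illustration, not the suites ntbtls actually offers.

```python
import re

# TLS alert levels and a few descriptions (RFC 5246 section 7.2, RFC 8446 section 6).
LEVELS = {1: "warning", 2: "fatal"}
DESCRIPTIONS = {0: "close_notify", 20: "bad_record_mac", 40: "handshake_failure",
                42: "bad_certificate", 48: "unknown_ca", 70: "protocol_version",
                71: "insufficient_security", 112: "unrecognized_name"}
ALERT_RE = re.compile(r"ntbtls\(\d+\): got an alert message, type: \[(\d+):(\d+)\]")

# Suites the thread lists for openpgpkey.torproject.org.
SERVER_SUITES = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
}

# Log lines as quoted in the thread (dirmngr with "tls-debug 2").
SAMPLE_LOG = """\
DBG: ntbtls(2): got an alert message, type: [2:40]
DBG: ntbtls(1): is a fatal alert message (msg 40)
DBG: ntbtls(1): (handshake failed)
"""

# Constructed client offer: an assumption for illustration only.
CLIENT_OFFER = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"]

def find_alerts(log_text):
    """Return (level, description) names for every alert line in a dirmngr log."""
    alerts = []
    for m in ALERT_RE.finditer(log_text):
        lvl, desc = int(m.group(1)), int(m.group(2))
        alerts.append((LEVELS.get(lvl, f"level_{lvl}"),
                       DESCRIPTIONS.get(desc, f"alert_{desc}")))
    return alerts

def diagnose(log_text, client_offer, server_suites=SERVER_SUITES):
    """Explain a fatal handshake_failure by looking for a shared cipher suite."""
    alerts = find_alerts(log_text)
    if ("fatal", "handshake_failure") not in alerts:
        return {"alerts": alerts, "common": None,
                "verdict": "no handshake_failure alert seen"}
    common = [s for s in client_offer if s in server_suites]  # keeps client order
    verdict = ("suites overlap; check other parameters" if common
               else "no common cipher suite")
    return {"alerts": alerts, "common": common, "verdict": verdict}

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, CLIENT_OFFER))
```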
