Sam Varshavchik <[EMAIL PROTECTED]> writes:

> Nikos Mavrogiannopoulos writes:
>
>> On Saturday 20 October 2007, Sam Varshavchik wrote:
>>> I've taken the "Simple client example" from the 1.6.3 pages, and supplied a
>>> tcp_connect() that connects to ssl-enabled apache on localhost. Running the
>>> code results in:
>>>
>>> *** Handshake failed
>>> GNUTLS ERROR: A TLS fatal alert has been received.
>>
>> What you say doesn't help anyone who might want to help. It can be
>> an error in your tcp functions, or you might be using the anonymous
>> client to connect to an X.509 authenticated server.
>
> No, I'm running a default Apache install with mod_ssl.
>
> I finally ended up looking at elinks's source to see how it sets up
> gnutls. It turned out that I needed to create a
> gnutls_certificate_credentials_t using
> gnutls_certificate_allocate_credentials(), and put it into the session
> using gnutls_credentials_set(). Once I did that, the example given in
> the info docs worked correctly, both with my stock Apache, and other
> external SSL servers.
>
> I am NOT using X.509 authentication, I'm running just a basic,
> plain-vanilla Apache+mod_ssl, using a self-signed test cert, without
> any X.509 authentication set up. It looks to me like the simple client
> example won't really work with garden-variety SSL servers. Looks like
> I need to put a GNUTLS_CRD_CERTIFICATE into a client session structure
> even if the server does not use or require X.509 authentication, in
> order for the handshake to work. I couldn't find anything in info docs
> that pointed me in that direction, I had to look at some other code to
> figure it out.

I believe that Apache/mod_ssl requires X.509, and refuses to handshake
an anonymous cipher. There is a simple X.509 client GnuTLS example:

http://www.gnu.org/software/gnutls/manual/html_node/Simple-client-example-with-X_002e509-certificate-support.html

Generally, there are many servers out there that refuse to negotiate
anonymous ciphers. So you typically need to configure X.509 to use
TLS, even if it is just a self-signed test cert.

/Simon
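
The negotiation failure discussed in this thread, as an added example that is not part of the original messages or of GnuTLS: a simplified Python model of how a server that accepts only certificate-authenticated cipher suites answers an anonymous-only offer with a fatal alert. The suite code points are the registered TLS values; the offer lists, the server list and all function names are constructed assumptions.

```python
import struct

# Cipher suite code points from the TLS registry (RFC 2246, RFC 3268).
SUITES = {
    0x0018: "TLS_DH_anon_WITH_RC4_128_MD5",
    0x001B: "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA",
    0x0034: "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
}
ANON = {code for code, name in SUITES.items() if "_anon_" in name}

# Constructed sample data (assumptions, not captured traffic).
ANON_ONLY_OFFER = [0x0034, 0x001B, 0x0018]  # client with anonymous credentials only
CERT_OFFER = [0x0033, 0x002F, 0x000A]       # client with certificate credentials set
SERVER_SUITES = [0x002F, 0x0033, 0x000A]    # server that refuses anonymous suites


def encode_suites(offer):
    """cipher_suites vector of a ClientHello: u16 byte length, then u16 ids."""
    return struct.pack("!H", 2 * len(offer)) + b"".join(
        struct.pack("!H", code) for code in offer)


def decode_suites(blob):
    """Parse the vector, rejecting truncated or odd-length input."""
    if len(blob) < 2:
        raise ValueError("truncated cipher_suites vector")
    (length,) = struct.unpack_from("!H", blob)
    if length % 2 or length != len(blob) - 2:
        raise ValueError("malformed cipher_suites vector")
    return [struct.unpack_from("!H", blob, 2 + i)[0] for i in range(0, length, 2)]


def only_anonymous(blob):
    """Diagnostic: True when every offered suite is unauthenticated."""
    return all(code in ANON for code in decode_suites(blob))


def server_respond(blob, server_suites=SERVER_SUITES):
    """Pick the first client-preferred suite the server supports, else alert."""
    for code in decode_suites(blob):
        if code in server_suites:
            return ("suite", SUITES[code])
    # TLS 1.0 alert record: type 21, length 2, fatal(2), handshake_failure(40)
    return ("alert", struct.pack("!BHHBB", 21, 0x0301, 2, 2, 40))
```

When a handshake ends in a fatal alert, running a check like `only_anonymous` over the client's offer is a quick way to tell a credentials problem apart from a transport problem.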
