* Paul Aurich <[email protected]> wrote: > On 2010-03-26 09:14, Sebastian Kayser wrote: > > I am using pidgin 2.6.6 with GnuTLS 2.8.6 and the company XMPP server > > drops my connection attempt with a TLS alert right after the TLS client > > hello. Company IT says "known issue with GnuTLS, use NSS instead". Is > > there any way to narrow down and possibly solve this issue instead of > > simply falling back to NSS (which wouldn't be that easy to do as we are > > using distro provided packages)? > > > > The following is the connection relevant, (anonymized) excerpt from > > > > $ PURPLE_GNUTLS_DEBUG=9 pidgin -d > > > > I don't have access to the XMPP server. Client platform is Solaris 10 > > x86. Please tell me if you feel that this is something which should be > > taken to the GnuTLS guys instead. > > > > <snip content='log'/> > > I can't tell what's wrong from this (although I'm no GnuTLS internals > expert), though it appears that the server doesn't like something that > GnuTLS is sending in its initial handshake. > > Could you run `gnutls-cli-debug -V -p 5223 xmpp.company.com` and send > back the results?
Sure. Full output can be found on [1]. Here's the output excluding the longish certificate information. Resolving 'xmpp.company.com'... Connecting to 'x.x.x.x:5223'... Checking for TLS 1.1 support... no Checking fallback from TLS 1.1 to... failed Checking for TLS 1.0 support... no Checking for SSL 3.0 support... yes Checking for HTTPS server name... failed Checking for version rollback bug in RSA PMS... yes Checking for version rollback bug in Client Hello... N/A Checking whether we need to disable TLS 1.0... yes Checking whether the server ignores the RSA PMS version... yes Checking whether the server can accept Hello Extensions... yes Checking whether the server can accept cipher suites not in SSL 3.0 spec... yes Checking whether the server can accept a bogus TLS record version in the client hello... no Checking for trusted CAs... Checking whether the server understands TLS closure alerts... yes Checking whether the server supports session resumption... no Checking for export-grade ciphersuite support... yes Checking RSA-export ciphersuite info... Checking for anonymous authentication support... yes Checking anonymous Diffie-Hellman group info... N/A Checking for ephemeral Diffie-Hellman support... no Checking ephemeral Diffie-Hellman group info... N/A Checking for AES cipher support (TLS extension)... no Checking for CAMELLIA cipher support (TLS extension)... no Checking for 3DES cipher support... yes Checking for ARCFOUR 128 cipher support... yes Checking for ARCFOUR 40 cipher support... yes Checking for MD5 MAC support... yes Checking for SHA1 MAC support... yes Checking for LZO compression support (GnuTLS extension)... no Checking for max record size (TLS extension)... no Checking for SRP authentication support (TLS extension)... no Checking for OpenPGP authentication support (TLS extension)... no HTH Sebastian [1] http://dpaste.com/176440/ _______________________________________________ [email protected] mailing list Want to unsubscribe? Use this link: http://pidgin.im/cgi-bin/mailman/listinfo/support
