help-gnutls

Re: NULL cipher suites broken in gnutls 3.0.5 ?


From: Fabrice Gautier
Subject: Re: NULL cipher suites broken in gnutls 3.0.5 ?
Date: Thu, 3 Nov 2011 18:47:21 -0700

I also verified this against gnutls-2.12.11, as both client and server:

When using NULL cipher suites:
- The 3.0.5 client cannot talk to the 2.12.11 server
- The 2.12.11 client cannot talk to the 3.0.5 server.


-- Fabrice

On Thu, Nov 3, 2011 at 5:59 PM, Fabrice Gautier
<address@hidden> wrote:
> Hi,
>
> I get a decryption error when using NULL-MD5 or NULL-SHA1 cipher suites
> when using gnutls-serv, and connecting with an openssl client.
>
> Server is started that way:
>
> $ gnutls-serv --http --x509cafile x509-ca.pem --x509keyfile
> x509-server-key.pem --x509certfile x509-server.pem  --priority
> "NORMAL:+ANON-DH:+NULL"
>
> The openssl s_client is started that way:
>
> $ openssl s_client -cipher NULL-SHA -connect localhost:5556
>
>
> This is what I get from the gnutls logs:
>
>
> * Accepted connection from IPv4 127.0.0.1 port 53650 on Thu Nov  3 17:23:51 2011
>
> * Successful handshake from IPv4 127.0.0.1 port 53650
> - Session ID: 26:C8:6A:7B:CE:F2:99:0B:19:1F:90:90:D8:58:73:60:99:BF:8D:DE:1B:7B:77:A2:80:54:65:11:D0:A8:5F:94
> - Certificate type: X.509
> - Could not verify certificate (err: The peer did not send any certificate.)
> - Version: TLS1.0
> - Key Exchange: RSA
> - Cipher: NULL
> - MAC: SHA1
> - Compression: NULL
> Error while receiving data
>
>
>
> From the openssl side I get an error as well:
>
> 140735311722940:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac:s3_pkt.c:479:
>
>
> I believe it worked fine when I was using gnutls-2.12. I used both
> openssl 0.9.8r and 1.0.0e for the client side.
>
>
> Any known issue there?
>
> -- Fabrice
>


