[Pkg-gnutls-maint] Help with exim4 #390712,
interaction with mobile phones
Marc Haber
mh+pkg-gnutls-maint at zugschlus.de
Thu Dec 21 15:14:03 CET 2006
On Wed, Dec 13, 2006 at 06:46:00PM +0000, James Westby wrote:
> On (13/12/06 13:41), Marc Haber wrote:
> > On Tue, Dec 12, 2006 at 07:23:11PM +0000, James Westby wrote:
> > > On (10/12/06 19:06), Marc Haber wrote:
> > > > can I run gnutls-serv in the same way as gnutls-cli, so that I can
> > > > simply type into the connection? or is echo or http server all I can
> > > > get?
> > >
> > > It looks that way (I have only used -cli before). As we know that this
> > > is easily reproducible with any gnutls server then we could hack
> > > something together that gave this functionality though
> >
> > Do you want me to file a wishlist request for that functionality?
>
> If you want it then go ahead and do it.
Done.
> It looks that way. As there is no way to use AES without SHA1
so AES without SHA1 is not standard compliant? That's an explanation
why we fall back to RC4 when SHA1 is forbidden.
> I fear though that for etch users of these phones are going to have to
> find a workaround for the problem. Assuming that there is a bug in
> GnuTLS there's no guarantee we can find it, let alone fix it, before the
> release.
I understand that. Unfortunately, both known workarounds (OpenSSL and
forbidding SHA1 via source code modification) mean rebuilding exim.
> I think the only debugging that we can do from here is to verify the
> MACs and then the plaintext/ciphertext pairs of one of the sessions.
> This is going to be a bit of work, but I'll look in to setting up a
> debug copy of the library soon.
>
> There's one more thing that I have been meaning to mention wireshark
> (ethereal) has some support for watching SSL handshakes. It might be
> worth checking that it's idea of what is going on is the same as
> GnuTLS'. It doesn't tell us what the phone thinks, but it is a quick
> sanity check.
I have sent you tcpdumps in private mail of one successful connection
and one failed connection. In my opinion, the wireshark analysis of
these dump is quite inconclusive, but you know much more about TLS
than I do.
> Thanks for your help,
I appreciate your efforts and thank you for leading me through the
debugging process, which has been so far a great experience for me and
has greatly improved my knowledge of the tools.
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835
More information about the Pkg-gnutls-maint
mailing list