Christoph Biedl wrote...
Since even connecting manually using "gnutls-cli --priority SECURE128" fails, I assume "SECURE128" might be a good choice for a server but a terrible idea for a client.
Not that easy, after some experiments in IRC we found this is related to the gnutls version. Debian wheezy uses 2.12.x, that causes trouble. My initial reports were indeed from a machine running wheezy. However, 3.2.4 from Debian jessie just does fine.

Reproducer (certs provided by the ssl-cert package):

Server:

    gnutls-serv --priority SECURE128 \
        --x509certfile /etc/ssl/certs/ssl-cert-snakeoil.pem \
        --x509keyfile /etc/ssl/private/ssl-cert-snakeoil.key \
        --port 9999

Client:

    gnutls-cli --port 9999 localhost --priority SECURE128

Connecting to a server running wheezy:

    Connecting to '127.0.0.1:9999'...
    *** Fatal error: A TLS fatal alert has been received.
    *** Received alert [40]: Handshake failed
    *** Handshake has failed
    GnuTLS error: A TLS fatal alert has been received.

Connecting to a server running jessie:

    Connecting to '127.0.0.1:9999'...
    - Certificate type: X.509
    - Got a certificate list of 1 certificates.
    - Certificate[0] info:
    (...)

As also reported in <http://bugs.debian.org/708174>, SECURE256 works too.

Christoph