Christoph Biedl wrote...
> Since even connecting manually using "gnutls-cli --priority SECURE128" fails, I assume "SECURE128" might be a good choice for a server but a terrible idea for a client.
Not that easy, after some experiments in IRC we found this is related to the gnutls version. Debian wheezy uses 2.12.x, that causes trouble. My initial reports were indeed from a machine running wheezy. However, 3.2.4 from Debian jessie just does fine.
Reproducer (certs provided by the ssl-cert package):
Server:

    gnutls-serv --priority SECURE128 \
        --x509certfile /etc/ssl/certs/ssl-cert-snakeoil.pem \
        --x509keyfile /etc/ssl/private/ssl-cert-snakeoil.key \
        --port 9999

Client:

    gnutls-cli --port 9999 localhost --priority SECURE128
Connecting to a server running wheezy:
    Connecting to '127.0.0.1:9999'...
    *** Fatal error: A TLS fatal alert has been received.
    *** Received alert [40]: Handshake failed
    *** Handshake has failed
    GnuTLS error: A TLS fatal alert has been received.
Connecting to a server running jessie:
    Connecting to '127.0.0.1:9999'...
    - Certificate type: X.509
    - Got a certificate list of 1 certificates.
    - Certificate[0] info:
    (...)
As also reported in http://bugs.debian.org/708174, SECURE256 works too.
Christoph