Hi,
I tried to set up an SSL protected IRC server using ngIRCd and I epically failed. Here's my ngircd.conf:

[Global]
SSLPorts = 17667
SSLKeyFile = /etc/ngircd/ngircd-key.pem
SSLCertFile = /etc/ngircd/ngircd-cert.pem
SSLDHFile = /etc/ngircd/ngircd-params.pem
Name = irc.debian.org
Info = Yet another IRC Server running on Debian GNU/Linux
AdminInfo1 = Debian User
AdminInfo2 = Debian City
AdminEMail = root@localhost
MotdFile = /etc/ngircd/ngircd.motd
PidFile = /var/run/ngircd/ngircd.pid
PingTimeout = 120
PongTimeout = 20
ConnectRetry = 60
OperCanUseMode = yes
MaxConnections = 500
MaxConnectionsIP = 10
MaxJoins = 10

The problem is that SSL initialisation fails. Here's the relevant /var/log/syslog output:

Jan 5 21:31:12 chronos ngircd[12609]: ngircd 15-SYSLOG+ZLIB+SSL+IRCPLUS+IPv6-i486/pc/linux-gnu started.
Jan 5 21:31:12 chronos ngircd[12609]: Reading configuration from "/etc/ngircd/ngircd.conf" ...
Jan 5 21:31:12 chronos ngircd[12609]: gnutls_certificate_set_x509_key_file (cert /etc/ngircd/ngircd-cert.pem, key /etc/ngircd/ngircd-key.pem): Base64 decoding error.
Jan 5 21:31:12 chronos ngircd[12609]: Warning: Error during SSL initialization, continuing ...
Jan 5 21:31:12 chronos ngircd[12609]: ServerUID must not be 0, using "nobody" instead.
Jan 5 21:31:12 chronos ngircd[12609]: Can't change group ID to 65534: Operation not permitted
Jan 5 21:31:12 chronos ngircd[12609]: Can't change user ID to 65534: Operation not permitted
Jan 5 21:31:12 chronos ngircd[12610]: Running as user irc(39), group irc(39), with PID 12610.
Jan 5 21:31:12 chronos ngircd[12610]: Not running with changed root directory.
Jan 5 21:31:12 chronos ngircd[12610]: Notice: Can't change working directory to "/var/run/ircd": No such file or directory
Jan 5 21:31:12 chronos ngircd[12610]: IO subsystem: poll (initial maxfd 100).
Jan 5 21:31:12 chronos ngircd[12610]: Now listening on [0::]:17667 (socket 5).
Jan 5 21:31:12 chronos ngircd[12610]: Now listening on [0.0.0.0]:17667 (socket 6).

I doubt it is a permissions problem. Here's the /etc/ngircd directory listing:

gp@chronos:/etc/ssl$ sudo ls -l /etc/ngircd/
total 20
-rwxrwxrwx 1 irc irc    0 2011-01-05 21:21 ngircd-cert.pem
-rw-r--r-- 1 irc irc 4839 2011-01-05 21:29 ngircd.conf
-rwxrwxrwx 1 irc irc 1238 2011-01-05 21:25 ngircd-dhparams.pem
-rwxrwxrwx 1 irc irc 1675 2011-01-05 21:21 ngircd-key.pem
-rw-r--r-- 1 irc irc  255 2010-05-11 19:16 ngircd.motd
gp@chronos:/etc/ssl$

I've read the SSL guide (found here http://ngircd.barton.de/doc/SSL.txt) and it lists 2 methods for creating the SSL certificate/private key. I've used both without success.
Does anyone have any ideas?
Thank you in advance.
Georges

Hi Georges,
On 05.01.2011 at 21:41, Georges POLITIK wrote:

> Jan 5 21:31:12 chronos ngircd[12609]: ngircd 15-SYSLOG+ZLIB+SSL+IRCPLUS+IPv6-i486/pc/linux-gnu started.

Ok, so you are indeed running a version supporting SSL :)

> Jan 5 21:31:12 chronos ngircd[12609]: Reading configuration from "/etc/ngircd/ngircd.conf" ...
> Jan 5 21:31:12 chronos ngircd[12609]: gnutls_certificate_set_x509_key_file (cert /etc/ngircd/ngircd-cert.pem, key /etc/ngircd/ngircd-key.pem): Base64 decoding error.

And the daemon uses GnuTLS (not OpenSSL), which fails to decode the certificate and/or the key file.
So my guess is that one (or both) of these files is not in the expected format.

> Jan 5 21:31:12 chronos ngircd[12609]: Warning: Error during SSL initialization, continuing ...

Because of the SSL initialization error, the daemon will not use SSL but continue ...

> Jan 5 21:31:12 chronos ngircd[12610]: Notice: Can't change working directory to "/var/run/ircd": No such file or directory

BTW ... this is a second error message; but it isn't related to your SSL problem.

> I doubt it is a permissions problem. Here's the /etc/ngircd directory listing:

I don't think so either.

> I've read the SSL guide (found here http://ngircd.barton.de/doc/SSL.txt) and it lists 2 methods for creating the SSL certificate/private key. I've used both without success.

Strange.
The GnuTLS section should result in a usable certificate and key file for your ngircd!?
Both the certificate and the key file look reasonable? The key file should start with a line "-----BEGIN RSA PRIVATE KEY-----", followed by "garbage" (the base64 encoded key) and end with a line "-----END RSA PRIVATE KEY-----". The certificate starts with "-----BEGIN CERTIFICATE-----", then "garbage" (the base64 encoded certificate) and ends with "-----END CERTIFICATE-----".

Regards
Alex

Hi Alexander,
Thank you for your suggestions, they helped me solve the problem, which was an empty certificate file.
When generating a new certificate, certtool asks a lot of questions and for some reason I have the tendency to press enter, assuming that the default value will be used. This technique, however, didn't work very well when certtool asked me "Is the above information ok? (Y/N):". The capital case indicates that I should provide a value, which I didn't. Given the fact that no error messages appeared, I assumed that everything was OK but, as it turned out, the file was empty.
Thanks again.
Regards, Georges

On Wed, 05 Jan 2011 22:04:45 +0100, Alexander Barton <alex@barton.de> wrote:
> Hi Georges,
>
> On 05.01.2011 at 21:41, Georges POLITIK wrote:
>
> > Jan 5 21:31:12 chronos ngircd[12609]: ngircd 15-SYSLOG+ZLIB+SSL+IRCPLUS+IPv6-i486/pc/linux-gnu started.
>
> Ok, so you are indeed running a version supporting SSL :)
>
> > Jan 5 21:31:12 chronos ngircd[12609]: Reading configuration from "/etc/ngircd/ngircd.conf" ...
> > Jan 5 21:31:12 chronos ngircd[12609]: gnutls_certificate_set_x509_key_file (cert /etc/ngircd/ngircd-cert.pem, key /etc/ngircd/ngircd-key.pem): Base64 decoding error.
>
> And the daemon uses GnuTLS (not OpenSSL), which fails to decode the certificate and/or the key file.
> So my guess is that one (or both) of these files is not in the expected format.
>
> > Jan 5 21:31:12 chronos ngircd[12609]: Warning: Error during SSL initialization, continuing ...
>
> Because of the SSL initialization error, the daemon will not use SSL but continue ...
>
> > Jan 5 21:31:12 chronos ngircd[12610]: Notice: Can't change working directory to "/var/run/ircd": No such file or directory
>
> BTW ... this is a second error message; but it isn't related to your SSL problem.
>
> > I doubt it is a permissions problem. Here's the /etc/ngircd directory listing:
>
> I don't think so either.
>
> > I've read the SSL guide (found here http://ngircd.barton.de/doc/SSL.txt) and it lists 2 methods for creating the SSL certificate/private key. I've used both without success.
>
> Strange.
> The GnuTLS section should result in a usable certificate and key file for your ngircd!?
> Both the certificate and the key file look reasonable? The key file should start with a line "-----BEGIN RSA PRIVATE KEY-----", followed by "garbage" (the base64 encoded key) and end with a line "-----END RSA PRIVATE KEY-----". The certificate starts with "-----BEGIN CERTIFICATE-----", then "garbage" (the base64 encoded certificate) and ends with "-----END CERTIFICATE-----".
>
> Regards
> Alex
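
Added example (not part of the original thread and not code from the ngIRCd project): a pre-flight check for the files named by SSLCertFile and SSLKeyFile, covering the empty certificate found above, the PEM framing Alex describes, and the world-accessible key file visible in the directory listing. The function names check_pem and key_mode_ok, their return codes and the sample files are assumptions made for this example; it assumes a base64 utility that accepts -d.

```sh
#!/bin/sh
# check_pem FILE LABEL returns:
#   0  FILE holds a PEM block of type LABEL with a decodable base64 body
#   1  FILE is missing or empty (the cause found in this thread)
#   2  the BEGIN/END lines for LABEL are not both present
#   3  the text between the markers is empty or not valid base64
check_pem() {
    file=$1
    label=$2
    [ -s "$file" ] || return 1
    grep -q "^-----BEGIN $label-----" "$file" || return 2
    grep -q "^-----END $label-----" "$file" || return 2
    body=$(sed -n "/^-----BEGIN $label-----/,/^-----END $label-----/p" "$file" |
           grep -v '^-----' | tr -d ' \t\r\n')
    [ -n "$body" ] || return 3
    printf '%s' "$body" | base64 -d >/dev/null 2>&1 || return 3
    return 0
}

# key_mode_ok FILE: succeeds only if group and others have no access bits,
# unlike the -rwxrwxrwx key file in the listing above.
key_mode_ok() {
    case $(ls -ld "$1" 2>/dev/null) in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample data (not real key material): an empty certificate file
# as in the thread, and a key file whose body is only base64 of "ABCDEFG".
demo_dir=$(mktemp -d)
: > "$demo_dir/cert.pem"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'QUJDREVGRw==' \
    '-----END RSA PRIVATE KEY-----' > "$demo_dir/key.pem"
chmod 600 "$demo_dir/key.pem"

for spec in "cert.pem:CERTIFICATE" "key.pem:RSA PRIVATE KEY"; do
    rc=0
    check_pem "$demo_dir/${spec%%:*}" "${spec#*:}" || rc=$?
    echo "${spec%%:*}: check_pem returned $rc"
done
key_mode_ok "$demo_dir/key.pem" && echo "key.pem: mode ok"
rm -rf "$demo_dir"
```

The check only validates framing and base64 decoding; it does not parse the certificate or confirm that the key matches it.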