Comment 9 for bug 795355
Revision history for this message
| Andreas Hasenack (ahasenack) wrote Re: Intermittent SSL connection faults | #9 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
0e1f616
(Get the code!)
Right now, admin.landscape
andreas@nsn2:~$ gnutls-cli admin.landscape
Resolving 'admin.
Connecting to '91.189.
*** Fatal error: Decryption has failed.
*** Handshake has failed
GNUTLS ERROR: Decryption has failed.
andreas@nsn2:~$
I tried gnutls-cli-debug against it, and the result is interesting, basically nothing is shown as supported:
andreas@nsn2:~$ gnutls-cli-debug admin.landscape
Resolving 'admin.
Connecting to '91.189.
Checking for TLS 1.1 support... no
Checking fallback from TLS 1.1 to... failed
Checking for TLS 1.0 support... no
Checking for SSL 3.0 support... no
Server does not support any of SSL 3.0, TLS 1.0 and TLS 1.1
Then I hit staging.
andreas@nsn2:~$ gnutls-cli staging.
Resolving 'staging.
Connecting to '91.189.
- Ephemeral Diffie-Hellman parameters
- Using prime: 1024 bits
- Secret key: 1021 bits
- Peer's public key: 1023 bits
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
(...)
But the debug output is the same:
andreas@nsn2:~$ gnutls-cli-debug staging.
Resolving 'staging.
Connecting to '91.189.
Checking for TLS 1.1 support... no
Checking fallback from TLS 1.1 to... failed
Checking for TLS 1.0 support... no
Checking for SSL 3.0 support... no
Server does not support any of SSL 3.0, TLS 1.0 and TLS 1.1
For comparison, here is what -debug says about Launchpad:
andreas@nsn2:~$ gnutls-cli-debug launchpad.net
Resolving 'launchpad.net'...
Connecting to '91.189.
Checking for TLS 1.1 support... no
Checking fallback from TLS 1.1 to... TLS 1.0
Checking for TLS 1.0 support... yes
Checking for SSL 3.0 support... yes
Checking for HTTPS server name... not checked
Checking for version rollback bug in RSA PMS... no
Checking for version rollback bug in Client Hello... no
Checking whether we need to disable TLS 1.0... N/A
Checking whether the server ignores the RSA PMS version... no
Checking whether the server can accept Hello Extensions... yes
Checking whether the server can accept cipher suites not in SSL 3.0 spec... yes
Checking whether the server can accept a bogus TLS record version in the client hello... no
Checking for certificate information... N/A
Checking for trusted CAs... N/A
Checking whether the server understands TLS closure alerts... yes
Checking whether the server supports session resumption... yes
Checking for export-grade ciphersuite support... no
Checking RSA-export ciphersuite info... N/A
Checking for anonymous authentication support... no
Checking anonymous Diffie-Hellman group info... N/A
Checking for ephemeral Diffie-Hellman support... yes
Checking ephemeral Diffie-Hellman group info... N/A
Checking for AES cipher support (TLS extension)... yes
Checking for CAMELLIA cipher support (TLS extension)... no
Checking for 3DES cipher support... yes
Checking for ARCFOUR 128 cipher support... yes
Checking for ARCFOUR 40 cipher support... no
Checking for MD5 MAC support... yes
Checking for SHA1 MAC support... yes
Checking for LZO compression support (GnuTLS extension)... no
Checking for max record size (TLS extension)... no
Checking for SRP authentication support (TLS extension)... yes
Checking for OpenPGP authentication support (TLS extension)... no
I'll see if the -debug output changes after we graceful apache on admin.landscape