Mandos on Fedora/RHEL
Teddy Hogeborn
teddy at recompile.se
Sat Oct 26 20:16:28 CEST 2013
"Nathanael D. Noblet" <nathanael at gnat.ca> writes:
> > I get the following error on the server:
> >
> > Exception happened during processing of request from
> > ('::ffff:192.168.56.152', 39635, 0, 0)
> > Traceback (most recent call last):
> > File "/usr/sbin/mandos", line 1889, in sub_process_main
> > self.finish_request(request, address)
> > File "/usr/lib64/python2.6/SocketServer.py", line 322, in finish_request
> > self.RequestHandlerClass(request, client_address, self)
> > File "/usr/lib64/python2.6/SocketServer.py", line 617, in __init__
> > self.handle()
> > File "/usr/sbin/mandos", line 1697, in handle
> > priority, None))
> > File "/usr/lib64/python2.6/site-packages/gnutls/library/errors.py",
> > line 54, in check_status
> > raise GNUTLSError(ErrorMessage(retcode))
> > GNUTLSError: The request is invalid.
>
> Okay so digging a little deeper into that stack trace the error is
> from setting the priority to
>
> SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:+SIGN-RSA-SHA224:+SIGN-RSA-RMD160
>
> When I remove +SIGN-RSA-SHA224 it completes successfully. What are the
> implications of removing that setting?

I added the last two settings, "+SIGN-RSA-SHA224" and "+SIGN-RSA-RMD160"
to be compatible with connections from Mandos clients using the old
default of DSA-2028/ELG-2048 keys. If this is not a concern for you,
you can freely remove both of them from the priority string.

> Also I'm wondering if there is a way to detect/know what a particular
> gnutls version supports?

I don't think that GnuTLS doesn't *support* SIGN-RSA-SHA224, I think
there's probably a more esoteric reason it fails when using it. At
least, that's been my experience.

That said, you can list the supported stuff by running the command
"gnutls-serv --list".

/Teddy Hogeborn
--
The Mandos Project
http://www.recompile.se/mandos
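
An added example, not part of the original message or of the Mandos code: it checks each modifier of the priority string quoted above against the local GnuTLS and drops only the two compatibility tokens the reply says may be removed. It assumes `gnutls-cli` is on the PATH and exits non-zero for a priority string it rejects; the function names are hypothetical, and the check reports what is rejected, not why.

```python
import subprocess

# Priority string quoted in the thread above.
PRIORITY = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP"
            ":+SIGN-RSA-SHA224:+SIGN-RSA-RMD160")
# The two tokens the reply says exist only for old-default client keys.
COMPAT_ONLY = {"+SIGN-RSA-SHA224", "+SIGN-RSA-RMD160"}


def gnutls_accepts(priority):
    """Assumption: gnutls-cli exits non-zero when the local GnuTLS
    rejects the priority string."""
    result = subprocess.run(
        ["gnutls-cli", "--list", "--priority", priority],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def rejected_tokens(priority, accepts=gnutls_accepts):
    """Return the modifiers the checker rejects on top of the base keyword."""
    base, *modifiers = priority.split(":")
    if not accepts(base):
        raise ValueError("base keyword rejected: " + base)
    return [m for m in modifiers if not accepts(base + ":" + m)]


def reduced_priority(priority, accepts=gnutls_accepts):
    """Drop rejected tokens, but only those listed in COMPAT_ONLY.

    A rejected token outside that set (for example the certificate-type
    restrictions) is an error: removing it would change what the server
    accepts, so it must be investigated rather than silently dropped.
    """
    bad = rejected_tokens(priority, accepts)
    required = [t for t in bad if t not in COMPAT_ONLY]
    if required:
        raise ValueError("rejected non-optional tokens: " + ", ".join(required))
    candidate = ":".join(t for t in priority.split(":") if t not in bad)
    if not accepts(candidate):
        raise ValueError("still rejected: " + candidate)
    return candidate


if __name__ == "__main__":
    print("rejected:", rejected_tokens(PRIORITY))
    print("usable:  ", reduced_priority(PRIORITY))
```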