Mandos on Fedora/RHEL

Teddy Hogeborn teddy at recompile.se
Sat Oct 26 20:16:28 CEST 2013


"Nathanael D. Noblet" <nathanael at gnat.ca> writes:

> > I get the following error on the server:
> >
> > Exception happened during processing of request from
> > ('::ffff:192.168.56.152', 39635, 0, 0)
> > Traceback (most recent call last):
> >    File "/usr/sbin/mandos", line 1889, in sub_process_main
> >      self.finish_request(request, address)
> >    File "/usr/lib64/python2.6/SocketServer.py", line 322, in finish_request
> >      self.RequestHandlerClass(request, client_address, self)
> >    File "/usr/lib64/python2.6/SocketServer.py", line 617, in __init__
> >      self.handle()
> >    File "/usr/sbin/mandos", line 1697, in handle
> >      priority, None))
> >    File "/usr/lib64/python2.6/site-packages/gnutls/library/errors.py",
> > line 54, in check_status
> >      raise GNUTLSError(ErrorMessage(retcode))
> > GNUTLSError: The request is invalid.
>
> Okay so digging a little deeper into that stack trace the error is
> from setting the priority to
>
> SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:+SIGN-RSA-SHA224:+SIGN-RSA-RMD160
>
> When I remove +SIGN-RSA-SHA224 it completes successfully. What are the
> implications of removing that setting?

I added the last two settings, "+SIGN-RSA-SHA224" and "+SIGN-RSA-RMD160"
to be compatible with connections from Mandos clients using the old
default of DSA-2028/ELG-2048 keys.  If this is not a concern for you,
you can freely remove both of them from the priority string.

> Also I'm wondering if there is a way to detect/know what a particular
> gnutls version supports?

I don't think it's that GnuTLS doesn't *support* SIGN-RSA-SHA224; I think
there's probably a more esoteric reason it fails when using it.  At
least, that's been my experience.

That said, you can list the supported stuff by running the command
"gnutls-serv --list".

/Teddy Hogeborn

-- 
The Mandos Project
http://www.recompile.se/mandos
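The thread narrows the failure down by hand: drop one keyword from the priority string, retry, see whether the GNUTLSError goes away. The script below automates that isolation step so that only the keyword the local library actually refuses gets removed, rather than both compatibility keywords at once. It is an added example for this thread, not Mandos project code; the one GnuTLS-specific assumption is the checker at the bottom, which shells out to `gnutls-cli --priority STR --list` and treats a non-zero exit status as "priority string rejected".

```python
"""Isolate which keyword in a GnuTLS priority string the local library rejects.

Added example for the mailing-list thread above; not Mandos project code.
Assumption: `gnutls-cli --priority STR --list` exits non-zero when STR
contains a keyword the installed GnuTLS does not accept.
"""
import shutil
import subprocess
from typing import Callable, Iterable, List

# Priority string quoted in the thread (the one the Mandos server sets).
MANDOS_PRIORITY = (
    "SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:+SIGN-RSA-SHA224:+SIGN-RSA-RMD160"
)


def split_priority(priority: str) -> List[str]:
    """Split a priority string into its colon-separated keywords."""
    return [tok for tok in priority.split(":") if tok]


def join_priority(tokens: Iterable[str]) -> str:
    """Inverse of split_priority."""
    return ":".join(tokens)


def find_rejected_keywords(priority: str,
                           accepts: Callable[[str], bool]) -> List[str]:
    """Return every modifier keyword that the library refuses on its own.

    The first keyword is the initial level (SECURE256, NORMAL, ...); each
    following "+KEY", "-KEY" or "!KEY" modifier is tested as "LEVEL:KEY",
    so one bad keyword cannot mask another.
    """
    tokens = split_priority(priority)
    if not tokens:
        raise ValueError("empty priority string")
    level, modifiers = tokens[0], tokens[1:]
    if not accepts(level):
        raise ValueError("initial level %r is itself rejected" % level)
    return [mod for mod in modifiers if not accepts("%s:%s" % (level, mod))]


def strip_rejected(priority: str, accepts: Callable[[str], bool]) -> str:
    """Return the priority string with every rejected modifier removed."""
    bad = set(find_rejected_keywords(priority, accepts))
    return join_priority(tok for tok in split_priority(priority)
                         if tok not in bad)


def gnutls_cli_accepts(priority: str) -> bool:
    """Checker backed by the installed gnutls-cli.

    Assumption (not verified against every GnuTLS release): a keyword the
    library rejects makes `gnutls-cli --priority STR --list` exit non-zero.
    """
    cli = shutil.which("gnutls-cli")
    if cli is None:
        raise RuntimeError("gnutls-cli is not installed")
    proc = subprocess.run(
        [cli, "--priority", priority, "--list"],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
    )
    return proc.returncode == 0


if __name__ == "__main__":
    rejected = find_rejected_keywords(MANDOS_PRIORITY, gnutls_cli_accepts)
    print("rejected keywords:", rejected or "none")
    print("usable priority  :", strip_rejected(MANDOS_PRIORITY,
                                               gnutls_cli_accepts))
```

The checker is injectable so the same logic can be driven by any other oracle, for instance a small python-gnutls snippet that sets the priority on a session and catches GNUTLSError the way the traceback in the thread does. Testing each modifier against the bare level, rather than removing modifiers one at a time from the full string, is what keeps two rejected keywords from hiding each other.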