Mandos + CentOS 6
Teddy Hogeborn
teddy at recompile.se
Sat Apr 5 04:19:03 CEST 2014
"Nathanael D. Noblet" <nathanael at gnat.ca> writes:
> > > The server spits out an error about a "TLS packet with unexpected
> > > length was received".
> >
> > Yeah, that's the GnuTLS standard message for "something unexpected
> > happened and I'm not going to tell you what it is".
> >
> > > Any thoughts on how to debug this? Once I have this working I'll
> > > post the needed bits for a Centos/RHEL client and a Fedora/systemd
> > > client.
> >
> > Use the "gnutls-cli" and "gnutls-serv" commands to debug straight
> > GnuTLS without any Mandos complications. [...]
>
> So I emailed the fedora @devel ml. I've been told the following:
>
> "Does it really use TLS with openpgp certificates?
Yes indeed it does.
> If yes, I doubt you could make 2.8.5 interoperate with gnutls
> 3.1.20. GnuTLS was modified in 3.1.x to adhere with RFC6091 which was
> incompatible the previous attempt to have openpgp keys to TLS."
Huh, I was not aware of this. It seems I have some reading to do. Not
that it's going to do us any good - if the library doesn't support
interoperability, there's nothing we can do.
> In talking with them it looks like there is no way around it. As such
> any machine running mandos with gnutls 3.1.x won't work with a machine
> running gnutls 2.8.x or probably <= 3.0 I would imagine.
Until such time as Debian gets GnuTLS 3.1, we will certainly stick with
the old version.
> Any thoughts on how to proceed? Are there alternate implementations of
> the communication protocols you're using? OpenSSL or something like
> that that could be compiled against instead of gnutls (as an optional
> configure argument or something? )
As far as I know, OpenSSL can not use OpenPGP keys, and at the time I
investigated, GnuTLS was the only TLS library to support it. I also
seem to recall that OpenSSL has a problematic license which precludes us
from using it.
In *theory* it would be possible to run two Mandos servers with one
using one version of GnuTLS and the other another one. Clients should
discover, and try, both of them. But I am not sure how using two
separate versions of GnuTLS would even work.
This would not help users of --connect, though. We might implement an
option where multiple servers can be specified, if the above problem
with multiple GnuTLS versions could be solved.
/Teddy Hogeborn
--
The Mandos Project
http://www.recompile.se/mandos
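The thread suggests reproducing the handshake with plain gnutls-serv and gnutls-cli, outside Mandos, and then attributes the failure to the 2.8.x / 3.1.x OpenPGP encoding change. The script below is an added example written for this page, not code from the message or from the Mandos project. It assumes the credential file names (server-key.asc etc.), the port, and the Mandos-style priority string SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP (OpenPGP certificate types are not enabled by GnuTLS's default priority); the --pgpkeyfile, --pgpcertfile, --priority, --port, --debug and --insecure options are standard GnuTLS command-line options. The version classification takes the thread's datum (3.1.x speaks the RFC 6091 encoding, 2.8.5 does not) and assumes, as the quoted poster does, that 3.0 still used the old encoding.

```shell
#!/bin/sh
# Added example (not Mandos code): run the OpenPGP-over-TLS handshake with the
# bare GnuTLS tools so that a "TLS packet with unexpected length" can be
# attributed to one side, and compare the two GnuTLS versions involved.
# Assumptions: file names, port and priority string are ours, not Mandos's.

PRIORITY="${PRIORITY:-SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP}"
PORT="${PORT:-5556}"

# Reduce a banner such as "gnutls-cli 3.1.20" or "gnutls-serv (GnuTLS) 2.8.5"
# to "major.minor"; the patch level does not matter for the encoding question.
gnutls_version_mm() {
    printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Which OpenPGP-in-TLS encoding a given major.minor speaks. Per the thread,
# 3.1.x follows RFC 6091 and 2.8.5 the earlier draft; treating 3.0 as the
# old encoding is an assumption taken over from the quoted poster.
openpgp_tls_flavour() {
    set -- "${1%%.*}" "${1#*.}"
    if [ "$1" -gt 3 ] || { [ "$1" -eq 3 ] && [ "$2" -ge 1 ]; }; then
        echo rfc6091
    else
        echo pre-rfc6091
    fi
}

# Succeeds if two major.minor versions should be able to complete the handshake.
interoperable() {
    [ "$(openpgp_tls_flavour "$1")" = "$(openpgp_tls_flavour "$2")" ]
}

# Debug server: verbose handshake log, OpenPGP credentials (constructed names).
run_server() {
    gnutls-serv --port "$PORT" --debug 4 --priority "$PRIORITY" \
        --pgpkeyfile server-key.asc --pgpcertfile server-cert.asc
}

# Debug client; --insecure keeps the tool from aborting on trust errors so the
# record-layer/handshake failure itself is what gets logged.
run_client() {
    gnutls-cli --port "$PORT" --debug 4 --priority "$PRIORITY" \
        --pgpkeyfile client-key.asc --pgpcertfile client-cert.asc \
        --insecure "$1"
}

# Compare the local gnutls-cli with the peer's version string (e.g. "2.8.5").
check_peer() {
    local_mm=$(gnutls_version_mm "$(gnutls-cli --version 2>/dev/null | sed -n 1p)")
    peer_mm=$(gnutls_version_mm "$1")
    if interoperable "$local_mm" "$peer_mm"; then
        echo "local $local_mm and peer $peer_mm use the same OpenPGP encoding"
    else
        echo "local $local_mm and peer $peer_mm differ; expect handshake failure"
        return 1
    fi
}

case "${1:-}" in
    serve)   run_server ;;
    connect) run_client "${2:-localhost}" ;;
    check)   check_peer "${2:?peer version string required}" ;;
esac
```

Run `sh gnutls-pgp-debug.sh serve` on one host and `sh gnutls-pgp-debug.sh connect <host>` on the other; with --debug 4 both tools print the handshake messages, so the side that rejects the OpenPGP certificate message is visible without Mandos in the picture. `check 2.8.5` tells you up front whether the pairing is expected to fail. Note for anyone revisiting this today: OpenPGP certificate support was removed entirely from GnuTLS in the 3.6 series, so these options exist only on older builds.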