Re: [Help-gnutls] gnutls_handshake fails with an alert


From: Sam Varshavchik
Subject: Re: [Help-gnutls] gnutls_handshake fails with an alert
Date: Sun, 21 Oct 2007 18:29:51 -0400

Nikos Mavrogiannopoulos writes:

> On Saturday 20 October 2007, Sam Varshavchik wrote:
> > I've taken the "Simple client example" from the 1.6.3 pages, and supplied a
> > tcp_connect() that connects to ssl-enabled apache on localhost. Running the
> > code results in:
> >
> > *** Handshake failed
> > GNUTLS ERROR: A TLS fatal alert has been received.
>
> What you say doesn't help anyone who might want to help. It can be an error in your tcp functions, or you might be using the anonymous client to connect to an X.509 authenticated server.

No, I'm running a default Apache install with mod_ssl.

I finally ended up looking at elinks's source to see how it sets up gnutls. It turned out that I needed to create a gnutls_certificate_credentials_t using gnutls_certificate_allocate_credentials(), and put it into the session using gnutls_credentials_set(). Once I did that, the example given in the info docs worked correctly, both with my stock Apache, and other external SSL servers.

I am NOT using X.509 authentication; I'm running just a basic, plain-vanilla Apache+mod_ssl, using a self-signed test cert, without any X.509 authentication set up. It looks to me like the simple client example won't really work with garden-variety SSL servers. Looks like I need to put a GNUTLS_CRD_CERTIFICATE into a client session structure even if the server does not use or require X.509 authentication, in order for the handshake to work. I couldn't find anything in the info docs that pointed me in that direction; I had to look at some other code to figure it out.

Attachment: pgpEwicqLNyrV.pgp
Description: PGP signature

