1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
|
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<link rel="icon" type="image/png" href="graphics/gnutls-logo-icon.png">
<meta name="DC.title" content="gnutls.org">
<title>GnuTLS</title>
<!-- start of banner.html -->
<!-- start of head-include-2.html -->
<link rel="stylesheet" href="css/combo.css" media="screen">
<link rel="stylesheet" href="css/layout.css" media="screen">
<link rel="stylesheet" href="css/mini.css" media="handheld">
<link rel="stylesheet" href="css/print.css" media="print">
<!-- end of head-include-2.html -->
<!-- flattr code
<script type="text/javascript">
/* <![CDATA[ */
(function() {
var s=document.createElement('script'), t=document.getElementsByTagName('script')[0];
s.type = 'text/javascript';
s.async = true;
s.src = 'http://api.flattr.com/js/0.6/load.js?mode=auto';
t.parentNode.insertBefore(s, t);
})();
/* ]]> */
</script>
end of flattr -->
</head>
<body>
<div id="null-wrapper">
<!-- begin of body-include-2 -->
<div id="header">
<div class="inner" style="position: relative;">
<a href="gnutls-logo.html">
<img alt="Gnutls Logo" src="graphics/gnutls-logo.png" align="Left" border="0" width="94" height="86">
</a>
<h1>The GnuTLS Transport Layer Security Library</h1>
</div>
</div>
<div id="navigation">
<div class="inner">
<ul>
<li id="tab"><a href="index.html">Overview</a></li>
<li id="tab"><a href="news.html">News</a></li>
<!-- <li id="tab"><a href="soc.html">Summer of code</a></li>
-->
<li id="tab"><a href="download.html">Download</a></li>
<li id="tab"><a href="lists.html">Mailing lists</a></li>
<li id="tab"><a href="devel.html">Development</a></li>
<li id="tab"><a href="documentation.html">Documentation</a></li>
<li id="tab"><a href="security.html">Security advisories</a></li>
<li id="tab"><a href="commercial.html">Commercial support</a></li>
<li id="tab"><a href="contrib.html">Authors</a></li>
</ul>
</div><!-- /inner -->
</div><!-- /navigation -->
<div id="content" class="inner">
<p>Answers to common questions follow.
</p>
<div class="emph-box" id="prime-not-acceptable">
<h1><a href="#prime-not-acceptable">The software I use outputs the following error:
"The Diffie-Hellman prime sent by the server is not acceptable (not long enough)"
and the connection is terminated.</a></h1>
<p><b>Answer:</b>
The server you have tried to connect negotiates Diffie-Hellman (DH) ciphersuites
but offers a small and insecure DH group. This means that any connection data
could be decrypted in weeks or even hours by a determined adversary. For that
reason GnuTLS will refuse to communicate such servers. To work around the issue disable Diffie-Hellman
ciphersuites on the client (by using "NORMAL:-DHE-RSA" as a priority string);
this will allow connecting using the plain RSA ciphersuites, at the cost
of losing perfect forward secrecy.
</p>
<p>
Note that currently in the NORMAL priority string, the minimum acceptable
size of DH group is set to be at 728 bits. This is a very low size for
today's threats but unfortunately there are many popular Internet servers
providing such a weak security level. To increase the security level use
the SECURE128 or better priority strings, at the risk of a failed connection
with an insecure server. To avoid this issue, newer versions of GnuTLS prioritize the elliptic
curve DH ciphersuites that have no such issues.
</p>
</div>
<br>
<div class="emph-box" id="key-usage-violation">
<h1><a href="#key-usage-violation">"The software I use outputs the following error:
"Key usage violation in certificate has been detected."
and the connection is terminated.</a></h1>
<p><b>Answer:</b>
The server you have tried to connect has a certificate that is marked for
encryption-only but the server uses it with a ciphersuite that requires signing (or vice-versa). This is
either due to an attack, or due to a serious server misconfiguration.
Contact the server administrator. <br>
Because this misconfiguration problem is widespread, other TLS/SSL
software used by popular browsers tolerate the violation, and several servers negotiate ciphersuites
not allowed by the certificate, newer
versions of GnuTLS may also allow such key usage violations (and will only output a warning message).
</p>
</div>
</div>
<!-- <p id="backtotop"><a href="#header">back to top</a></p> -->
</div>
<!-- end server/footer-text.html -->
<div id="footer">
<table width="100%" class="transparent" summary="">
<tr>
<td>
<p>
Please send broken links and other corrections or suggestions to
<a href="mailto:bugs@gnutls.org"><em>bugs@gnutls.org</em></a>.
</p>
<!--
<p>
Copyright © 2011, 2012 Free Software Foundation, Inc.<br>
Copyright © 2012 Nikos Mavrogiannopoulos<br>
Verbatim copying and distribution of this entire article are permitted worldwide, without royalty, in any medium, provided this notice, and the copyright notice, are preserved.<br>
</p>
-->
</td>
<!--
<td>
<div align="center">
<a class="FlattrButton" style="display:none;" rev="flattr;button:compact;" href="http://www.gnutls.org"></a>
<noscript><a href="http://flattr.com/thing/291598/GnuTLS" target="_blank">
<img src="http://api.flattr.com/button/flattr-badge-large.png" alt="Flattr this" title="Flattr this" border="0"></a></noscript>
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_xclick">
<input type="hidden" name="business" value="simon@josefsson.org">
<input type="hidden" name="item_name" value="Donation for development">
<input type="hidden" name="item_number" value="GnuTLS">
<input type="hidden" name="no_shipping" value="1">
<input type="hidden" name="cn" value="Comment">
<input type="hidden" name="currency_code" value="EUR">
<input type="hidden" name="tax" value="0">
<input type="hidden" name="bn" value="PP-DonationsBF">
<input type="image" src="https://www.paypalobjects.com/en_US/i/btn/btn_donate_SM.gif" name="submit" alt="Paypal">
</form>
</div>
</td>
-->
<td>
Hosted by<br>
<a href="http://www.openit.de/"><img src="graphics/logo-sponsor.png" alt="Sponsor" title="Sponsor" border="0" width="76" height="24"></a>
</td>
</tr>
</table>
</div>
</body>
</html>
|
