Szerteszana²

Recording the fight won against gnuTLS

Maybe someone googles for this...

After an upgrade exim TLS barfs on several connection saying

 (gnutls_handshake): Could not negotiate a supported cipher suite.

or maybe

 (gnutls_handshake): An unexpected TLS packet was received.

All these are caused by the fuckin' gnutls update, which completely starts vomiting when fed by OpenSSL generated key files and/or certificates. In my case I had to regenerate the certificate of the key by:

certtool --generate-certificate --load-request host.req  --outfile host.crt --load-ca-certificate CA/cacert.pem   --load-ca-privkey CA/private/cakey.pem

but had to realise that certtol (of GNUTLS) simply cannot handle encrypted key of the CA, and keeps telling completely stupid error messages, like

certtool: importing --load-privkey: (null): Base64 decoding error.

and some may have realised that I did not even use --load-privkey option. Oh well. Turned out it's the encoded CA private key. So first it has to be decoded, not by GNUTLS of course since it chokes on it but openssl:

openssl rsa < ca.key > ca-fsck.key

which is obviosuly a very secure way to handle a CA key. Anyway, now the generate-certificate works and tries to create a new cert. Of course extended fields are a way off unless you go on and check all the possible options of the template.
After all this mess it works with the old host key and the new host certificate. Boo-hoo.

„Ilyen állat nincs!”

Frissítettem a blog alatti rendszert, pár akadályt leküzdve, de aztán működött. Ezután elmentemelmesélni hogy mikbe ütköztem azoknak, akik a hibákat esetleg javítják, közösségi szolgáltatás cserébe a programért.
Erre közli velem a srác hogy az új rendszer nem működik PostgreSQL alatt, nem támogatott.
Még szerencse, hogy láthatóan sem a blog engine sem a PostgreSQL erről nem tud. ;-)

Ignorance is bliss!