

#17 TLS connections are broken with newer version of GNUTLS


Thanks for helping maintain Rudel! I use it often and love it!

Rudel uses the "--kx ANON_DH" option with gnutls-cli, which has been deprecated for quite some time and which has been turned off completely in recent versions, as far as I can tell. In the "old" versions (e.g., 2.8), Rudel works fine but provides a warning that the --kx argument is deprecated. In newer versions of gnutls (e.g., 2.12 or 3.0), the gnutls-cli tunnel fails to open at all and rudel fails to connect to the obby server altogether. The new way to specify this is with the "--priority" option. I believe the correct new gnutls-cli arguments should be: "--priority NORMAL:+ANON-DH".

Reproducing this bug should be reasonably simple: (1) Install a new version of GNUTLS and the gnutls-cli program in particular. (2) Try to connect to an encrypted gobby session of TLS through rudel. You can create one with gobby or sobby.

As a result of this bug, rudel will fail to connect to any encrypted obby connections, including obby servers run by sobby or by gobby. It will silently fail to join sessions without any comprehensible error to the user. Debugging exactly what was going wrong took me a couple hours.

Debian testing is already shipping an incompatible version of gnutls-cli and this problem is likely to become widespread quickly.

It is reasonably easy to work around this bug, and I've attached a patch to rudel-tls.el which fixes the issue on my system and which allows me to use rudel with both new and old versions of gnutls-cli without problems. I've tested it with gnutls-cli 2.8.6 and 2.12.10.

One warning: I've made this patch against the rudel-0.2.4 release tarball. I tried to test this on bzr trunk but couldn't get the trunk version of rudel to connect to gobby at all (with either the old or new version of gnutls-cli). I'm quite confident that this is a configuration error on my end. The only reason I mention this is that I have not tested this patch in the bzr trunk version of Rudel. But I am very confident it will both apply cleanly and work.


  • Anonymous

    patch to rudel-tls.el (made against 2.4.0)