I got hit by a problem today where trying to connect to GTalk through KTP failed with a GNUTLS_E_DH_PRIME_UNACCEPTABLE error. The solution was to set EXTRA_ECONF when building telepathy-gabble so that wocky makes use of OpenSSL instead. The result has been positive, and it works fine now. Just add a +gnutls USE flag and let me "downgrade" to OpenSSL (that works). Thanks. Diego
According to the changelog: 18 Feb 2011; Nirbheek Chauhan <nirbheek@gentoo.org> telepathy-gabble-0.10.5.ebuild: Fix libsoup dependency: after 2.33.1, libsoup started using glib-networking for ssl instead of gnutls, and it is now enabled unconditionally. So it looks like this is something that can be revisited indeed.
*** Bug 456258 has been marked as a duplicate of this bug. ***
Note that the new version is connecting through a (bundled) libwocky, which is where the selection between GnuTLS/OpenSSL has to be made (./configure at top level will not let you spot any selection).
I've reported the GnuTLS issue upstream; for what it's worth, here's me trying to connect with gnutls-cli:

flame@saladin ~ % gnutls-cli -p 5223 talk.google.com
Processed 160 CA certificate(s).
Resolving 'talk.google.com'...
Connecting to '173.194.65.125:5223'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
- subject `C=US,ST=California,L=Mountain View,O=Google Inc,CN=talk.google.com', issuer `C=US,O=Google Inc,CN=Google Internet Authority', RSA key 1024 bits, signed using RSA-SHA1, activated `2012-06-05 00:53:35 UTC', expires `2013-06-05 01:03:35 UTC', SHA-1 fingerprint `7833da4b3a1642e680d7f8e58fd99ed31493b790'
Public Key Id:
92b4709209e60147dc572dc02c85c45cdc456ade
Public key's random art:
+--[ RSA 1024]----+
|.+*=.B++.+o |
| +.o*o= o.. |
| . =oo o. |
| = = . |
| + S E |
| . |
| |
| |
| |
+-----------------+
- Certificate[1] info:
- subject `C=US,O=Google Inc,CN=Google Internet Authority', issuer `C=US,O=Equifax,OU=Equifax Secure Certificate Authority', RSA key 1024 bits, signed using RSA-SHA1, activated `2009-06-08 20:43:27 UTC', expires `2013-06-07 19:43:27 UTC', SHA-1 fingerprint `dd7a7f131ddba33d3e8670179483e6fea6987d6a'
- Status: The certificate is trusted.
*** Fatal error: The Diffie-Hellman prime sent by the server is not acceptable (not long enough).
*** Handshake has failed
GnuTLS error: The Diffie-Hellman prime sent by the server is not acceptable (not long enough).
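The GnuTLS error above comes from a client-side sanity check on the DHE parameters the server sends in its ServerKeyExchange. The following is an added example, not code from this thread, from GnuTLS or from wocky: it parses the ServerDHParams structure of a TLS 1.2 DHE ServerKeyExchange (RFC 5246 section 7.4.3) and refuses a prime below a configurable minimum size, which is the same class of check that made the handshake fail here. The minimum of 2048 bits is an assumed policy value, and the sample parameters are constructed, not real DH groups.

```python
"""Reject TLS DHE parameters whose prime is too short.

Added example: parses ServerDHParams { dh_p, dh_g, dh_Ys } from the body of a
TLS 1.2 ServerKeyExchange and applies a minimum-size policy, the kind of check
behind "The Diffie-Hellman prime sent by the server is not acceptable".
"""
import struct

# Assumed policy threshold; GnuTLS's own limit depends on its priority string
# and is not stated in the bug thread.
DEFAULT_MIN_DH_BITS = 2048


def _read_vector(buf: bytes, offset: int):
    """Read a TLS opaque<1..2^16-1> vector: 2-byte big-endian length, then body."""
    if offset + 2 > len(buf):
        raise ValueError("truncated vector length")
    (length,) = struct.unpack_from("!H", buf, offset)
    offset += 2
    if length == 0 or offset + length > len(buf):
        raise ValueError("truncated vector body")
    return buf[offset:offset + length], offset + length


def parse_server_dh_params(ske_body: bytes):
    """Return (p, g, Ys) as integers from the start of a ServerKeyExchange body.

    The signature that follows ServerDHParams is not examined here.
    """
    p_bytes, off = _read_vector(ske_body, 0)
    g_bytes, off = _read_vector(ske_body, off)
    ys_bytes, _ = _read_vector(ske_body, off)
    return (int.from_bytes(p_bytes, "big"),
            int.from_bytes(g_bytes, "big"),
            int.from_bytes(ys_bytes, "big"))


def dh_prime_acceptable(ske_body: bytes, min_bits: int = DEFAULT_MIN_DH_BITS):
    """Return (ok, reason). ok is False when the prime is shorter than min_bits
    or the server's public value is outside the open interval (1, p-1)."""
    p, g, ys = parse_server_dh_params(ske_body)
    bits = p.bit_length()
    if bits < min_bits:
        return False, (f"Diffie-Hellman prime is {bits} bits, below the "
                       f"{min_bits}-bit minimum (not long enough)")
    if not 1 < g < p - 1:
        return False, "generator out of range"
    if not 1 < ys < p - 1:
        return False, "server public value out of range"
    return True, f"Diffie-Hellman prime is {bits} bits"


def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Build on-the-wire ServerDHParams; used here only to construct sample input."""
    out = b""
    for n in (p, g, ys):
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(body)) + body
    return out


# Constructed sample moduli (top bit set, not real or safe primes).
SHORT_P = (1 << 767) | 0x1234567    # 768-bit modulus
LONG_P = (1 << 2047) | 0x1234567    # 2048-bit modulus
SHORT_SKE = encode_server_dh_params(SHORT_P, 2, SHORT_P >> 3)
LONG_SKE = encode_server_dh_params(LONG_P, 2, LONG_P >> 3)

if __name__ == "__main__":
    for name, ske in (("short", SHORT_SKE), ("long", LONG_SKE)):
        ok, reason = dh_prime_acceptable(ske)
        print(f"{name}: {'accept' if ok else 'reject'}: {reason}")
```

Running it rejects the 768-bit sample and accepts the 2048-bit one; a client that, like GnuTLS here, enforces such a floor will abort the handshake on the short group, while a client with a lower floor (or none) connects, which is exactly the difference the OpenSSL "downgrade" in this thread papers over.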
Created attachment 338388: Ebuild patch
Isn't the bug with telepathy-gabble, not gnutls or libsoup? Shouldn't telepathy-gabble be telling libsoup not to require such a high prime number?
I've created bz #456392 for fixing the bug in net-voip-telepathy-gabble
+ 10 Feb 2013; Gilles Dartiguelongue <eva@gentoo.org> + -telepathy-gabble-0.16.3.ebuild, telepathy-gabble-0.16.4.ebuild: + Fix USE=jingle confusing file-transfer with voip, switch to EAPI=5 and + python-any-r1. Make tls backend configurable, bug #456250. + Thanks for reporting.