I got hit by a problem today where trying to connect with GTalk through KTP failed to connect with a GNUTLS_E_DH_PRIME_UNACCEPTABLE error.
The solution was to set EXTRA_ECONF when building telepathy-gabble so that wocky makes use of OpenSSL instead. The result has been positive, and it works fine now.
Just add a +gnutls USE flag and let me "downgrade" to OpenSSL (that works). Thanks.
According to the changelog:
18 Feb 2011; Nirbheek Chauhan <firstname.lastname@example.org>
Fix libsoup dependency: after 2.33.1, libsoup started using
glib-networking for ssl instead of gnutls, and it is now enabled
So it looks like this is something that can be revisited indeed.
*** Bug 456258 has been marked as a duplicate of this bug. ***
Note that the new version is connecting through a (bundled) libwocky, which is where the selection between GnuTLS/OpenSSL has to be made (./configure at top level will not let you spot any selection).
I've reported the GnuTLS issue upstream, for what it's worth here's me trying to connect with gnutls-cli:
flame@saladin ~ % gnutls-cli -p 5223 talk.google.com
Processed 160 CA certificate(s).
Connecting to '126.96.36.199:5223'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate info:
- subject `C=US,ST=California,L=Mountain View,O=Google Inc,CN=talk.google.com', issuer `C=US,O=Google Inc,CN=Google Internet Authority', RSA key 1024 bits, signed using RSA-SHA1, activated `2012-06-05 00:53:35 UTC', expires `2013-06-05 01:03:35 UTC', SHA-1 fingerprint `7833da4b3a1642e680d7f8e58fd99ed31493b790'
Public Key Id:
Public key's random art:
+--[ RSA 1024]----+
| +.o*o= o.. |
| . =oo o. |
| = = . |
| + S E |
| . |
- Certificate info:
- subject `C=US,O=Google Inc,CN=Google Internet Authority', issuer `C=US,O=Equifax,OU=Equifax Secure Certificate Authority', RSA key 1024 bits, signed using RSA-SHA1, activated `2009-06-08 20:43:27 UTC', expires `2013-06-07 19:43:27 UTC', SHA-1 fingerprint `dd7a7f131ddba33d3e8670179483e6fea6987d6a'
- Status: The certificate is trusted.
*** Fatal error: The Diffie-Hellman prime sent by the server is not acceptable (not long enough).
*** Handshake has failed
GnuTLS error: The Diffie-Hellman prime sent by the server is not acceptable (not long enough).
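As an added illustration of what the gnutls-cli failure above is checking (example code written for this thread, not code from GnuTLS, wocky or telepathy-gabble): the client parses the Diffie-Hellman parameters the server sends in a TLS 1.2 ServerKeyExchange (RFC 5246, section 7.4.3: dh_p, dh_g, dh_Ys as 16-bit length-prefixed vectors) and refuses the handshake when the prime is shorter than its policy minimum, which is what "not acceptable (not long enough)" reports. The sample modulus and the 2048-bit threshold below are constructed for the example; the thread does not state the threshold GnuTLS applied, so the minimum is a parameter rather than a fixed value.

```python
import struct

# --- constructed sample inputs (not taken from the thread) -----------------
# A 1024-bit modulus with the top bit set. It is only a placeholder for the
# length check; it is NOT a real safe prime and must not be used for key
# exchange.
SAMPLE_P_1024 = (1 << 1023) | 0x1234567
SAMPLE_G = 2
SAMPLE_YS = 0xCAFEBABE


def _vec16(n: int) -> bytes:
    """Encode an integer as a TLS opaque<1..2^16-1> vector (big-endian)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return struct.pack("!H", len(raw)) + raw


def encode_dh_params(p: int, g: int, ys: int) -> bytes:
    """Build the ServerDHParams prefix of a DHE ServerKeyExchange body."""
    return _vec16(p) + _vec16(g) + _vec16(ys)


def parse_dh_params(body: bytes):
    """Parse ServerDHParams; returns (p, g, Ys, remaining_bytes).

    The remaining bytes are the signature block, which this example does
    not verify. Truncated or zero-length vectors raise ValueError, so a
    malformed message is rejected instead of being misread.
    """
    off = 0
    values = []
    for name in ("dh_p", "dh_g", "dh_Ys"):
        if off + 2 > len(body):
            raise ValueError(f"truncated before length of {name}")
        (length,) = struct.unpack_from("!H", body, off)
        off += 2
        if length == 0 or off + length > len(body):
            raise ValueError(f"bad length {length} for {name}")
        values.append(int.from_bytes(body[off:off + length], "big"))
        off += length
    p, g, ys = values
    return p, g, ys, body[off:]


def check_dh_prime(p: int, min_bits: int):
    """Policy check a client applies before continuing the handshake.

    Returns (accepted, message). A prime below min_bits is rejected, which
    corresponds to GnuTLS' GNUTLS_E_DH_PRIME_UNACCEPTABLE outcome.
    """
    bits = p.bit_length()
    if bits < min_bits:
        return False, (f"Diffie-Hellman prime is {bits} bits, "
                       f"shorter than the {min_bits}-bit minimum")
    return True, f"{bits}-bit Diffie-Hellman prime accepted"


def evaluate_server_key_exchange(body: bytes, min_bits: int):
    """Parse a ServerKeyExchange body and apply the prime-length policy."""
    p, _g, _ys, _sig = parse_dh_params(body)
    return check_dh_prime(p, min_bits)


if __name__ == "__main__":
    # Constructed message: DH params followed by a dummy signature block.
    msg = encode_dh_params(SAMPLE_P_1024, SAMPLE_G, SAMPLE_YS) + b"\x00\x00"
    for policy in (1024, 2048):
        ok, why = evaluate_server_key_exchange(msg, policy)
        print(f"min {policy} bits: {'OK' if ok else 'FATAL'} - {why}")
```

With a 2048-bit minimum the constructed 1024-bit modulus is refused, mirroring the "Fatal error" above; with a 1024-bit minimum the same message is accepted, which is the effect of moving to a TLS backend (or a policy) that tolerates the shorter group. The defensive point is that the check belongs to the client's policy, so the fix is either a longer group on the server or an explicit, deliberate relaxation on the client, not silently skipping the check.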
Created attachment 338388
Isn't the bug with telepathy-gabble, not gnutls or libsoup? Shouldn't telepathy-gabble be telling libsoup not to require such a high prime number?
I've created bz #456392 for fixing the bug in net-voip-telepathy-gabble
+ 10 Feb 2013; Gilles Dartiguelongue <email@example.com>
+ -telepathy-gabble-0.16.3.ebuild, telepathy-gabble-0.16.4.ebuild:
+ Fix USE=jingle confusing file-transfer with voip, switch to EAPI=5 and
+ python-any-r1. Make tls backend configurable, bug #456250.
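Review bot: the ChangeLog entry cites bug #456250 while the comment just above opened bz #456392 for the telepathy-gabble fix; confirm which bug the entry should reference, or cite both so the two reports stay linked. The entry also bundles three unrelated changes (the USE=jingle fix, the EAPI=5/python-any-r1 switch and the configurable tls backend) in one line; splitting them into separate sentences would make it clearer which part resolves the GnuTLS DH-prime failure discussed here.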
Thanks for reporting.