online banking with BB&T

Chris Hoefler hoeflerb at gmail.com
Wed Apr 15 12:08:00 EDT 2015


Ok, had to do a bit of digging in the source tree, but I made it work.
Thanks John for the tip that it uses gnutls instead of openssl. This
allowed me to debug the priority string needed for BB&T. The basic problem
is that gnutls tries to use TLS 1.2 first and then must negotiate with the
server to get TLS 1.0. The server doesn't support renegotiation, so the
handshake fails. To get this to work you must tell gnutls explicitly to use
TLS 1.0.

Using the default gnutls priority string,
$ gnutls-cli -d 10 -V --x509cafile /etc/ssl/certs/ca-certificates.crt eftx.bbt.com
...<snip debug messages>...
*** Fatal error: A TLS fatal alert has been received.
*** Received alert [70]: Error in protocol version
|<4>| REC: Sending Alert[2|80] - Internal error
|<4>| REC[0x1201770]: Sending Packet[1] Alert(21) with length: 2
|<7>| WRITE: enqueued 7 bytes for 0x5. Total 7 bytes.
|<7>| WRITE FLUSH: 7 bytes in buffer.
|<7>| WRITE: wrote 7 bytes, 0 bytes left.
|<4>| REC[0x1201770]: Sent Packet[2] Alert(21) with length: 7
*** Handshake has failed
GnuTLS error: A TLS fatal alert has been received.

Forcing TLS 1.0,
gnutls-cli -d 10 -V --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0" --x509cafile /etc/ssl/certs/ca-certificates.crt eftx.bbt.com
...<snip debug messages>...
- Peer's certificate is trusted
- Version: TLS1.0
- Key Exchange: RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Session ID:
00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:02:00:01:AF:66:55:2E:89:ED:00:00:00:00:51:5A:A3:A1
- Channel binding 'tls-unique': 45613ee75632f28820457f2f
- Handshake was completed

- Simple Client Mode:

Ok, so how do we get this to work with GnuCash? GnuCash uses AqBanking to
do online accounts, which in turn uses the Gwenhywfar library to do the ssl
work. It turns out there is code to allow use of an environment variable,
GWEN_TLS_CIPHER_PRIORITIES, to override the default cipher priorities, but
this code is disabled in the current branch. I enabled it and recompiled
the library, and now everything works great.

export GWEN_TLS_CIPHER_PRIORITIES="SECURE256:-ARCFOUR-128:-AES-128-CBC:-CAMELLIA-128-CBC:-3DES-CBC:-VERS-TLS-ALL:+VERS-TLS1.0"

now GnuCash can set up the user, retrieve the account list, and get the
transactions I need.

Hopefully this new SSL code will be enabled upstream at some point in the
future, but if anybody needs it sooner, I can send you my recompiled
version (or I can tell you exactly how to do it yourself).

Best,
Chris

On Tue, Apr 14, 2015 at 12:05 AM, John Ralls <jralls at ceridwen.us> wrote:

>
> > On Apr 13, 2015, at 9:22 PM, Chris Hoefler <hoeflerb at gmail.com> wrote:
> >
> > I agree. Unfortunately, I don't have the option to switch banks at the
> moment. Is there a way to configure the SSL client that aqbanking uses? I'm
> not aware of any global configuration for all ssl clients.... For example,
> when I use openssl s_client, I can handshake just fine. Aqbanking must be
> specifically rejecting TLS 1.0.
> >
> > (The cipher is good, btw. It is just the old protocol version that seems
> problematic.)
>
> Please remember to copy the list on all replies, using "reply all".
>
> I don't know how to specify which libssl aqbanking uses short of compiling
> the latter with an rpath specifying a particular one.
>
> Debian Wheezy appears to use /etc/ssl/openssl.cfg as the global OpenSSL
> config file, but I don't find anything about -no_tls_1 in it; in fact I
> find that only in the man page for s_client. Anyway it appears from a quick
> look through the sources that AQBanking and its Gwenhywfar backend use
> libgnutls rather than openssl for the tls implementation, but I don't find
> the VERS-TLS strings that gnutls uses to set protocol levels in either.
>
> Sorry I can't be more help.
>
> Regards,
> John Ralls
>
>
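
The priority strings traded in this thread are processed left to right, so "-VERS-TLS-ALL:+VERS-TLS1.0" does more than let one bank's server talk: it removes TLS 1.1 and 1.2 from every connection the library makes. The following added example (not code from the thread, GnuTLS, Gwenhywfar or AqBanking) models only the protocol-version effect of a GnuTLS priority string and classifies the result, so a reviewer can see what a workaround like the GWEN_TLS_CIPHER_PRIORITIES value above actually enables. Assumptions, labelled in the code: a base keyword such as NORMAL or SECURE256 enables TLS1.0, TLS1.1 and TLS1.2 (the default set of a 2015-era GnuTLS; the real list depends on the release and build), VERS-TLS-ALL expands to exactly those three, SSL3.0 appears only via an explicit +VERS-SSL3.0, and cipher, MAC and key-exchange modifiers are ignored.

```python
"""Resolve which protocol versions a GnuTLS priority string leaves enabled.

Added example for this thread, not code from GnuTLS, Gwenhywfar or AqBanking.
Modelling assumptions: a base keyword such as NORMAL or SECURE256 enables
TLS1.0, TLS1.1 and TLS1.2 (the 2015-era GnuTLS default set); VERS-TLS-ALL
covers exactly those three; SSL3.0 is only enabled by an explicit
+VERS-SSL3.0; modifiers apply left to right, as GnuTLS documents.
Non-version modifiers (ciphers, MACs, key exchange) are ignored here.
"""
import re

PREFERENCE_ORDER = ("TLS1.2", "TLS1.1", "TLS1.0", "SSL3.0")  # highest first
DEFAULT_VERSIONS = {"TLS1.2", "TLS1.1", "TLS1.0"}            # assumption, see docstring
TLS_ALL = {"TLS1.2", "TLS1.1", "TLS1.0"}                     # what VERS-TLS-ALL expands to
DEPRECATED = {"SSL3.0", "TLS1.0", "TLS1.1"}                  # RFC 7568 (SSL3), RFC 8996 (TLS1.0/1.1)
BASE_KEYWORDS = {"NONE", "NORMAL", "SECURE128", "SECURE256", "PERFORMANCE", "LEGACY", "PFS"}
VERSION_MODIFIER = re.compile(r"([+-])VERS-(TLS-ALL|TLS1\.[012]|SSL3\.0)$")


def resolve_versions(priority: str) -> list[str]:
    """Return the enabled protocol versions, highest first."""
    enabled: set[str] = set()
    for token in priority.split(":"):
        if token in BASE_KEYWORDS:
            # A base keyword resets the set; NONE starts from nothing.
            enabled = set() if token == "NONE" else set(DEFAULT_VERSIONS)
            continue
        match = VERSION_MODIFIER.match(token)
        if match is None:
            continue  # cipher, MAC, KX or other modifier: no effect on versions
        sign, name = match.groups()
        targets = TLS_ALL if name == "TLS-ALL" else {name}
        enabled = (enabled - targets) if sign == "-" else (enabled | targets)
    return [v for v in PREFERENCE_ORDER if v in enabled]


def assess(priority: str) -> str:
    """Classify the version exposure of a priority string for a quick review."""
    versions = resolve_versions(priority)
    if not versions:
        return "no protocol version enabled: every handshake will fail"
    modern = [v for v in versions if v not in DEPRECATED]
    legacy = [v for v in versions if v in DEPRECATED]
    if not modern:
        return "deprecated-only: " + ", ".join(legacy)
    if legacy:
        return "mixed: modern " + ", ".join(modern) + "; legacy " + ", ".join(legacy)
    return "modern-only: " + ", ".join(modern)


if __name__ == "__main__":
    # The two strings from the thread, plus a hardened counterpart that drops
    # the deprecated versions instead of pinning to one of them.
    for p in ("NORMAL",
              "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0",
              "SECURE256:-ARCFOUR-128:-AES-128-CBC:-CAMELLIA-128-CBC:-3DES-CBC:-VERS-TLS-ALL:+VERS-TLS1.0",
              "NORMAL:-VERS-TLS1.0:-VERS-TLS1.1"):
        print(f"{p}\n  -> {resolve_versions(p)}  [{assess(p)}]")
```

Run it to compare strings before putting one into an environment variable that every connection of the library inherits: the thread's workaround resolves to TLS1.0 only, while "NORMAL:-VERS-TLS1.0:-VERS-TLS1.1" is the shape a per-host exception would leave in place for everything else.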

