online banking with BB&T

John Ralls jralls at ceridwen.us
Wed Apr 15 21:02:23 EDT 2015


> On Apr 15, 2015, at 9:08 AM, Chris Hoefler <hoeflerb at gmail.com> wrote:
> 
> Ok, had to do a bit of digging in the source tree, but I made it work. Thanks John for the tip that it uses gnutls instead of openssl. This allowed me to debug the priority string needed for BB&T. The basic problem is that gnutls tries to use TLS 1.2 first and then must negotiate with the server to get TLS 1.0. The server doesn't support renegotiation, so the handshake fails. To get this to work you must tell gnutls explicitly to use TLS 1.0.
> 
> Using the default gnutls priority string,
> $ gnutls-cli -d 10 -V --x509cafile /etc/ssl/certs/ca-certificates.crt eftx.bbt.com
> ...<snip debug messages>...
> *** Fatal error: A TLS fatal alert has been received.
> *** Received alert [70]: Error in protocol version
> |<4>| REC: Sending Alert[2|80] - Internal error
> |<4>| REC[0x1201770]: Sending Packet[1] Alert(21) with length: 2
> |<7>| WRITE: enqueued 7 bytes for 0x5. Total 7 bytes.
> |<7>| WRITE FLUSH: 7 bytes in buffer.
> |<7>| WRITE: wrote 7 bytes, 0 bytes left.
> |<4>| REC[0x1201770]: Sent Packet[2] Alert(21) with length: 7
> *** Handshake has failed
> GnuTLS error: A TLS fatal alert has been received.
> 
> Forcing TLS 1.0,
> gnutls-cli -d 10 -V --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0" --x509cafile /etc/ssl/certs/ca-certificates.crt eftx.bbt.com
> ...<snip debug messages>...
> - Peer's certificate is trusted
> - Version: TLS1.0
> - Key Exchange: RSA
> - Cipher: AES-128-CBC
> - MAC: SHA1
> - Compression: NULL
> - Session ID: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:02:00:01:AF:66:55:2E:89:ED:00:00:00:00:51:5A:A3:A1
> - Channel binding 'tls-unique': 45613ee75632f28820457f2f
> - Handshake was completed
> 
> - Simple Client Mode:
> 
> Ok, so how do we get this to work with GnuCash? GnuCash uses AqBanking to do online accounts, which in turn uses the Gwenhywfar library to do the ssl work. It turns out there is code to allow use of an environment variable, GWEN_TLS_CIPHER_PRIORITIES, to override the default cipher priorities, but this code is disabled in the current branch. I enabled it and recompiled the library, and now everything works great.
> 
> export GWEN_TLS_CIPHER_PRIORITIES="SECURE256:-ARCFOUR-128:-AES-128-CBC:-CAMELLIA-128-CBC:-3DES-CBC:-VERS-TLS-ALL:+VERS-TLS1.0"
> 
> now GnuCash can set up the user, retrieve the account list, and get the transactions I need.
> 
> Hopefully this new SSL code will be enabled upstream at some point in the future, but if anybody needs it sooner, I can send you my recompiled version (or I can tell you exactly how to do it yourself).

Would you write up what you did on http://wiki.gnucash.org/wiki/AqBanking?

Regards,
John Ralls
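The fix above works by editing the GnuTLS priority string: start from a base set (NORMAL or SECURE256), then strip every TLS version with -VERS-TLS-ALL and re-enable only +VERS-TLS1.0, so the client never offers TLS 1.2 to the server that cannot handle it. The following is an added example, not code from GnuCash, AqBanking, Gwenhywfar or GnuTLS: a small model of that left-to-right evaluation, so you can see what a given string actually leaves enabled before putting it in GWEN_TLS_CIPHER_PRIORITIES. The NORMAL and SECURE256 contents below are constructed approximations (the real lists are longer and vary by GnuTLS version); the keyword names are the ones used in the strings above.

```python
"""Model of how a GnuTLS priority string is evaluated (added example; not
code from GnuCash, AqBanking, Gwenhywfar or GnuTLS)."""

# Constructed approximation of the GnuTLS base keyword sets (assumption:
# the real NORMAL and SECURE256 lists are longer and version dependent).
_ALL_TLS = {"VERS-TLS1.0", "VERS-TLS1.1", "VERS-TLS1.2"}

BASE_SETS = {
    "NORMAL": {
        "versions": set(_ALL_TLS),
        "ciphers": {"AES-128-GCM", "AES-256-GCM", "AES-128-CBC", "AES-256-CBC",
                    "CAMELLIA-128-CBC", "CAMELLIA-256-CBC", "3DES-CBC",
                    "ARCFOUR-128"},
    },
    "SECURE256": {
        "versions": set(_ALL_TLS),
        "ciphers": {"AES-256-GCM", "AES-256-CBC", "CAMELLIA-256-CBC"},
    },
}

# Group keywords that expand to several entries at once.
GROUPS = {
    "VERS-TLS-ALL": _ALL_TLS,
}


def _category(name):
    """Protocol versions and ciphers are tracked as separate sets."""
    return "versions" if name.startswith("VERS-") else "ciphers"


def evaluate(priority):
    """Return {'versions': set, 'ciphers': set} enabled by a priority string.

    Keywords are applied left to right: the first must be a base set, then
    '+NAME' enables and '-NAME' or '!NAME' disables NAME (or every member of
    a group such as VERS-TLS-ALL).  In this model removing an entry that is
    not present is a no-op, so a redundant '-AES-128-CBC' on top of
    SECURE256 is harmless.
    """
    tokens = priority.split(":")
    base = tokens[0]
    if base not in BASE_SETS:
        raise ValueError("priority string must start with a base keyword: %r" % base)
    enabled = {kind: set(entries) for kind, entries in BASE_SETS[base].items()}

    for token in tokens[1:]:
        if not token:
            continue
        op, name = token[0], token[1:]
        if op not in "+-!":
            raise ValueError("unknown keyword %r" % token)
        members = GROUPS.get(name, {name})
        target = enabled[_category(name)]   # the set object itself
        if op == "+":
            target |= members
        else:
            target -= members
    return enabled


def pinned_version(priority):
    """Return the single enabled protocol version, or None when several
    versions remain enabled (the client would then offer the highest)."""
    versions = evaluate(priority)["versions"]
    if len(versions) == 1:
        return next(iter(versions))
    return None


if __name__ == "__main__":
    for prio in ("NORMAL",
                 "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0",
                 "SECURE256:-ARCFOUR-128:-AES-128-CBC:-CAMELLIA-128-CBC"
                 ":-3DES-CBC:-VERS-TLS-ALL:+VERS-TLS1.0"):
        result = evaluate(prio)
        print(prio)
        print("  versions:", sorted(result["versions"]),
              "pinned:", pinned_version(prio))
        print("  ciphers: ", sorted(result["ciphers"]))
```

Run it and the NORMAL line shows all three versions enabled (no pin, so the client leads with TLS 1.2), while both override strings collapse the version set to TLS1.0 only; the SECURE256 variant additionally drops the 128-bit and legacy ciphers that NORMAL would have offered. Use it as a sanity check on the string, not as a substitute for gnutls-cli against the real server.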


