When running in FIPS mode, gnutls does not adjust its set of negotiated ciphersuites, meaning in some cases it will negotiate a ciphersuite using a forbidden algorithm, and then it hits an internal error and fails the handshake when it reaches ChangeCipherSpec. Although it's possible to work around this at higher levels, it seems like gnutls ought to do this automatically, right?
Can you give a concrete example? I cannot reproduce it with gnutls-cli on a few public TLS servers I tried.
E.g., for both bugzilla.gnome.org and google.com it negotiates RSA_ARCFOUR_SHA1 and then fails. But "gnutls-cli --priority 'NORMAL:-ARCFOUR-128' bugzilla.gnome.org" will succeed with RSA_AES_256_CBC_SHA1.
gnutls-2.12.20-4.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/gnutls-2.12.20-4.fc18
Package gnutls-2.12.20-4.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing gnutls-2.12.20-4.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-17433/gnutls-2.12.20-4.fc18
then log in and leave karma (feedback).
gnutls-2.12.20-4.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.