[Pkg-gnutls-maint] Bug#466477: Bug#466477: libgnutls26: Failure to talk with IBM ldap/http servers

Simon Josefsson simon at josefsson.org
Tue Feb 19 09:45:50 UTC 2008


Richard A Nelson <cowboy at debian.org> writes:

> breaks slapd (ldap caching), ldapsearch, mutt, and anything else
> linked against the gnutls library.
>
> While investigating why my slapd ldap caching wasn't working - and
> remote ldap authentication started failing, I found this in the
> ldapsearch debug output:
> TLS: can't connect: A TLS packet with unexpected length was received..
>
> To isolate the problem source, I installed gnutls-bin and compared
> gnutls-cli and openssl s_client output:
>
> $ gnutls-cli -p 636 bluepages.ibm.com
> Resolving 'bluepages.ibm.com'...
> Connecting to '9.17.186.253:636'...
> *** Fatal error: A TLS packet with unexpected length was received.
> *** Handshake has failed
> GNUTLS ERROR: A TLS packet with unexpected length was received
>
> $ openssl s_client -connect bluepages.ibm.com:636
> CONNECTED(00000003)
> depth=1 /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> ...
>
> $ gnutls-cli -p 443 w3.ibm.com
> Resolving 'w3.ibm.com'...
> Connecting to '9.17.137.11:443'...
> *** Fatal error: A TLS packet with unexpected length was received.
> *** Handshake has failed
> GNUTLS ERROR: A TLS packet with unexpected length was received.
>
> $ openssl s_client -connect w3.ibm.com:443
> CONNECTED(00000003)
> depth=1 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> ...

I can't seem to be able to connect to these sites at all -- they don't
exist in the global DNS, and the IP addresses aren't routable.  Can you
reproduce this using some public servers as well?

/Simon

jas at mocca:~$ gnutls-cli -p 636 bluepages.ibm.com
Resolving 'bluepages.ibm.com'...
Cannot resolve bluepages.ibm.com:636: Name or service not known
jas at mocca:~$ gnutls-cli -p 636 9.17.186.253
Resolving '9.17.186.253'...
Connecting to '9.17.186.253:636'...
Cannot connect to 9.17.186.253:636: Network is unreachable
jas at mocca:~$ gnutls-cli -p 443 w3.ibm.com
Resolving 'w3.ibm.com'...
Cannot resolve w3.ibm.com:443: Name or service not known
jas at mocca:~$ gnutls-cli -p 443 9.17.137.11
Resolving '9.17.137.11'...
Connecting to '9.17.137.11:443'...




