Bug#576339: makes libsoup go crazy, and start sending infinite requests

Andreas Metzler ametzler at downhill.at.eu.org
Sun Jun 27 15:54:55 UTC 2010


reassign 576339 libsoup2.4-1 2.29.91-1
retitle 576339 libsoup does not disable TLS1.2
thanks

On 2010-06-08 Andreas Metzler <ametzler at downhill.at.eu.org> wrote:
> found 576339 2.9.11-1
> thanks
> On 2010-04-08 Debian Bug Tracking System <owner at bugs.debian.org> wrote:
> > Processing commands for control at bugs.debian.org:

> > > reassign 576339 gnutls26 2.9.9-1
> > Bug #576339 [epiphany-browser] epiphany-browser: unable to access https site after webkit switchover
> > Bug reassigned from package 'epiphany-browser' to 'gnutls26'.

> This seems to have been introduced in 2.9.7. Versions up to and
> including 2.9.6 are ok. 2.9.10 is not fixed.
[...]

This is caused by the TLS1.2 support in gnutls 2.9.7.

<quoting Nikos Mavrogiannopoulos:>
libsoup sets a priority string of "NORMAL:!VERS-TLS1.1:!VERS-TLS1.0".
Thus the allowed versions are now TLS 1.2 and SSL 3.0. The servers do
not support TLS 1.2 thus falling back to TLS 1.0 which is not
supported.
</quote>

A hotfix for this is to add :!VERS-TLS1.2 to the priority string in the
call to gnutls_priority_set_direct() in libsoup/soup-gnutls.c.
---------------------------------
--- libsoup2.4-2.31.2.orig/libsoup/soup-gnutls.c
+++ libsoup2.4-2.31.2/libsoup/soup-gnutls.c
@@ -477,7 +477,7 @@ soup_ssl_wrap_iochannel (GIOChannel *soc
 		goto THROW_CREATE_ERROR;
 
 	/* See http://bugzilla.gnome.org/show_bug.cgi?id=581342 */
-	if (gnutls_priority_set_direct (session, "NORMAL:!VERS-TLS1.1:!VERS-TLS1.0", NULL) != 0)
+	if (gnutls_priority_set_direct (session, "NORMAL:!VERS-TLS1.1:!VERS-TLS1.0:!VERS-TLS1.2", NULL) != 0)
 		goto THROW_CREATE_ERROR;
 
 	if (gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE,
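Review bot: after this change the priority string excludes TLS 1.0, TLS 1.1 and TLS 1.2, so by the quoted explanation the only version left enabled is SSL 3.0, and any server that has SSL 3.0 switched off becomes unreachable. The comment on the line above cites bug 581342 as the reason for disabling TLS 1.0/1.1, but nothing in the hunk records why `!VERS-TLS1.2` is now added; extend that comment with the reason (servers without TLS 1.2 fall back to a version the string forbids), and since the mail itself calls this a hotfix, the proper fix is more likely to re-enable the versions the servers actually speak than to shrink the set further.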
---------------------------------

This worked for me, testing with both https://db.debian.org/ and
https://www.paypal.com/

The endless loop ("makes libsoup go crazy") is a bug in libsoup
https://bugzilla.gnome.org/show_bug.cgi?id=615535 which should be
fixed in experimental.

There is more interesting stuff in the discussion on gnutls-devel,
most importantly http://mid.gmane.org/87bpbjs6u0.fsf@mocca.josefsson.org

cu andreas
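As an added illustration of the failure Nikos describes (not code from the bug report, libsoup or GnuTLS): a small model of how a "NORMAL:!VERS-..." priority string narrows the enabled versions, and of the version handshake against a server without TLS 1.2. The contents of NORMAL and the negotiation rule are assumptions made for this model only.

```python
# Added example, not code from the bug report or from libsoup/GnuTLS: a small
# model of how a "NORMAL:!VERS-..." GnuTLS priority string selects protocol
# versions, and of the handshake failure described in the report. The NORMAL
# set and the negotiation rule below are assumptions for illustration only.

VERSIONS = {"SSL3.0": (3, 0), "TLS1.0": (3, 1), "TLS1.1": (3, 2), "TLS1.2": (3, 3)}
NORMAL = set(VERSIONS)  # assumed: what NORMAL enabled in a gnutls 2.9.7-era build


def enabled_versions(priority):
    """Versions a priority string leaves enabled (NORMAL base, !VERS-X removals)."""
    tokens = priority.split(":")
    if tokens[0] != "NORMAL":
        raise ValueError("only NORMAL-based strings are modelled")
    enabled = set(NORMAL)
    for tok in tokens[1:]:
        name = tok[len("!VERS-"):]
        if not tok.startswith("!VERS-") or name not in VERSIONS:
            raise ValueError("unknown keyword: " + tok)
        enabled.discard(name)
    return enabled


def negotiate(client_priority, server_versions):
    """Model the handshake: the client offers its highest enabled version, the
    server answers with its highest version not above that, and the client
    accepts only if that answer is still enabled locally. None means failure."""
    client = enabled_versions(client_priority)
    if not client:
        return None
    client_max = max(client, key=VERSIONS.get)
    offers = [v for v in server_versions if VERSIONS[v] <= VERSIONS[client_max]]
    if not offers:
        return None
    answer = max(offers, key=VERSIONS.get)
    return answer if answer in client else None


ORIGINAL = "NORMAL:!VERS-TLS1.1:!VERS-TLS1.0"
HOTFIX = ORIGINAL + ":!VERS-TLS1.2"
SERVER = {"SSL3.0", "TLS1.0", "TLS1.1"}  # constructed: a server without TLS 1.2

if __name__ == "__main__":
    for label, prio in (("original", ORIGINAL), ("hotfix", HOTFIX)):
        print(label, sorted(enabled_versions(prio)), "->", negotiate(prio, SERVER))
```

Running it shows the original string ending with no common version and the hotfix succeeding only because SSL 3.0 is the single version left, so a server that has dropped SSL 3.0 still fails.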
