Bug#766929: SSL handshake failed (fail to connect to sites that only support TLS1.0)

Laurent Bigonville bigon at debian.org
Mon Oct 27 07:44:31 UTC 2014


On Sun, 26 Oct 2014 16:52:18 -0700,
Troy Sankey <sankeytms at gmail.com> wrote:

Hello,

I've added the maintainers of openssl and gnutls in the loop, sorry for
the noise.

> When I use any web browser (that uses libsoup) to access the URL
> <https://be.my.ucla.edu/> I get the following error:
> 
>   Unable to load page
>   Problem occurred while loading the URL https://be.my.ucla.edu/
>   SSL handshake failed
> 
> Affected web browsers include midori, dwb, uzbl, surf, and luakit.
> Browsers that work for me are firefox and rekonq, both of which don't
> use libsoup.  I haven't tried Chromium.
> 
> The openssl command line program successfully connects to the server:
> 
>   $ printf "GET / HTTP/1.1\n\n" | \
>     openssl s_client -ign_eof -connect be.my.ucla.edu:443
>   [...]
>   HTTP/1.1 302 Please Wait
>   [...]
> 
> See full output in the attachment "openssl.txt"

Thanks for the bug report.

libsoup seems to use GnuTLS instead of openssl. I just tried with wget
which is also using GnuTLS and I also get an error:

$ wget -O - https://be.my.ucla.edu/
--2014-10-27 08:11:49--  https://be.my.ucla.edu/
Resolving be.my.ucla.edu (be.my.ucla.edu)... 128.97.52.156
Connecting to be.my.ucla.edu (be.my.ucla.edu)|128.97.52.156|:443... connected.
HTTP request sent, awaiting response... 302 Please Wait
Location: https://shb.ais.ucla.edu/shibboleth-idp/profile/Shibboleth/SSO?shire=https%3A%2F%2Fbe.my.ucla.edu%2FShibboleth.sso%2FSAML%2FPOST&time=1414393910&target=cookie%3A1414393910_8276&providerId=https%3A%2F%2Fbe.my.ucla.edu%2Fshibboleth-sp%2F [following]
--2014-10-27 08:11:50--  https://shb.ais.ucla.edu/shibboleth-idp/profile/Shibboleth/SSO?shire=https%3A%2F%2Fbe.my.ucla.edu%2FShibboleth.sso%2FSAML%2FPOST&time=1414393910&target=cookie%3A1414393910_8276&providerId=https%3A%2F%2Fbe.my.ucla.edu%2Fshibboleth-sp%2F
Resolving shb.ais.ucla.edu (shb.ais.ucla.edu)... 164.67.228.230
Connecting to shb.ais.ucla.edu (shb.ais.ucla.edu)|164.67.228.230|:443... connected.
GnuTLS: The TLS connection was non-properly terminated.
Unable to establish SSL connection.

As you can see there is a redirection, to shb.ais.ucla.edu.

Running both openssl s_client and gnutls-cli on this URL gives me an
error. Forcing openssl to use TLS1.0 works. (Not sure how to do the
same with gnutls-cli though).

Also, running the following external test tool on this URL gives a
warning:
"This site is intolerant to newer protocol versions, which might cause
connection failures."
See: https://www.ssllabs.com/ssltest/analyze.html?d=shb.ais.ucla.edu

So it seems that both openssl and gnutls have issues with this site (and
probably all sites) that only support TLS1.0.

I also had issues in the past (with both Debian and Ubuntu) when trying
to connect to some old Linksys AP. Other users running Arch were able to
connect to it. This might be related.

So I'm a bit confused here, did we explicitly disable TLS1.0 in Debian?
The initial bug reporter is running stable and I'm running unstable.

Cheers,

Laurent Bigonville
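
An added example, not part of the original message or of any project named in it: it builds the ClientHello that the local TLS stack would send (in memory, no network), reads the version fields from it, and checks them against a constructed model of a server that is "intolerant to newer protocol versions". The function names, the hostname example.invalid and the intolerance model itself are assumptions made for illustration.

```python
import ssl

def client_hello(max_version=None):
    """Build, in memory, the ClientHello record the local TLS stack would send."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if max_version is not None:
        # Diagnostic only: lower the floor so that a low ceiling can be offered.
        ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
        ctx.maximum_version = max_version
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname="example.invalid")
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the hello is written and the client waits for a reply
    return outgoing.read()

def offered_versions(record):
    """Return (record_layer_version, client_version) as (major, minor) tuples."""
    # Record header: type(1) version(2) length(2); handshake header: type(1) length(3)
    if len(record) < 11 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    return (record[1], record[2]), (record[9], record[10])

def intolerant_server_accepts(record, highest=(3, 1)):
    """Constructed model of version intolerance: a correct server answers with
    its own highest version; this one drops any hello that advertises more
    than `highest` ((3, 1) is TLS 1.0, (3, 3) is TLS 1.2)."""
    _, client_version = offered_versions(record)
    return client_version <= highest

if __name__ == "__main__":
    caps = (("default", None),
            ("TLS 1.2 ceiling", ssl.TLSVersion.TLSv1_2),
            ("TLS 1.0 ceiling", ssl.TLSVersion.TLSv1))
    for label, cap in caps:
        try:
            hello = client_hello(cap)
        except (ssl.SSLError, ValueError) as exc:
            # Modern builds may refuse to offer TLS 1.0 at all.
            print(f"{label}: local TLS stack refuses ({exc})")
            continue
        record_v, hello_v = offered_versions(hello)
        verdict = "accepted" if intolerant_server_accepts(hello) else "dropped"
        print(f"{label}: record={record_v} client_version={hello_v} -> {verdict}")
```

With TLS 1.3 enabled the client_version field stays at (3, 3) and the real ceiling travels in the supported_versions extension, which this sketch does not parse.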


