[Pkg-gnutls-maint] Bug#466477: downgrade this bug?

Richard A Nelson cowboy at debian.org
Fri May 2 04:53:47 UTC 2008


On Thu, 1 May 2008, Simon Josefsson wrote:

> Richard,

Hello !

> I'm looking at debian bug #466477.  Marc F. Clemente's problem discussed
> in this bug should be resolved with the recent upload, which returns the
> subject to your original report from February 19th.

Cool, some progress :)

> We haven't been able to reproduce this.

Not surprising, the server is an IBM product, based upon older apache2
and openssl (not supporting newer TLS).

$ ldapsearch -x -Hldap://bluepages.ibm.com -b '' -sbase '(objectclass=*)' '*'
...
secureport: 636
security: ssl
port: 389
supportedsaslmechanisms: CRAM-MD5
supportedsaslmechanisms: DIGEST-MD5
supportedldapversion: 2
supportedldapversion: 3
ibmdirectoryversion: 5.2
...
vendorname: International Business Machines (IBM)
vendorversion: 5.2
ibm-sslciphers: 352F04050A090306
ibm-slapdisconfigurationmode: FALSE
ibm-slapdSizeLimit: 100000
ibm-slapdTimeLimit: 0
ibm-slapdDerefAliases: never
ibm-supportedAuditVersion: 2
ibm-sasldigestrealmname: d03ldr210a
...

>  Do you still have this problem?

Most definitely :(

$ dpkg -l libgnutls26
ii  libgnutls26    2.2.3~rc-1

$ gnutls-cli -p 636 bluepages.ibm.com
Resolving 'bluepages.ibm.com'...
Connecting to '9.17.186.253:636'...
*** Fatal error: A TLS packet with unexpected length was received.
*** Handshake has failed
GNUTLS ERROR: A TLS packet with unexpected length was received.

> I'd like to close or downgrade the bug.

I'd rather not... I've had to rebuild openldap against openssl to
be able to operate in this environment - and there is a large number
of us using Debian - and I'm sure others who must live with an IBM
server in their environment.

> /Simon

Thanks for the follow-up, and let me know how I can help with this...
I can provide ldap/wireshark/etc traces if needed;  I'm guessing the
hand-shake error occurs as gnutls tries to check on TLS extensions,
but haven't spent much time on digging through the code.

I can't (I'd be canned, and it's not my server) expose the beast for
external testing, but I can run any diagnostics and report the results.

-- 
Rick Nelson
* shortc wants to get in one of knghtbrd's sigs one of these days.




