[Pkg-gnutls-maint] Bug#396867: gnutls-bin: does not seem to properly handle rehandshake request
Nikos Mavrogiannopoulos
nmav at gnutls.org
Sun May 18 10:11:36 UTC 2008
> I have one internal https server (running IIS on Windows Server 2003)
> which seems to request a rehandshake after the http request was
> transmitted. This seems to badly confuse gnutls-cli:

It is quite late for a reply but anyway.

It could be a server issue. A debug input from wireshark or tcpdump
might tell us what is happening.

There are three ways to reply to a rehandshake request.
1. ignore it
2. send a no renegotiation alert and continue normally
3. handshake

gnutls-cli currently does a new handshake.

However the fact that the server requests a renegotiation means that he
requires some additional credentials. This might be a certificate or
something like this.

Anyway without some additional input (output with -d 2, and/or tcpdump)
I don't think there is much we can do.

regards,
Nikos

>
> | $ gnutls-cli -p 443 a.b.c.d
> | Resolving 'a.b.c.d'...
> | Connecting to 'a.b.c.d:443'...
> | - Certificate type: X.509
> | - Got a certificate list of 1 certificates.
> |
> | - Certificate[0] info:
> | # The hostname in the certificate does NOT match 'a.b.c.d'.
> | # valid since: Wed Jul 20 12:23:32 CEST 2005
> | # expires at: Wed Sep 9 12:34:44 CEST 2009
> | # fingerprint: 6B:22:44:F3:22:CC:BA:36:64:70:0F:C0:D5:CD:87:9E
> | # Subject's DN: C=DE,ST=BW,L=City,O=Site,OU=Site,CN=some.invalid.host.name.example
> | # Issuer's DN: CN=unqualifiedname
> |
> |
> | - Peer's certificate issuer is unknown
> | - Peer's certificate is NOT trusted
> | - Version: TLS 1.0
> | - Key Exchange: RSA
> | - Cipher: ARCFOUR 128
> | - MAC: MD5
> | - Compression: NULL
> | - Handshake was completed
> |
> | - Simple Client Mode:
> |
> | GET / HTTP/1.0
> |
> | *** Non fatal error: Rehandshake was requested by the peer.
>
> After this, nothing happens any more. Ctrl-C out.
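
The three possible replies to a rehandshake request listed in the message above, modelled at the TLS 1.0 record level as an added example; it is not part of the original mail and is not GnuTLS code. The `record` and `client` structs, `client_process` and `run_sample` are hypothetical names, records are assumed to be already decrypted, and the input is constructed.

```c
#include <stdint.h>
#include <string.h>

/* TLS 1.0 (RFC 2246) wire values */
enum { CT_HANDSHAKE = 22, CT_APPDATA = 23, ALERT_WARNING = 1, ALERT_NO_RENEGOTIATION = 100 };
/* HelloRequest body: handshake type 0 followed by a 24-bit length of 0 */
static const uint8_t HELLO_REQUEST[4] = {0, 0, 0, 0};
typedef enum { POLICY_IGNORE, POLICY_REFUSE, POLICY_REHANDSHAKE } reneg_policy;

/* Hypothetical types for this example: a decrypted record and the client state. */
struct record { uint8_t type; const uint8_t *frag; size_t len; };
struct client {
    reneg_policy policy;
    int in_handshake;    /* 1 once a new handshake has been started */
    size_t app_bytes;    /* application data delivered to the caller */
    uint8_t alert[2];    /* level and description of the last alert queued */
    int alerts_sent;
};

void client_process(struct client *c, const struct record *r)
{
    if (r->type == CT_APPDATA) { c->app_bytes += r->len; return; }
    if (r->type != CT_HANDSHAKE || r->len != 4 || memcmp(r->frag, HELLO_REQUEST, 4) != 0)
        return;          /* not a HelloRequest: out of scope for this sketch */
    if (c->in_handshake)
        return;          /* RFC 2246: ignored while the client is already negotiating */
    switch (c->policy) {
    case POLICY_IGNORE: break;       /* 1. ignore it */
    case POLICY_REFUSE:              /* 2. warning alert, session continues normally */
        c->alert[0] = ALERT_WARNING;
        c->alert[1] = ALERT_NO_RENEGOTIATION;
        c->alerts_sent++;
        break;
    case POLICY_REHANDSHAKE:         /* 3. start a new handshake */
        c->in_handshake = 1;
        break;
    }
}

/* Constructed input: request data, two HelloRequests, then more data. */
struct client run_sample(reneg_policy p)
{
    static const uint8_t d[5] = {'G', 'E', 'T', ' ', '/'};
    const struct record in[] = { {CT_APPDATA, d, 5}, {CT_HANDSHAKE, HELLO_REQUEST, 4},
                                 {CT_HANDSHAKE, HELLO_REQUEST, 4}, {CT_APPDATA, d, 3} };
    struct client c = { .policy = p };
    for (size_t i = 0; i < sizeof in / sizeof in[0]; i++) client_process(&c, &in[i]);
    return c;
}

int main(void) { return run_sample(POLICY_REFUSE).alerts_sent == 2 ? 0 : 1; }
```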