Bug#466477: bluepages.ibm.com

Richard A Nelson cowboy at debian.org
Sun Oct 12 19:14:43 UTC 2008


On Sun, 12 Oct 2008, Simon Josefsson wrote:

> At least I understand the three _other_ problems reported in this bug
> now...

;)  Still better off than before

> Ok.  The random success is interesting.

I thought so as well - I wonder if the server (regional IP - I always
see the same IP due to DNS magic) could be load-balanced... and on the
one success I hit a different server.

>  Could you try this:
>
> gnutls-cli -p 636 bluepages.ibm.com -d 4711 --priority NORMAL:%COMPAT:-VERS-TLS1.1

*** Fatal error: A TLS packet with unexpected length was received.
*** Handshake has failed
GNUTLS ERROR: A TLS packet with unexpected length was received.

> Maybe it doesn't like TLS 1.1 _and_ doesn't like record padding.  later:
> Reading your logs suggests this will not work, record padding is only
> effective after handshake is complete.
>
> Btw, could you also try this command:
>
> gnutls-cli -p 636 bluepages.ibm.com -d 4711 --priority NORMAL:%COMPAT:-VERS-TLS1.1:-VERS-TLS1.0

This one works (and more than once) ;)

> That forces SSL 3.0.
>
> If that doesn't work, try:
>
> gnutls-cli -p 636 bluepages.ibm.com -d 4711 --priority NORMAL:%COMPAT:-VERS-TLS1.1:-VERS-TLS1.0 --disable-extensions

This one works as well

> That was claimed to work before in this bug report, but using somewhat
> different parameters.
>
> Please post logs of these three commands.

attached

> This suggest there is a pretty fundamental problem, the server
> disconnects after seeing client hello.  Maybe the CERT_TYPE or the
> SERVER_NAME extension triggers the bug.

That has been my estimation of the failure

> I believe that's fixed already, use 'TLSCipherSuite' with a GnuTLS
> priority string.

Oh, I wasn't aware that had been added - it wasn't in the first spin of
GnuTLS support, so I had to fall back to OpenSSL

> However, I'd like to understand why GnuTLS can't connect to the server
> first.

Yeah, I'm really surprised that it hasn't been reported by others who
happen to be using IBM LDAP servers ... Though it may be specific to
IBM internal (IGS is prone to lots of ad-hoc crap)

> Olivier Eymere said he was able to connect to the server using SSL 3.0,
> so I think you should be able to use openldap+gnutls with a priority
> string such as:

Ah, so I'm not the only one ... and I also seem to recall, when this all
started that SSL 3.0 worked for me - just couldn't, at the time, tell
ldap to do that

> NORMAL:%COMPAT:-VERS-TLS1.1:-VERS-TLS1.0

I'll give that a shot on a test machine

> However, maybe the problem is with some extension.  Then maybe disabling
> that extension should be sufficient, and you don't need to disable TLS
> 1.0.

Indeed, it'd be nice to drop just the problematic extension, if feasible

-- 
Rick Nelson
Operating Systems Installed:
   * Debian GNU/Linux 2.1 4 CD Set ($20 from www.chguy.net; price includes
     taxes, shipping, and a $3 donation to FSF). 2 CDs are binaries, 2 CDs
     complete source code;
   * Windows 98 Second Edition Upgrade Version ($136 through Megadepot.com,
     price does not include taxes/shipping). Surprisingly, no source code
     is included.

 		-- Bill Stilwell, http://linuxtoday.com/stories/8794.html
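The thread above narrows the failure to what the client puts in its ClientHello: the protocol version (the `-VERS-TLS1.1` / `-VERS-TLS1.0` priority flags) and the extensions (`--disable-extensions`, with server_name and cert_type as the suspects). The script below is an added illustration written for this archive page, not code from the bug report or from GnuTLS. It builds a minimal ClientHello record in Python with a selectable version and optional server_name / cert_type extensions, and decodes one back, so the exact bytes a server sees for each of the three gnutls-cli variants can be compared offline. It never opens a network connection; the hostname is a constructed placeholder, and the extension numbers (server_name = 0 per RFC 6066, cert_type = 9 per RFC 6091) and the two cipher suite ids are assumptions taken from those standards rather than from the thread.

```python
import os
import struct

# Extension type numbers (assumed from the RFCs, not from the bug thread):
# server_name = 0 (RFC 6066), cert_type = 9 (RFC 6091).
EXT_SERVER_NAME = 0
EXT_CERT_TYPE = 9

# Wire versions that the gnutls-cli priority flags in the thread toggle.
VERSIONS = {"SSL3.0": (3, 0), "TLS1.0": (3, 1), "TLS1.1": (3, 2)}
VERSION_NAMES = {v: k for k, v in VERSIONS.items()}


def _server_name_ext(host):
    """server_name extension carrying one host_name entry."""
    name = host.encode("ascii")
    entry = struct.pack("!BH", 0, len(name)) + name          # name_type host_name(0)
    body = struct.pack("!H", len(entry)) + entry             # ServerNameList length
    return struct.pack("!HH", EXT_SERVER_NAME, len(body)) + body


def _cert_type_ext():
    """cert_type extension offering only X.509 (type 0)."""
    body = struct.pack("!BB", 1, 0)                          # list length 1, X.509
    return struct.pack("!HH", EXT_CERT_TYPE, len(body)) + body


def build_client_hello(version="TLS1.0", host="ldap.example.invalid",
                       extensions=True, cipher_suites=(0x002F, 0x000A),
                       random_bytes=None):
    """Return a complete TLS record (record header + ClientHello handshake).

    extensions=False mimics --disable-extensions: no extension block at all,
    which is also the only legal shape for an SSL 3.0 ClientHello.
    """
    major, minor = VERSIONS[version]
    rnd = random_bytes if random_bytes is not None else os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = bytes([major, minor]) + rnd
    body += b"\x00"                                          # session_id length 0
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                      # compression: null only
    if extensions:
        exts = _server_name_ext(host) + _cert_type_ext()
        body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello(1)
    return bytes([22, major, minor]) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Decode a ClientHello record into the fields a picky server reacts to."""
    if record[0] != 22:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 1:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    version = VERSION_NAMES.get((body[0], body[1]), "%d.%d" % (body[0], body[1]))
    pos = 2 + 32                                             # skip version + random
    sid_len = body[pos]
    pos += 1 + sid_len
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]
    pos += suites_len
    comp_len = body[pos]
    pos += 1 + comp_len
    ext_types, server_name = [], None
    if pos < len(body):                                      # extension block present
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            ext_types.append(etype)
            if etype == EXT_SERVER_NAME:
                name_len = struct.unpack("!H", data[3:5])[0]
                server_name = data[5:5 + name_len].decode("ascii")
    return {"version": version, "cipher_suites": suites,
            "extensions": ext_types, "server_name": server_name}


if __name__ == "__main__":
    # The three shapes discussed in the thread, side by side.
    for label, kwargs in [("TLS1.0 + extensions", dict(version="TLS1.0")),
                          ("SSL3.0 + extensions", dict(version="SSL3.0")),
                          ("SSL3.0, no extensions", dict(version="SSL3.0", extensions=False))]:
        print(label, parse_client_hello(build_client_hello(**kwargs)))
```

When a server drops the connection straight after the ClientHello, decoding the record that was actually sent (from a packet capture, fed to `parse_client_hello`) tells you which of version and extension list differed between the failing and the working attempt, which is exactly the information needed to write the narrowest `TLSCipherSuite` priority string instead of disabling TLS 1.0 outright.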