Bug#466477: bluepages.ibm.com

Simon Josefsson simon at josefsson.org
Tue Oct 14 07:08:02 UTC 2008 

Richard A Nelson <cowboy at debian.org> writes:

> On Sun, 12 Oct 2008, Simon Josefsson wrote:
>
>> I was wrong, it doesn't work like that.  GnuTLS doesn't send the
>> server_name extension by default, the application needs to call
>> gnutls_server_name_set explicitly to enable it.  For gnutls-cli, you can
>> use --disable-extensions to avoid sending the server name:
>>
>> gnutls-cli -p 636 bluepages.ibm.com -d 4711 --priority NORMAL:-VERS-TLS1.1 --disable-extensions
>
> *** Fatal error: A TLS packet with unexpected length was received.
> *** Handshake has failed
> GNUTLS ERROR: A TLS packet with unexpected length was received.

That means either TLS 1.0 or the cert_type extension is the problem.

Since your earlier e-mail tested the case with TLS 1.0 and no cert_type
extension (but a server_name extension) we can conclude that either of
these two extensions causes trouble.

>> To disable both cert_type and server_name use:
>>
>> gnutls-cli -d 4711 -p 443 yxa.extundo.com --priority NORMAL:-VERS-TLS1.1:-CTYPE-OPENPGP --disable-extensions
>
> works (after substituting bluepages.ibm.com) - which took me a minute to
> catch ;)

Ah, sorry.  Ok, this is good!  It means TLS 1.0 without any extensions
(neither cert_type nor server_name) works.

>> Maybe TLS 1.1 isn't the problem, if so this should work:
>>
>> gnutls-cli -d 4711 -p 443 yxa.extundo.com --priority NORMAL:-CTYPE-OPENPGP --disable-extensions
>
> *** Fatal error: A TLS packet with unexpected length was received.
> *** Handshake has failed
> GNUTLS ERROR: A TLS packet with unexpected length was received.

Ouch, so the problem appears to have TWO bugs:

- Rejects connections where the client advertised support for cert_type
  or server_name extensions (possibly any extension breaks)
- Rejects connections where the client advertised support for TLS 1.1

In other words, to talk with this server you need to:

1) Disable cert_type extension (-CERT-OPENPGP)

2) Disable server_name extension (--disable-extensions with gnutls-cli)

3) Disable TLS 1.1

I have no idea how to achieve 2) in openldap; it can't be done via a
priority string.  Hopefully openldap doesn't call the gnutls function to
set the server name.  Hm.  It doesn't, I checked the source code.  So
you should be OK for the time being.

Specifically, the NORMAL:-VERS-TLS1.1:-CTYPE-OPENPGP priority string
works against the server, assuming server_name extension isn't sent.

>> I really hope one of these commands work.  I think it would mean we
>> understand the server's bug, and know how to work around it without
>> resorting to falling back to SSL 3.0.
>
> So it looks like it is indeed TLS 1.1 that is the problem ?

One of the problems, yes.

Hurray, I think we can finally close this bug.  Or do you think there is
anything more that can be done?

/Simon

More information about the Pkg-gnutls-maint mailing list