Bug#482279: Same thing happens with python-pycurl

Mike stuff at mikepalmer.net
Mon May 25 20:48:51 UTC 2009


Simon Josefsson wrote:
> I just realized I wasn't clear what the likely cause of your problem is.
> The problem may be caused by the server you are talking to.  Can you
> access the servers that your clients use from your location?  Then
> running 'gnutls-cli -d 4711' against that host may give enough details
> to resolve it.
>
> Earlier bug reports of this kind suggest that the server is buggy
> (which can be worked around), but it may also be that the Cisco box is
> filtering out the traffic if you are only seeing the problem behind
> those boxes.
>
> /Simon
>   

Hi Simon,

I'm not really supposed to be doing this but this is from the Cisco
ASA network. I have no admin on anything outside of this box so I won't 
understand the configuration past seeing it dynamically redirect packets 
down different routes:

# gnutls-cli -d 4711 <our_host_here>
Resolving '<our_host_here_which_is_correct>'...
Connecting to '<our_ip_here>:443'...
|<3>| HSK[9e385a0]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1
|<3>| HSK[9e385a0]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1
|<3>| HSK[9e385a0]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1
|<3>| HSK[9e385a0]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1
|<3>| HSK[9e385a0]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[9e385a0]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1
|<3>| HSK[9e385a0]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA1
|<3>| HSK[9e385a0]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA1
|<3>| HSK[9e385a0]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA1
|<3>| HSK[9e385a0]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1
|<3>| HSK[9e385a0]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1
|<3>| HSK[9e385a0]: Keeping ciphersuite: DHE_PSK_SHA_AES_128_CBC_SHA1
|<3>| HSK[9e385a0]: Keeping ciphersuite: DHE_PSK_SHA_AES_256_CBC_SHA1
|<3>| HSK[9e385a0]: Keeping ciphersuite: DHE_PSK_SHA_3DES_EDE_CBC_SHA1
|<3>| HSK[9e385a0]: Keeping ciphersuite: DHE_PSK_SHA_ARCFOUR_SHA1
|<3>| HSK[9e385a0]: Removing ciphersuite: SRP_SHA_RSA_AES_128_CBC_SHA1
|<3>| HSK[9e385a0]: Removing ciphersuite: SRP_SHA_RSA_AES_256_CBC_SHA1
|<3>| HSK[9e385a0]: Removing ciphersuite: SRP_SHA_RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[9e385a0]: Removing ciphersuite: SRP_SHA_DSS_AES_128_CBC_SHA1
|<3>| HSK[9e385a0]: Removing ciphersuite: SRP_SHA_DSS_AES_256_CBC_SHA1
|<3>| HSK[9e385a0]: Removing ciphersuite: SRP_SHA_DSS_3DES_EDE_CBC_SHA1
|<3>| HSK[9e385a0]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1
|<3>| HSK[9e385a0]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA1
|<3>| HSK[9e385a0]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1
|<3>| HSK[9e385a0]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA1
|<3>| HSK[9e385a0]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[9e385a0]: Keeping ciphersuite: RSA_ARCFOUR_SHA1
|<3>| HSK[9e385a0]: Keeping ciphersuite: RSA_ARCFOUR_MD5
|<3>| HSK[9e385a0]: Keeping ciphersuite: PSK_SHA_AES_128_CBC_SHA1
|<3>| HSK[9e385a0]: Keeping ciphersuite: PSK_SHA_AES_256_CBC_SHA1
|<3>| HSK[9e385a0]: Keeping ciphersuite: PSK_SHA_3DES_EDE_CBC_SHA1
|<3>| HSK[9e385a0]: Keeping ciphersuite: PSK_SHA_ARCFOUR_SHA1
|<3>| HSK[9e385a0]: Removing ciphersuite: SRP_SHA_AES_128_CBC_SHA1
|<3>| HSK[9e385a0]: Removing ciphersuite: SRP_SHA_AES_256_CBC_SHA1
|<3>| HSK[9e385a0]: Removing ciphersuite: SRP_SHA_3DES_EDE_CBC_SHA1
|<2>| EXT[9e385a0]: Sending extension CERT_TYPE
|<2>| EXT[9e385a0]: Sending extension SERVER_NAME
|<3>| HSK[9e385a0]: CLIENT HELLO was send [119 bytes]
|<6>| BUF[HSK]: Peeked 0 bytes of Data
|<6>| BUF[HSK]: Emptied buffer
|<4>| REC[9e385a0]: Sending Packet[0] Handshake(22) with length: 119
|<2>| ASSERT: gnutls_cipher.c:205
|<7>| WRITE: Will write 124 bytes to 4.
|<7>| WRITE: wrote 124 bytes to 4. Left 0 bytes. Total 124 bytes.
|<7>| 0000 - 16 03 02 00 77 01 00 00 73 03 02 4a 1a fa dc 32
|<7>| 0001 - c4 53 e3 da a8 9e e2 9b 3a dc ed 5a ec 60 33 b9
|<7>| 0002 - 59 5e 47 a5 cc 3d 92 95 2c ad 27 00 00 34 00 33
|<7>| 0003 - 00 45 00 39 00 88 00 16 00 32 00 44 00 38 00 87
|<7>| 0004 - 00 13 00 66 00 90 00 91 00 8f 00 8e 00 2f 00 41
|<7>| 0005 - 00 35 00 84 00 0a 00 05 00 04 00 8c 00 8d 00 8b
|<7>| 0006 - 00 8a 01 00 00 16 00 09 00 03 02 00 01 00 00 00
|<7>| 0007 - 0b 00 09 00 00 06 70 6f 72 74 61 6c
|<4>| REC[9e385a0]: Sent Packet[1] Handshake(22) with length: 124
|<7>| READ: -1 returned from 4, errno=104 gerrno=0
|<2>| ASSERT: gnutls_buffers.c:368
|<2>| ASSERT: gnutls_buffers.c:623
|<2>| ASSERT: gnutls_record.c:909
|<2>| ASSERT: gnutls_buffers.c:1152
|<2>| ASSERT: gnutls_handshake.c:1032
|<2>| ASSERT: gnutls_handshake.c:2331
|<6>| BUF[HSK]: Cleared Data from buffer
*** Fatal error: A TLS packet with unexpected length was received.
*** Handshake has failed
GNUTLS ERROR: A TLS packet with unexpected length was received.


But let's try a known example like www.yahoo.com from the same network:

gnutls-cli -d 4711 www.yahoo.com
Resolving 'www.yahoo.com'...
Connecting to '69.147.76.15:443'...
|<3>| HSK[9c56ca8]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1
|<3>| HSK[9c56ca8]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1
|<3>| HSK[9c56ca8]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1
|<3>| HSK[9c56ca8]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1
|<3>| HSK[9c56ca8]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[9c56ca8]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1
|<3>| HSK[9c56ca8]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA1
|<3>| HSK[9c56ca8]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA1
|<3>| HSK[9c56ca8]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA1
|<3>| HSK[9c56ca8]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1
|<3>| HSK[9c56ca8]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1
|<3>| HSK[9c56ca8]: Keeping ciphersuite: DHE_PSK_SHA_AES_128_CBC_SHA1
|<3>| HSK[9c56ca8]: Keeping ciphersuite: DHE_PSK_SHA_AES_256_CBC_SHA1
|<3>| HSK[9c56ca8]: Keeping ciphersuite: DHE_PSK_SHA_3DES_EDE_CBC_SHA1
|<3>| HSK[9c56ca8]: Keeping ciphersuite: DHE_PSK_SHA_ARCFOUR_SHA1
|<3>| HSK[9c56ca8]: Removing ciphersuite: SRP_SHA_RSA_AES_128_CBC_SHA1
|<3>| HSK[9c56ca8]: Removing ciphersuite: SRP_SHA_RSA_AES_256_CBC_SHA1
|<3>| HSK[9c56ca8]: Removing ciphersuite: SRP_SHA_RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[9c56ca8]: Removing ciphersuite: SRP_SHA_DSS_AES_128_CBC_SHA1
|<3>| HSK[9c56ca8]: Removing ciphersuite: SRP_SHA_DSS_AES_256_CBC_SHA1
|<3>| HSK[9c56ca8]: Removing ciphersuite: SRP_SHA_DSS_3DES_EDE_CBC_SHA1
|<3>| HSK[9c56ca8]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1
|<3>| HSK[9c56ca8]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA1
|<3>| HSK[9c56ca8]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1
|<3>| HSK[9c56ca8]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA1
|<3>| HSK[9c56ca8]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[9c56ca8]: Keeping ciphersuite: RSA_ARCFOUR_SHA1
|<3>| HSK[9c56ca8]: Keeping ciphersuite: RSA_ARCFOUR_MD5
|<3>| HSK[9c56ca8]: Keeping ciphersuite: PSK_SHA_AES_128_CBC_SHA1
|<3>| HSK[9c56ca8]: Keeping ciphersuite: PSK_SHA_AES_256_CBC_SHA1
|<3>| HSK[9c56ca8]: Keeping ciphersuite: PSK_SHA_3DES_EDE_CBC_SHA1
|<3>| HSK[9c56ca8]: Keeping ciphersuite: PSK_SHA_ARCFOUR_SHA1
|<3>| HSK[9c56ca8]: Removing ciphersuite: SRP_SHA_AES_128_CBC_SHA1
|<3>| HSK[9c56ca8]: Removing ciphersuite: SRP_SHA_AES_256_CBC_SHA1
|<3>| HSK[9c56ca8]: Removing ciphersuite: SRP_SHA_3DES_EDE_CBC_SHA1
|<2>| EXT[9c56ca8]: Sending extension CERT_TYPE
|<2>| EXT[9c56ca8]: Sending extension SERVER_NAME
|<3>| HSK[9c56ca8]: CLIENT HELLO was send [126 bytes]
|<6>| BUF[HSK]: Peeked 0 bytes of Data
|<6>| BUF[HSK]: Emptied buffer
|<4>| REC[9c56ca8]: Sending Packet[0] Handshake(22) with length: 126
|<2>| ASSERT: gnutls_cipher.c:205
|<7>| WRITE: Will write 131 bytes to 4.
|<7>| WRITE: wrote 131 bytes to 4. Left 0 bytes. Total 131 bytes.
|<7>| 0000 - 16 03 02 00 7e 01 00 00 7a 03 02 4a 1a fc 87 5d
|<7>| 0001 - 47 20 db 55 1f c9 a3 bc af 22 aa 32 af f7 1a fa
|<7>| 0002 - d8 6c 13 c1 06 4f e8 2d 12 ec 87 00 00 34 00 33
|<7>| 0003 - 00 45 00 39 00 88 00 16 00 32 00 44 00 38 00 87
|<7>| 0004 - 00 13 00 66 00 90 00 91 00 8f 00 8e 00 2f 00 41
|<7>| 0005 - 00 35 00 84 00 0a 00 05 00 04 00 8c 00 8d 00 8b
|<7>| 0006 - 00 8a 01 00 00 1d 00 09 00 03 02 00 01 00 00 00
|<7>| 0007 - 12 00 10 00 00 0d 77 77 77 2e 79 61 68 6f 6f 2e
|<7>| 0008 - 63 6f 6d
|<4>| REC[9c56ca8]: Sent Packet[1] Handshake(22) with length: 131
|<7>| READ: -1 returned from 4, errno=104 gerrno=0
|<2>| ASSERT: gnutls_buffers.c:368
|<2>| ASSERT: gnutls_buffers.c:623
|<2>| ASSERT: gnutls_record.c:909
|<2>| ASSERT: gnutls_buffers.c:1152
|<2>| ASSERT: gnutls_handshake.c:1032
|<2>| ASSERT: gnutls_handshake.c:2331
|<6>| BUF[HSK]: Cleared Data from buffer
*** Fatal error: A TLS packet with unexpected length was received.
*** Handshake has failed
GNUTLS ERROR: A TLS packet with unexpected length was received.



Now for outside verification with an example you can try yourself (this 
one is on my home network and should work for you too):


# gnutls-cli -d 4711 www1.banking.first-direct.com
Resolving 'www1.banking.first-direct.com'...
Connecting to '193.108.74.220:443'...
|<3>| HSK[8e92ca8]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1
|<3>| HSK[8e92ca8]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1
|<3>| HSK[8e92ca8]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1
|<3>| HSK[8e92ca8]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1
|<3>| HSK[8e92ca8]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[8e92ca8]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1
|<3>| HSK[8e92ca8]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA1
|<3>| HSK[8e92ca8]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA1
|<3>| HSK[8e92ca8]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA1
|<3>| HSK[8e92ca8]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1
|<3>| HSK[8e92ca8]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1
|<3>| HSK[8e92ca8]: Keeping ciphersuite: DHE_PSK_SHA_AES_128_CBC_SHA1
|<3>| HSK[8e92ca8]: Keeping ciphersuite: DHE_PSK_SHA_AES_256_CBC_SHA1
|<3>| HSK[8e92ca8]: Keeping ciphersuite: DHE_PSK_SHA_3DES_EDE_CBC_SHA1
|<3>| HSK[8e92ca8]: Keeping ciphersuite: DHE_PSK_SHA_ARCFOUR_SHA1
|<3>| HSK[8e92ca8]: Removing ciphersuite: SRP_SHA_RSA_AES_128_CBC_SHA1
|<3>| HSK[8e92ca8]: Removing ciphersuite: SRP_SHA_RSA_AES_256_CBC_SHA1
|<3>| HSK[8e92ca8]: Removing ciphersuite: SRP_SHA_RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[8e92ca8]: Removing ciphersuite: SRP_SHA_DSS_AES_128_CBC_SHA1
|<3>| HSK[8e92ca8]: Removing ciphersuite: SRP_SHA_DSS_AES_256_CBC_SHA1
|<3>| HSK[8e92ca8]: Removing ciphersuite: SRP_SHA_DSS_3DES_EDE_CBC_SHA1
|<3>| HSK[8e92ca8]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1
|<3>| HSK[8e92ca8]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA1
|<3>| HSK[8e92ca8]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1
|<3>| HSK[8e92ca8]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA1
|<3>| HSK[8e92ca8]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[8e92ca8]: Keeping ciphersuite: RSA_ARCFOUR_SHA1
|<3>| HSK[8e92ca8]: Keeping ciphersuite: RSA_ARCFOUR_MD5
|<3>| HSK[8e92ca8]: Keeping ciphersuite: PSK_SHA_AES_128_CBC_SHA1
|<3>| HSK[8e92ca8]: Keeping ciphersuite: PSK_SHA_AES_256_CBC_SHA1
|<3>| HSK[8e92ca8]: Keeping ciphersuite: PSK_SHA_3DES_EDE_CBC_SHA1
|<3>| HSK[8e92ca8]: Keeping ciphersuite: PSK_SHA_ARCFOUR_SHA1
|<3>| HSK[8e92ca8]: Removing ciphersuite: SRP_SHA_AES_128_CBC_SHA1
|<3>| HSK[8e92ca8]: Removing ciphersuite: SRP_SHA_AES_256_CBC_SHA1
|<3>| HSK[8e92ca8]: Removing ciphersuite: SRP_SHA_3DES_EDE_CBC_SHA1
|<2>| EXT[8e92ca8]: Sending extension CERT_TYPE
|<2>| EXT[8e92ca8]: Sending extension SERVER_NAME
|<3>| HSK[8e92ca8]: CLIENT HELLO was send [142 bytes]
|<6>| BUF[HSK]: Peeked 0 bytes of Data
|<6>| BUF[HSK]: Emptied buffer
|<4>| REC[8e92ca8]: Sending Packet[0] Handshake(22) with length: 142
|<2>| ASSERT: gnutls_cipher.c:205
|<7>| WRITE: Will write 147 bytes to 4.
|<7>| WRITE: wrote 147 bytes to 4. Left 0 bytes. Total 147 bytes.
|<7>| 0000 - 16 03 02 00 8e 01 00 00 8a 03 02 4a 1a fc 5b 64
|<7>| 0001 - 52 4e 81 87 2e 4d ac 2a cc e1 19 12 c7 36 4e e7
|<7>| 0002 - 3f bd 17 35 6a 65 5f 22 07 7b 12 00 00 34 00 33
|<7>| 0003 - 00 45 00 39 00 88 00 16 00 32 00 44 00 38 00 87
|<7>| 0004 - 00 13 00 66 00 90 00 91 00 8f 00 8e 00 2f 00 41
|<7>| 0005 - 00 35 00 84 00 0a 00 05 00 04 00 8c 00 8d 00 8b
|<7>| 0006 - 00 8a 01 00 00 2d 00 09 00 03 02 00 01 00 00 00
|<7>| 0007 - 22 00 20 00 00 1d 77 77 77 31 2e 62 61 6e 6b 69
|<7>| 0008 - 6e 67 2e 66 69 72 73 74 2d 64 69 72 65 63 74 2e
|<7>| 0009 - 63 6f 6d
|<4>| REC[8e92ca8]: Sent Packet[1] Handshake(22) with length: 147
|<7>| READ: Got 0 bytes from 4
|<7>| READ: read 0 bytes from 4
|<7>| 0000 -
|<2>| ASSERT: gnutls_buffers.c:638
|<2>| ASSERT: gnutls_record.c:909
|<2>| ASSERT: gnutls_buffers.c:1152
|<2>| ASSERT: gnutls_handshake.c:1032
|<2>| ASSERT: gnutls_handshake.c:2331
|<6>| BUF[HSK]: Cleared Data from buffer
*** Fatal error: A TLS packet with unexpected length was received.
*** Handshake has failed
GNUTLS ERROR: A TLS packet with unexpected length was received.


All of these handshake correctly without problems under openssl on the
same systems in the same networks against the same targets. Let me know
if there is anything else I can do to help identify anything with gnutls.
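
Added example, not part of the original message or of GnuTLS: a decoder for the ClientHello hex dump that `gnutls-cli -d 4711` prints, run on the www.yahoo.com trace above, so the offered version, cipher suites and extensions can be compared field by field with a capture from a client that succeeds. The function names are illustrative, and the errno mapping assumes Linux.

```python
import re
import struct

# Hex dump and READ line copied from the www.yahoo.com trace above.
TRACE = """\
|<7>| 0000 - 16 03 02 00 7e 01 00 00 7a 03 02 4a 1a fc 87 5d
|<7>| 0001 - 47 20 db 55 1f c9 a3 bc af 22 aa 32 af f7 1a fa
|<7>| 0002 - d8 6c 13 c1 06 4f e8 2d 12 ec 87 00 00 34 00 33
|<7>| 0003 - 00 45 00 39 00 88 00 16 00 32 00 44 00 38 00 87
|<7>| 0004 - 00 13 00 66 00 90 00 91 00 8f 00 8e 00 2f 00 41
|<7>| 0005 - 00 35 00 84 00 0a 00 05 00 04 00 8c 00 8d 00 8b
|<7>| 0006 - 00 8a 01 00 00 1d 00 09 00 03 02 00 01 00 00 00
|<7>| 0007 - 12 00 10 00 00 0d 77 77 77 2e 79 61 68 6f 6f 2e
|<7>| 0008 - 63 6f 6d
|<7>| READ: -1 returned from 4, errno=104 gerrno=0
"""

def dump_bytes(trace):  # join the '|<7>| NNNN - xx ...' rows into wire bytes
    rows = re.findall(r"^\|<7>\| [0-9a-f]{4} - ((?:[0-9a-f]{2} ?)+)$", trace, re.M)
    return bytes.fromhex(" ".join(rows))

def parse_client_hello(data):
    rec_type, major, minor, rec_len = struct.unpack_from("!BBBH", data, 0)
    if rec_type != 22 or data[5] != 1 or rec_len != len(data) - 5:
        raise ValueError("not a complete ClientHello record")
    pos = 5 + 4 + 2 + 32             # record hdr, handshake hdr, version, random
    pos += 1 + data[pos]             # session id
    (cs_len,) = struct.unpack_from("!H", data, pos)
    suites = [struct.unpack_from("!H", data, pos + 2 + i)[0] for i in range(0, cs_len, 2)]
    pos += 2 + cs_len
    pos += 1 + data[pos]             # compression methods
    exts, sni = [], None             # extension type numbers: 9 cert_type, 0 server_name
    end = pos + 2 + struct.unpack_from("!H", data, pos)[0] if pos < len(data) else pos
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", data, pos)
        body = data[pos + 4:pos + 4 + ext_len]
        exts.append(ext_type)
        if ext_type == 0:            # list_len(2) name_type(1) name_len(2) name
            sni = body[5:5 + struct.unpack_from("!H", body, 3)[0]].decode("ascii")
        pos += 4 + ext_len
    return {"record_version": (major, minor), "hello_version": (data[9], data[10]),
            "suites": suites, "extensions": exts, "sni": sni}

def read_outcome(trace):
    # How the peer ended the exchange; errno 104 is ECONNRESET on Linux.
    if "errno=104" in trace:
        return "reset"
    return "eof" if "READ: Got 0 bytes" in trace else "unknown"
```

On this trace the decoder reports version (3, 2) in both the record layer and the hello, 26 cipher suites (matching the 26 "Keeping ciphersuite" lines), extension types 9 and 0, and a connection reset; the first-direct trace ends with a 0-byte read instead.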




