Bug#528661: elinks eternally stuck in SSL negotiation phase

Simon Josefsson simon at josefsson.org
Fri May 29 10:43:01 UTC 2009


Petr Baudis <pasky at ucw.cz> writes:

> On Thu, May 28, 2009 at 11:38:27PM +0200, Simon Josefsson wrote:
>> The problem is a buggy server, see the upstream bug about this [1], so I
>> don't see anything that can/should be changed in GnuTLS.
>
> Then why do Firefox and applications using OpenSSL have no trouble
> talking to the server?

I believe they only work when they do not attempt to negotiate TLS 1.1.

I see in elinks/src/network/ssl/ssl.c:

	context = SSL_CTX_new(SSLv23_client_method());

The man page reads:

       SSLv23_method(void), SSLv23_server_method(void),
       SSLv23_client_method(void)
           A TLS/SSL connection established with these methods will understand
           the SSLv2, SSLv3, and TLSv1 protocol. A client will send out SSLv2
           client hello messages and will indicate that it also understands
           SSLv3 and TLSv1. A server will understand SSLv2, SSLv3, and TLSv1
           client hello messages. This is the best choice when compatibility
           is a concern.

So if you don't care about TLS 1.1 support, and by using
SSLv23_client_method that seems to be the intention (or?), then you
probably want to ask GnuTLS to disable TLS 1.1 too.

Firefox may have some logic to re-try the connection using a lower TLS
version when a higher TLS version did not work out well -- that logic
would be useful to duplicate in elinks too.  It doesn't belong in
GnuTLS, since GnuTLS does not establish the connection.

/Simon





More information about the Pkg-gnutls-maint mailing list