Bug#733039: libgnutls28: wget fails with GnuTLS error after libgnutls28 upgrade

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Dec 26 20:26:00 UTC 2013

On 12/24/2013 10:17 PM, Neil Roeth wrote:
> This command will illustrate the problem: wget -O- -q
> https://api.dreamhost.com/

I can confirm that 3.2.7 seems to hang for me, when i do:

 gnutls-cli --priority NORMAL api.dreamhost.com

However, i can connect cleanly with:

 gnutls-cli --priority NORMAL:-DHE-DSS api.dreamhost.com

I can avoid the same hang if i substitute any large-ish class of ciphers
anywhere i put DHE-DSS above.

Looking at the traffic on the wire, it looks like the non-hanging
connections offer a ClientHello of size < 256 bytes, while the hanging
connections have size >= 256 bytes.

this smells a lot like the F5 bug with certain sizes of TLS handshakes,
being misinterpreted as SSLv2, as reported by Xiaoyong Wu:


The way to resolve this would be:  if the client hello is >= 256 byees,
but < 512 bytes, add a meaningless extension to push the size of the
client hello above 512 bytes.

I haven't tested this yet, unfortunately.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1027 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnutls-maint/attachments/20131226/a2acbce3/attachment.sig>

More information about the Pkg-gnutls-maint mailing list