Bug#733039: libgnutls28: wget fails with GnuTLS error after libgnutls28 upgrade
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Thu Dec 26 20:26:00 UTC 2013
On 12/24/2013 10:17 PM, Neil Roeth wrote:
> This command will illustrate the problem: wget -O- -q https://api.dreamhost.com/
I can confirm that 3.2.7 seems to hang for me when I do:
gnutls-cli --priority NORMAL api.dreamhost.com
However, i can connect cleanly with:
gnutls-cli --priority NORMAL:-DHE-DSS api.dreamhost.com
I can avoid the same hang if I substitute any large-ish class of ciphers
anywhere I put DHE-DSS above.
Looking at the traffic on the wire, it looks like the non-hanging
connections offer a ClientHello of size < 256 bytes, while the hanging
connections have size >= 256 bytes.
This smells a lot like the F5 bug with certain sizes of TLS handshakes
being misinterpreted as SSLv2, as reported by Xiaoyong Wu:
http://thread.gmane.org/gmane.ietf.tls/11187/focus=11227
The way to resolve this would be: if the client hello is >= 256 bytes
but < 512 bytes, add a meaningless extension to push the size of the
client hello above 512 bytes.
I haven't tested this yet, unfortunately.
--dkg
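The workaround sketched in the message above, as an added example (not dkg's code and not GnuTLS's implementation): build a minimal TLS 1.2 ClientHello, measure the handshake message (type byte, 3-byte length and body; the message does not say whether the 256/512 thresholds refer to the record or the handshake message, so that choice is an assumption here), and if it lands in [256, 512) append a zero-filled extension so it is at least 512 bytes. The extension type 21 is the codepoint RFC 7685 later assigned to exactly this "padding" extension. The hostname is the one from the bug report; the cipher-suite codepoints (0x1000 and up) are placeholders, and the supported_groups/signature_algorithms contents are constructed sample values chosen only to give the hello a realistic size. The `parse_extensions` helper is a checker so the result can be inspected without a network peer.

```python
import os
import struct

PADDING_EXT_TYPE = 21            # RFC 7685 ClientHello padding extension
PAD_LOW, PAD_TARGET = 256, 512   # pad when PAD_LOW <= handshake length < PAD_TARGET


def _u16(n):
    return struct.pack("!H", n)


def _u24(n):
    return struct.pack("!I", n)[1:]


def extension(ext_type, body):
    return _u16(ext_type) + _u16(len(body)) + body


def sni_extension(hostname):
    name = hostname.encode("ascii")
    entry = b"\x00" + _u16(len(name)) + name          # name_type = host_name
    return extension(0, _u16(len(entry)) + entry)


def u16_list_extension(ext_type, values):
    body = b"".join(_u16(v) for v in values)
    return extension(ext_type, _u16(len(body)) + body)


def client_hello_body(cipher_suites, extensions, random):
    suites = b"".join(_u16(cs) for cs in cipher_suites)
    exts = b"".join(extensions)
    return (b"\x03\x03" + random                       # TLS 1.2, 32-byte random
            + b"\x00"                                  # empty session_id
            + _u16(len(suites)) + suites
            + b"\x01\x00"                              # compression: null only
            + _u16(len(exts)) + exts)


def handshake_message(body):
    return b"\x01" + _u24(len(body)) + body            # HandshakeType client_hello


def needs_padding(handshake_len):
    return PAD_LOW <= handshake_len < PAD_TARGET


def build_client_hello(cipher_suites, extensions, random=None, pad=True):
    """Return the ClientHello handshake message, padded out of [256, 512) if pad=True."""
    random = os.urandom(32) if random is None else random
    msg = handshake_message(client_hello_body(cipher_suites, extensions, random))
    if pad and needs_padding(len(msg)):
        # The padding extension costs 4 header bytes plus its body. Hit exactly
        # 512 where possible; for 509..511 an empty body still lands on 513..515,
        # which is also outside the troublesome range.
        pad_len = max(0, PAD_TARGET - len(msg) - 4)
        extensions = list(extensions) + [extension(PADDING_EXT_TYPE, bytes(pad_len))]
        msg = handshake_message(client_hello_body(cipher_suites, extensions, random))
    return msg


def tls_record(handshake_msg):
    return b"\x16\x03\x01" + _u16(len(handshake_msg)) + handshake_msg


def parse_extensions(handshake_msg):
    """Walk a ClientHello handshake message and return [(ext_type, ext_body)]."""
    body = handshake_msg[4:]
    pos = 2 + 32                                       # skip version + random
    pos += 1 + body[pos]                               # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                               # compression_methods
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    out = []
    while pos < end:
        t, l = struct.unpack("!HH", body[pos:pos + 4])
        out.append((t, body[pos + 4:pos + 4 + l]))
        pos += 4 + l
    return out


# Constructed sample extension set (SNI, supported_groups, signature_algorithms).
SAMPLE_EXTS = [
    sni_extension("api.dreamhost.com"),
    u16_list_extension(10, [0x0017, 0x0018, 0x0019]),
    u16_list_extension(13, [0x0401, 0x0501, 0x0601, 0x0403,
                            0x0503, 0x0603, 0x0201, 0x0203]),
]

if __name__ == "__main__":
    for n in (10, 100, 202, 210):
        suites = list(range(0x1000, 0x1000 + n))       # placeholder codepoints
        raw = build_client_hello(suites, SAMPLE_EXTS, pad=False)
        padded = build_client_hello(suites, SAMPLE_EXTS)
        print(f"{n:3d} suites: {len(raw):3d} -> {len(padded):3d} bytes, "
              f"padded={len(padded) != len(raw)}")
```

Running the block shows the three regimes: a short hello (10 suites) is left alone, a mid-sized one (100 suites) grows to exactly 512 bytes with a 203-byte zero padding extension, and a hello already past 512 is untouched. Dropping DHE-DSS, as in the gnutls-cli workaround above, is just one way of shortening the cipher list so the unpadded size falls under 256.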