Bug#709301: [Pkg-openssl-devel] Bug#709292: closed by Kurt Roeckx <kurt at roeckx.be> (Re: Bug#709292: curl: Connection to https server produces SSL error.)
kurt at roeckx.be
Thu May 23 17:05:29 UTC 2013
I get this:
$ wget https://sede.dgt.gob.es/sede/faces/paginas/testra/testraIframe.xhtml?pagina=consulta.html
--2013-05-23 19:02:18-- https://sede.dgt.gob.es/sede/faces/paginas/testra/testraIframe.xhtml?pagina=consulta.html
Resolving sede.dgt.gob.es (sede.dgt.gob.es)... 188.8.131.52
Connecting to sede.dgt.gob.es (sede.dgt.gob.es)|184.108.40.206|:443... connected.
[1157675.268577] wget: segfault at 1013c4ad4 ip 00007f0ece581fee sp 00007fff855b2670 error 4 in libgnutls.so.26.22.4[7f0ece564000+b9000]
That clearly looks like a real bug somewhere, and still open against libgnutls26.
On Thu, May 23, 2013 at 08:25:10AM +0100, Caronte Estigia wrote:
> Good Morning Kurt,
> just one question. I think Alessandro reasigned the bug to both libssl and libgnutls. Am I correct?
> Question is because specifying the protocol solves the problem with libssl, not with libgnutls. When I test wget with --secure-protocol it works fine when compiled with libssl but it keeps failing with libgnutls.
> Could you please confirm the fact that the case is still open in libgnutls or should I file a new bug?
> Best regards.
> De: Debian Bug Tracking System <owner at bugs.debian.org>
> Para: rodrifra <sable_laser at yahoo.es>
> Enviado: Miércoles 22 de Mayo de 2013 18:21
> Asunto: Bug#709292 closed by Kurt Roeckx <kurt at roeckx.be> (Re: Bug#709292: curl: Connection to https server produces SSL error.)
> This is an automatic notification regarding your Bug report
> which was filed against the libssl1.0.0 package:
> #709292: libssl1.0.0: "decryption failed or bad record mac" during handshake
> It has been closed by Kurt Roeckx <kurt at roeckx.be>.
> Their explanation is attached below along with your original report.
> If this explanation is unsatisfactory and you have not received a
> better one in a separate message then please contact Kurt Roeckx <kurt at roeckx.be> by
> replying to this email.
> 709292: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=709292
> Debian Bug Tracking System
> Contact owner at bugs.debian.org with problems
> On Wed, May 22, 2013 at 02:32:29PM +0200, Alessandro Ghedini wrote:
> > reassign 709292 libssl1.0.0
> > retitle 709292 libssl1.0.0: "decryption failed or bad record mac" during handshake
> > clone 709292 -1
> > reassign -1 libgnutls26
> > retitle -1 libgnutls26: segfaults during handshake
> > severity -1 important
> > affects -1 wget
> > kthxbye
> > On Wed, May 22, 2013 at 01:37:35PM +0200, rodrifra wrote:
> > > Package: curl
> > > Version: 7.26.0-1+wheezy2
> > > Severity: normal
> > >
> > > Dear Maintainer,
> > >
> > > Executing the following:
> > > curl -o pruebacurl.html https://sede.dgt.gob.es/sede/faces/paginas/testra/testraIframe.xhtml?pagina=consulta.html
> > > Produced the next error:
> > > error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
> > >
> > > Forcing SSLv3 solves the problem:
> > > curl -3 -o pruebacurl.html https://sede.dgt.gob.es/sede/faces/paginas/testra/testraIframe.xhtml?pagina=consulta.html
> > If there's any bug, it's probably in the server's SSL implementation, since it
> > can't do a proper TLS handshake, in any case it's not curl's fault. I'm
> > reassigning this to openssl (which is what curl uses) to make sure there's
> > nothing wrong with it.
> Yes, this is the server's problems, nothing you can do about it
> other than downgrading to a lower TLS version. TLS 1.0
> should work in most cases. About 1% of the servers are known to
> have this problem.
> The problem is that we announce that we support TLS 1.2 to the server,
> and the server should reply that it only supports 1.0, but just
> closes the connection or does something else weird. This is why
> you also see this with gnutls.
> There is nothing we can do in openssl or gnutls about this. What
> could be done is that something like curl or wget tries to connect
> again with a lower TLS version. But if you automate this, you
> also need to think about version downgrade attacks.
> Since we can't actually fix anything, and curl and wget have
> options to use a lower protocol version, I'm just going to
> close this bug.
> KurtPackage: curl
> Version: 7.26.0-1+wheezy2
> Severity: normal
> Dear Maintainer,
> Executing the following:
> curl -o pruebacurl.html https://sede.dgt.gob.es/sede/faces/paginas/testra/testraIframe.xhtml?pagina=consulta.html
> Produced the next error:
> error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
> Forcing SSLv3 solves the problem:
> curl -3 -o pruebacurl.html https://sede.dgt.gob.es/sede/faces/paginas/testra/testraIframe.xhtml?pagina=consulta.html
> wget has same problem in latest stable version, but oldstable works fine.
> -- System Information:
> Debian Release: 7.0
> APT prefers stable-updates
> APT policy: (500, 'stable-updates'), (500, 'stable')
> Architecture: amd64 (x86_64)
> Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
> Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/bash
> Versions of packages curl depends on:
> ii libc6 2.13-38
> ii libcurl3 7.26.0-1+wheezy2
> ii zlib1g 1:1.2.7.dfsg-13
> curl recommends no packages.
> curl suggests no packages.
> -- no debconf information
> Pkg-openssl-devel mailing list
> Pkg-openssl-devel at lists.alioth.debian.org
More information about the Pkg-gnutls-maint