Bug#709301: [Pkg-openssl-devel] Bug#709292: closed by Kurt Roeckx <kurt at roeckx.be> (Re: Bug#709292: curl: Connection to https server produces SSL error.)

Kurt Roeckx kurt at roeckx.be
Thu May 23 17:05:29 UTC 2013


Hi,

I get this:
$ wget https://sede.dgt.gob.es/sede/faces/paginas/testra/testraIframe.xhtml?pagina=consulta.html
--2013-05-23 19:02:18--  https://sede.dgt.gob.es/sede/faces/paginas/testra/testraIframe.xhtml?pagina=consulta.html
Resolving sede.dgt.gob.es (sede.dgt.gob.es)... 213.4.59.219
Connecting to sede.dgt.gob.es (sede.dgt.gob.es)|213.4.59.219|:443... connected.
[1157675.268577] wget[14792]: segfault at 1013c4ad4 ip 00007f0ece581fee sp 00007fff855b2670 error 4 in libgnutls.so.26.22.4[7f0ece564000+b9000]
Segmentation fault

That clearly looks like a real bug somewhere, and still open against libgnutls26.


Kurt

On Thu, May 23, 2013 at 08:25:10AM +0100, Caronte Estigia wrote:
> Good Morning Kurt,
> 
> just one question. I think Alessandro reassigned the bug to both libssl and libgnutls. Am I correct?
> 
> Question is because specifying the protocol solves the problem with libssl, not with libgnutls. When I test wget with --secure-protocol it works fine when compiled with libssl but it keeps failing with libgnutls.
> 
> Could you please confirm the fact that the case is still open in libgnutls or should I file a new bug?
> 
> Best regards.
> Francisco.
> 
> 
> ________________________________
> From: Debian Bug Tracking System <owner at bugs.debian.org>
> To: rodrifra <sable_laser at yahoo.es>
> Sent: Wednesday, 22 May 2013 18:21
> Subject: Bug#709292 closed by Kurt Roeckx <kurt at roeckx.be> (Re: Bug#709292: curl: Connection to https server produces SSL error.)
>  
> 
> This is an automatic notification regarding your Bug report
> which was filed against the libssl1.0.0 package:
> 
> #709292: libssl1.0.0: "decryption failed or bad record mac" during handshake
> 
> It has been closed by Kurt Roeckx <kurt at roeckx.be>.
> 
> Their explanation is attached below along with your original report.
> If this explanation is unsatisfactory and you have not received a
> better one in a separate message then please contact Kurt Roeckx <kurt at roeckx.be> by
> replying to this email.
> 
> 
> -- 
> 709292: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=709292
> Debian Bug Tracking System
> Contact owner at bugs.debian.org with problems
> 
> On Wed, May 22, 2013 at 02:32:29PM +0200, Alessandro Ghedini wrote:
> > reassign 709292 libssl1.0.0
> > retitle 709292 libssl1.0.0: "decryption failed or bad record mac" during handshake
> > clone 709292 -1
> > reassign -1 libgnutls26
> > retitle -1 libgnutls26: segfaults during handshake
> > severity -1 important
> > affects -1 wget
> > kthxbye
> > 
> > On Wed, May 22, 2013 at 01:37:35PM +0200, rodrifra wrote:
> > > Package: curl
> > > Version: 7.26.0-1+wheezy2
> > > Severity: normal
> > > 
> > > Dear Maintainer,
> > > 
> > >    Executing the following:
> > >     curl -o pruebacurl.html https://sede.dgt.gob.es/sede/faces/paginas/testra/testraIframe.xhtml?pagina=consulta.html
> > >    Produced the next error:
> > >     error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
> > > 
> > >    Forcing SSLv3 solves the problem:
> > >     curl -3 -o pruebacurl.html https://sede.dgt.gob.es/sede/faces/paginas/testra/testraIframe.xhtml?pagina=consulta.html
> > 
> > If there's any bug, it's probably in the server's SSL implementation, since it
> > can't do a proper TLS handshake, in any case it's not curl's fault. I'm
> > reassigning this to openssl (which is what curl uses) to make sure there's
> > nothing wrong with it.
> 
> Yes, this is the server's problem, nothing you can do about it
> other than downgrading to a lower TLS version.  TLS 1.0
> should work in most cases.  About 1% of the servers are known to
> have this problem.
> 
> The problem is that we announce that we support TLS 1.2 to the server,
> and the server should reply that it only supports 1.0, but just
> closes the connection or does something else weird.  This is why
> you also see this with gnutls.
> 
> There is nothing we can do in openssl or gnutls about this.  What
> could be done is that something like curl or wget tries to connect
> again with a lower TLS version.  But if you automate this, you
> also need to think about version downgrade attacks.
> 
> Since we can't actually fix anything, and curl and wget have
> options to use a lower protocol version, I'm just going to
> close this bug.
> 
> 
> Kurt
> 
> Package: curl
> Version: 7.26.0-1+wheezy2
> Severity: normal
> 
> Dear Maintainer,
> 
>    Executing the following:
>     curl -o pruebacurl.html https://sede.dgt.gob.es/sede/faces/paginas/testra/testraIframe.xhtml?pagina=consulta.html
>    Produced the next error:
>     error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
> 
>    Forcing SSLv3 solves the problem:
>     curl -3 -o pruebacurl.html https://sede.dgt.gob.es/sede/faces/paginas/testra/testraIframe.xhtml?pagina=consulta.html
> 
>    wget has same problem in latest stable version, but oldstable works fine.
> 
> 
> -- System Information:
> Debian Release: 7.0
>   APT prefers stable-updates
>   APT policy: (500, 'stable-updates'), (500, 'stable')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
> Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/bash
> 
> Versions of packages curl depends on:
> ii  libc6     2.13-38
> ii  libcurl3  7.26.0-1+wheezy2
> ii  zlib1g    1:1.2.7.dfsg-13
> 
> curl recommends no packages.
> 
> curl suggests no packages.
> 
> -- no debconf information
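
The retry-with-a-lower-version idea from the closing explanation in this thread, sketched as an added example (not code from curl, wget, OpenSSL or GnuTLS): fallback is opt-in, stops at a floor, and reports how many steps it took, so a handshake failure forced by someone on the path cannot push the client arbitrarily low. `LADDER`, `FLOOR`, `real_handshake`, `connect_with_fallback` and the constructed `intolerant_server` stand-in are assumptions of this sketch.

```python
import socket
import ssl

# Newest first. FLOOR is an assumed local policy: never offer less than this,
# however the server (or someone between you and it) makes the handshake fail.
LADDER = [ssl.TLSVersion.TLSv1_3, ssl.TLSVersion.TLSv1_2,
          ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1]
FLOOR = ssl.TLSVersion.TLSv1_2


def real_handshake(host, max_version, port=443, timeout=10):
    """Handshake with certificate checks on, offering at most max_version."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = FLOOR
    ctx.maximum_version = max_version
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


def intolerant_server(highest_ok):
    """Constructed stand-in for a server that breaks the handshake, instead of
    negotiating down, when the client offers more than highest_ok."""
    def handshake(host, max_version):
        if max_version > highest_ok:
            raise ssl.SSLError("decryption failed or bad record mac")
        return max_version.name
    return handshake


def connect_with_fallback(host, handshake=real_handshake, allow_fallback=False):
    """Return (negotiated_version, fallbacks_used); raise if nothing at or
    above FLOOR works. Fallback happens only when the caller opts in."""
    last_error, fallbacks = None, 0
    for version in LADDER:
        if version < FLOOR:
            break
        try:
            return handshake(host, version), fallbacks
        except (ssl.SSLError, ConnectionError) as exc:
            last_error = exc
            if not allow_fallback:
                break
            fallbacks += 1
    raise ConnectionError(f"no acceptable TLS version for {host}") from last_error
```

A non-zero `fallbacks_used` is worth logging: it is the only signal the caller gets that the connection was not made at the version first offered.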
