Bug#835342: curl or git clone commands throws "gnutls_handshake() failed" on https targets

marcelomendes at gmail.com marcelomendes at gmail.com
Tue Sep 20 17:35:10 UTC 2016


2016-09-20 12:48 GMT-04:00 Andreas Metzler <ametzler at bebt.de>:
> On 2016-09-19 "marcelomendes at gmail.com" <marcelomendes at gmail.com> wrote:
>> 2016-09-17 12:15 GMT-04:00 Andreas Metzler <ametzler at bebt.de>:
> [...]
>> > | Then click capture -> Stop, In "apply display filter", type ssl, then
>> > | File -> Export specified packets and send the saved pcap file.
>
>> This link has two files:
>
>> pcap_gnutls.pcapng (Fail, libgnutls30:amd64  3.5.4-2)
>> pcap_gnutls_v352.pcapng (Working version, libgnutls30:amd64  3.5.2-3)
>
>> https://drive.google.com/drive/folders/0B3_AQUiHn1qMcEVjdVpNeHBJUHc
>
> Hello Marcelo,
>
> this seems to be hard to debug/reproduce, Nikos (upstream) writes:


Yeah, I know, I'm following his replies.

I saw that he is making his tests using gnutls-cli, but as I stated
before, gnutls-cli doesn't work at all behind the proxy here,
regardless of the version, either 3.5.2-x or 3.5.3+.

The commands that I'm using to test are curl and git (and vagrant).
And these commands only work if I'm using libgnutls30:amd64 3.5.2-3.

>
> =======================================================================
> I do not see anything wrong in the capture. I even created a small
> program to replay the connection locally (I have a debian installation
> on x86_64 with the same packages available), and the connection
> continued past the failure point on that system.
>
> I'm searching in the dark here, but the following info could help:
> 1. run gnutls-cli www.server-that-fails -d 9

Same as shown in Message #15, except with the debug

> 2. run valgrind gnutls-cli www.server-that-fails
> 3. compile the attached program as "gcc -O2 -g sim.c -lgmp -lhogweed &&
> ./a.out", and also run valgrind ./a.out

I could try this, but where is the source code?

> [...]
> One 4th item suggested by Niels Moeller:
> 4. run ldd /usr/bin/gnutls-cli # (that way we can see whether the
> client is linked to the expected nettle library)
> =======================================================================


ldd /usr/lib/x86_64-linux-gnu/libgnutls.so.30.10.0

linux-vdso.so.1 (0x00007ffc34f7d000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f5cdb8a7000)
libp11-kit.so.0 => /usr/lib/x86_64-linux-gnu/libp11-kit.so.0 (0x00007f5cdb642000)
libidn.so.11 => /lib/x86_64-linux-gnu/libidn.so.11 (0x00007f5cdb40e000)
libtasn1.so.6 => /usr/lib/x86_64-linux-gnu/libtasn1.so.6 (0x00007f5cdb1fb000)
libnettle.so.6 => /usr/lib/x86_64-linux-gnu/libnettle.so.6 (0x00007f5cdafc4000)
libhogweed.so.4 => /usr/lib/x86_64-linux-gnu/libhogweed.so.4 (0x00007f5cdad8d000)
libgmp.so.10 => /usr/lib/x86_64-linux-gnu/libgmp.so.10 (0x00007f5cdab0a000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f5cda76c000)
libffi.so.6 => /usr/lib/x86_64-linux-gnu/libffi.so.6 (0x00007f5cda563000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f5cda35f000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f5cda142000)
/lib64/ld-linux-x86-64.so.2 (0x0000561651905000)

ldd /usr/bin/gnutls-cli

linux-vdso.so.1 (0x00007ffd0c36b000)
libgnutls.so.30 => /usr/lib/x86_64-linux-gnu/libgnutls.so.30 (0x00007f57473f3000)
libopts.so.25 => /usr/lib/x86_64-linux-gnu/libopts.so.25 (0x00007f57471d2000)
libidn.so.11 => /lib/x86_64-linux-gnu/libidn.so.11 (0x00007f5746f9e000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f5746c00000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f57469e5000)
libp11-kit.so.0 => /usr/lib/x86_64-linux-gnu/libp11-kit.so.0 (0x00007f574677e000)
libtasn1.so.6 => /usr/lib/x86_64-linux-gnu/libtasn1.so.6 (0x00007f574656b000)
libnettle.so.6 => /usr/lib/x86_64-linux-gnu/libnettle.so.6 (0x00007f5746334000)
libhogweed.so.4 => /usr/lib/x86_64-linux-gnu/libhogweed.so.4 (0x00007f57460ff000)
libgmp.so.10 => /usr/lib/x86_64-linux-gnu/libgmp.so.10 (0x00007f5745e7c000)
libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f5745b78000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f5745972000)
/lib64/ld-linux-x86-64.so.2 (0x00005581363e8000)
libffi.so.6 => /usr/lib/x86_64-linux-gnu/libffi.so.6 (0x00007f5745769000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f574554c000)

dpkg -l | grep nettle
ii  libnettle4:amd64                       2.7.1-5+deb8u1       amd64        low level cryptographic library (symmetric and one-way cryptos)
ii  libnettle6:amd64                       3.2-1                amd64        low level cryptographic library (symmetric and one-way cryptos)
ii  nettle-dev                             3.2-1                amd64        low level cryptographic library (development files)


-- 
"Free Software is not the only way, but it's a correct way."
Marcelo Mendes
http://underlabs.org
mmendes @ IRC [OFTC-Freenode]
Gtalk: marcelomendes at gmail dot com
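
The linkage check that item 4 in the message above asks for can be scripted. This is an added example, not part of the thread or of GnuTLS: it compares the nettle, hogweed and gmp files two `ldd` listings resolve and flags a missing library or two sonames of one family. The function names and the `MIXED_LDD` sample are assumptions made for illustration.

```shell
# Added example. The first two listings are the relevant lines of the ldd
# output in the message, unwrapped; only the names and paths are compared.
LIBGNUTLS_LDD='libnettle.so.6 => /usr/lib/x86_64-linux-gnu/libnettle.so.6 (0x00007f5cdafc4000)
libhogweed.so.4 => /usr/lib/x86_64-linux-gnu/libhogweed.so.4 (0x00007f5cdad8d000)
libgmp.so.10 => /usr/lib/x86_64-linux-gnu/libgmp.so.10 (0x00007f5cdab0a000)'
GNUTLS_CLI_LDD='libgnutls.so.30 => /usr/lib/x86_64-linux-gnu/libgnutls.so.30 (0x00007f57473f3000)
libnettle.so.6 => /usr/lib/x86_64-linux-gnu/libnettle.so.6 (0x00007f5746334000)
libhogweed.so.4 => /usr/lib/x86_64-linux-gnu/libhogweed.so.4 (0x00007f57460ff000)
libgmp.so.10 => /usr/lib/x86_64-linux-gnu/libgmp.so.10 (0x00007f5745e7c000)'
# Constructed failure case (not from the thread): the nettle 2.x soname loaded
# next to the current one, and an unresolved hogweed.
MIXED_LDD='libnettle.so.6 => /usr/lib/x86_64-linux-gnu/libnettle.so.6 (0x0)
libnettle.so.4 => /usr/lib/x86_64-linux-gnu/libnettle.so.4 (0x0)
libhogweed.so.4 => not found
libgmp.so.10 => /usr/lib/x86_64-linux-gnu/libgmp.so.10 (0x0)'

# stdin: ldd output. stdout: "soname path" for nettle/hogweed/gmp, sorted,
# with load addresses dropped and unresolved entries marked NOT-FOUND.
crypto_libs() {
    awk '$1 ~ /^lib(nettle|hogweed|gmp)\.so/ && $2 == "=>" {
        print $1, ($3 == "not" ? "NOT-FOUND" : $3)
    }' | sort
}

# stdin: ldd output. stdout: library families present under more than one soname.
mixed_abi() {
    crypto_libs | awk '{ f = $1; sub(/\.so.*/, "", f); n[f]++ }
        END { for (f in n) if (n[f] > 1) print f }' | sort
}

# $1, $2: ldd outputs. Succeeds only if both resolve the same files, none is
# missing, and neither listing mixes sonames of one family.
same_crypto_stack() {
    a=$(printf '%s\n' "$1" | crypto_libs)
    b=$(printf '%s\n' "$2" | crypto_libs)
    case "$a$b" in *NOT-FOUND*) return 1 ;; esac
    [ -z "$(printf '%s\n' "$1" | mixed_abi)$(printf '%s\n' "$2" | mixed_abi)" ] || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

if same_crypto_stack "$LIBGNUTLS_LDD" "$GNUTLS_CLI_LDD"; then
    echo "libgnutls and gnutls-cli resolve the same nettle/hogweed/gmp files"
else
    echo "MISMATCH"; printf '%s\n' "$GNUTLS_CLI_LDD" | crypto_libs
fi
```

On a live system the same functions take `ldd /usr/bin/gnutls-cli` and `ldd` of the libgnutls shared object on stdin or as captured strings.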


