Bug#945507: systemd-resolved rejects DNS-over-TLS based on GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER even though gnutls-cli works fine

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Nov 26 03:49:06 GMT 2019


Control: tags 945507 + patch

On Mon 2019-11-25 21:18:02 -0500, Daniel Kahn Gillmor wrote:
> Note from the pcaps that the gnutls-cli connection manages to negotiate
> TLS 1.3, while the systemd-resolved connection only manages to elicit a
> TLS 1.2 response from the server for some reason.
>
> I'm seeing this error in systemd-resolved with libgnutls30 3.6.10-5, but
> I also tried this while rolling back to older versions of libgnutls30 --
> version 3.6.7-4 from buster, for example -- and it didn't fix the
> problem.
>
> So I think the issue is something to do with the way that libgnutls is
> being initialized in this version of systemd.

I think this might be related to upstream commit
68805580209cfaa50b2400d1a2e6c66500001395, which fixes
https://github.com/systemd/systemd/issues/13528

I'm attaching an attempt at importing this patch from upstream.  It
applies and builds fine, but an unrelated part of the dh_auto_test
failed for me (https://github.com/systemd/systemd/issues/14152)

      --dkg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-try-to-address-945507.patch
Type: text/x-diff
Size: 2523 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-systemd-maintainers/attachments/20191125/7e136860/attachment.patch>
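The quoted observation above rests on reading the negotiated TLS version out of the two pcaps, and that is easy to get wrong: a TLS 1.3 ServerHello still carries 0x0303 (TLS 1.2) in its record and legacy_version fields, and the real selected version is only in the supported_versions extension (type 43). The following is an added example, not code from the bug report, from systemd or from GnuTLS; it parses a raw ServerHello record the way a pcap dissector must and reports the version actually chosen. The sample records are constructed inline by build_server_hello (a helper of this example), not captured from the resolver in the report.

```python
"""Recover the TLS version a server actually selected from a raw ServerHello.

Added example for the bug thread above; not part of the report, of systemd
or of GnuTLS.  A TLS 1.3 ServerHello keeps legacy_version = 0x0303 in the
clear and signals 0x0304 only through the supported_versions extension, so
a capture reader that trusts the record header will report "TLS 1.2" for a
TLS 1.3 session.
"""
import struct

SUPPORTED_VERSIONS_EXT = 43          # RFC 8446 extension type
VERSION_NAMES = {0x0301: "TLS1.0", 0x0302: "TLS1.1",
                 0x0303: "TLS1.2", 0x0304: "TLS1.3"}


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record holding a ServerHello; raise ValueError on malformed input."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_version, rec_len = struct.unpack(">HH", record[1:5])
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    if body[0] != 0x02:                       # HandshakeType server_hello
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated handshake message")

    legacy_version = struct.unpack(">H", hello[0:2])[0]
    pos = 2 + 32                              # skip the 32-byte server random
    sid_len = hello[pos]
    pos += 1 + sid_len                        # legacy_session_id_echo
    cipher_suite = struct.unpack(">H", hello[pos:pos + 2])[0]
    pos += 2
    pos += 1                                  # legacy_compression_method

    extensions = {}
    selected_version = legacy_version         # pre-1.3 servers have no extension
    if pos < len(hello):                      # extensions block is optional
        ext_len = struct.unpack(">H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        if end > len(hello):
            raise ValueError("extensions overrun message")
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", hello[pos:pos + 4])
            pos += 4
            edata = hello[pos:pos + elen]
            pos += elen
            if len(edata) != elen or pos > end:
                raise ValueError("truncated extension")
            extensions[etype] = edata
        if SUPPORTED_VERSIONS_EXT in extensions:
            edata = extensions[SUPPORTED_VERSIONS_EXT]
            if len(edata) != 2:               # ServerHello form is a single version
                raise ValueError("bad supported_versions length")
            selected_version = struct.unpack(">H", edata)[0]

    return {"record_version": rec_version,
            "legacy_version": legacy_version,
            "selected_version": selected_version,
            "cipher_suite": cipher_suite,
            "extensions": sorted(extensions)}


def negotiated_version(record: bytes) -> str:
    """Human-readable version actually negotiated, as gnutls-cli would print it."""
    return VERSION_NAMES.get(parse_server_hello(record)["selected_version"], "unknown")


def build_server_hello(selected_version: int, cipher_suite: int,
                       with_supported_versions: bool) -> bytes:
    """Constructed sample ServerHello (example helper, not a real capture)."""
    server_random = bytes(range(32))          # fixed bytes; fine for a parser test
    hello = (struct.pack(">H", 0x0303) + server_random + b"\x00"
             + struct.pack(">H", cipher_suite) + b"\x00")
    exts = b""
    if with_supported_versions:
        exts += struct.pack(">HHH", SUPPORTED_VERSIONS_EXT, 2, selected_version)
    hello += struct.pack(">H", len(exts)) + exts
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack(">HH", 0x0303, len(handshake)) + handshake


# Constructed samples: a TLS 1.3 hello (TLS_AES_256_GCM_SHA384) and a plain
# TLS 1.2 hello (ECDHE-RSA-AES128-GCM-SHA256) with no supported_versions.
TLS13_HELLO = build_server_hello(0x0304, 0x1302, True)
TLS12_HELLO = build_server_hello(0x0303, 0xC02F, False)

if __name__ == "__main__":
    for name, rec in (("tls13", TLS13_HELLO), ("tls12", TLS12_HELLO)):
        info = parse_server_hello(rec)
        print(f"{name}: header says {VERSION_NAMES[info['legacy_version']]}, "
              f"negotiated {negotiated_version(rec)}")
```

Both constructed records show 0x0303 in the record header and in legacy_version; only the extension distinguishes them, which is why a "this side only got TLS 1.2" conclusion should be checked against the supported_versions field of the ServerHello rather than the version bytes a capture tool shows in its summary column.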