GnuTLS versions 2.9.7 and later breaks libsoup (epiphany)
Simon Josefsson
simon at josefsson.org
Thu Jun 10 09:08:23 CEST 2010
Andreas Metzler <ametzler at downhill.at.eu.org> writes:
> On 2010-06-08 Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:
>> Andreas Metzler wrote:
>> > Hello,
>> > this is http://bugs.debian.org/576339
>>
>> > With GnuTLS versions 2.9.7 and later epiphany is unable to load https
>> > sites. Reproducing this is very easy on Debian/unstable
>> > (+experimental)
>
>> > sudo apt-get install epiphany-browser
>> > sudo apt-get install libgnutls26=2.9.11-1
>> > epiphany-browser https://db.debian.org/
>
>> > epiphany simply gets stuck, resending the same request again and
>> > again. GnuTLS 2.9.6 and earlier (including 2.8.x) are fine.
>
>> Hi,
>> The problem seems to be the support for TLS 1.2. It seems that epiphany
>> sets a priority string of "NORMAL:!VERS-TLS1.1:!VERS-TLS1.0". Thus the
>> allowed versions are now TLS 1.2 and SSL 3.0. The servers do not support
>> TLS 1.2 thus falling back to TLS 1.0 which is not supported.
>
> Shouldn't GnuTLS fall back to the supported protocol (SSL 3.0) in that
> case instead of getting stuck?
I think there is a bug in epiphany (or libsoup) here that cause it to
send the same request over and over again -- either the request should
succeed or it should fail. I don't see why it is trying the same
request over and over again.
What it could do is to try the request with default settings (i.e.,
NORMAL, which makes it support latest protocol improvements) but if that
fails with an error message that indicate that re-trying without TLS 1.x
will help, it should re-try with lower TLS protocol versions. It won't
help to re-try the exact same handshake.
>> A quick fix
>> would be to add !VERS-TLS1.2 to epiphany (I have no idea where it is).
>
> The respective code seems to be in libsoup
> libsoup2.4-2.30.1/libsoup/soup-gnutls.c
> and the explaining comment points to
> http://bugzilla.gnome.org/show_bug.cgi?id=581342 as reason. Apparently
> epiphany experienced breakage with SSL 3.0 only servers
> (www.paypal.com).
>
> While changing the respective initialisation from
>
> gnutls_priority_set_direct (session, "NORMAL:!VERS-TLS1.1:!VERS-TLS1.0", NULL)
> to
> gnutls_priority_set_direct (session, "NORMAL", NULL)
>
> makes https://db.debian.org/ accessible again with GnuTLS 2.9.7,
> it also breaks connecting to https://www.paypal.com/. Not really a
> solution.
A better solution is to attempt the NORMAL setting first, and if it
fails, also attempt to negotiate using SSL3+TLS1 only. If that fails,
stop retrying.
/Simon
More information about the Gnutls-devel
mailing list