Error when viewing HTTPS pages with a browser using GnuTLS

Matthew Carter jehiva at gmail.com
Thu Mar 29 06:00:28 CEST 2012


Hi all,

Honestly if a fallback can be implemented in any fashion (if the
negotiation hits one of these errors, it is retried with the fallback
priority string) that would be best from this user's POV, as it would be
a lot more practical to change on this end than getting all the vendors
still running IIS 6.0 to upgrade.

As it is now, my option is to use another browser to get around this, or
tweak the browser's source to try to change the priority string being
sent (I may have to dig into webkit/libsoup stuff at that point, since
the browser uses those as the backend).

Slightly related, but it looks like the Arch Linux evolution/google
calendar desync issue is getting the same TLS ended unexpectedly type
error; as my issue cropped up at the same time under Arch, it would seem
the most recent GnuTLS update re-introduced this (the last version did
not have this issue, a few versions ago did).

Thanks,
-Matt

On Wed, Mar 28, 2012 at 04:13:35PM -0400, Daniel Kahn Gillmor wrote:
> On 03/28/2012 09:17 AM, Matthew Carter wrote:
> > You can see an occurrence of the first error at:
> > 
> > https://time.techni-serve.com
> > 
> > you can also see a similar error ("SSL Handshake Failed") via:
> > 
> > https://www.microsoft.com
> > 
> > The failure is consistent with both the vimprobable2 browser and using
> > the gnutls-cli to connect (same error message in output in both cases).
> 
> Thanks!  I see the same thing you do with gnutls-cli, so i can confirm
> this as an issue with their servers.  I see those connection failures
> even with the priority string NORMAL:+%COMPAT :(
> 
> FWIW, i can get connections to work with both of the above using the
> following priority string:
> 
>   NORMAL:-VERS-TLS1.1:-VERS-TLS1.2
> 
> That is, it looks like these two servers are sending fatal alerts to any
> client that advertises support for TLS1.1 or TLS1.2 :(
> 
> They both negotiate to TLS1.0, though.
> 
> > I would guess it is an IIS issue as both sites are running IIS 6.0.
> 
> https://en.wikipedia.org/wiki/Internet_Information_Services suggests
> that 6.0 was released with Windows Server 2003, and superseded by IIS
> 7.0 with the release of Windows Server 2008.  I'm a little surprised to
> see www.microsoft.com running such an old version on their flagship web
> site.  other MS sites (e.g. technet.microsoft.com) are using IIS 7.5 by now.
> 
> I'm not sure what the right way to deal with this from GnuTLS is.  Should we
> be doing anything differently to accommodate these non-compliant servers?
> 
> 	--dkg
> 



-- 
Matthew Carter
jehiva at gmail.com
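
The manual check described in the quoted reply above (connect with `NORMAL`, then again with TLS 1.1 and 1.2 disabled) written as a repeatable probe. This is an added example, not part of the original message or of GnuTLS. It assumes `gnutls-cli` is on the PATH and exits non-zero when the handshake fails; the `GNUTLS_CLI` override and the function names are made up for the example.

```shell
#!/bin/sh
# Added example: classify how a server reacts to a client that advertises
# TLS 1.1/1.2, using the two priority strings from the thread.

# Assumption: gnutls-cli is installed. The variable exists so the client
# binary can be swapped out (for instance by a stub when testing).
GNUTLS_CLI=${GNUTLS_CLI:-gnutls-cli}

PRIO_DEFAULT='NORMAL'
PRIO_NO_TLS11_12='NORMAL:-VERS-TLS1.1:-VERS-TLS1.2'

# try_handshake HOST PORT PRIORITY
# Returns the client's exit status. stdin is /dev/null so the client
# closes the session right after the handshake instead of waiting for input.
try_handshake() {
    "$GNUTLS_CLI" --priority "$3" -p "$2" "$1" </dev/null >/dev/null 2>&1
}

# probe_version_tolerance HOST [PORT]
# Prints exactly one word:
#   tolerant    handshake works with the default priority string
#   intolerant  fails with NORMAL, works once TLS 1.1/1.2 are disabled
#   failed      fails both ways (network, certificate or other problem)
probe_version_tolerance() {
    host=$1
    port=${2:-443}
    if try_handshake "$host" "$port" "$PRIO_DEFAULT"; then
        echo tolerant
    elif try_handshake "$host" "$port" "$PRIO_NO_TLS11_12"; then
        echo intolerant
    else
        echo failed
    fi
}

# Run as a script: ./probe.sh HOST [PORT]
if [ "$#" -gt 0 ]; then
    probe_version_tolerance "$@"
fi
```

The probe reports the result rather than silently retrying, so a server that only works with the reduced priority string is visible to whoever runs it.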