[gnutls-devel] [resent][PATCH] ALPN and session resumption

Yuriy M. Kaminskiy yumkam at gmail.com
Wed Mar 16 20:51:34 CET 2016


I've played a bit with curl with HTTP/2 support and gnutls backend (curl 
git master [curl-7_47_1-75-g3c2ef2a], [self-compiled] nghttp2 1.8.0, 
[distro] debian's gnutls 3.3.8), and it looks like ALPN is broken with 
session resumption.

   curl -v -c jar --location https://www.google.com/ncr >log 2>errlog

fails; the first connection succeeds (got redirect), then the second
connection to the same server (resumes session) fails with

   * ALPN, server did not agree to a protocol

If I disable session support:
   curl -v -c jar --location --no-sessionid https://www.google.com/ncr
everything works.

I played with gdb, looked at gnutls sources, and found that libgnutls 
neither parses the ALPN extension on resume[1], nor re-uses session 
data[2]; as a result, after session resumption 
gnutls_alpn_get_selected_protocol() returns failure (even though the 
server sent ALPN/h2 in ServerHello).

I've re-tested with (self-compiled) gnutls 3.3.22, it behaves the same.

I cannot test with 3.4.* atm (missing build-req), but a quick look at 
the sources suggests the bug is still present.

[1] ALPN extension state is per-connection, it should not be saved with 
session data, and should be parsed on each connection:
=== rfc7301 ===
     Unlike many other TLS extensions, this extension does not establish
     properties of the session, only of the connection.  When session
     resumption or session tickets [RFC5077] are used, the previous
     contents of this extension are irrelevant, and only the values in
     the new handshake messages are considered.
=== cut ===

See attached patches against gnutls_3_3_x (not sure if it is correct, as
it also may affect SRTP extension, please verify). Briefly run-tested,
passes `make check`.

I also attached the same patches rebased against git master (*completely 
untested*).

[2] I'm not sure, but other extensions may also want their data after 
session resumption, restored from saved state or parsed?

Before commit 20151edffdb8d99c7feb986a2f102df76314cb7d, all
(non-GNUTLS_EXT_MANDATORY) extension data from resumed session was
pulled back by _gnutls_ext_restore_resumed_session() function. After
that commit, extension data are not restored (and, except for 
*MANDATORY, are not parsed from ServerHello either), and this function 
remains unused.

Probably, it should be either removed (if each extension should deal 
with resumed session data by itself), or used again?

(but it should not cover ALPN either way, as ALPN state is not session data)

Disclaimer: my knowledge of TLS protocol and gnutls implementation in
particular is rather limited, please review carefully.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-alpn-ALPN-state-is-per-connection-it-should-not-be-s.patch
Type: text/x-diff
Size: 3762 bytes
Desc: not available
URL: </pipermail/attachments/20160316/c8e68f12/attachment-0004.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-handshake-parse-ALPN-extension-in-resumed-client-ses.patch
Type: text/x-diff
Size: 956 bytes
Desc: not available
URL: </pipermail/attachments/20160316/c8e68f12/attachment-0005.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: master-0001-alpn-ALPN-state-is-per-connection-it-should-not-be-s.patch
Type: text/x-diff
Size: 3582 bytes
Desc: not available
URL: </pipermail/attachments/20160316/c8e68f12/attachment-0006.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: master-0002-handshake-parse-ALPN-extension-in-resumed-client-ses.patch
Type: text/x-diff
Size: 856 bytes
Desc: not available
URL: </pipermail/attachments/20160316/c8e68f12/attachment-0007.patch>
-------------- next part --------------
*   Trying 2a00:1450:4001:805::1013...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to www.google.com (2a00:1450:4001:805::1013) port 443 (#0)
* found 174 certificates in /etc/ssl/certs/ca-certificates.crt
* ALPN, offering h2
* ALPN, offering http/1.1
  0     0    0     0    0     0      0      0 --:--:--  0:00:01 --:--:--     0* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* 	 server certificate verification OK
* 	 server certificate status verification SKIPPED
* 	 common name: www.google.com (matched)
* 	 server certificate expiration date OK
* 	 server certificate activation date OK
* 	 certificate public key: RSA
* 	 certificate version: #3
* 	 subject: C=US,ST=California,L=Mountain View,O=Google Inc,CN=www.google.com
* 	 start date: Wed, 02 Mar 2016 11:08:25 GMT
* 	 expire date: Tue, 31 May 2016 00:00:00 GMT
* 	 issuer: C=US,O=Google Inc,CN=Google Internet Authority G2
* 	 compression: NULL
* ALPN, server accepted to use h2
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* TCP_NODELAY set
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x8a71a58)
> GET /ncr HTTP/1.1
> Host: www.google.com
> User-Agent: curl/7.47.2-DEV
> Accept: */*
> 
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2.0 302
< location:https://www.google.com/
< cache-control:private
< content-type:text/html; charset=UTF-8
< p3p:CP="This is not a P3P policy! See https://www.google.com/support/accounts/answer/151657?hl=en for more info."
< date:Tue, 15 Mar 2016 22:15:01 GMT
< server:gws
< content-length:220
< x-xss-protection:1; mode=block
< x-frame-options:SAMEORIGIN
* Added cookie NID="77=c7OgNFwKmGK9ljYBGoWfZc7btb6HYFVYPigYRv_71hOycRU4aw31XSoTxI2YwzG1gZtOEHoM-vvTxV9LJP_S3IvQTHgE4LWwevyLYJ90m_UPiuVxQQJQANp09WqywAQO" for domain google.com, path /, expire 1473891301
< set-cookie:NID=77=c7OgNFwKmGK9ljYBGoWfZc7btb6HYFVYPigYRv_71hOycRU4aw31XSoTxI2YwzG1gZtOEHoM-vvTxV9LJP_S3IvQTHgE4LWwevyLYJ90m_UPiuVxQQJQANp09WqywAQO; expires=Wed, 14-Sep-2016 22:15:01 GMT; path=/; domain=.google.com; HttpOnly
< alternate-protocol:443:quic,p=1
< alt-svc:quic=":443"; ma=2592000; v="31,30,29,28,27,26,25"
< 
* Ignoring the response-body
{ [220 bytes data]
100   220  100   220    0     0    138      0  0:00:01  0:00:01 --:--:--   156
* Connection #0 to host www.google.com left intact
* Issue another request to this URL: 'https://www.google.com/'
* Connection 0 seems to be dead!
* Closing connection 0
* Hostname www.google.com was found in DNS cache
*   Trying 2a00:1450:4001:805::1013...
* Connected to www.google.com (2a00:1450:4001:805::1013) port 443 (#1)
* found 174 certificates in /etc/ssl/certs/ca-certificates.crt
* ALPN, offering h2
* ALPN, offering http/1.1
* SSL re-using session ID
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* 	 server certificate verification OK
* 	 server certificate status verification SKIPPED
* 	 common name: www.google.com (matched)
* 	 server certificate expiration date OK
* 	 server certificate activation date OK
* 	 certificate public key: RSA
* 	 certificate version: #3
* 	 subject: C=US,ST=California,L=Mountain View,O=Google Inc,CN=www.google.com
* 	 start date: Wed, 02 Mar 2016 11:08:25 GMT
* 	 expire date: Tue, 31 May 2016 00:00:00 GMT
* 	 issuer: C=US,O=Google Inc,CN=Google Internet Authority G2
* 	 compression: NULL
* ALPN, server did not agree to a protocol
> GET / HTTP/1.1
> Host: www.google.com
> User-Agent: curl/7.47.2-DEV
> Accept: */*
> Cookie: NID=77=c7OgNFwKmGK9ljYBGoWfZc7btb6HYFVYPigYRv_71hOycRU4aw31XSoTxI2YwzG1gZtOEHoM-vvTxV9LJP_S3IvQTHgE4LWwevyLYJ90m_UPiuVxQQJQANp09WqywAQO
> 
{ [27 bytes data]
100    54    0    54    0     0     27      0 --:--:--  0:00:01 --:--:--    27* GnuTLS recv error (-110): The TLS connection was non-properly terminated.
100   106    0   106    0     0     54      0 --:--:--  0:00:01 --:--:-- 52000
* Closing connection 1
curl: (56) GnuTLS recv error (-110): The TLS connection was non-properly terminated.
* Hostname www.google.com was found in DNS cache
*   Trying 2a00:1450:4001:805::1013...
* Connected to www.google.com (2a00:1450:4001:805::1013) port 443 (#2)
* found 174 certificates in /etc/ssl/certs/ca-certificates.crt
* ALPN, offering h2
* ALPN, offering http/1.1
* SSL re-using session ID
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* 	 server certificate verification OK
* 	 server certificate status verification SKIPPED
* 	 common name: www.google.com (matched)
* 	 server certificate expiration date OK
* 	 server certificate activation date OK
* 	 certificate public key: RSA
* 	 certificate version: #3
* 	 subject: C=US,ST=California,L=Mountain View,O=Google Inc,CN=www.google.com
* 	 start date: Wed, 02 Mar 2016 11:08:25 GMT
* 	 expire date: Tue, 31 May 2016 00:00:00 GMT
* 	 issuer: C=US,O=Google Inc,CN=Google Internet Authority G2
* 	 compression: NULL
* ALPN, server accepted to use h2
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* TCP_NODELAY set
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x8a71a58)
> GET /ncr HTTP/1.1
> Host: www.google.com
> User-Agent: curl/7.47.2-DEV
> Accept: */*
> Cookie: NID=77=c7OgNFwKmGK9ljYBGoWfZc7btb6HYFVYPigYRv_71hOycRU4aw31XSoTxI2YwzG1gZtOEHoM-vvTxV9LJP_S3IvQTHgE4LWwevyLYJ90m_UPiuVxQQJQANp09WqywAQO
> 
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2.0 302
< location:https://www.google.com/
< cache-control:private
< content-type:text/html; charset=UTF-8
< date:Tue, 15 Mar 2016 22:15:01 GMT
< server:gws
< content-length:220
< x-xss-protection:1; mode=block
< x-frame-options:SAMEORIGIN
< alternate-protocol:443:quic,p=1
< alt-svc:quic=":443"; ma=2592000; v="31,30,29,28,27,26,25"
< 
* Ignoring the response-body
{ [220 bytes data]
100   220  100   220    0     0    482      0 --:--:-- --:--:-- --:--:--   482
* Connection #2 to host www.google.com left intact
* Issue another request to this URL: 'https://www.google.com/'
* Found bundle for host www.google.com: 0x8a69d58 [can multiplex]
* Connection 2 seems to be dead!
* Closing connection 2
* Hostname www.google.com was found in DNS cache
*   Trying 2a00:1450:4001:805::1013...
* Connected to www.google.com (2a00:1450:4001:805::1013) port 443 (#3)
* found 174 certificates in /etc/ssl/certs/ca-certificates.crt
* ALPN, offering h2
* ALPN, offering http/1.1
* SSL re-using session ID
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* 	 server certificate verification OK
* 	 server certificate status verification SKIPPED
* 	 common name: www.google.com (matched)
* 	 server certificate expiration date OK
* 	 server certificate activation date OK
* 	 certificate public key: RSA
* 	 certificate version: #3
* 	 subject: C=US,ST=California,L=Mountain View,O=Google Inc,CN=www.google.com
* 	 start date: Wed, 02 Mar 2016 11:08:25 GMT
* 	 expire date: Tue, 31 May 2016 00:00:00 GMT
* 	 issuer: C=US,O=Google Inc,CN=Google Internet Authority G2
* 	 compression: NULL
* ALPN, server did not agree to a protocol
> GET / HTTP/1.1
> Host: www.google.com
> User-Agent: curl/7.47.2-DEV
> Accept: */*
> Cookie: NID=77=c7OgNFwKmGK9ljYBGoWfZc7btb6HYFVYPigYRv_71hOycRU4aw31XSoTxI2YwzG1gZtOEHoM-vvTxV9LJP_S3IvQTHgE4LWwevyLYJ90m_UPiuVxQQJQANp09WqywAQO
> 
{ [27 bytes data]
* GnuTLS recv error (-110): The TLS connection was non-properly terminated.
100   106    0   106    0     0    136      0 --:--:-- --:--:-- --:--:--   136
* Closing connection 3
curl: (56) GnuTLS recv error (-110): The TLS connection was non-properly terminated.

-------------- next part --------------
*   Trying 2a00:1450:4001:805::1013...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to www.google.com (2a00:1450:4001:805::1013) port 443 (#0)
* found 174 certificates in /etc/ssl/certs/ca-certificates.crt
* ALPN, offering h2
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* 	 server certificate verification OK
* 	 server certificate status verification SKIPPED
* 	 common name: www.google.com (matched)
* 	 server certificate expiration date OK
* 	 server certificate activation date OK
* 	 certificate public key: RSA
* 	 certificate version: #3
* 	 subject: C=US,ST=California,L=Mountain View,O=Google Inc,CN=www.google.com
* 	 start date: Wed, 02 Mar 2016 11:08:25 GMT
* 	 expire date: Tue, 31 May 2016 00:00:00 GMT
* 	 issuer: C=US,O=Google Inc,CN=Google Internet Authority G2
* 	 compression: NULL
* ALPN, server accepted to use h2
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* TCP_NODELAY set
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x8b2ca58)
> GET /ncr HTTP/1.1
> Host: www.google.com
> User-Agent: curl/7.47.2-DEV
> Accept: */*
> 
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2.0 302
< location:https://www.google.com/
< cache-control:private
< content-type:text/html; charset=UTF-8
< p3p:CP="This is not a P3P policy! See https://www.google.com/support/accounts/answer/151657?hl=en for more info."
< date:Tue, 15 Mar 2016 22:16:29 GMT
< server:gws
< content-length:220
< x-xss-protection:1; mode=block
< x-frame-options:SAMEORIGIN
* Added cookie NID="77=eLRcQff-tv-XdEugTW2Gh9r0y49l-O_iWUBGqtOYYGOSILbzji4dsikgr4tjU62OmbCbpNrmNtdF07Scmmc8lbkYo9hQYY-rZTMTQagWmeboKfqEhSzDYrBZIG6IuY1A" for domain google.com, path /, expire 1473891389
< set-cookie:NID=77=eLRcQff-tv-XdEugTW2Gh9r0y49l-O_iWUBGqtOYYGOSILbzji4dsikgr4tjU62OmbCbpNrmNtdF07Scmmc8lbkYo9hQYY-rZTMTQagWmeboKfqEhSzDYrBZIG6IuY1A; expires=Wed, 14-Sep-2016 22:16:29 GMT; path=/; domain=.google.com; HttpOnly
< alternate-protocol:443:quic,p=1
< alt-svc:quic=":443"; ma=2592000; v="31,30,29,28,27,26,25"
< 
* Ignoring the response-body
{ [220 bytes data]
100   220  100   220    0     0    332      0 --:--:-- --:--:-- --:--:--   397
* Connection #0 to host www.google.com left intact
* Issue another request to this URL: 'https://www.google.com/'
* Found bundle for host www.google.com: 0x8b177c8 [can multiplex]
* Connection 0 seems to be dead!
* Closing connection 0
* Hostname www.google.com was found in DNS cache
*   Trying 2a00:1450:4001:805::1013...
* Connected to www.google.com (2a00:1450:4001:805::1013) port 443 (#1)
* found 174 certificates in /etc/ssl/certs/ca-certificates.crt
* ALPN, offering h2
* ALPN, offering http/1.1
  0     0    0     0    0     0      0      0 --:--:--  0:00:01 --:--:--     0* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* 	 server certificate verification OK
* 	 server certificate status verification SKIPPED
* 	 common name: www.google.com (matched)
* 	 server certificate expiration date OK
* 	 server certificate activation date OK
* 	 certificate public key: RSA
* 	 certificate version: #3
* 	 subject: C=US,ST=California,L=Mountain View,O=Google Inc,CN=www.google.com
* 	 start date: Wed, 02 Mar 2016 11:08:25 GMT
* 	 expire date: Tue, 31 May 2016 00:00:00 GMT
* 	 issuer: C=US,O=Google Inc,CN=Google Internet Authority G2
* 	 compression: NULL
* ALPN, server accepted to use h2
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* TCP_NODELAY set
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x8b2ca58)
> GET / HTTP/1.1
> Host: www.google.com
> User-Agent: curl/7.47.2-DEV
> Accept: */*
> Cookie: NID=77=eLRcQff-tv-XdEugTW2Gh9r0y49l-O_iWUBGqtOYYGOSILbzji4dsikgr4tjU62OmbCbpNrmNtdF07Scmmc8lbkYo9hQYY-rZTMTQagWmeboKfqEhSzDYrBZIG6IuY1A
> 
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2.0 200
< date:Tue, 15 Mar 2016 22:16:30 GMT
< expires:-1
< cache-control:private, max-age=0
< content-type:text/html; charset=ISO-8859-1
< p3p:CP="This is not a P3P policy! See https://www.google.com/support/accounts/answer/151657?hl=en for more info."
< server:gws
< x-xss-protection:1; mode=block
< x-frame-options:SAMEORIGIN
* Replaced cookie NID="77=fHsBvo5s4xB0c1erVngykj7rF3z4gssxWWqxDKS7-euakJIcDYHJR22ovZBQp3JEoUstldpUNTOUJQjZebHM2HjbgyR-bWEAYrTTRU7AyRDdjYkYNbW-fE-uBV26PszDnqfhAfan1KJpuIfaSY39xmc" for domain google.com, path /, expire 1473891390
< set-cookie:NID=77=fHsBvo5s4xB0c1erVngykj7rF3z4gssxWWqxDKS7-euakJIcDYHJR22ovZBQp3JEoUstldpUNTOUJQjZebHM2HjbgyR-bWEAYrTTRU7AyRDdjYkYNbW-fE-uBV26PszDnqfhAfan1KJpuIfaSY39xmc; expires=Wed, 14-Sep-2016 22:16:30 GMT; path=/; domain=.google.com; HttpOnly
< alternate-protocol:443:quic,p=1
< alt-svc:quic=":443"; ma=2592000; v="31,30,29,28,27,26,25"
< accept-ranges:none
< vary:Accept-Encoding
< 
{ [1170 bytes data]
100 19216    0 19216    0     0  14017      0 --:--:--  0:00:01 --:--:-- 56187
* Connection #1 to host www.google.com left intact
* Connection 1 seems to be dead!
* Closing connection 1
* Hostname www.google.com was found in DNS cache
*   Trying 2a00:1450:4001:805::1013...
* Connected to www.google.com (2a00:1450:4001:805::1013) port 443 (#2)
* found 174 certificates in /etc/ssl/certs/ca-certificates.crt
* ALPN, offering h2
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* 	 server certificate verification OK
* 	 server certificate status verification SKIPPED
* 	 common name: www.google.com (matched)
* 	 server certificate expiration date OK
* 	 server certificate activation date OK
* 	 certificate public key: RSA
* 	 certificate version: #3
* 	 subject: C=US,ST=California,L=Mountain View,O=Google Inc,CN=www.google.com
* 	 start date: Wed, 02 Mar 2016 11:08:25 GMT
* 	 expire date: Tue, 31 May 2016 00:00:00 GMT
* 	 issuer: C=US,O=Google Inc,CN=Google Internet Authority G2
* 	 compression: NULL
* ALPN, server accepted to use h2
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* TCP_NODELAY set
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x8b2ca58)
> GET /ncr HTTP/1.1
> Host: www.google.com
> User-Agent: curl/7.47.2-DEV
> Accept: */*
> Cookie: NID=77=fHsBvo5s4xB0c1erVngykj7rF3z4gssxWWqxDKS7-euakJIcDYHJR22ovZBQp3JEoUstldpUNTOUJQjZebHM2HjbgyR-bWEAYrTTRU7AyRDdjYkYNbW-fE-uBV26PszDnqfhAfan1KJpuIfaSY39xmc
> 
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2.0 302
< location:https://www.google.com/
< cache-control:private
< content-type:text/html; charset=UTF-8
< date:Tue, 15 Mar 2016 22:16:31 GMT
< server:gws
< content-length:220
< x-xss-protection:1; mode=block
< x-frame-options:SAMEORIGIN
< alternate-protocol:443:quic,p=1
< alt-svc:quic=":443"; ma=2592000; v="31,30,29,28,27,26,25"
< 
* Ignoring the response-body
{ [220 bytes data]
100   220  100   220    0     0    477      0 --:--:-- --:--:-- --:--:--   477
* Connection #2 to host www.google.com left intact
* Issue another request to this URL: 'https://www.google.com/'
* Found bundle for host www.google.com: 0x8ef9538 [can multiplex]
* Connection 2 seems to be dead!
* Closing connection 2
* Hostname www.google.com was found in DNS cache
*   Trying 2a00:1450:4001:805::1013...
* Connected to www.google.com (2a00:1450:4001:805::1013) port 443 (#3)
* found 174 certificates in /etc/ssl/certs/ca-certificates.crt
* ALPN, offering h2
* ALPN, offering http/1.1
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* 	 server certificate verification OK
* 	 server certificate status verification SKIPPED
* 	 common name: www.google.com (matched)
* 	 server certificate expiration date OK
* 	 server certificate activation date OK
* 	 certificate public key: RSA
* 	 certificate version: #3
* 	 subject: C=US,ST=California,L=Mountain View,O=Google Inc,CN=www.google.com
* 	 start date: Wed, 02 Mar 2016 11:08:25 GMT
* 	 expire date: Tue, 31 May 2016 00:00:00 GMT
* 	 issuer: C=US,O=Google Inc,CN=Google Internet Authority G2
* 	 compression: NULL
* ALPN, server accepted to use h2
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* TCP_NODELAY set
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x8b2ca58)
> GET / HTTP/1.1
> Host: www.google.com
> User-Agent: curl/7.47.2-DEV
> Accept: */*
> Cookie: NID=77=fHsBvo5s4xB0c1erVngykj7rF3z4gssxWWqxDKS7-euakJIcDYHJR22ovZBQp3JEoUstldpUNTOUJQjZebHM2HjbgyR-bWEAYrTTRU7AyRDdjYkYNbW-fE-uBV26PszDnqfhAfan1KJpuIfaSY39xmc
> 
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2.0 200
< date:Tue, 15 Mar 2016 22:16:31 GMT
< expires:-1
< cache-control:private, max-age=0
< content-type:text/html; charset=ISO-8859-1
< server:gws
< x-xss-protection:1; mode=block
< x-frame-options:SAMEORIGIN
< alternate-protocol:443:quic,p=1
< alt-svc:quic=":443"; ma=2592000; v="31,30,29,28,27,26,25"
< accept-ranges:none
< vary:Accept-Encoding
< 
{ [1170 bytes data]
100 19216    0 19216    0     0  19489      0 --:--:-- --:--:-- --:--:-- 57361
* Connection #3 to host www.google.com left intact

-------------- next part --------------
*   Trying 2a00:1450:4001:805::1013...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to www.google.com (2a00:1450:4001:805::1013) port 443 (#0)
* found 174 certificates in /etc/ssl/certs/ca-certificates.crt
* ALPN, offering h2
* ALPN, offering http/1.1
  0     0    0     0    0     0      0      0 --:--:--  0:00:01 --:--:--     0* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* 	 server certificate verification OK
* 	 server certificate status verification SKIPPED
* 	 common name: www.google.com (matched)
* 	 server certificate expiration date OK
* 	 server certificate activation date OK
* 	 certificate public key: RSA
* 	 certificate version: #3
* 	 subject: C=US,ST=California,L=Mountain View,O=Google Inc,CN=www.google.com
* 	 start date: Wed, 02 Mar 2016 11:08:25 GMT
* 	 expire date: Tue, 31 May 2016 00:00:00 GMT
* 	 issuer: C=US,O=Google Inc,CN=Google Internet Authority G2
* 	 compression: NULL
* ALPN, server accepted to use h2
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* TCP_NODELAY set
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x8be3aa0)
> GET /ncr HTTP/1.1
> Host: www.google.com
> User-Agent: curl/7.47.2-DEV
> Accept: */*
> 
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2.0 302
< location:https://www.google.com/
< cache-control:private
< content-type:text/html; charset=UTF-8
< p3p:CP="This is not a P3P policy! See https://www.google.com/support/accounts/answer/151657?hl=en for more info."
< date:Tue, 15 Mar 2016 22:19:10 GMT
< server:gws
< content-length:220
< x-xss-protection:1; mode=block
< x-frame-options:SAMEORIGIN
* Added cookie NID="77=Hurb2mzgSJuNgd8Ml2DjETqqaShKSTQ7zz-tvpTzZMUYZoL7lIxUWXcLUnKpgsr2wBQEseGVRV05UB0m6BNEMfGwipLfwILNgYu5LWSl5m2Ul6IiGsqqySlqTy9b3ddC" for domain google.com, path /, expire 1473891550
< set-cookie:NID=77=Hurb2mzgSJuNgd8Ml2DjETqqaShKSTQ7zz-tvpTzZMUYZoL7lIxUWXcLUnKpgsr2wBQEseGVRV05UB0m6BNEMfGwipLfwILNgYu5LWSl5m2Ul6IiGsqqySlqTy9b3ddC; expires=Wed, 14-Sep-2016 22:19:10 GMT; path=/; domain=.google.com; HttpOnly
< alternate-protocol:443:quic,p=1
< alt-svc:quic=":443"; ma=2592000; v="31,30,29,28,27,26,25"
< 
* Ignoring the response-body
{ [220 bytes data]
100   220  100   220    0     0    108      0  0:00:02  0:00:02 --:--:--   124
* Connection #0 to host www.google.com left intact
* Issue another request to this URL: 'https://www.google.com/'
* Connection 0 seems to be dead!
* Closing connection 0
* Hostname www.google.com was found in DNS cache
*   Trying 2a00:1450:4001:805::1013...
* Connected to www.google.com (2a00:1450:4001:805::1013) port 443 (#1)
* found 174 certificates in /etc/ssl/certs/ca-certificates.crt
* ALPN, offering h2
* ALPN, offering http/1.1
* SSL re-using session ID
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* 	 server certificate verification OK
* 	 server certificate status verification SKIPPED
* 	 common name: www.google.com (matched)
* 	 server certificate expiration date OK
* 	 server certificate activation date OK
* 	 certificate public key: RSA
* 	 certificate version: #3
* 	 subject: C=US,ST=California,L=Mountain View,O=Google Inc,CN=www.google.com
* 	 start date: Wed, 02 Mar 2016 11:08:25 GMT
* 	 expire date: Tue, 31 May 2016 00:00:00 GMT
* 	 issuer: C=US,O=Google Inc,CN=Google Internet Authority G2
* 	 compression: NULL
* ALPN, server accepted to use h2
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* TCP_NODELAY set
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x8be3aa0)
> GET / HTTP/1.1
> Host: www.google.com
> User-Agent: curl/7.47.2-DEV
> Accept: */*
> Cookie: NID=77=Hurb2mzgSJuNgd8Ml2DjETqqaShKSTQ7zz-tvpTzZMUYZoL7lIxUWXcLUnKpgsr2wBQEseGVRV05UB0m6BNEMfGwipLfwILNgYu5LWSl5m2Ul6IiGsqqySlqTy9b3ddC
> 
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2.0 200
< date:Tue, 15 Mar 2016 22:19:11 GMT
< expires:-1
< cache-control:private, max-age=0
< content-type:text/html; charset=ISO-8859-1
< p3p:CP="This is not a P3P policy! See https://www.google.com/support/accounts/answer/151657?hl=en for more info."
< server:gws
< x-xss-protection:1; mode=block
< x-frame-options:SAMEORIGIN
* Replaced cookie NID="77=PASAKCaQbbS1mn79D3iovTJqQgQ-URT1bMC7IaOtWtbQ06--Wcwu4TvTQh62-Z090HcoP-NWPKdRkIZIIt9_atSlIy5mY3AcH_Tkem71TzHzcMDR-ZdDXgGnVZZvrHE39XnpPh7P73gfmjCx41xSTq4" for domain google.com, path /, expire 1473891551
< set-cookie:NID=77=PASAKCaQbbS1mn79D3iovTJqQgQ-URT1bMC7IaOtWtbQ06--Wcwu4TvTQh62-Z090HcoP-NWPKdRkIZIIt9_atSlIy5mY3AcH_Tkem71TzHzcMDR-ZdDXgGnVZZvrHE39XnpPh7P73gfmjCx41xSTq4; expires=Wed, 14-Sep-2016 22:19:11 GMT; path=/; domain=.google.com; HttpOnly
< alternate-protocol:443:quic,p=1
< alt-svc:quic=":443"; ma=2592000; v="31,30,29,28,27,26,25"
< accept-ranges:none
< vary:Accept-Encoding
< 
{ [1170 bytes data]
100 19206    0 19206    0     0   8124      0 --:--:--  0:00:02 --:--:--  8124
* Connection #1 to host www.google.com left intact
* Found bundle for host www.google.com: 0x8bce750 [can multiplex]
* Connection 1 seems to be dead!
* Closing connection 1
* Hostname www.google.com was found in DNS cache
*   Trying 2a00:1450:4001:805::1013...
* Connected to www.google.com (2a00:1450:4001:805::1013) port 443 (#2)
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* found 174 certificates in /etc/ssl/certs/ca-certificates.crt
* ALPN, offering h2
* ALPN, offering http/1.1
* SSL re-using session ID
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* 	 server certificate verification OK
* 	 server certificate status verification SKIPPED
* 	 common name: www.google.com (matched)
* 	 server certificate expiration date OK
* 	 server certificate activation date OK
* 	 certificate public key: RSA
* 	 certificate version: #3
* 	 subject: C=US,ST=California,L=Mountain View,O=Google Inc,CN=www.google.com
* 	 start date: Wed, 02 Mar 2016 11:08:25 GMT
* 	 expire date: Tue, 31 May 2016 00:00:00 GMT
* 	 issuer: C=US,O=Google Inc,CN=Google Internet Authority G2
* 	 compression: NULL
* ALPN, server accepted to use h2
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* TCP_NODELAY set
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x8be3aa0)
> GET /ncr HTTP/1.1
> Host: www.google.com
> User-Agent: curl/7.47.2-DEV
> Accept: */*
> Cookie: NID=77=PASAKCaQbbS1mn79D3iovTJqQgQ-URT1bMC7IaOtWtbQ06--Wcwu4TvTQh62-Z090HcoP-NWPKdRkIZIIt9_atSlIy5mY3AcH_Tkem71TzHzcMDR-ZdDXgGnVZZvrHE39XnpPh7P73gfmjCx41xSTq4
> 
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2.0 302
< location:https://www.google.com/
< cache-control:private
< content-type:text/html; charset=UTF-8
< date:Tue, 15 Mar 2016 22:19:11 GMT
< server:gws
< content-length:220
< x-xss-protection:1; mode=block
< x-frame-options:SAMEORIGIN
< alternate-protocol:443:quic,p=1
< alt-svc:quic=":443"; ma=2592000; v="31,30,29,28,27,26,25"
< 
* Ignoring the response-body
{ [220 bytes data]
100   220  100   220    0     0    457      0 --:--:-- --:--:-- --:--:--   536
* Connection #2 to host www.google.com left intact
* Issue another request to this URL: 'https://www.google.com/'
* Found bundle for host www.google.com: 0x8fb61f0 [can multiplex]
* Connection 2 seems to be dead!
* Closing connection 2
* Hostname www.google.com was found in DNS cache
*   Trying 2a00:1450:4001:805::1013...
* Connected to www.google.com (2a00:1450:4001:805::1013) port 443 (#3)
* found 174 certificates in /etc/ssl/certs/ca-certificates.crt
* ALPN, offering h2
* ALPN, offering http/1.1
* SSL re-using session ID
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* 	 server certificate verification OK
* 	 server certificate status verification SKIPPED
* 	 common name: www.google.com (matched)
* 	 server certificate expiration date OK
* 	 server certificate activation date OK
* 	 certificate public key: RSA
* 	 certificate version: #3
* 	 subject: C=US,ST=California,L=Mountain View,O=Google Inc,CN=www.google.com
* 	 start date: Wed, 02 Mar 2016 11:08:25 GMT
* 	 expire date: Tue, 31 May 2016 00:00:00 GMT
* 	 issuer: C=US,O=Google Inc,CN=Google Internet Authority G2
* 	 compression: NULL
* ALPN, server accepted to use h2
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* TCP_NODELAY set
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x8be3aa0)
> GET / HTTP/1.1
> Host: www.google.com
> User-Agent: curl/7.47.2-DEV
> Accept: */*
> Cookie: NID=77=PASAKCaQbbS1mn79D3iovTJqQgQ-URT1bMC7IaOtWtbQ06--Wcwu4TvTQh62-Z090HcoP-NWPKdRkIZIIt9_atSlIy5mY3AcH_Tkem71TzHzcMDR-ZdDXgGnVZZvrHE39XnpPh7P73gfmjCx41xSTq4
> 
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2.0 200
< date:Tue, 15 Mar 2016 22:19:12 GMT
< expires:-1
< cache-control:private, max-age=0
< content-type:text/html; charset=ISO-8859-1
< server:gws
< x-xss-protection:1; mode=block
< x-frame-options:SAMEORIGIN
< alternate-protocol:443:quic,p=1
< alt-svc:quic=":443"; ma=2592000; v="31,30,29,28,27,26,25"
< accept-ranges:none
< vary:Accept-Encoding
< 
{ [1170 bytes data]
100 19206    0 19206    0     0  22984      0 --:--:-- --:--:-- --:--:-- 22984
* Connection #3 to host www.google.com left intact
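
The behaviour reported in the message above, as an added example that is not part of the original post and is not GnuTLS source: a small model of a client processing ServerHello extensions, with ALPN either skipped on a resumed handshake (the reported behaviour) or parsed on every handshake (what RFC 7301 requires). All function and struct names are hypothetical and the byte strings are constructed samples.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EXT_ALPN 16   /* application_layer_protocol_negotiation (RFC 7301) */

struct conn {         /* per-connection state, never stored with the session */
    char   alpn[256];
    size_t alpn_len;  /* 0 means no protocol was agreed */
};

/* Parse extension_data of a ServerHello ALPN extension: a uint16 list
 * length followed by exactly one (uint8 length, name) entry.
 * Returns 0 on success, -1 if the data is malformed. */
static int parse_server_alpn(const uint8_t *d, size_t len, struct conn *c)
{
    if (len < 3)
        return -1;
    size_t list_len = ((size_t)d[0] << 8) | d[1];
    if (list_len != len - 2)
        return -1;
    size_t name_len = d[2];
    if (name_len == 0 || name_len != list_len - 1)  /* one name only */
        return -1;
    memcpy(c->alpn, d + 3, name_len);
    c->alpn[name_len] = '\0';
    c->alpn_len = name_len;
    return 0;
}

/* Walk a ServerHello extensions block (type/length/data records).
 * resumed:        the handshake resumed a cached session
 * alpn_on_resume: 0 models the reported behaviour (ALPN ignored when
 *                 resumed), 1 parses ALPN on every handshake */
static int process_server_hello(struct conn *c, const uint8_t *ext, size_t len,
                                int resumed, int alpn_on_resume)
{
    size_t pos = 0;
    c->alpn_len = 0;          /* a new connection starts with no ALPN state */
    c->alpn[0] = '\0';
    while (pos < len) {
        if (len - pos < 4)
            return -1;
        unsigned type = ((unsigned)ext[pos] << 8) | ext[pos + 1];
        size_t elen = ((size_t)ext[pos + 2] << 8) | ext[pos + 3];
        pos += 4;
        if (elen > len - pos)
            return -1;
        if (type == EXT_ALPN && (!resumed || alpn_on_resume)) {
            if (parse_server_alpn(ext + pos, elen, c) != 0)
                return -1;
        }
        pos += elen;
    }
    return 0;
}

/* Returns the protocol the client believes was selected, or NULL. */
static const char *selected(const uint8_t *ext, size_t len,
                            int resumed, int alpn_on_resume)
{
    static struct conn c;
    if (process_server_hello(&c, ext, len, resumed, alpn_on_resume) != 0 ||
        c.alpn_len == 0)
        return NULL;
    return c.alpn;
}

/* Constructed sample: renegotiation_info, then ALPN selecting "h2". */
static const uint8_t SH_H2[] = {
    0xff, 0x01, 0x00, 0x01, 0x00,
    0x00, 0x10, 0x00, 0x05, 0x00, 0x03, 0x02, 'h', '2'
};
/* Constructed sample: ALPN selecting "http/1.1". */
static const uint8_t SH_HTTP11[] = {
    0x00, 0x10, 0x00, 0x0b, 0x00, 0x09, 0x08,
    'h', 't', 't', 'p', '/', '1', '.', '1'
};

int main(void)
{
    const char *p;
    p = selected(SH_H2, sizeof SH_H2, 0, 0);
    printf("full handshake:          %s\n", p ? p : "(none)");
    p = selected(SH_H2, sizeof SH_H2, 1, 0);
    printf("resumed, ALPN skipped:   %s\n", p ? p : "(none)");
    p = selected(SH_H2, sizeof SH_H2, 1, 1);
    printf("resumed, ALPN parsed:    %s\n", p ? p : "(none)");
    p = selected(SH_HTTP11, sizeof SH_HTTP11, 1, 1);
    printf("resumed, server changed: %s\n", p ? p : "(none)");
    return 0;
}
```

The last case shows why restoring ALPN from cached session data would also be wrong: on a resumed handshake the server may select a different protocol, and only the value in the new ServerHello counts.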


