[gnutls-devel] GnuTLS | GnuTLS 3.6.3 connection failure: Error performing TLS handshake: The operation was cancelled due to user error (#530)
gitlab at mg.gitlab.com
Wed Jul 25 09:26:44 CEST 2018
New Issue was created.
Issue 530: https://gitlab.com/gnutls/gnutls/issues/530
Author: Martin Pitt
Since Fedora Rawhide and Fedora testing updated GnuTLS to 3.6.3, our Cockpit unit tests for TLS connections [fail](https://github.com/cockpit-project/cockpit/issues/9723) during handshake:
```
./test-httpstream terminated with SIGABRT
FAIL: test-httpstream 7 /http-stream/tls/basic
FAIL: test-httpstream 12 /http-stream/tls/authority-good
cockpit-bridge-Message: 14:08:31.926: https://localhost:42005/test: couldn't read: Error performing TLS handshake: The operation was cancelled due to user error
cockpit-bridge:ERROR:src/bridge/test-httpstream.c:815:test_tls_authority_bad: Got unexpected message: https://localhost:42005/test: couldn't read: Error performing TLS handshake: The operation was cancelled due to user error instead of cockpit-bridge-Message: *Unacceptable TLS certificate:*untrusted-issuer*
FAIL: test-httpstream 13 /http-stream/tls/authority-bad
ERROR: test-httpstream process failed: 250
```
This can be reproduced without Cockpit, just a simple [standalone reproducer](https://piware.de/tmp/glib-networking-tls-9723.c) using glib-networking:
```sh
curl -O https://raw.githubusercontent.com/cockpit-project/cockpit/master/src/bridge/mock-server.crt
curl -O https://raw.githubusercontent.com/cockpit-project/cockpit/master/src/bridge/mock-server.key
curl -O https://piware.de/tmp/glib-networking-tls-9723.c
gnutls-serv --x509keyfile ./mock-server.key --x509certfile ./mock-server.crt --port 9999
# in another terminal:
gcc -g -O0 `pkg-config --cflags --libs gio-2.0` glib-networking-tls-9723.c
```
This works with GnuTLS 3.6.2, as currently in Fedora 28:
```
** Message: 09:19:51.913: successfully connected
HTTP/1.0 200 OK
```
But it fails with GnuTLS 3.6.3 (on the client side -- didn't test the server side). I extracted libgnutls.so.30 from a rawhide mock chroot and put it into /tmp/. Then `LD_LIBRARY_PATH=/tmp ./a.out` reproduces the bug:
```
** Message: 09:21:00.794: successfully connected
ERROR:glib-networking-tls-9723.c:36:main: assertion failed (error == NULL): Error performing TLS handshake: The operation was cancelled due to user error (g-tls-error-quark, 1)
Aborted (core dumped)
```
The server says:
```
* Accepted connection from IPv4 127.0.0.1 port 59050 on Wed Jul 25 09:21:21 2018
Error in handshake: Error in the pull function.
```
* This works against an OpenSSL server:
  ```sh
  openssl s_server -cert ./mock-server.crt -key ./mock-server.key -port
  ```
(You need to type something onto the server side to see it on the client - but if you are there, you are past the connection)
* This doesn't depend on the actual certificates. I tried a different one, and it fails in the same way. The above ones are the ones from Cockpit's tests, and are convenient to use.