[gnutls-devel] GnuTLS | ALPN issue (#951)
Development of GNU's TLS library
gnutls-devel at lists.gnutls.org
Sat Mar 7 11:21:18 CET 2020
ASoasofoFoInLoveasorr illov created an issue: https://gitlab.com/gnutls/gnutls/-/issues/951
Hi, I have one issue.
It is related to ALPN in GNUTLS. I have a restricted firewall which allows only HTTPS connections, no other SSL connections. It checks whether ALPN is present in the CLIENT HELLO (h2.http1.1).
I checked on Android using a normal Java HttpsURLConnection (which may be using OpenSSL) and it is able to connect to the HTTPS website. I found that when I use HttpsURLConnection it adds ALPN in the client hello.
But using GNUTLS a sample C program cannot connect to that website. It says SSL negotiation failed, so I added ALPN using
`gnutls_alpn_set_protocols()`
Now I can see the ALPN added by GNUTLS in the CLIENT HELLO: h2.http1.1. But it still does not connect.
I compared the traffic generated by GNUTLS and Java HttpsURLConnection and found both are almost the same; the only difference is that in GNUTLS the ALPN is added in the first portion of the request, but in the case of HttpsURLConnection the ALPN is in the last portion of the CLIENT HELLO request.
Can you please give me some light on this.
```c
/* Excerpt as posted: hostinfo, gtls_ver(), cstp_handshake(), host_progress(),
 * get_gnutls_cipher(), closesocket() and the openconnect_gnutls_* callbacks are
 * defined elsewhere in the caller's program. */
gnutls_init(&hostinfo->https_sess, GNUTLS_CLIENT);

/* SET ALPN: offer h2 first, then http/1.1 */
gnutls_datum_t t[2];
t[0].data = (void *) "h2";
t[0].size = 2;
t[1].data = (void *) "http/1.1";
t[1].size = 8;
gnutls_alpn_set_protocols(hostinfo->https_sess, t, 2, 0);

if (gtls_ver(3,2,9)/* && string_is_hostname(hostinfo->hostname)*/)
	gnutls_server_name_set(hostinfo->https_sess, GNUTLS_NAME_DNS,
			       hostinfo->hostname,
			       strlen(hostinfo->hostname));
gnutls_session_set_ptr(hostinfo->https_sess, (void *) hostinfo);

/* Pick a priority string according to the GnuTLS version in use */
#ifdef DEFAULT_PRIO
default_prio = DEFAULT_PRIO ":%COMPAT";
#else
if (gtls_ver(3,2,9)) {
	default_prio = "NORMAL:-VERS-SSL3.0:%COMPAT";
} else if (gtls_ver(3,0,0)) {
	default_prio = "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:" \
		"%COMPAT:%DISABLE_SAFE_RENEGOTIATION:%LATEST_RECORD_VERSION" \
		":-CURVE-ALL:-ECDHE-RSA:-ECDHE-ECDSA";
} else {
	default_prio = "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:" \
		"%COMPAT:%DISABLE_SAFE_RENEGOTIATION:%LATEST_RECORD_VERSION";
}
#endif
snprintf(hostinfo->gnutls_prio, sizeof(hostinfo->gnutls_prio), "%s%s",
	 default_prio, hostinfo->pfs ? ":-RSA" : "");
err = gnutls_priority_set_direct(hostinfo->https_sess,
				 hostinfo->gnutls_prio, NULL);
if (err) {
	host_progress(hostinfo, PRG_ERR,
		      _("Failed to set TLS priority string (\"%s\"): %s\n"),
		      hostinfo->gnutls_prio, gnutls_strerror(err));
	gnutls_deinit(hostinfo->https_sess);
	hostinfo->https_sess = NULL;
	closesocket(ssl_sock);
	return -EIO;
}

gnutls_record_disable_padding(hostinfo->https_sess);
gnutls_credentials_set(hostinfo->https_sess, GNUTLS_CRD_CERTIFICATE,
		       hostinfo->https_cred);
gnutls_transport_set_ptr(hostinfo->https_sess,
			 (gnutls_transport_ptr_t)(intptr_t) ssl_sock);
host_progress(hostinfo, PRG_INFO, _("SSL negotiation with %s\n"),
	      hostinfo->hostname);
#ifdef GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT
gnutls_handshake_set_timeout(hostinfo->https_sess,
			     GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
#endif

/* Run the handshake; the ALPN offer above goes out in the ClientHello */
err = cstp_handshake(hostinfo, 1);
if (err)
	return err;

gnutls_free(hostinfo->cstp_cipher);
hostinfo->cstp_cipher = get_gnutls_cipher(hostinfo->https_sess);
hostinfo->ssl_fd = ssl_sock;
hostinfo->ssl_read = openconnect_gnutls_read;
hostinfo->ssl_write = openconnect_gnutls_write;
hostinfo->ssl_gets = openconnect_gnutls_gets;
```
Thank you
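An added example, not from the issue, GnuTLS or OpenConnect, of what an inspection point that gates on ALPN has to do: walk the ClientHello extensions block and find the ALPN extension wherever it sits, because RFC 8446 lets a client send extensions in any order (only pre_shared_key must be last), so "ALPN first" and "ALPN last" are the same offer on the wire. The ClientHello bytes, the example.com SNI and all function names are constructed for this demo.

```python
import struct

ALPN_EXT_TYPE = 16  # application_layer_protocol_negotiation (RFC 7301)
SNI_EXT_TYPE = 0    # server_name

def ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body

def alpn_ext(protocols):
    # ProtocolNameList: u16 total length, then (u8 length, name) per protocol
    names = b"".join(bytes([len(p)]) + p.encode() for p in protocols)
    return ext(ALPN_EXT_TYPE, struct.pack("!H", len(names)) + names)

def sni_ext(hostname):
    host = hostname.encode()
    entry = b"\x00" + struct.pack("!H", len(host)) + host  # name_type host_name
    return ext(SNI_EXT_TYPE, struct.pack("!H", len(entry)) + entry)

def client_hello(extensions):
    # Minimal ClientHello: version, zero random, empty session id, one suite, null compression
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(extensions)) + extensions)
    return b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type + length

def extract_alpn(hello):
    """Return the offered ALPN names in order, or None if no ALPN extension."""
    if hello[0] != 1:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                                        # header, version, random
    pos += 1 + hello[pos]                                   # session id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher suites
    pos += 1 + hello[pos]                                   # compression methods
    if pos >= len(hello):
        return None                                         # no extensions block
    end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", hello[pos:pos + 4])
        data, pos = hello[pos + 4:pos + 4 + length], pos + 4 + length
        if ext_type == ALPN_EXT_TYPE:
            names, i = [], 2                                # skip list length
            while i < len(data):
                names.append(data[i + 1:i + 1 + data[i]].decode())
                i += 1 + data[i]
            return names
    return None

# Constructed ClientHellos: ALPN first (as GnuTLS sent it) and ALPN last (as the Java stack did)
ALPN_FIRST = client_hello(alpn_ext(["h2", "http/1.1"]) + sni_ext("example.com"))
ALPN_LAST = client_hello(sni_ext("example.com") + alpn_ext(["h2", "http/1.1"]))
```

Both constructed hellos yield the same protocol list, so a middlebox that rejects one of them is keying on something other than the ALPN content itself.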