[gnutls-devel] GnuTLS | Cannot connect to github.com, download.mono-project.com (#990)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Tue May 26 14:56:29 CEST 2020

Maarten Boekhold commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/990#note_349129974

@rockdaboot Can I ask one question? How is `gnutls-cli-debug` able to complete successfully, while `gnutls-cli` is not?

If I run `gnutls-cli-debug -d 4 github.com`, I can see:

|<4>| HSK[0x558b10fd4620]: CLIENT HELLO was queued [254 bytes]
|<3>| ASSERT: ../../lib/buffers.c[get_last_packet]:1168
|<4>| HSK[0x558b10fd4620]: SERVER HELLO (2) was received. Length 93[93], frag offset 0, frag length: 93, sequence: 0
|<3>| ASSERT: ../../lib/buffers.c[get_last_packet]:1159
|<3>| ASSERT: ../../lib/buffers.c[_gnutls_handshake_io_recv_int]:1411

If, on the other hand, I run `gnutls-cli -d 4 github.com`, I never get past the `CLIENT HELLO was queued`:

<4>| HSK[0x55da6730e920]: CLIENT HELLO was queued [351 bytes]
|<3>| ASSERT: ../../lib/buffers.c[get_last_packet]:1168
|<3>| ASSERT: ../../lib/buffers.c[_gnutls_stream_read]:337
|<3>| ASSERT: ../../lib/buffers.c[_gnutls_io_read_buffered]:589
|<3>| ASSERT: ../../lib/record.c[recv_headers]:1183
|<3>| ASSERT: ../../lib/record.c[_gnutls_recv_in_buffers]:1309
|<3>| ASSERT: ../../lib/buffers.c[_gnutls_handshake_io_recv_int]:1446
|<3>| ASSERT: ../../lib/handshake.c[_gnutls_recv_handshake]:1531
|<3>| ASSERT: ../../lib/handshake.c[handshake_client]:2918
*** Fatal error: The operation timed out

Note however that the CLIENT HELLO packets are clearly different. With `gnutls-cli-debug -d 4 github.com 2>&1 | grep 'CLIENT HELLO'`, I can see that it's never using the same CLIENT HELLO packet as `gnutls-cli github.com`.

I've discovered as well that the following 2 invocations work!

- `gnutls-cli --priority=PERFORMANCE github.com`
- `gnutls-cli --priority=SECURE128 github.com`

Using `SECURE256` results in:

$ gnutls-cli --priority=SECURE256 github.com
Processed 128 CA certificate(s).
Resolving 'github.com:443'...
Connecting to ''...
*** Fatal error: A TLS fatal alert has been received.
*** Received alert [40]: Handshake failed

I also discovered that `gnutls-cli --priority=NORMAL:-VERS-TLS1.3 github.com` is working. So this looks to be something related to TLSv1.3...

I'll continue digging; suggestions to narrow down the priorities to exclude would be much appreciated, however.

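Added example, not part of the original message or of GnuTLS: a small Python parser for the debug-log line shapes quoted above, contrasting the run that completes with the run that times out. The function names `summarize` and `compare` are hypothetical; the two log excerpts are copied from the message.

```python
import re

# Patterns for the three line shapes that appear in the quoted -d 4 output.
HSK_RE = re.compile(r"HSK\[0x[0-9a-f]+\]: ([A-Z ]+?) (?:\(\d+\) )?was (queued|received)(?: \[(\d+) bytes\])?")
ASSERT_RE = re.compile(r"ASSERT: \S+?\[(\w+)\]:(\d+)")
FATAL_RE = re.compile(r"\*\*\* Fatal error: (.+)")

def summarize(log):
    """Reduce one debug log to handshake messages, assert functions and the fatal error."""
    s = {"queued": {}, "received": {}, "asserts": [], "fatal": None}
    for line in log.splitlines():
        if m := HSK_RE.search(line):
            name, direction, size = m.groups()
            s[direction][name] = int(size) if size else None  # size is only logged when queued
        elif m := ASSERT_RE.search(line):
            s["asserts"].append(m.group(1))  # function that raised the assertion
        elif m := FATAL_RE.search(line):
            s["fatal"] = m.group(1).strip()
    return s

def compare(ok_log, bad_log):
    """Contrast a completing run with a failing one."""
    ok, bad = summarize(ok_log), summarize(bad_log)
    only_bad = [f for f in bad["asserts"] if f not in ok["asserts"]]
    return {"client_hello_delta": bad["queued"]["CLIENT HELLO"] - ok["queued"]["CLIENT HELLO"],
            "server_hello_seen": "SERVER HELLO" in bad["received"],
            "first_assert_only_in_failure": only_bad[0] if only_bad else None,
            "fatal": bad["fatal"]}

# Excerpts copied from the message above (gnutls-cli-debug, then gnutls-cli).
DEBUG_OK = """\
|<4>| HSK[0x558b10fd4620]: CLIENT HELLO was queued [254 bytes]
|<3>| ASSERT: ../../lib/buffers.c[get_last_packet]:1168
|<4>| HSK[0x558b10fd4620]: SERVER HELLO (2) was received. Length 93[93], frag offset 0, frag length: 93, sequence: 0
|<3>| ASSERT: ../../lib/buffers.c[get_last_packet]:1159
|<3>| ASSERT: ../../lib/buffers.c[_gnutls_handshake_io_recv_int]:1411"""
DEBUG_FAIL = """\
<4>| HSK[0x55da6730e920]: CLIENT HELLO was queued [351 bytes]
|<3>| ASSERT: ../../lib/buffers.c[get_last_packet]:1168
|<3>| ASSERT: ../../lib/buffers.c[_gnutls_stream_read]:337
|<3>| ASSERT: ../../lib/buffers.c[_gnutls_io_read_buffered]:589
|<3>| ASSERT: ../../lib/record.c[recv_headers]:1183
|<3>| ASSERT: ../../lib/record.c[_gnutls_recv_in_buffers]:1309
|<3>| ASSERT: ../../lib/buffers.c[_gnutls_handshake_io_recv_int]:1446
|<3>| ASSERT: ../../lib/handshake.c[_gnutls_recv_handshake]:1531
|<3>| ASSERT: ../../lib/handshake.c[handshake_client]:2918
*** Fatal error: The operation timed out"""
print(compare(DEBUG_OK, DEBUG_FAIL))
```

The same `compare` call can be fed the `-d 4` output of any two priority strings, such as `NORMAL` and `NORMAL:-VERS-TLS1.3`, to see whether the Client Hello size or the first differing assertion changes between them.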