[gnutls-devel] GnuTLS | Cannot connect to github.com, download.mono-project.com (#990)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Tue May 26 14:56:29 CEST 2020




Maarten Boekhold commented on a discussion: https://gitlab.com/gnutls/gnutls/-/issues/990#note_349129974

@rockdaboot Can I ask one question? How is `gnutls-cli-debug` able to complete successfully, while `gnutls-cli` is not?

If I run `gnutls-cli-debug -d 4 github.com`, I can see:

```
|<4>| HSK[0x558b10fd4620]: CLIENT HELLO was queued [254 bytes]
|<3>| ASSERT: ../../lib/buffers.c[get_last_packet]:1168
|<4>| HSK[0x558b10fd4620]: SERVER HELLO (2) was received. Length 93[93], frag offset 0, frag length: 93, sequence: 0
|<3>| ASSERT: ../../lib/buffers.c[get_last_packet]:1159
|<3>| ASSERT: ../../lib/buffers.c[_gnutls_handshake_io_recv_int]:1411
```

If, on the other hand, I run `gnutls-cli -d 4 github.com`, I never get past the `CLIENT HELLO was queued`:

```
<4>| HSK[0x55da6730e920]: CLIENT HELLO was queued [351 bytes]
|<3>| ASSERT: ../../lib/buffers.c[get_last_packet]:1168
|<3>| ASSERT: ../../lib/buffers.c[_gnutls_stream_read]:337
|<3>| ASSERT: ../../lib/buffers.c[_gnutls_io_read_buffered]:589
|<3>| ASSERT: ../../lib/record.c[recv_headers]:1183
|<3>| ASSERT: ../../lib/record.c[_gnutls_recv_in_buffers]:1309
|<3>| ASSERT: ../../lib/buffers.c[_gnutls_handshake_io_recv_int]:1446
|<3>| ASSERT: ../../lib/handshake.c[_gnutls_recv_handshake]:1531
|<3>| ASSERT: ../../lib/handshake.c[handshake_client]:2918
*** Fatal error: The operation timed out
```

Note however that the CLIENT HELLO packets are clearly different. With `gnutls-cli-debug -d 4 github.com 2>&1 | grep 'CLIENT HELLO'`, I can see that it's never using the same CLIENT HELLO packet as `gnutls-cli github.com`.

I've discovered as well that the following 2 invocations work!

- `gnutls-cli --priority=PERFORMANCE github.com`
- `gnutls-cli --priority=SECURE128 github.com`

Using `SECURE256` results in:

```
$ gnutls-cli --priority=SECURE256 github.com
Processed 128 CA certificate(s).
Resolving 'github.com:443'...
Connecting to '140.82.118.3:443'...
*** Fatal error: A TLS fatal alert has been received.
*** Received alert [40]: Handshake failed
```

Also discovered is that `gnutls-cli --priority=NORMAL:-VERS-TLS1.3 github.com` is working. So this looks to be something related to TLSv1.3...

I'll continue digging, suggestions to narrow down the priorities to exclude would be much appreciated however.
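
A small parser for the `-d 4` traces quoted in the message, as an added example that is not part of the original post or of GnuTLS: it reduces each run to the ClientHello size, the handshake messages received, the last ASSERT site and the fatal error, so the two runs can be compared. The log lines are copied from the message; the function and field names are hypothetical.

```python
import re

# Log excerpts copied verbatim from the message above (both runs used -d 4).
DEBUG_RUN = """\
|<4>| HSK[0x558b10fd4620]: CLIENT HELLO was queued [254 bytes]
|<3>| ASSERT: ../../lib/buffers.c[get_last_packet]:1168
|<4>| HSK[0x558b10fd4620]: SERVER HELLO (2) was received. Length 93[93], frag offset 0, frag length: 93, sequence: 0
|<3>| ASSERT: ../../lib/buffers.c[get_last_packet]:1159
|<3>| ASSERT: ../../lib/buffers.c[_gnutls_handshake_io_recv_int]:1411
"""
CLI_RUN = """\
<4>| HSK[0x55da6730e920]: CLIENT HELLO was queued [351 bytes]
|<3>| ASSERT: ../../lib/buffers.c[get_last_packet]:1168
|<3>| ASSERT: ../../lib/buffers.c[_gnutls_stream_read]:337
|<3>| ASSERT: ../../lib/buffers.c[_gnutls_io_read_buffered]:589
|<3>| ASSERT: ../../lib/record.c[recv_headers]:1183
|<3>| ASSERT: ../../lib/record.c[_gnutls_recv_in_buffers]:1309
|<3>| ASSERT: ../../lib/buffers.c[_gnutls_handshake_io_recv_int]:1446
|<3>| ASSERT: ../../lib/handshake.c[_gnutls_recv_handshake]:1531
|<3>| ASSERT: ../../lib/handshake.c[handshake_client]:2918
*** Fatal error: The operation timed out
"""
QUEUED = re.compile(r"HSK\[0x[0-9a-f]+\]: (.+?) was queued \[(\d+) bytes\]")
RECEIVED = re.compile(r"HSK\[0x[0-9a-f]+\]: (.+?) \(\d+\) was received")
ASSERT = re.compile(r"ASSERT: (\S+?)\[(\w+)\]:(\d+)")
FATAL = re.compile(r"\*\*\* Fatal error: (.+)")

def summarize(log):
    """Reduce one -d 4 trace to the fields worth comparing between runs."""
    s = {"sent": {}, "received": [], "last_assert": None, "fatal": None}
    for line in log.splitlines():
        if m := QUEUED.search(line):
            s["sent"][m.group(1)] = int(m.group(2))      # message name -> size in bytes
        elif m := RECEIVED.search(line):
            s["received"].append(m.group(1))             # messages the peer answered with
        elif m := ASSERT.search(line):
            s["last_assert"] = f"{m.group(2)} ({m.group(1)}:{m.group(3)})"
        elif m := FATAL.search(line):
            s["fatal"] = m.group(1)
    return s

def compare(ok_run, bad_run):
    """Show ClientHello size difference and whether each run saw a ServerHello."""
    hello = lambda s: s["sent"].get("CLIENT HELLO", 0)
    return {
        "client_hello_delta": hello(bad_run) - hello(ok_run),
        "ok_got_server_hello": "SERVER HELLO" in ok_run["received"],
        "bad_got_server_hello": "SERVER HELLO" in bad_run["received"],
    }
```
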
