[gnutls-devel] GnuTLS | gnutls-cli starttls connection to XMPP fails with 'error receiving <proceed' (#1507)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Wed Oct 11 19:43:56 CEST 2023



Paul Menzel created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1507



## Description of problem:

On Debian sid/unstable with *gnutls-bin* 3.8.1-4+b1, gnutls-cli fails to connect to an ejabberd server:

    $ gnutls-cli --starttls-proto=xmpp xmpp.molgen.mpg.de:5222
    Processed 140 CA certificate(s).
    Resolving 'xmpp.molgen.mpg.de:5222'...
    Connecting to '141.14.18.22:5222'...
    error receiving '<proceed': Timeout

    $ gnutls-cli --starttls-proto=xmpp xmpp.molgen.mpg.de:5222 --verbose
    Processed 140 CA certificate(s).
    Resolving 'xmpp.molgen.mpg.de:5222'...
    Connecting to '141.14.18.22:5222'...
    Negotiating XMPP STARTTLS
    starttls: sending: <stream:stream xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:client' to='xmpp.molgen.mpg.de' version='1.0'>

    starttls: waiting for: "<?"
    starttls: received: <?xml version='1.0'?><stream:stream id='13166148693175300500' version='1.0' xml:lang='en' xmlns:stream='http://etherx.jabber.org/streams' from='xmpp.molgen.mpg.de' xmlns='jabber:client'><stream:error><host-unknown xmlns='urn:ietf:params:xml:ns:xmpp-streams'/></stream:error>
    starttls: sending: <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
    starttls: waiting for: "<proceed"
    starttls: received: </stream:stream>
    error receiving '<proceed': Timeout

ejabberd log:

```
2023-10-11 17:30:58.616252+00:00 [info] (<0.3464.0>) Accepted connection [::ffff:172.17.0.1]:56920 -> [::ffff:172.17.0.4]:5222
2023-10-11 17:30:58.619661+00:00 [notice] (tcp|<0.3464.0>) Received XML on stream = <<"<stream:stream xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:client' to='xmpp.molgen.mpg.de' version='1.0'>\n">>
2023-10-11 17:30:58.619974+00:00 [notice] (tcp|<0.3464.0>) Send XML on stream = <<"<?xml version='1.0'?><stream:stream id='6677975890715839606' version='1.0' xml:lang='en' xmlns:stream='http://etherx.jabber.org/streams' from='xmpp.molgen.mpg.de' xmlns='jabber:client'>">>
2023-10-11 17:30:58.620301+00:00 [debug] Running hook c2s_filter_send: mod_client_state:filter_chat_states/1
2023-10-11 17:30:58.620526+00:00 [debug] Running hook c2s_filter_send: mod_client_state:filter_pep/1
2023-10-11 17:30:58.620714+00:00 [debug] Running hook c2s_filter_send: mod_client_state:filter_presence/1
2023-10-11 17:30:58.620852+00:00 [debug] Running hook c2s_filter_send: mod_client_state:filter_other/1
2023-10-11 17:30:58.621029+00:00 [notice] (tcp|<0.3464.0>) Send XML on stream = <<"<stream:error><host-unknown xmlns='urn:ietf:params:xml:ns:xmpp-streams'/></stream:error>">>
2023-10-11 17:30:58.621205+00:00 [debug] Running hook c2s_handle_send: mod_push:c2s_stanza/3
2023-10-11 17:30:58.621413+00:00 [debug] Running hook c2s_handle_send: mod_push_keepalive:c2s_stanza/3
2023-10-11 17:30:58.621738+00:00 [debug] Running hook c2s_handle_send: mod_stream_mgmt:c2s_handle_send/3
2023-10-11 17:30:58.621935+00:00 [debug] Running hook c2s_closed: mod_stream_mgmt:c2s_closed/2
2023-10-11 17:30:58.622124+00:00 [debug] Running hook c2s_closed: ejabberd_c2s:process_closed/2
2023-10-11 17:30:58.622288+00:00 [debug] Running hook c2s_terminated: mod_stream_mgmt:c2s_terminated/2
2023-10-11 17:30:58.622450+00:00 [debug] Running hook c2s_terminated: mod_pubsub:on_user_offline/2
2023-10-11 17:30:58.622603+00:00 [debug] Running hook c2s_terminated: ejabberd_c2s:process_terminated/2
2023-10-11 17:30:58.622766+00:00 [notice] (tcp|<0.3464.0>) Send XML on stream = <<"</stream:stream>">>
```

*openssl* 3.0.11-1 works:

```
$ openssl s_client -connect xmpp.molgen.mpg.de:5222 </dev/null -starttls xmpp -xmpphost molgen.mpg.de
CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Organization Validation Secure Server CA
verify return:1
depth=0 C = DE, ST = Bayern, O = Max-Planck-Gesellschaft zur F\C3\B6rderung der Wissenschaften e.V., CN = xmpp.molgen.mpg.de
verify return:1
---
Certificate chain
 0 s:C = DE, ST = Bayern, O = Max-Planck-Gesellschaft zur F\C3\B6rderung der Wissenschaften e.V., CN = xmpp.molgen.mpg.de
   i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Organization Validation Secure Server CA
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 24 00:00:00 2023 GMT; NotAfter: May 23 23:59:59 2024 GMT
 1 s:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Organization Validation Secure Server CA
   i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA384
   v:NotBefore: Nov  2 00:00:00 2018 GMT; NotAfter: Dec 31 23:59:59 2030 GMT
 2 s:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
   i:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA384
   v:NotBefore: Mar 12 00:00:00 2019 GMT; NotAfter: Dec 31 23:59:59 2028 GMT
---
Server certificate
subject=C = DE, ST = Bayern, O = Max-Planck-Gesellschaft zur F\C3\B6rderung der Wissenschaften e.V., CN = xmpp.molgen.mpg.de
issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Organization Validation Secure Server CA
---
No client certificate CA names sent
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5911 bytes and written 603 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE
```
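Added example (not GnuTLS or ejabberd code): a minimal driver for the pre-TLS XMPP exchange shown in the traces above that recognises a `<stream:error>` (here `host-unknown`) or stream close and fails immediately, rather than waiting for a `<proceed` that never arrives. The function names, the `send`/`recv` callables and the sample replies are assumptions constructed from the report; the `to` attribute is the XMPP domain openssl sets with `-xmpphost`, kept separate from the TCP/SNI host.

```python
import re

# Constructed from the replies captured in the report: the server's stream
# header carrying a stream error, which gnutls-cli got instead of <proceed.
SAMPLE_ERROR = (
    b"<?xml version='1.0'?><stream:stream version='1.0' "
    b"xmlns:stream='http://etherx.jabber.org/streams' "
    b"from='xmpp.molgen.mpg.de' xmlns='jabber:client'><stream:error>"
    b"<host-unknown xmlns='urn:ietf:params:xml:ns:xmpp-streams'/></stream:error>"
)
SAMPLE_PROCEED = b"<proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"

# RFC 6120 stream error: the first child element names the condition.
STREAM_ERROR = re.compile(rb"<stream:error>\s*<([\w-]+)")

def stream_header(xmpp_domain: str) -> bytes:
    """Opening stream tag; 'to' is the XMPP service domain (openssl's -xmpphost),
    which can differ from the host used for the TCP connection and TLS SNI."""
    return (b"<stream:stream xmlns:stream='http://etherx.jabber.org/streams' "
            b"xmlns='jabber:client' to='" + xmpp_domain.encode() +
            b"' version='1.0'>")

def classify_reply(data: bytes) -> tuple:
    """-> (state, condition) with state in proceed|failure|stream-error|closed|pending."""
    m = STREAM_ERROR.search(data)
    if m:
        return "stream-error", m.group(1).decode()
    for tag, state in ((b"<proceed", "proceed"), (b"<failure", "failure"),
                       (b"</stream:stream>", "closed")):
        if tag in data:
            return state, None
    return "pending", None

def negotiate_starttls(xmpp_domain: str, send, recv) -> bytes:
    """Pre-TLS exchange over send(bytes)/recv()->bytes callables. Returns the
    reply on <proceed>; raises on error/failure/close instead of timing out."""
    send(stream_header(xmpp_domain))
    buf, sent_starttls = b"", False
    while True:
        chunk = recv()
        if not chunk:
            raise ConnectionError("connection closed before <proceed>")
        buf += chunk
        state, cond = classify_reply(buf)
        if state == "proceed":
            return buf
        if state != "pending":
            raise ConnectionError(f"STARTTLS refused: {state} {cond or ''}".rstrip())
        if not sent_starttls and b"<stream:stream" in buf:
            send(b"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>")
            sent_starttls = True
```

Wrapping a real socket's `sendall` and `recv` in the two callables turns this into a live check; the TLS handshake itself would follow on the same socket after `<proceed`.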

## Version of gnutls used:

3.8.1-4+b1

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

Debian

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1507

