<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
<title>
GitLab
</title>


<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">
<p dir="auto">Since Fedora Rawhide and Fedora testing updated GnuTLS to 3.6.3, our Cockpit unit tests for TLS connections <a href="https://github.com/cockpit-project/cockpit/issues/9723" rel="nofollow noreferrer noopener" target="_blank">fail</a> during handshake:</p>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">$ ./test-httpstream</span>
<span id="LC2" class="line" lang="plaintext">./test-httpstream terminated with SIGABRT</span>
<span id="LC3" class="line" lang="plaintext">FAIL: test-httpstream 7 /http-stream/tls/basic</span>
<span id="LC4" class="line" lang="plaintext"></span>
<span id="LC5" class="line" lang="plaintext">FAIL: test-httpstream 12 /http-stream/tls/authority-good</span>
<span id="LC6" class="line" lang="plaintext">cockpit-bridge-Message: 14:08:31.926: https://localhost:42005/test: couldn't read: Error performing TLS handshake: The operation was cancelled due to user error</span>
<span id="LC7" class="line" lang="plaintext">**</span>
<span id="LC8" class="line" lang="plaintext">cockpit-bridge:ERROR:src/bridge/test-httpstream.c:815:test_tls_authority_bad: Got unexpected message: https://localhost:42005/test: couldn't read: Error performing TLS handshake: The operation was cancelled due to user error instead of cockpit-bridge-Message: *Unacceptable TLS certificate:*untrusted-issuer*</span>
<span id="LC9" class="line" lang="plaintext"></span>
<span id="LC10" class="line" lang="plaintext">FAIL: test-httpstream 13 /http-stream/tls/authority-bad</span>
<span id="LC11" class="line" lang="plaintext">ERROR: test-httpstream process failed: 250</span></code></pre>
<p dir="auto">This can be reproduced without Cockpit, with just a simple <a href="https://piware.de/tmp/glib-networking-tls-9723.c" rel="nofollow noreferrer noopener" target="_blank">standalone reproducer</a> using glib-networking:</p>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">curl -O https://raw.githubusercontent.com/cockpit-project/cockpit/master/src/bridge/mock-server.crt</span>
<span id="LC2" class="line" lang="plaintext">curl -O https://raw.githubusercontent.com/cockpit-project/cockpit/master/src/bridge/mock-server.key</span>
<span id="LC3" class="line" lang="plaintext">curl -O https://piware.de/tmp/glib-networking-tls-9723.c</span>
<span id="LC4" class="line" lang="plaintext">gnutls-serv --x509keyfile ./mock-server.key --x509certfile ./mock-server.crt --port 9999</span>
<span id="LC5" class="line" lang="plaintext"># in another terminal:</span>
<span id="LC6" class="line" lang="plaintext">gcc -g -O0 `pkg-config --cflags --libs gio-2.0` glib-networking-tls-9723.c</span>
<span id="LC7" class="line" lang="plaintext">./a.out</span></code></pre>
<p dir="auto">This works with GnuTLS 3.6.2, as currently in Fedora 28:</p>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">** Message: 09:19:51.913: successfully connected</span>
<span id="LC2" class="line" lang="plaintext">HTTP/1.0 200 OK</span>
<span id="LC3" class="line" lang="plaintext">Content-type: text/html</span>
<span id="LC4" class="line" lang="plaintext"></span>
<span id="LC5" class="line" lang="plaintext"></span>
<span id="LC6" class="line" lang="plaintext"><HTML>[...]</span></code></pre>
<p dir="auto">But it fails with GnuTLS 3.6.3 (on the client side -- didn't test the server side). I extracted libgnutls.so.30 from a rawhide mock chroot and put it into /tmp/. Then <code>LD_LIBRARY_PATH=/tmp ./a.out</code> reproduces the bug:</p>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">** Message: 09:21:00.794: successfully connected</span>
<span id="LC2" class="line" lang="plaintext">**</span>
<span id="LC3" class="line" lang="plaintext">ERROR:glib-networking-tls-9723.c:36:main: assertion failed (error == NULL): Error performing TLS handshake: The operation was cancelled due to user error (g-tls-error-quark, 1)</span>
<span id="LC4" class="line" lang="plaintext">Aborted (core dumped)</span></code></pre>
<p dir="auto">The server says:</p>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">* Accepted connection from IPv4 127.0.0.1 port 59050 on Wed Jul 25 09:21:21 2018</span>
<span id="LC2" class="line" lang="plaintext">Error in handshake: Error in the pull function.</span></code></pre>
<p dir="auto">Notes:</p>
<ul dir="auto">
<li>
<p>This works against an OpenSSL server:</p>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">openssl s_server -cert ./mock-server.crt -key ./mock-server.key -port </span></code></pre>
<p>(You need to type something on the server side to see it on the client -- but if you are there, you are past the connection.)</p>
</li>
<li>
<p>This doesn't depend on the actual certificates. I tried a different one, and it fails in the same way. The above ones are the ones from Cockpit's tests, and are convenient to use.</p>
</li>
</ul>
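<p dir="auto">The reproduction above compares one client (glib-networking) against two servers by hand. The script below is an added example, not part of the original issue and not code from Cockpit, glib-networking or GnuTLS; it runs the same experiment as a small client/server matrix, so a handshake regression can be pinned to one side (client library vs. server) and, through the GnuTLS priority string or the OpenSSL version flag, to one protocol version. It assumes <code>gnutls-serv</code>, <code>gnutls-cli</code> and <code>openssl</code> are on <code>PATH</code>, that <code>mock-server.crt</code>/<code>mock-server.key</code> (downloaded as in the issue) are in the current directory, and that the compiled reproducer <code>./a.out</code>, if present, connects to <code>localhost:9999</code> like the issue's <code>gnutls-serv</code> command.</p>

```shell
#!/bin/sh
# Added example (not from the original issue, Cockpit, glib-networking or
# GnuTLS): run the issue's reproduction as a client/server matrix.
# Assumptions: gnutls-serv, gnutls-cli and openssl are on PATH; the mock
# certificate/key from the issue are in the current directory; ./a.out (the
# compiled glib-networking reproducer), if present, connects to localhost:$PORT.

CERT=${CERT:-./mock-server.crt}
KEY=${KEY:-./mock-server.key}
PORT=${PORT:-9999}

# Map a captured client or server transcript to a verdict.  Failure patterns
# are matched first because one transcript can contain both kinds of line
# (the reproducer in the issue prints "successfully connected" and then the
# handshake error).
classify() {
    case "$1" in
        *"Error performing TLS handshake"*|*"Handshake has failed"*|*"Error in handshake"*|*"handshake failure"*|*"Fatal error"*)
            echo handshake-error ;;
        *"connect:errno"*|*"Connection refused"*)
            echo connect-error ;;
        *"successfully connected"*|*"Handshake was completed"*|*"New, TLSv1."*)
            echo ok ;;
        *)
            echo unknown ;;
    esac
}

# Start a background server of flavour $1 (gnutls|openssl), logging to $2.
# The PID is left in SERVER_PID so the caller can kill and wait for it.
start_server() {
    case "$1" in
        gnutls)
            gnutls-serv --x509keyfile "$KEY" --x509certfile "$CERT" --port "$PORT" >"$2" 2>&1 &
            ;;
        openssl)
            openssl s_server -cert "$CERT" -key "$KEY" -port "$PORT" -quiet >"$2" 2>&1 &
            ;;
    esac
    SERVER_PID=$!
}

# Run one client of flavour $1 against localhost:$PORT and print its transcript.
# $2 is a GnuTLS priority string, an OpenSSL s_client flag, or unused (glib).
run_client() {
    case "$1" in
        gnutls)  gnutls-cli --insecure --port "$PORT" --priority "$2" localhost </dev/null 2>&1 ;;
        openssl) openssl s_client -connect "localhost:$PORT" $2 </dev/null 2>&1 ;;
        glib)    ./a.out 2>&1 ;;
    esac
    return 0
}

# One cell of the matrix: $1 server flavour, $2 client flavour, $3 client arg.
probe() {
    log=$(mktemp)
    start_server "$1" "$log"
    sleep 1                                   # give the server time to listen
    out=$(run_client "$2" "$3")
    kill "$SERVER_PID" 2>/dev/null
    wait "$SERVER_PID" 2>/dev/null
    printf '%-8s server, %-8s client %-28s => client: %s, server: %s\n' \
        "$1" "$2" "$3" "$(classify "$out")" "$(classify "$(cat "$log")")"
    rm -f "$log"
}

main() {
    for tool in gnutls-serv gnutls-cli openssl; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing tool: $tool" >&2; return 2; }
    done
    [ -r "$CERT" ] && [ -r "$KEY" ] || { echo "missing $CERT / $KEY" >&2; return 2; }

    probe gnutls  gnutls  NORMAL                            # GnuTLS both sides, defaults
    probe gnutls  gnutls  "NORMAL:-VERS-ALL:+VERS-TLS1.2"   # same, pinned to TLS 1.2
    probe gnutls  openssl ""                                # OpenSSL client, defaults
    probe gnutls  openssl -tls1_2                           # OpenSSL client, TLS 1.2 only
    probe openssl gnutls  NORMAL                            # OpenSSL server (the issue's working case)
    if [ -x ./a.out ]; then                                 # glib-networking reproducer, if built
        probe gnutls  glib ""
        probe openssl glib ""
    fi
}

main "$@"
```

<p dir="auto">Reading the matrix: a cell that fails only with the GnuTLS client and only against <code>gnutls-serv</code> points at the client library; if the TLS 1.2-pinned row succeeds while the default row fails, the regression is specific to the newer protocol version negotiated by default, which narrows the bisection considerably before touching glib-networking's transport callbacks.</p>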

</div>
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #777;">
<a href="https://gitlab.com/gnutls/gnutls/issues/530">View this issue on GitLab</a>.
</p>
</div>
</body>
</html>