<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>


<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">

<p class="details" style="font-style: italic; color: #777;">
<a href="https://gitlab.com/asofoinlove">ASoasofoFoInLoveasorr illov</a> created an issue:
</p>
<p dir="auto">Hi, I have one issue.</p>
<p dir="auto">It is related to ALPN in GnuTLS. I have a restricted firewall which allows only HTTPS connections, no other SSL connections. It checks whether ALPN is present in the CLIENT HELLO (h2, http/1.1).</p>
<p dir="auto">I checked on Android using the normal Java HttpsURLConnection (which may be using OpenSSL) and it is able to connect to the HTTPS website. I found that when I use HttpsURLConnection it adds ALPN to the client hello.</p>
<p dir="auto">But using GnuTLS, a sample C program cannot connect to that website. It says SSL negotiation failed, so I added ALPN using</p>
<p dir="auto"><code>gnutls_alpn_set_protocols()</code></p>
<p dir="auto">Now I can see the ALPN added by GnuTLS in the CLIENT HELLO: h2, http/1.1. But it is still not connecting.</p>
<p dir="auto">I compared the traffic generated by GnuTLS and by Java HttpsURLConnection and found both are almost the same; the only difference is that GnuTLS adds ALPN in the first portion of the request, whereas in the case of HttpsURLConnection ALPN is in the last portion of the CLIENT HELLO request.</p>
<p dir="auto">Can you please shed some light on this?</p>
<pre class="code highlight js-syntax-highlight plaintext" lang="plaintext" v-pre="true"><code><span id="LC1" class="line" lang="plaintext">gnutls_init(&hostinfo->https_sess, GNUTLS_CLIENT);</span>
<span id="LC2" class="line" lang="plaintext"></span>
<span id="LC3" class="line" lang="plaintext">/* SET ALPN: advertise h2 first, then http/1.1 (RFC 7301 ProtocolNameList) */</span>
<span id="LC4" class="line" lang="plaintext">gnutls_datum_t t[2];</span>
<span id="LC5" class="line" lang="plaintext">t[0].data = (void *) "h2";</span>
<span id="LC6" class="line" lang="plaintext">t[0].size = 2;</span>
<span id="LC7" class="line" lang="plaintext">t[1].data = (void *) "http/1.1";</span>
<span id="LC8" class="line" lang="plaintext">t[1].size = 8;</span>
<span id="LC9" class="line" lang="plaintext">gnutls_alpn_set_protocols(hostinfo->https_sess, t, 2, 0);</span>
<span id="LC10" class="line" lang="plaintext">/* Send the target hostname in the SNI extension */</span>
<span id="LC11" class="line" lang="plaintext">if (gtls_ver(3,2,9) /* && string_is_hostname(hostinfo->hostname) */)</span>
<span id="LC12" class="line" lang="plaintext">    gnutls_server_name_set(hostinfo->https_sess, GNUTLS_NAME_DNS,</span>
<span id="LC13" class="line" lang="plaintext">                           hostinfo->hostname,</span>
<span id="LC14" class="line" lang="plaintext">                           strlen(hostinfo->hostname));</span>
<span id="LC15" class="line" lang="plaintext"></span>
<span id="LC16" class="line" lang="plaintext"></span>
<span id="LC17" class="line" lang="plaintext">/* Attach per-host state so callbacks can find it */</span>
<span id="LC18" class="line" lang="plaintext">gnutls_session_set_ptr(hostinfo->https_sess, (void *) hostinfo);</span>
<span id="LC19" class="line" lang="plaintext"></span>
<span id="LC20" class="line" lang="plaintext"></span>
<span id="LC21" class="line" lang="plaintext">/* Pick a priority string according to the GnuTLS version in use */</span>
<span id="LC22" class="line" lang="plaintext">#ifdef DEFAULT_PRIO</span>
<span id="LC23" class="line" lang="plaintext">    default_prio = DEFAULT_PRIO ":%COMPAT";</span>
<span id="LC24" class="line" lang="plaintext">#else</span>
<span id="LC25" class="line" lang="plaintext">    if (gtls_ver(3,2,9)) {</span>
<span id="LC26" class="line" lang="plaintext">        default_prio = "NORMAL:-VERS-SSL3.0:%COMPAT";</span>
<span id="LC27" class="line" lang="plaintext">    } else if (gtls_ver(3,0,0)) {</span>
<span id="LC28" class="line" lang="plaintext">        default_prio = "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:" \</span>
<span id="LC29" class="line" lang="plaintext">            "%COMPAT:%DISABLE_SAFE_RENEGOTIATION:%LATEST_RECORD_VERSION" \</span>
<span id="LC30" class="line" lang="plaintext">            ":-CURVE-ALL:-ECDHE-RSA:-ECDHE-ECDSA";</span>
<span id="LC31" class="line" lang="plaintext">    } else {</span>
<span id="LC32" class="line" lang="plaintext">        default_prio = "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:" \</span>
<span id="LC33" class="line" lang="plaintext">            "%COMPAT:%DISABLE_SAFE_RENEGOTIATION:%LATEST_RECORD_VERSION";</span>
<span id="LC34" class="line" lang="plaintext">    }</span>
<span id="LC35" class="line" lang="plaintext">#endif</span>
<span id="LC36" class="line" lang="plaintext"></span>
<span id="LC37" class="line" lang="plaintext">snprintf(hostinfo->gnutls_prio, sizeof(hostinfo->gnutls_prio), "%s%s",</span>
<span id="LC38" class="line" lang="plaintext">         default_prio, hostinfo->pfs ? ":-RSA" : "");</span>
<span id="LC39" class="line" lang="plaintext"></span>
<span id="LC40" class="line" lang="plaintext">err = gnutls_priority_set_direct(hostinfo->https_sess,</span>
<span id="LC41" class="line" lang="plaintext">                                 hostinfo->gnutls_prio, NULL);</span>
<span id="LC42" class="line" lang="plaintext">if (err) {</span>
<span id="LC43" class="line" lang="plaintext">    host_progress(hostinfo, PRG_ERR,</span>
<span id="LC44" class="line" lang="plaintext">                  _("Failed to set TLS priority string (\"%s\"): %s\n"),</span>
<span id="LC45" class="line" lang="plaintext">                  hostinfo->gnutls_prio, gnutls_strerror(err));</span>
<span id="LC46" class="line" lang="plaintext">    gnutls_deinit(hostinfo->https_sess);</span>
<span id="LC47" class="line" lang="plaintext">    hostinfo->https_sess = NULL;</span>
<span id="LC48" class="line" lang="plaintext">    closesocket(ssl_sock);</span>
<span id="LC49" class="line" lang="plaintext">    return -EIO;</span>
<span id="LC50" class="line" lang="plaintext">}</span>
<span id="LC51" class="line" lang="plaintext"></span>
<span id="LC52" class="line" lang="plaintext">gnutls_record_disable_padding(hostinfo->https_sess);</span>
<span id="LC53" class="line" lang="plaintext">gnutls_credentials_set(hostinfo->https_sess, GNUTLS_CRD_CERTIFICATE, hostinfo->https_cred);</span>
<span id="LC54" class="line" lang="plaintext">gnutls_transport_set_ptr(hostinfo->https_sess, (gnutls_transport_ptr_t)(intptr_t) ssl_sock);</span>
<span id="LC55" class="line" lang="plaintext"></span>
<span id="LC56" class="line" lang="plaintext">host_progress(hostinfo, PRG_INFO, _("SSL negotiation with %s\n"),</span>
<span id="LC57" class="line" lang="plaintext">              hostinfo->hostname);</span>
<span id="LC58" class="line" lang="plaintext"></span>
<span id="LC59" class="line" lang="plaintext">#ifdef GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT</span>
<span id="LC60" class="line" lang="plaintext">    gnutls_handshake_set_timeout(hostinfo->https_sess,</span>
<span id="LC61" class="line" lang="plaintext">                                 GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);</span>
<span id="LC62" class="line" lang="plaintext">#endif</span>
<span id="LC63" class="line" lang="plaintext">/* Run the TLS handshake */</span>
<span id="LC64" class="line" lang="plaintext">err = cstp_handshake(hostinfo, 1);</span>
<span id="LC65" class="line" lang="plaintext">if (err)</span>
<span id="LC66" class="line" lang="plaintext">    return err;</span>
<span id="LC67" class="line" lang="plaintext"></span>
<span id="LC68" class="line" lang="plaintext">gnutls_free(hostinfo->cstp_cipher);</span>
<span id="LC69" class="line" lang="plaintext">hostinfo->cstp_cipher = get_gnutls_cipher(hostinfo->https_sess);</span>
<span id="LC70" class="line" lang="plaintext"></span>
<span id="LC71" class="line" lang="plaintext">hostinfo->ssl_fd = ssl_sock;</span>
<span id="LC72" class="line" lang="plaintext"></span>
<span id="LC73" class="line" lang="plaintext">hostinfo->ssl_read = openconnect_gnutls_read;</span>
<span id="LC74" class="line" lang="plaintext">hostinfo->ssl_write = openconnect_gnutls_write;</span>
<span id="LC75" class="line" lang="plaintext">hostinfo->ssl_gets = openconnect_gnutls_gets;</span></code></pre>
<p dir="auto">Thank you</p>
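<p dir="auto">As an added diagnostic example (not code from the reporter or from GnuTLS): a small Python parser that reads a raw TLS ClientHello record, lists its extensions in wire order and decodes the ALPN protocol list, so two captured hellos can be compared precisely instead of by eye. The ClientHello bytes below are constructed inline to mirror the two layouts in the report (ALPN first versus ALPN last); the hostname example.com and the single cipher suite are placeholders.</p>

```python
import struct

ALPN_EXT, SNI_EXT = 16, 0   # extension type codes from the IANA TLS registry

def build_client_hello(extensions):
    """Constructed sample: a minimal TLS 1.2 ClientHello record whose
    extensions (list of (type, body)) are emitted in the given order."""
    body = b"\x03\x03" + bytes(32)              # client_version + all-zero random
    body += b"\x00"                             # empty session id
    body += b"\x00\x02\xc0\x2f"                 # one cipher suite (placeholder)
    body += b"\x01\x00"                         # null compression only
    exts = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack(">H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body        # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs  # record type 22

def alpn_ext(protocols):
    names = b"".join(bytes([len(p)]) + p.encode() for p in protocols)
    return ALPN_EXT, struct.pack(">H", len(names)) + names

def sni_ext(host):
    h = host.encode()
    entry = b"\x00" + struct.pack(">H", len(h)) + h   # name_type 0 = host_name
    return SNI_EXT, struct.pack(">H", len(entry)) + entry

def parse_client_hello(rec):
    """Return (extension types in wire order, ALPN protocol list or None)."""
    if rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    hs = rec[5:5 + struct.unpack(">H", rec[3:5])[0]]
    p = 4 + 2 + 32                                  # handshake header, version, random
    p += 1 + hs[p]                                  # session id
    p += 2 + struct.unpack(">H", hs[p:p + 2])[0]    # cipher suites
    p += 1 + hs[p]                                  # compression methods
    end = p + 2 + struct.unpack(">H", hs[p:p + 2])[0]
    p += 2
    order, alpn = [], None
    while p < end:
        t, n = struct.unpack(">HH", hs[p:p + 4])
        data, p = hs[p + 4:p + 4 + n], p + 4 + n
        order.append(t)
        if t == ALPN_EXT:                           # ProtocolNameList: 2-byte length,
            names, q, alpn = data[2:], 0, []        # then 1-byte-length-prefixed names
            while q < len(names):
                alpn.append(names[q + 1:q + 1 + names[q]].decode())
                q += 1 + names[q]
    return order, alpn

# Constructed samples mirroring the report: ALPN first (GnuTLS) vs. ALPN last (Java)
GNUTLS_STYLE = build_client_hello([alpn_ext(["h2", "http/1.1"]), sni_ext("example.com")])
JAVA_STYLE = build_client_hello([sni_ext("example.com"), alpn_ext(["h2", "http/1.1"])])
```

<p dir="auto">Against a real capture, pass the bytes of the first TLS record the client sends; both constructed layouts decode to the same ALPN list, which is the property worth confirming before attributing a failed handshake to ALPN itself.</p>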

</div>
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #777;">

<br>
Reply to this email directly or <a href="https://gitlab.com/gnutls/gnutls/-/issues/951">view it on GitLab</a>.


</p>
</div>
</body>
</html>