ssl connection issues

Michael Blumenkrantz mike at zentific.com
Tue Sep 28 11:04:30 CEST 2010


Hi,

I figured I would mail again since I now have more specifics of the issue I am
experiencing as well as an easy way to replicate it.

I have a client which uses gnutls to connect to a specified url/port.  It
functions fine except for certain sites which I am having issues with.  An easy
public example site/port would be verisign.com:443 : I receive the following
output while trying to connect to it:


---CLIP---
|<4>| REC[0x8e92098]: Expected Packet[1] Handshake(22) with length: 1
|<4>| REC[0x8e92098]: Received Packet[1] Handshake(22) with length: 4600
|<4>| REC[0x8e92098]: Decrypted Packet[1] Handshake(22) with length: 4600
|<3>| HSK[0x8e92098]: CERTIFICATE was received [4600 bytes]
|<4>| REC[0x8e92098]: Expected Packet[2] Handshake(22) with length: 1
|<4>| REC[0x8e92098]: Received Packet[2] Handshake(22) with length: 525
|<4>| REC[0x8e92098]: Decrypted Packet[2] Handshake(22) with length: 525
|<3>| HSK[0x8e92098]: SERVER KEY EXCHANGE was received [525 bytes]
|<4>| REC[0x8e92098]: Expected Packet[3] Handshake(22) with length: 1
|<4>| REC[0x8e92098]: Received Packet[3] Handshake(22) with length: 4
|<4>| REC[0x8e92098]: Decrypted Packet[3] Handshake(22) with length: 4
|<3>| HSK[0x8e92098]: SERVER HELLO DONE was received [4 bytes]
|<2>| ASSERT: gnutls_handshake.c:1332
|<3>| HSK[0x8e92098]: CLIENT KEY EXCHANGE was sent [134 bytes]
|<4>| REC[0x8e92098]: Sending Packet[1] Handshake(22) with length: 134
|<4>| REC[0x8e92098]: Sent Packet[2] Handshake(22) with length: 139
|<3>| REC[0x8e92098]: Sent ChangeCipherSpec
|<4>| REC[0x8e92098]: Sending Packet[2] Change Cipher Spec(20) with length: 1
|<4>| REC[0x8e92098]: Sent Packet[3] Change Cipher Spec(20) with length: 6
|<9>| INT: PREMASTER SECRET[128]:
ae66b9c2a926ed210333c81e128c70e9ac55523a3517a1710f60d9effcbc0bcd9892d056aee4250d2f75f0ac2f60b6954273e946fb317b36ef18079adcb0bc659d1be4b03cb460b10f764063f21e08ea061d297671d535082ac8f0001dbcf4ec38a6d27ac0952f694c85bd28e8dad07b3c8ac021018b0f2398ecf2a40e4c2c36
|<9>| INT: CLIENT RANDOM[32]:
4ca1ac45f1093f98c34ff5035ac6ab753d3c74e2e5d2d87747746c341c78ee58 |<9>| INT:
SERVER RANDOM[32]:
4ca1ac45546353c3983be7f19ee54ec13ba236289c1ac1bbf7453fb5af057ba8 |<9>| INT:
MASTER SECRET:
7033de0acd1303623adce0cfb76dd2ee34644df1aa03cf30923c6e2bc18d9407cb0bdc3d248d38a3f1f931a062e42096
|<9>| INT: KEY BLOCK[104]:
ae4bed619d78ae2f7f376553c2325dca9a9c90024df7947884e63e6454b6843c |<9>| INT:
CLIENT WRITE KEY [16]: 0b988001817dc84d08e950686542c730 |<9>| INT: SERVER WRITE
KEY [16]: a42051f0db4d07e6b4bc205262cc4b9a |<3>| HSK[0x8e92098]: Cipher Suite:
DHE_RSA_AES_128_CBC_SHA1 |<3>| HSK[0x8e92098]: Initializing internal [write]
cipher sessions |<3>| HSK[0x8e92098]: FINISHED was sent [16 bytes] |<4>|
REC[0x8e92098]: Sending Packet[0] Handshake(22) with length: 16 |<4>|
REC[0x8e92098]: Sent Packet[1] Handshake(22) with length: 53 |<2>| ASSERT:
ext_session_ticket.c:582
-----REPEAT-----
|<4>| REC[0x8e92098]: Expected Packet[4] Handshake(22) with length: 1
|<4>| REC[0x8e92098]: Received Packet[4] Alert(21) with length: 2
|<4>| REC[0x8e92098]: Decrypted Packet[4] Alert(21) with length: 2
|<4>| REC[0x8e92098]: Alert[2|51] - Decrypt error - was received
|<2>| ASSERT: gnutls_record.c:695
|<2>| ASSERT: gnutls_record.c:1055
|<2>| ASSERT: ext_session_ticket.c:582
|<2>| ASSERT: gnutls_handshake.c:3146
ERR:EcoreCon ecore_con_ssl.c:525 _ecore_con_ssl_server_init_gnutls() Error at
ecore_con_ssl.c:_ecore_con_ssl_server_init_gnutls:525! ERR:EcoreCon
ecore_con_ssl.c:52 _gnutls_print_errors() gnutls returned with error:
GNUTLS_E_FATAL_ALERT_RECEIVED - A TLS fatal alert has been received.
ERR:EcoreCon ecore_con_ssl.c:577 _ecore_con_ssl_server_init_gnutls() Also
received alert: Decrypt error ERR:EcoreCon ecore_con_ssl.c:580
_ecore_con_ssl_server_init_gnutls() last out: Finished ERR:EcoreCon
ecore_con_ssl.c:581 _ecore_con_ssl_server_init_gnutls() last in: Server hello
done |<2>| ASSERT: gnutls_record.c:262 ERR:EcoreCon ecore_con.c:1819
_ecore_con_cl_handler() ssl handshaking failed!

Included are some of the debug messages from gnutls error reporting functions.
I've spent a considerable amount of time trying to figure out the issue, but to
no success.  The relevant gnutls code is as follows, where error is a label
that prints all gnutls errors and exits the function:


#define SSL_ERROR_CHECK_GOTO_ERROR(X) \
do \
  { \
     if ((X)) \
       { \
          ERR("Error at %s:%s:%d!", __FILE__, __PRETTY_FUNCTION__, __LINE__); \
          goto error; \
       } \
  } \
while (0)

        int kx[] = { GNUTLS_KX_DHE_RSA, GNUTLS_KX_RSA, GNUTLS_KX_ANON_DH, 0 };
        int mixed_proto[] = { GNUTLS_VERSION_MAX, GNUTLS_TLS1_1, GNUTLS_TLS1_0,
        GNUTLS_SSL3, 0 }; 
        int compress[] = { GNUTLS_COMP_DEFLATE, GNUTLS_COMP_NULL, 0 }; 
        int cipher[] = { GNUTLS_CIPHER_AES_256_CBC, GNUTLS_CIPHER_AES_128_CBC,
        GNUTLS_CIPHER_3DES_CBC, GNUTLS_CIPHER_DES_CBC, 0 };


        SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_init(&svr->session,
        GNUTLS_CLIENT)); SSL_ERROR_CHECK_GOTO_ERROR(ret =
        gnutls_set_default_priority(svr->session));
        SSL_ERROR_CHECK_GOTO_ERROR(ret =
        gnutls_session_ticket_enable_client(svr->session));
        SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_server_name_set(svr->session,
        GNUTLS_NAME_DNS, svr->name, strlen(svr->name)));

        SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_credentials_set(svr->session,
        GNUTLS_CRD_CERTIFICATE, svr->cert)); SSL_ERROR_CHECK_GOTO_ERROR(ret =
        gnutls_credentials_set(svr->session, GNUTLS_CRD_ANON, svr->anoncred_c));

        SSL_ERROR_CHECK_GOTO_ERROR(ret =
        gnutls_cipher_set_priority(svr->session, cipher));
        SSL_ERROR_CHECK_GOTO_ERROR(ret = gnutls_kx_set_priority(svr->session,
        kx)); SSL_ERROR_CHECK_GOTO_ERROR(ret =
        gnutls_protocol_set_priority(svr->session, proto));
        SSL_ERROR_CHECK_GOTO_ERROR(ret =
        gnutls_compression_set_priority(svr->session, compress));

        gnutls_dh_set_prime_bits(svr->session, 512);
        gnutls_transport_set_ptr(svr->session, (gnutls_transport_ptr_t)svr->fd);
        ret = gnutls_handshake(svr->session);


Hopefully someone will see something obvious that I have missed.
-- 
Mike Blumenkrantz
Zentific: Our boolean values are huge.




More information about the Gnutls-help mailing list