ssl connection issues

Michael Blumenkrantz mike at zentific.com
Wed Sep 29 16:22:29 CEST 2010


On Wed, 29 Sep 2010 16:04:21 +0200
Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:

> On Wed, Sep 29, 2010 at 3:15 PM, Michael Blumenkrantz <mike at zentific.com>
> wrote:
> 
> > I have read through the examples and tested using my code.  It functions
> > fine, though I took your advice and migrated to newer priority strings.  It
> > seems that I may have found a gnutls bug in handshaking, however, though I
> > will reserve judgment on that until I have investigated further.  The bug
> > seems to be if you are doing async connections, you cannot call
> > gnutls_handshake with a very small amount of data in the buffer or else the
> > handshake will fail with an error.  Specifically, I find this occurring
> > while receiving data (as a client) for a session ticket.
> > I have so far found this to be the case by briefly pausing execution of my
> > program just before the gnutls_handshake() call where it would be reading
> > from the file descriptor so that more data can accumulate, and then
> > continuing.  The handshake completes as expected, where it would have
> > failed if running at normal speed.
> 
> Where does handshake fail? (if you use level 2 debugging you get a
> nice backtrace of the failure).
> 
> > Is it possible that there is a bug like this?
> 
> You never know, although I think gnutls is being used in async mode quite
> often.
> 
> regards,
> Nikos

This is a log of the handshake failure while attempting to connect to verisign.com:443 using gnutls log level 2.  Additionally there is some debug info from my code which is prefixed by DBG.  Let me know if there is more information that I can provide.

DBG:EcoreCon ecore_con.c:1478 _ecore_con_cb_tcp_connect() beginning ssl handshake
DBG:EcoreCon ecore_con_ssl.c:497 _ecore_con_ssl_server_init_gnutls() calling gnutls_handshake()
|<2>| EXT[0x8d460b8]: Sending extension SERVER_NAME
|<2>| EXT[0x8d460b8]: Sending extension SAFE_RENEGOTIATION
|<2>| EXT[0x8d460b8]: Sending extension SESSION_TICKET
|<2>| ASSERT: gnutls_record.c:450
|<2>| ASSERT: gnutls_buffers.c:933
|<2>| ASSERT: gnutls_buffers.c:957
|<2>| ASSERT: gnutls_handshake.c:2772
DBG:EcoreCon ecore_con.c:1822 _ecore_con_cl_handler() Continuing ssl handshake
DBG:EcoreCon ecore_con.c:1826 _ecore_con_cl_handler() Preparing to write handshake data...
DBG:EcoreCon ecore_con_ssl.c:497 _ecore_con_ssl_server_init_gnutls() calling gnutls_handshake()
|<2>| ASSERT: gnutls_buffers.c:857
DBG:EcoreCon ecore_con.c:1822 _ecore_con_cl_handler() Continuing ssl handshake
DBG:EcoreCon ecore_con.c:1826 _ecore_con_cl_handler() Preparing to write handshake data...
DBG:EcoreCon ecore_con_ssl.c:497 _ecore_con_ssl_server_init_gnutls() calling gnutls_handshake()
---REPEAT---
|<2>| EXT[0x8d460b8]: Found extension 'SAFE_RENEGOTIATION/65281'
|<2>| EXT[0x8d460b8]: Found extension 'SESSION_TICKET/35'
|<2>| ASSERT: gnutls_handshake.c:1332
|<2>| ASSERT: ext_session_ticket.c:582
DBG:EcoreCon ecore_con.c:1822 _ecore_con_cl_handler() Continuing ssl handshake
DBG:EcoreCon ecore_con.c:1826 _ecore_con_cl_handler() Preparing to write handshake data...
DBG:EcoreCon ecore_con_ssl.c:497 _ecore_con_ssl_server_init_gnutls() calling gnutls_handshake()
---REPEAT---
|<2>| ASSERT: gnutls_record.c:695
|<2>| ASSERT: gnutls_record.c:1055
|<2>| ASSERT: ext_session_ticket.c:582
|<2>| ASSERT: gnutls_handshake.c:3146
ERR:EcoreCon ecore_con_ssl.c:499 _ecore_con_ssl_server_init_gnutls() Error at ecore_con_ssl.c:_ecore_con_ssl_server_init_gnutls:499!
ERR:EcoreCon ecore_con_ssl.c:52 _gnutls_print_errors() gnutls returned with error: GNUTLS_E_FATAL_ALERT_RECEIVED - A TLS fatal alert has been received.
ERR:EcoreCon ecore_con_ssl.c:551 _ecore_con_ssl_server_init_gnutls() Also received alert: Decrypt error
ERR:EcoreCon ecore_con_ssl.c:554 _ecore_con_ssl_server_init_gnutls() last out: Finished
ERR:EcoreCon ecore_con_ssl.c:555 _ecore_con_ssl_server_init_gnutls() last in: Server hello done
|<2>| ASSERT: gnutls_record.c:262


-- 
Mike Blumenkrantz
Zentific: Our boolean values are huge.
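
Added example, not part of the original message and not gnutls or Ecore code: a small triage script for a trace like the one above. It splits the log at each "calling gnutls_handshake()" marker and reports the ASSERT file:line sites logged during the call that returned the error, which is the information asked for in "Where does handshake fail?". The names triage and failing_call are this example's own, and the sample is abridged from the log above.

```python
import re

# Abridged from the log in the message above; the ---REPEAT--- runs are left out.
SAMPLE_LOG = """\
DBG:EcoreCon ecore_con_ssl.c:497 _ecore_con_ssl_server_init_gnutls() calling gnutls_handshake()
|<2>| ASSERT: gnutls_record.c:450
|<2>| ASSERT: gnutls_buffers.c:933
|<2>| ASSERT: gnutls_buffers.c:957
|<2>| ASSERT: gnutls_handshake.c:2772
DBG:EcoreCon ecore_con_ssl.c:497 _ecore_con_ssl_server_init_gnutls() calling gnutls_handshake()
|<2>| ASSERT: gnutls_buffers.c:857
DBG:EcoreCon ecore_con_ssl.c:497 _ecore_con_ssl_server_init_gnutls() calling gnutls_handshake()
|<2>| ASSERT: gnutls_handshake.c:1332
|<2>| ASSERT: ext_session_ticket.c:582
DBG:EcoreCon ecore_con_ssl.c:497 _ecore_con_ssl_server_init_gnutls() calling gnutls_handshake()
|<2>| ASSERT: gnutls_record.c:695
|<2>| ASSERT: gnutls_record.c:1055
|<2>| ASSERT: ext_session_ticket.c:582
|<2>| ASSERT: gnutls_handshake.c:3146
ERR:EcoreCon ecore_con_ssl.c:52 _gnutls_print_errors() gnutls returned with error: GNUTLS_E_FATAL_ALERT_RECEIVED - A TLS fatal alert has been received.
ERR:EcoreCon ecore_con_ssl.c:551 _ecore_con_ssl_server_init_gnutls() Also received alert: Decrypt error
|<2>| ASSERT: gnutls_record.c:262
"""

CALL = re.compile(r"calling gnutls_handshake\(\)")
ASSERT = re.compile(r"^\|<\d+>\| ASSERT: (\S+):(\d+)")
ERROR = re.compile(r"gnutls returned with error: (GNUTLS_E_\w+)")
ALERT = re.compile(r"received alert: (.+)$")

def triage(log):
    """Return (calls, error, alert); calls[i] lists the ASSERT sites of call i."""
    calls, error, alert = [], None, None
    for line in log.splitlines():
        if CALL.search(line):
            calls.append([])  # a new gnutls_handshake() invocation starts here
        elif (m := ASSERT.match(line)) and calls and error is None:
            calls[-1].append((m.group(1), int(m.group(2))))  # skip post-error ASSERTs
        elif m := ERROR.search(line):
            error = m.group(1)
        elif m := ALERT.search(line):
            alert = m.group(1)
    return calls, error, alert

def failing_call(log):
    """ASSERT sites of the call that returned the error, or None if none did."""
    calls, error, _ = triage(log)
    return calls[-1] if error and calls else None

if __name__ == "__main__":
    print(failing_call(SAMPLE_LOG), triage(SAMPLE_LOG)[1:])
```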



