gnuTLS 3.0.20 - 'Fatal error: The TLS connection was non-properly terminated' against Cisco load balancers
Scott McGillivray
scott.mcgillivray at gmail.com
Sun Jun 17 11:58:01 CEST 2012
Hi,
On my older Debian server running gnutls-cli (GnuTLS) 2.8.5, if I test
various websites located behind a Cisco CSS load balancer that does the SSL
offload with the command "gnutls-cli accounts.codemasters.com" it works OK, but
with a newer install of Debian server running gnutls-cli 3.0.20, if I issue
the same command then I get the error below.
Processed 153 CA certificate(s).
Resolving 'accounts.codemasters.com'...
Connecting to '94.75.196.190:443'...
|<1>| Note that the security level of the Diffie-Hellman key exchange has
been lowered to 512 bits and this may allow decryption of the session data
*** Fatal error: The TLS connection was non-properly terminated.
No certificates found!
*** Handshake has failed
GnuTLS error: The TLS connection was non-properly terminated.
If I try to connect to https://accounts.codemasters.com using Firefox,
Chrome or openssl s_client then it works fine. So it seems that GnuTLS
3.0.x has a bug maybe? On the server running gnuTLS 3.0.20 I am able to run
gnutls-cli against other sites such as google.com, hotmail.com etc. and it
works fine, so I know that it works, just not against the sites where the
SSL offload is performed by these Cisco CSS load balancers.
On the gnuTLS 2.8.5 install I noticed that the client/server hello is
processed OK, as seen in the debug output below:
|<3>| HSK[0x9342d78]: CLIENT HELLO was send [136 bytes]
|<2>| ASSERT: gnutls_cipher.c:204
|<2>| ASSERT: gnutls_cipher.c:204
|<3>| HSK[0x9342d78]: SERVER HELLO was received [74 bytes]
|<3>| HSK[0x9342d78]: Server's version: 3.1
|<3>| HSK[0x9342d78]: SessionID length: 32
|<3>| HSK[0x9342d78]: SessionID:
a32ec5fb0f2fef86bbc660747ee3cd49f0d68483ced53f116f451a96a2ad97d0
|<3>| HSK[0x9342d78]: Selected cipher suite: RSA_ARCFOUR_MD5
|<2>| ASSERT: gnutls_extensions.c:124
|<2>| ASSERT: gnutls_cipher.c:204
|<3>| HSK[0x9342d78]: CERTIFICATE was received [3602 bytes]
but on the 3.2.20 install I get:
|<3>| HSK[0x1b5c550]: CLIENT HELLO was queued [217 bytes]
|<7>| HWRITE: enqueued [CLIENT HELLO] 217. Total 217 bytes.
|<7>| HWRITE FLUSH: 217 bytes in buffer.
|<4>| REC[0x1b5c550]: Preparing Packet Handshake(22) with length: 217
|<9>| ENC[0x1b5c550]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
|<7>| WRITE: enqueued 222 bytes for 0x4. Total 222 bytes.
|<4>| REC[0x1b5c550]: Sent Packet[1] Handshake(22) in epoch 0 and length:
222
|<7>| HWRITE: wrote 1 bytes, 0 bytes left.
|<7>| WRITE FLUSH: 222 bytes in buffer.
|<7>| WRITE: wrote 222 bytes, 0 bytes left.
|<2>| ASSERT: gnutls_buffers.c:974
|<7>| READ: Got 0 bytes from 0x4
|<7>| READ: read 0 bytes from 0x4
|<2>| ASSERT: gnutls_buffers.c:482
|<2>| ASSERT: gnutls_record.c:876
|<2>| ASSERT: gnutls_record.c:986
|<2>| ASSERT: gnutls_buffers.c:1175
|<2>| ASSERT: gnutls_handshake.c:1269
|<2>| ASSERT: gnutls_handshake.c:2484
*** Fatal error: The TLS connection was non-properly terminated.
|<2>| ASSERT: gnutls_ui.c:544
No certificates found!
|<4>| REC: Sending Alert[2|10] - Unexpected message
|<4>| REC[0x1b5c550]: Preparing Packet Alert(21) with length: 2
|<9>| ENC[0x1b5c550]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
|<7>| WRITE: enqueued 7 bytes for 0x4. Total 7 bytes.
|<7>| WRITE FLUSH: 7 bytes in buffer.
|<2>| errno: 32
|<2>| ASSERT: gnutls_buffers.c:374
|<7>| WRITE error: code -53, 7 bytes left.
|<2>| ASSERT: gnutls_buffers.c:599
|<2>| ASSERT: gnutls_record.c:456
*** Handshake has failed
GnuTLS error: The TLS connection was non-properly terminated.
Can anyone suggest how I can fix this? I'm trying to use a program that
needs gnuTLS 3.x libs, so I can't just use gnuTLS 2.x, which works. Also the
Cisco devices are running the latest and greatest firmware from Cisco circa
Dec 2011.
many thanks
Scott
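Added example, not part of Scott's post and not GnuTLS code: a small Python parser for gnutls-cli debug traces of the shape quoted above. It pulls out which handshake messages the client sent and which the server answered with, the ClientHello size, the server version and cipher suite where present, and whether the peer closed the socket (READ of 0 bytes) before any handshake reply arrived. That last case is what separates the two traces in the post: in 2.8.5 the server answers the 136-byte ClientHello, in 3.0.20 the 217-byte ClientHello is written in full and the next read returns EOF, so the failure is the server dropping the connection rather than a certificate or transport problem. The two embedded traces are constructed, abridged versions of the post's output; the line patterns are taken from the post, while the verdict labels and the `analyze` function are my own.

```python
import re
import sys
from typing import Optional

# Constructed sample traces, modelled on the gnutls-cli debug output quoted in
# the post above (abridged, same line formats; not a verbatim copy).
TRACE_3_0_20 = """\
|<3>| HSK[0x1b5c550]: CLIENT HELLO was queued [217 bytes]
|<7>| HWRITE: enqueued [CLIENT HELLO] 217. Total 217 bytes.
|<4>| REC[0x1b5c550]: Preparing Packet Handshake(22) with length: 217
|<7>| WRITE: wrote 222 bytes, 0 bytes left.
|<2>| ASSERT: gnutls_buffers.c:974
|<7>| READ: Got 0 bytes from 0x4
|<2>| ASSERT: gnutls_buffers.c:482
*** Fatal error: The TLS connection was non-properly terminated.
|<4>| REC: Sending Alert[2|10] - Unexpected message
|<2>| errno: 32
"""

TRACE_2_8_5 = """\
|<3>| HSK[0x9342d78]: CLIENT HELLO was send [136 bytes]
|<2>| ASSERT: gnutls_cipher.c:204
|<3>| HSK[0x9342d78]: SERVER HELLO was received [74 bytes]
|<3>| HSK[0x9342d78]: Server's version: 3.1
|<3>| HSK[0x9342d78]: Selected cipher suite: RSA_ARCFOUR_MD5
|<3>| HSK[0x9342d78]: CERTIFICATE was received [3602 bytes]
"""

# Line patterns as they appear in the post. 2.8.5 says "was send", 3.0.x says
# "was queued" for outgoing messages; both count as sent by the client.
HSK_RE = re.compile(
    r"HSK\[[^\]]*\]: (?P<msg>[A-Z ]+?) was (?P<dir>queued|send|sent|received) "
    r"\[(?P<size>\d+) bytes\]")
VERSION_RE = re.compile(r"Server's version: (?P<major>\d+)\.(?P<minor>\d+)")
SUITE_RE = re.compile(r"Selected cipher suite: (?P<suite>\S+)")
EOF_RE = re.compile(r"READ: Got 0 bytes from")
ALERT_SENT_RE = re.compile(r"Sending Alert\[(?P<level>\d+)\|(?P<desc>\d+)\]")

# TLS record-layer version numbers ("3.1" in the trace is TLS 1.0).
RECORD_VERSIONS = {(3, 0): "SSL3.0", (3, 1): "TLS1.0", (3, 2): "TLS1.1", (3, 3): "TLS1.2"}


def analyze(trace: str) -> dict:
    """Summarise one gnutls-cli debug trace and classify how the handshake ended."""
    sent, received, alerts_sent = [], [], []
    server_version: Optional[str] = None
    cipher_suite: Optional[str] = None
    eof_before_reply = False
    for line in trace.splitlines():
        m = HSK_RE.search(line)
        if m:
            entry = (m["msg"], int(m["size"]))
            (received if m["dir"] == "received" else sent).append(entry)
            continue
        m = VERSION_RE.search(line)
        if m:
            key = (int(m["major"]), int(m["minor"]))
            server_version = RECORD_VERSIONS.get(key, f"{key[0]}.{key[1]}")
            continue
        m = SUITE_RE.search(line)
        if m:
            cipher_suite = m["suite"]
            continue
        # A zero-byte read before any server handshake message means the peer
        # closed the TCP connection without sending a TLS alert.
        if EOF_RE.search(line) and not received:
            eof_before_reply = True
            continue
        m = ALERT_SENT_RE.search(line)
        if m:
            alerts_sent.append((int(m["level"]), int(m["desc"])))

    client_hello = next((size for msg, size in sent if msg == "CLIENT HELLO"), None)
    if received:
        verdict = "handshake_progressed"       # server answered the ClientHello
    elif client_hello is not None and eof_before_reply:
        verdict = "closed_after_client_hello"  # server dropped us before replying
    else:
        verdict = "inconclusive"
    return {
        "sent": sent, "received": received, "client_hello_bytes": client_hello,
        "server_version": server_version, "cipher_suite": cipher_suite,
        "alerts_sent": alerts_sent, "verdict": verdict,
    }


if __name__ == "__main__":
    # Pipe real output in, e.g.:  gnutls-cli -d 9 host 2>&1 | python3 this_script.py
    trace = sys.stdin.read() if not sys.stdin.isatty() else TRACE_3_0_20
    for key, value in analyze(trace).items():
        print(f"{key}: {value}")
```

A verdict of `closed_after_client_hello` with a clean write and no inbound alert points at the server (here the SSL-offloading device) rejecting the ClientHello itself; comparing the `client_hello_bytes` and the negotiated version between the working and failing client is the first thing to look at in that case.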