[gnutls-help] Chrome and GNUTLS_E_PREMATURE_TERMINATION
mk at cognitivedissonance.ca
Thu Oct 3 14:16:35 CEST 2013
On Wed, 02 Oct 2013 00:28:55 +0200
Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:
> On 10/01/2013 05:41 PM, MK wrote:
>> I have an HTTP server under development using gnuTLS, and notice a
>> strange issue when testing with Chrome specifically -- the first
>> gnutls_record_recv() on a new connection will frequently fail with
> That means that the other party terminated the connection.
>> Chrome retries until it gets what it is looking for, so this is not
>>noticeable to the user,
> You may see what chrome is looking for by checking the connections
> using wireshark. I suspect that chrome is trying to determine the
> highest TLS version number supported by the server.
Actually what I meant by "retries until gets what it is looking for" is
the web page; what it's looking for beyond/before that with the
"improperly terminated connections" I dunno. Here's an example of what
happens in wireshark:
1) Chrome initiates a connection (actually, it usually initiates *two*
connections simultaneously, but they both do the same thing -- this
appears interleaved as both client and server are otherwise idle). That
goes through a normal SYN, SYN, ACK shake then there is a TLS 1.1 Client
Hello. The server says Hello in return with a certificate, then Server
2) Client sends Client Key Exchange together with a Change Cipher Spec
and Encrypted Handshake. The server responds with a Change Cipher Spec
and Encrypted Handshake.
3) The client sends a FIN. The server sends an ACK back but no FIN --
instead there is a TLS "Encryption Alert".
4) The client sends a RST. It then initiates a new connection, which
goes through #1 and #2 but then proceeds properly.
Is this consistent with what you have said about trying to determine
the TLS version?
"You are lost in the Real." -- Jean Baudrillard
More information about the Gnutls-help