MK mk at cognitivedissonance.ca
Thu Oct 3 14:16:35 CEST 2013

On Wed, 02 Oct 2013 00:28:55 +0200
Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:

> On 10/01/2013 05:41 PM, MK wrote:
>> I have an HTTP server under development using gnuTLS, and notice a
>> strange issue when testing with Chrome specifically -- the first
>> gnutls_record_recv() on a new connection will frequently fail with
>  That means that the other party terminated the connection.
>> Chrome retries until it gets what it is looking for, so this is not
>> noticeable to the user,
> You may see what chrome is looking for by checking the connections
> using wireshark. I suspect that chrome is trying to determine the
> highest TLS version number supported by the server.

Actually what I meant by "retries until it gets what it is looking for"
is the web page; what it's looking for beyond/before that with the
"improperly terminated connections" I dunno.  Here's an example of what
happens in Wireshark:

1) Chrome initiates a connection (actually, it usually initiates *two*
connections simultaneously, but they both do the same thing -- this
appears interleaved as both client and server are otherwise idle). That
goes through a normal SYN, SYN, ACK shake then there is a TLS 1.1 Client
Hello.  The server says Hello in return with a certificate, then Server
Hello Done.

2) Client sends Client Key Exchange together with a Change Cipher Spec
and Encrypted Handshake.  The server responds with a Change Cipher Spec
and Encrypted Handshake.

3) The client sends a FIN.  The server sends an ACK back but no FIN --
instead there is a TLS "Encryption Alert".

4) The client sends a RST.  It then initiates a new connection, which
goes through #1 and #2 but then proceeds properly.

Is this consistent with what you have said about trying to determine
the TLS version?


"You are lost in the Real." -- Jean Baudrillard

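The exchange described in the four steps above, reconstructed as an added example that is not part of the original thread and not GnuTLS or Chrome code: a small parser that splits each direction of a TLS byte stream into records and labels them the way Wireshark's dissector does. The point it demonstrates is why the last server record shows up only as "Encrypted Alert": once a ChangeCipherSpec has been sent in a direction, every following Handshake or Alert record in that direction is under the record key, so only the content type is visible, and a close_notify cannot be told apart from a fatal alert without the keys. The two byte streams, the handshake message bodies, the opaque Finished/alert payloads and the function names are all constructed here for illustration, not captured from the reporter's server.

```python
"""Label TLS records per direction the way Wireshark does (added example, constructed input)."""
import struct
from typing import List, Tuple

CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                   14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}
VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure", 70: "protocol_version"}


def split_records(stream: bytes) -> List[Tuple[int, Tuple[int, int], bytes]]:
    """Split one direction of a TCP stream into (content_type, version, body) records.

    A truncated record raises ValueError; in a real capture that usually means the
    peer closed the socket (FIN/RST) before finishing the record."""
    records, offset = [], 0
    while offset < len(stream):
        if len(stream) - offset < 5:
            raise ValueError("truncated record header at offset %d" % offset)
        ctype, major, minor, length = struct.unpack("!BBBH", stream[offset:offset + 5])
        body = stream[offset + 5:offset + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body at offset %d" % offset)
        records.append((ctype, (major, minor), body))
        offset += 5 + length
    return records


def describe(direction: str, stream: bytes) -> List[str]:
    """Return one label per record. After this direction's ChangeCipherSpec, Handshake
    and Alert records are encrypted: only the content type is visible, as in Wireshark."""
    labels, encrypted = [], False
    for ctype, _version, body in split_records(stream):
        name = CONTENT_TYPES.get(ctype, "Unknown(%d)" % ctype)
        if ctype == 20:
            encrypted = True
            labels.append(f"{direction}: ChangeCipherSpec")
        elif encrypted and ctype == 22:
            labels.append(f"{direction}: Encrypted Handshake Message")
        elif encrypted and ctype == 21:
            labels.append(f"{direction}: Encrypted Alert")  # level/description unreadable
        elif ctype == 22:
            pos = 0
            while pos < len(body):  # one record may carry several handshake messages
                htype = body[pos]
                hlen = int.from_bytes(body[pos + 1:pos + 4], "big")
                hbody = body[pos + 4:pos + 4 + hlen]
                hname = HANDSHAKE_TYPES.get(htype, "Unknown(%d)" % htype)
                if htype in (1, 2):  # the Hello messages carry the offered/chosen version
                    hname += " (%s)" % VERSIONS.get((hbody[0], hbody[1]), "?")
                labels.append(f"{direction}: Handshake {hname}")
                pos += 4 + hlen
        elif ctype == 21:  # plaintext alert: level and description are readable
            level, desc = body[0], body[1]
            labels.append(f"{direction}: Alert {ALERT_LEVELS.get(level, level)} "
                          f"{ALERT_DESCRIPTIONS.get(desc, desc)}")
        else:
            labels.append(f"{direction}: {name}")
    return labels


# --- constructed sample streams (not a real capture) ---
def record(ctype: int, version: Tuple[int, int], body: bytes) -> bytes:
    return struct.pack("!BBBH", ctype, version[0], version[1], len(body)) + body


def handshake(htype: int, body: bytes) -> bytes:
    return bytes([htype]) + len(body).to_bytes(3, "big") + body


CLIENT_HELLO = handshake(1, bytes([3, 2]) + b"\x11" * 32 + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00")
SERVER_HELLO = handshake(2, bytes([3, 2]) + b"\x22" * 32 + b"\x00" + b"\x00\x2f" + b"\x00")
CERTIFICATE = handshake(11, b"\x00\x00\x03" + b"\x00\x00\x00")  # placeholder certificate list
SERVER_HELLO_DONE = handshake(14, b"")
CLIENT_KEY_EXCHANGE = handshake(16, b"\x00\x02\xaa\xbb")
OPAQUE_FINISHED = b"\x99" * 40  # encrypted Finished: contents not parseable
OPAQUE_ALERT = b"\x77" * 22     # encrypted alert: 2 bytes + MAC/IV under the record key

CLIENT_STREAM = (record(22, (3, 1), CLIENT_HELLO)
                 + record(22, (3, 2), CLIENT_KEY_EXCHANGE)
                 + record(20, (3, 2), b"\x01")
                 + record(22, (3, 2), OPAQUE_FINISHED))
SERVER_STREAM = (record(22, (3, 2), SERVER_HELLO + CERTIFICATE + SERVER_HELLO_DONE)
                 + record(20, (3, 2), b"\x01")
                 + record(22, (3, 2), OPAQUE_FINISHED)
                 + record(21, (3, 2), OPAQUE_ALERT))


def trace() -> Tuple[List[str], List[str]]:
    """Labels for both directions of the constructed session."""
    return describe("client", CLIENT_STREAM), describe("server", SERVER_STREAM)


if __name__ == "__main__":
    for side in trace():
        print("\n".join(side))
```

Running it prints the client side as ClientHello (TLS 1.1), ClientKeyExchange, ChangeCipherSpec, Encrypted Handshake Message, and the server side as ServerHello, Certificate, ServerHelloDone, ChangeCipherSpec, Encrypted Handshake Message, Encrypted Alert, which is the sequence the steps above describe. To learn what that final alert actually is, decrypt the capture with the server's private key in Wireshark (RSA key exchange) or log it on the server side; from the wire alone it could be a close_notify or a fatal alert.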