[gnutls-help] SSL Handshake error

Niranjan Rao nhrdls at gmail.com
Thu Nov 13 03:27:37 CET 2014


Greetings,


I am getting an SSL handshake error while visiting the site 
https://www.pge.com/eum/login and some other sites using WebKit GTK 
2.2.6 on Ubuntu 12.04. I am really not certain which version of the TLS 
library is being used, but it appears that the glib-networking version is 
2.36.1.

I raised the question on the webkit gtk list and a nice person, 
mcatanzaro at igalia.com, did some initial debugging of the issue and 
directed me to this mailing list for support. The following mail contains 
his analysis.

What can I do to solve this problem?


On Wed, 2014-11-12 at 11:44 -0800, Niranjan Rao wrote:

> Greetings,
>
> On Webkit 2.2.6/Ubuntu 12.04
>
> When visiting some sites, I get an SSL handshake error. For example,
> the site https://www.pge.com/eum/login gives an SSL handshake error when
> using MiniBrowser. Usual browsers are doing ok when visiting the site.
>
> Is there any way to mitigate this problem?

Each such site requires individual investigation, unfortunately.

> I saw some documentation about TLS errors in webkitgtk web site. Not
> clear if this applies to me or not.

Well, that documentation describes how to handle "successful" TLS
connections with unverified TLS certificates, which is important for
developers because older versions of WebKitGTK+ handle this insecurely
by default. But it's not relevant here, since this connection has failed
completely. We use GnuTLS to handle TLS; here's what its command line
debug tool tells us:

$ gnutls-cli www.pge.com
Processed 153 CA certificate(s).
Resolving 'www.pge.com'...
Connecting to '131.89.128.67:443'...
*** Fatal error: The TLS connection was non-properly terminated.
*** Handshake has failed
GnuTLS error: The TLS connection was non-properly terminated.

That error message is misleading:

$ gnutls-cli-debug www.pge.com
Resolving 'www.pge.com'...
Connecting to '131.89.128.67:443'...
Checking for SSL 3.0 support... no
Connecting to '131.89.128.67:443'...
Checking whether %COMPAT is required... yes
Connecting to '131.89.128.67:443'...
Checking for TLS 1.0 support... no
Connecting to '131.89.128.67:443'...
Checking for TLS 1.1 support... no
Connecting to '131.89.128.67:443'...
Checking fallback from TLS 1.1 to... failed
Connecting to '131.89.128.67:443'...
Checking for TLS 1.2 support... no
Connecting to '131.89.128.67:443'...
Checking whether we need to disable TLS 1.2... yes

So GnuTLS thinks this server apparently does not support any TLS
protocol, and you get no connection. But for a second opinion I went to
https://www.ssllabs.com/ssltest/analyze.html?d=pge.com which was able to
connect via TLS 1.0. The server supports very few cipher suites (you can
see that the site is completely inaccessible with the latest Safari, for
example), but we share three in common so I'm not sure what's wrong. The
next step would be to ask on the gnutls-help mailing list [1] to find
out whether there is a GnuTLS bug (not really likely) or why it's
refusing to connect if not. Please do CC me; I'm curious!

Michael

[1] http://lists.gnutls.org/mailman/listinfo/gnutls-help
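The per-version probing that gnutls-cli-debug does above can be reproduced by hand, which makes it easier to see what the server actually sends back when it refuses a hello. The following is an added example written for this thread; it is not code from the original post, from GnuTLS or from WebKitGTK+. It builds a bare ClientHello (no extensions, no SNI, the kind of hello a %COMPAT-style fallback sends) for each protocol version and classifies the server's first record: a ServerHello means that version and one of the offered suites were accepted, an Alert means the server rejected the hello and said why, and a TCP close with no alert at all is exactly the condition GnuTLS reports as "The TLS connection was non-properly terminated". The cipher-suite list, the target host/port and the three sample replies are constructed for illustration and are assumptions, not observations about www.pge.com.

```python
"""Minimal TLS ClientHello prober (added example; not GnuTLS or WebKitGTK+ code).

Sends a bare ClientHello with NO extensions for a chosen protocol version and
cipher-suite list, then classifies the first record the server returns.
"""
import os
import socket
import struct
import sys

# Protocol versions as (major, minor) on the wire.
VERSIONS = {"SSL3.0": (3, 0), "TLS1.0": (3, 1), "TLS1.1": (3, 2), "TLS1.2": (3, 3)}

# A handful of IANA cipher-suite codes common on older servers (assumed list).
SUITES = {
    "TLS_RSA_WITH_RC4_128_SHA": 0x0005,
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": 0x000A,
    "TLS_RSA_WITH_AES_128_CBC_SHA": 0x002F,
    "TLS_RSA_WITH_AES_256_CBC_SHA": 0x0035,
}

ALERT_NAMES = {0: "close_notify", 10: "unexpected_message", 40: "handshake_failure",
               47: "illegal_parameter", 50: "decode_error", 70: "protocol_version"}


def build_client_hello(version, suites, client_random=None):
    """Return one TLS record carrying a ClientHello with no extensions."""
    major, minor = VERSIONS[version]
    rnd = client_random if client_random is not None else os.urandom(32)
    body = bytes([major, minor]) + rnd + b"\x00"         # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites))           # cipher_suites length in bytes
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                  # compression_methods: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16" + bytes([major, minor]) + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Classify the first server record.  Empty input means the peer closed TCP
    without sending any alert, which GnuTLS reports as 'non-properly terminated'."""
    if not data:
        return ("closed", None)
    if len(data) < 5:
        return ("garbage", None)
    ctype = data[0]
    rec_len = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + rec_len]
    if ctype == 21 and len(payload) >= 2:                # Alert record
        level, desc = payload[0], payload[1]
        return ("alert", {"level": level, "description": desc,
                          "name": ALERT_NAMES.get(desc, "unknown")})
    if ctype == 22 and len(payload) >= 4 and payload[0] == 2:   # Handshake: ServerHello
        hs = payload[4:]                                 # skip 4-byte handshake header
        if len(hs) < 37:
            return ("garbage", None)
        sid_len = hs[34]                                 # version(2) + random(32) + sid_len(1)
        cipher = struct.unpack("!H", hs[35 + sid_len:37 + sid_len])[0]
        return ("server_hello", {"version": (hs[0], hs[1]), "cipher_suite": cipher})
    return ("other", {"content_type": ctype})


def probe(host, port, version, suites, timeout=5.0):
    """Send one bare ClientHello over the network and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(version, suites))
        try:
            data = s.recv(4096)
        except socket.timeout:
            return ("timeout", None)
    return classify_response(data)


# Constructed sample replies so the classifier can be exercised offline.
_rand = bytes(32)
_sh_body = b"\x03\x01" + _rand + b"\x00" + b"\x00\x2f" + b"\x00"   # TLS1.0, AES128-SHA, null comp
_sh = b"\x02" + len(_sh_body).to_bytes(3, "big") + _sh_body
SAMPLE_RESPONSES = {
    "accepts_tls10": b"\x16\x03\x01" + struct.pack("!H", len(_sh)) + _sh,
    "fatal_handshake_failure": b"\x15\x03\x01\x00\x02\x02\x28",   # level fatal(2), desc 40
    "closed_without_alert": b"",
}


def classify_samples():
    """Classify the constructed samples; returns {name: kind}."""
    return {name: classify_response(raw)[0] for name, raw in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    if len(sys.argv) > 1:                                # hostname given: probe it live
        for v in VERSIONS:
            print(v, probe(sys.argv[1], 443, v, list(SUITES.values())))
    else:                                                # no network: show the classifier
        for name, kind in classify_samples().items():
            print(name, "->", kind)
```

Run it with a hostname argument to probe each version live, or with no argument to see the classifier on the constructed samples. A "closed" result for every version, with a ServerHello only when the suite list is changed, points at the server's cipher-suite restrictions rather than at GnuTLS; an "alert" result tells you the server's own reason. Two caveats: a hello without SNI may be refused by name-based virtual hosts, and the real tool can do the same fallback test directly with `gnutls-cli --priority "NORMAL:%COMPAT" www.pge.com`, which is the quicker first check.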