[Pkg-gnutls-maint] Bug#466477: libgnutls26: Failure to talk with IBM ldap/http servers

Richard A Nelson cowboy at debian.org
Tue Feb 19 01:19:43 UTC 2008


Package: libgnutls26
Version: 2.2.1-3
Severity: important

Breaks slapd (ldap caching), ldapsearch, mutt, and anything else
linked against the gnutls library.

While investigating why my slapd ldap caching wasn't working - and
remote ldap authentication started failing, I found this in the
ldapsearch debug output:
TLS: can't connect: A TLS packet with unexpected length was received..

To isolate the problem source, I installed gnutls-bin and compared
gnutls-cli and openssl s_client output:

$ gnutls-cli -p 636 bluepages.ibm.com
Resolving 'bluepages.ibm.com'...
Connecting to '9.17.186.253:636'...
*** Fatal error: A TLS packet with unexpected length was received.
*** Handshake has failed
GNUTLS ERROR: A TLS packet with unexpected length was received

$ openssl s_client -connect bluepages.ibm.com:636
CONNECTED(00000003)
depth=1 /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
...

$ gnutls-cli -p 443 w3.ibm.com
Resolving 'w3.ibm.com'...
Connecting to '9.17.137.11:443'...
*** Fatal error: A TLS packet with unexpected length was received.
*** Handshake has failed
GNUTLS ERROR: A TLS packet with unexpected length was received.

$ openssl s_client -connect w3.ibm.com:443
CONNECTED(00000003)
depth=1 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
...

I don't know if it'll help, but here is the gnutls debug output
for one of the sites (the other appears pretty much the same).

$ gnutls-cli-debug -p 636 bluepages.ibm.com
Resolving 'bluepages.ibm.com'...
Connecting to '9.17.186.253:636'...
Checking for TLS 1.1 support... no
Checking fallback from TLS 1.1 to... failed
Checking for TLS 1.0 support... yes
Checking for SSL 3.0 support... yes
Checking for HTTPS server name... not checked
Checking for version rollback bug in RSA PMS... no
Checking for version rollback bug in Client Hello... no
Checking whether we need to disable TLS 1.0... N/A
Checking whether the server ignores the RSA PMS version... no
Checking whether the server can accept Hello Extensions... no
Checking whether the server can accept cipher suites not in SSL 3.0 spec... yes
Checking whether the server can accept a bogus TLS record version in the client hello... no
Checking for certificate information... N/A
Checking for trusted CAs... N/A
Checking whether the server understands TLS closure alerts... yes
Checking whether the server supports session resumption... no
Checking for export-grade ciphersuite support... yes
Checking RSA-export ciphersuite info... N/A
Checking for anonymous authentication support... no
Checking anonymous Diffie Hellman group info... N/A
Checking for ephemeral Diffie Hellman support... no
Checking ephemeral Diffie Hellman group info... N/A
Checking for AES cipher support (TLS extension)... yes
Checking for CAMELLIA cipher support (TLS extension)... no
Checking for 3DES cipher support... yes
Checking for ARCFOUR 128 cipher support... yes
Checking for ARCFOUR 40 cipher support... yes
Checking for MD5 MAC support... yes
Checking for SHA1 MAC support... yes
Checking for ZLIB compression support (TLS extension)... no
Checking for LZO compression support (GnuTLS extension)... no
Checking for max record size (TLS extension)... no
Checking for SRP authentication support (TLS extension)... yes
Checking for OpenPGP authentication support (TLS extension)... no


-- System Information:
Debian Release: lenny/sid
  APT prefers testing-proposed-updates
  APT policy: (500, 'testing-proposed-updates'), (500, 'proposed-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.24.2 (SMP w/1 CPU core; PREEMPT)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages libgnutls26 depends on:
ii  libc6                  2.7-8             GNU C Library: Shared libraries
ii  libgcrypt11            1.4.0-3           LGPL Crypto library - runtime libr
ii  libgpg-error0          1.4-2             library for common error values an
ii  libopencdk10           0.6.6-1           Open Crypto Development Kit (OpenC
ii  libtasn1-3             1.3-1             Manage ASN.1 structures (runtime)
ii  zlib1g                 1:1.2.3.3.dfsg-11 compression library - runtime

libgnutls26 recommends no packages.

-- no debconf information
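
The gnutls-cli-debug output above ("fallback from TLS 1.1 ... failed", "accept Hello Extensions ... no") points at a server that chokes on a newer ClientHello rather than negotiating down. The following is an added example, not part of the bug report or of GnuTLS: it builds a bare ClientHello over a plain socket in two versions, with and without a server_name extension, and labels the server's first reply, so an operator can tell version intolerance from extension intolerance on their own server. Host, port, cipher-suite list and the all-zero random are constructed for the example.

```python
import socket
import struct
import sys

# Constructed example (not the report's or GnuTLS's code): a minimal ClientHello
# builder and a classifier for the first bytes a server sends back.

def build_client_hello(version=(3, 2), sni=None):
    """Return one TLS record holding a ClientHello.  version (3,1)=TLS 1.0,
    (3,2)=TLS 1.1.  With sni set, a server_name extension is appended;
    otherwise the hello carries no extension block at all (SSL3/TLS1.0 style)."""
    suites = [0x002F, 0x000A, 0x0005, 0x0004]   # AES128-SHA, 3DES-SHA, RC4-SHA, RC4-MD5
    body = bytes(version) + bytes(32)            # client_version + constructed all-zero random
    body += b"\x00"                              # empty session_id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                          # one compression method: null
    if sni is not None:
        name = sni.encode()
        entry = b"\x00" + struct.pack("!H", len(name)) + name      # host_name entry
        ext = struct.pack("!HH", 0x0000, len(entry) + 2) + struct.pack("!H", len(entry)) + entry
        body += struct.pack("!H", len(ext)) + ext                  # extensions block
    hs = b"\x01" + len(body).to_bytes(3, "big") + body              # handshake: ClientHello
    return b"\x16" + bytes(version) + struct.pack("!H", len(hs)) + hs  # record: handshake

def classify(reply):
    """Map the first bytes a server sent back to an outcome label."""
    if not reply:
        return "closed"      # connection dropped: what GnuTLS reports as 'unexpected length'
    if reply[0] == 0x16 and len(reply) >= 11 and reply[5] == 0x02:
        return "serverhello %d.%d" % (reply[9], reply[10])  # 5-byte record + 4-byte hs header
    if reply[0] == 0x15 and len(reply) >= 7:
        return "alert %d" % reply[6]                        # alert description byte
    return "garbage"         # e.g. an HTTP error page sent on a TLS port

def probe(host, port, version, sni, timeout=5.0):
    """Send one ClientHello variant and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(version, sni))
        try:
            return classify(s.recv(4096))
        except socket.timeout:
            return "timeout"

if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2])   # e.g. your own LDAPS host and 636
    for ver, label in (((3, 2), "TLS1.1"), ((3, 1), "TLS1.0")):
        for sni in (host, None):
            print("%s, %s extension: %s" % (label, "SNI" if sni else "no",
                                            probe(host, port, ver, sni)))
```

A server that answers "closed" to the TLS 1.1 variants but "serverhello 3.1" to the plain TLS 1.0 hello is version-intolerant, which is the behaviour a client library must work around by retrying with a lower version.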