Bug#532752: Bug#482279: Same thing happens with python-pycurl

Simon Josefsson simon at josefsson.org
Thu Jun 11 11:43:58 UTC 2009


A new bug number has been assigned to your report, #532752.

Mike <stuff at mikepalmer.net> writes:

> Simon Josefsson wrote:
>> I just realized I wasn't clear what the likely cause of your problem is.
>> The problem may be caused by the server you are talking to.  Can you
>> access the servers that your clients use from your location?  Then
>> running 'gnutls-cli -d 4711' against that host may give enough details
>> to resolve it.
>>
>> Earlier bug reports of this kind suggest that the server is buggy
>> (which can be worked around), but it may also be that the Cisco box is
>> filtering out the traffic if you are only seeing the problem behind
>> those boxes.
>>
>> /Simon
>>
>
> Hi Simon,
>
> I'm not really supposed to be doing this but this is from the
> Cisco ASA network. I have no admin on anything outside of this box so
> I won't understand the configuration past seeing it dynamically
> redirect packets down different routes:
>
> # gnutls-cli -d 4711 <our_host_here>
...
> |<7>| READ: -1 returned from 4, errno=104 gerrno=0

The server disconnects after seeing the client hello.  Please try these
variants:

disable TLS1.1:
gnutls-cli -d 4711 <our_host_here> --priority NORMAL:-VERS-TLS1.1

disable ctype extension:
gnutls-cli -d 4711 <our_host_here> --priority NORMAL:-CTYPE-OPENPGP

disable server name extension:
gnutls-cli -d 4711 <our_host_here> --disable-extensions

disable ctype+servername (i.e., all) extensions:
gnutls-cli -d 4711 <our_host_here> --priority NORMAL:-CTYPE-OPENPGP --disable-extensions

disable TLS1.1 and all extensions:
gnutls-cli -d 4711 <our_host_here> --priority NORMAL:-VERS-TLS1.1:-CTYPE-OPENPGP --disable-extensions

> But let's try a known example like www.yahoo.com from the same network:
>
> gnutls-cli -d 4711 www.yahoo.com
...
> |<7>| READ: -1 returned from 4, errno=104 gerrno=0

Yeah, the firewall drops the connection.  Connecting from my network
works fine.

> Now for outside verification with an example you can try yourself
> (this one is on my home network and should work for you too):
>
>
> # gnutls-cli -d 4711 www1.banking.first-direct.com
...
> |<7>| READ: Got 0 bytes from 4

This error is actually different.  It doesn't disconnect, but just sends
a zero byte response which causes the client to disconnect.  This works:

gnutls-cli -d 4711 www1.banking.first-direct.com --priority NORMAL:-VERS-TLS1.1

> All of these handshake correctly without problems under openssl on the
> same systems in the same networks against the same targets. Let me
> know if there is anything else I can do to help identify anything with
> gnutls.

OpenSSL does not use any of TLS 1.1, server name extension, or ctype
extension.  I guess one or more of them triggers the problem.  To work
around the problem, you need to disable the feature causing the problem.
I don't think this indicates any GnuTLS problem.

/Simon
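The variant-by-variant check described in the message above, as an added Python wrapper that is not part of this email or of GnuTLS: it runs gnutls-cli -d 4711 with each priority/extension variant listed there and classifies the outcome from the debug lines quoted in the thread (errno=104 is ECONNRESET on Linux, i.e. a TCP reset; "Got 0 bytes" is an orderly close). Assumed: gnutls-cli is on PATH, and it prints "Handshake was completed" on success; the runner is injectable so the logic can be exercised without a network.

```python
import re
import subprocess

# The client-hello variants from the message above (priority strings copied from it).
VARIANTS = [
    ("baseline", ["--priority", "NORMAL"]),
    ("no TLS1.1", ["--priority", "NORMAL:-VERS-TLS1.1"]),
    ("no OpenPGP ctype", ["--priority", "NORMAL:-CTYPE-OPENPGP"]),
    ("no extensions", ["--disable-extensions"]),
    ("no ctype, no extensions",
     ["--priority", "NORMAL:-CTYPE-OPENPGP", "--disable-extensions"]),
    ("no TLS1.1, no extensions",
     ["--priority", "NORMAL:-VERS-TLS1.1:-CTYPE-OPENPGP", "--disable-extensions"]),
]

# Debug lines quoted in the thread.  errno=104 is ECONNRESET on Linux: the peer
# (or a middlebox) sent a TCP RST.  "Got 0 bytes" is an orderly close (FIN).
RESET_RE = re.compile(r"READ: -1 returned from \d+, errno=104")
EOF_RE = re.compile(r"READ: Got 0 bytes from \d+")
OK_MARKER = "Handshake was completed"  # assumed gnutls-cli success line

def classify(debug_output: str) -> str:
    """Map gnutls-cli -d 4711 output to ok / reset / eof / unknown."""
    if OK_MARKER in debug_output:
        return "ok"
    if RESET_RE.search(debug_output):
        return "reset"   # RST after ClientHello: firewall drop or server abort
    if EOF_RE.search(debug_output):
        return "eof"     # clean close after ClientHello: server-side intolerance
    return "unknown"

def run_gnutls_cli(host: str, extra_args: list) -> str:
    """Run gnutls-cli against host with extra_args; stdin is closed so it exits."""
    proc = subprocess.run(["gnutls-cli", "-d", "4711", host] + extra_args,
                          input="", capture_output=True, text=True, timeout=30)
    return proc.stdout + proc.stderr

def bisect_client_hello(host: str, runner=run_gnutls_cli) -> dict:
    """Try every variant and return {variant name: classification}."""
    return {name: classify(runner(host, args)) for name, args in VARIANTS}

def explain(results: dict) -> str:
    """One-line reading of the bisection, following the email's reasoning."""
    if results.get("baseline") == "ok":
        return "baseline works; nothing to disable"
    if all(v == "reset" for v in results.values()):
        return "every variant reset: likely a middlebox dropping the connection"
    working = [n for n, v in results.items() if v == "ok"]
    if working:
        return "server tolerates: " + ", ".join(working)
    return "no variant worked; inspect the full -d 4711 output"
```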
