bug-guix

bug#23311: TLS handshake error


From: Ludovic Courtès
Subject: bug#23311: TLS handshake error
Date: Tue, 19 Apr 2016 16:06:56 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)

address@hidden (Ludovic Courtès) wrote:

> Sometimes, TLS handshakes fail in strange ways (the following happens
> after a dozen iterations; I’ve enabled GnuTLS debugging in (guix
> build download) here):

Can also be reproduced like this:

--8<---------------cut here---------------start------------->8---
$ while echo 'GET /index.html' | gnutls-cli mirror.hydra.gnu.org ; do : ; done

[...]

Resolving 'mirror.hydra.gnu.org'...
Connecting to '131.159.14.26:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `CN=hydra.gnunet.org', issuer `C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X1', RSA key 2048 bits, signed using RSA-SHA256, activated `2016-03-19 22:26:00 UTC', expires `2016-06-17 22:26:00 UTC', SHA-1 fingerprint `51c20b204469ccf4fa62b471f421f15a55146975'
        Public Key ID:
                ab678bd61d4e942cc835ee7c099be880d98eca89
        Public key's random art:
                +--[ RSA 2048]----+
                |                 |
                |        o        |
                |     . + o .     |
                |      o + +      |
                |   +   +S* .     |
                |  o o . =.=      |
                |   o o ..= .     |
                |o o . oo+ o      |
                |E+   .oo..       |
                +-----------------+

- Certificate[1] info:
 - subject `C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X1', issuer `O=Digital Signature Trust Co.,CN=DST Root CA X3', RSA key 2048 bits, signed using RSA-SHA256, activated `2015-10-19 22:33:36 UTC', expires `2020-10-19 22:33:36 UTC', SHA-1 fingerprint `3eae91937ec85d74483ff4b77b07b43e2af36bf4'
- Status: The certificate is trusted.
- Description: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-256-GCM)
- Session ID: 3D:90:F6:7E:0A:B1:58:9B:FE:69:0C:3C:1C:8F:2F:7C:53:FB:5B:0B:86:26:59:C3:E3:98:CF:0C:1E:59:25:3E
- Ephemeral EC Diffie-Hellman parameters
 - Using curve: SECP256R1
 - Curve size: 256 bits
- Version: TLS1.2
- Key Exchange: ECDHE-RSA
- Server Signature: RSA-SHA512
- Cipher: AES-256-GCM
- MAC: AEAD
- Compression: NULL
- Options: safe renegotiation,
- Handshake was completed

- Simple Client Mode:

Processed 525 CA certificate(s).
Resolving 'mirror.hydra.gnu.org'...
Connecting to '131.159.14.26:443'...
*** Fatal error: The operation timed out
*** Handshake has failed
GnuTLS error: The operation timed out
$ gnutls-cli --version
gnutls-cli 3.4.7
--8<---------------cut here---------------end--------------->8---

… or by running this program:

--8<---------------cut here---------------start------------->8---
(use-modules (gnutls)
             (ice-9 match))

(match (getaddrinfo "mirror.hydra.gnu.org" "https")
  ((addrinfo _ ...)
   (let ((addr (addrinfo:addr addrinfo)))
     (let loop ((i 0))
       (pk 'try i)
       (let ((socket (socket (addrinfo:fam addrinfo)
                             SOCK_STREAM (addrinfo:protocol addrinfo))))
         (connect socket addr)
         (let ((session (make-session connection-end/client)))
           (set-session-server-name! session server-name-type/dns
                                     "mirror.hydra.gnu.org")
           (set-session-transport-fd! session (fileno socket))
           (set-session-default-priority! session)
           (set-session-credentials! session (make-certificate-credentials))
           (handshake session)
           (close-port socket)
           (loop (1+ i))))))))
--8<---------------cut here---------------end--------------->8---

… like this:

--8<---------------cut here---------------start------------->8---
$ guile ./tls.scm 

[...]

;;; (try 75)

Backtrace:
In ice-9/boot-9.scm:
 155: 8 [catch #t #<catch-closure 28887e0> ...]
In unknown file:
   ?: 7 [apply-smob/1 #<catch-closure 28887e0>]
In ice-9/boot-9.scm:
  61: 6 [call-with-prompt prompt0 ...]
In ice-9/eval.scm:
 432: 5 [eval # #]
In ice-9/boot-9.scm:
2401: 4 [save-module-excursion #<procedure 28d2a40 at ice-9/boot-9.scm:4045:3 ()>]
4052: 3 [#<procedure 28d2a40 at ice-9/boot-9.scm:4045:3 ()>]
In unknown file:
   ?: 2 [load-compiled/vm "/home/ludo/.cache/guile/ccache/2.0-LE-8-2.0/home/ludo/src/guix/tls.scm.go"]
In /home/ludo/src/guix/./tls.scm:
  18: 1 [#<procedure 29f34a0 ()>]
In unknown file:
   ?: 0 [handshake #<session 2e0c680>]

ERROR: In procedure handshake:
ERROR: Throw to key `gnutls-error' with args `(#<gnutls-error-enum The TLS connection was non-properly terminated.> handshake)'.
--8<---------------cut here---------------end--------------->8---

Ludo’.




