
Re: GnuTLS versions 2.9.7 and later breaks libsoup (epiphany)


From: Simon Josefsson
Subject: Re: GnuTLS versions 2.9.7 and later breaks libsoup (epiphany)
Date: Thu, 10 Jun 2010 09:08:23 +0200
User-agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.1 (gnu/linux)

Andreas Metzler <address@hidden> writes:

> On 2010-06-08 Nikos Mavrogiannopoulos <address@hidden> wrote:
>> Andreas Metzler wrote:
>> > Hello,
>> > this is http://bugs.debian.org/576339
>>
>> > With GnuTLS versions 2.9.7 and later epiphany is unable to load https
>> > sites. Reproducing this is very easy on Debian/unstable
>> > (+experimental)
>
>> > sudo apt-get install epiphany-browser
>> > sudo apt-get install libgnutls26=2.9.11-1
>> > epiphany-browser https://db.debian.org/
>  
>> > epiphany simply gets stuck, resending the same request again and
>> > again. GnuTLS 2.9.6 and earlier (including 2.8.x) are fine.
>
>> Hi,
>>  The problem seems to be the support for TLS 1.2. It seems that epiphany
>> sets a priority string of "NORMAL:!VERS-TLS1.1:!VERS-TLS1.0". Thus the
>> allowed versions are now TLS 1.2 and SSL 3.0. The servers do not support
>> TLS 1.2 thus falling back to TLS 1.0 which is not supported.
>
> Shouldn't GnuTLS fall back to the supported protocol (SSL 3.0) in that
> case instead of getting stuck?

I think there is a bug in epiphany (or libsoup) here that causes it to
send the same request over and over again -- either the request should
succeed or it should fail.  I don't see why it is trying the same
request over and over again.

What it could do is to try the request with default settings (i.e.,
NORMAL, which makes it support latest protocol improvements) but if that
fails with an error message that indicates that re-trying without TLS 1.x
will help, it should re-try with lower TLS protocol versions.  It won't
help to re-try the exact same handshake.

>> A quick fix
>> would be to add !VERS-TLS1.2 to epiphany (I have no idea where it is).
>
> The respective code seems to be in libsoup
> libsoup2.4-2.30.1/libsoup/soup-gnutls.c
> and the explaining comment points to 
> http://bugzilla.gnome.org/show_bug.cgi?id=581342 as reason. Apparently
> epiphany experienced breakage with SSL 3.0 only servers
> (www.paypal.com).
>
> While changing the respective initialisation from
>
> gnutls_priority_set_direct (session, "NORMAL:!VERS-TLS1.1:!VERS-TLS1.0", NULL)
> to
> gnutls_priority_set_direct (session, "NORMAL", NULL)
>
> makes https://db.debian.org/ accessible again with GnuTLS 2.9.7,
> it also breaks connecting to https://www.paypal.com/. Not really a
> solution.

A better solution is to attempt the NORMAL setting first, and if it
fails, also attempt to negotiate using SSL3+TLS1 only.  If that fails,
stop retrying.

/Simon
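Added example (not code from this thread, from libsoup or from GnuTLS): the retry policy proposed above, modelled in plain C without linking GnuTLS. The version bitmasks, the mock server (including a constructed "highest ClientHello version it tolerates" field standing in for the SSL3-only site mentioned in the thread) and the mock handshake are assumptions made here; the priority strings are the ones discussed in the thread.

```c
#include <stddef.h>

/* Protocol versions as a bitmask, ordered so that a higher bit is newer. */
enum { SSL3 = 1, TLS10 = 2, TLS11 = 4, TLS12 = 8 };

struct attempt { const char *priority; unsigned versions; };

/* Attempt order: the default first, then SSL3+TLS1.0 only, then stop.
 * Each GnuTLS priority string is paired with the versions it enables. */
static const struct attempt FALLBACK[] = {
    { "NORMAL",                           SSL3 | TLS10 | TLS11 | TLS12 },
    { "NORMAL:!VERS-TLS1.2:!VERS-TLS1.1", SSL3 | TLS10 },
};
#define N_ATTEMPTS (sizeof FALLBACK / sizeof FALLBACK[0])

/* Constructed server model: the versions it speaks, and the highest
 * ClientHello version it tolerates before aborting (0 = tolerates any),
 * standing in for the SSL3-only site the thread describes. */
struct server { unsigned versions; unsigned max_hello; };

static unsigned highest(unsigned mask) {
    unsigned v = 0;
    for (unsigned b = 1; b <= TLS12; b <<= 1)
        if (mask & b) v = b;
    return v;
}

/* Stand-in for gnutls_handshake(): the client offers its highest enabled
 * version, the server answers with its highest version not above that,
 * and the client accepts only a version it enabled. 0 means failure. */
unsigned mock_handshake(unsigned client, const struct server *s) {
    unsigned offer = highest(client), pick = 0;
    if (s->max_hello && offer > s->max_hello) return 0;
    for (unsigned b = 1; b <= offer; b <<= 1)
        if (s->versions & b) pick = b;
    return (client & pick) ? pick : 0;
}

/* Walks FALLBACK once, never repeating a handshake with the same
 * settings; *tries reports how many handshakes were made. */
unsigned connect_with_fallback(const struct server *s, int *tries) {
    *tries = 0;
    for (size_t i = 0; i < N_ATTEMPTS; i++) {
        (*tries)++;
        unsigned v = mock_handshake(FALLBACK[i].versions, s);
        if (v) return v;
    }
    return 0; /* every attempt failed: report the error, do not loop */
}
```

Against a TLS 1.0 server the libsoup string "NORMAL:!VERS-TLS1.1:!VERS-TLS1.0" (SSL3 and TLS 1.2 only) fails outright, while the fallback list succeeds on the first try; against the intolerant SSL3-only model it succeeds on the second, and against a server with nothing in common it stops after two handshakes instead of looping.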
