Re: [libmicrohttpd] SSL handshake fails between libcurl and libgnutls/MHD

[Piotr Grzybowski]

hello all

 If the error appears after moving from gnutls 2.8.x to 2.12.x then
keep in mind that a lot of things have changed. When I made that
transition (on some environment using gnutls, curl, and libmicrohttpd
(I updraged gnutls and rebuilt libmicrohttpd)) many things refused to
work, mainly because of changes that went into gnutls-bin packages
after 2.10 i think. I do not know if it is related to the way curl
works with gnutls, but the fact remains that many executables now
needed, e.g., explicit ciphers scpecifications. How deep this goes I
am not sure, I did not run any tests when I made the transition, just
verified that in new setup libmicrohttpd worked, and as far as i know
everything is fine with basic libmicrohttpd operations even with
gnutls-3.x.

yours,
pg


On Thu, Jan 19, 2012 at 6:29 PM, Christian Grothoff <address@hidden> wrote:
> Dear all,
>
> After a recent update of libcurl / libgnutls on my Debian unstable system,
> the fully automated tests of GNU libmicrohttpd for HTTPS started to fail.
>  These tests start an HTTPS server using libgnutls and GNU libmicrohttpd and
> then try downloading a site using libcurl.
>
> Here is the key output:
> $ cd libmicrohttpd/src/testcurl/https/; make check
> curl version: libcurl/7.23.1 GnuTLS/2.12.14 zlib/1.2.3.4 libidn/1.23
> librtmp/2.3
> # ...
> curl_easy_perform failed: `SSL connect error'
> Error: received handshake message out of context
> Error (code: 4294967295)
> FAIL: mhds_session_info_test
>
> (this is not the only test that suddenly started to fail).
>
> One of our tests also provokes a failure by selecting incompatible versions
> of the SSL protocol.  With older versions, that test produces ONCE:
>
> curl version: libcurl/7.21.3 GnuTLS/2.8.6 zlib/1.2.3.4 libidn/1.18
> curl_easy_perform failed: `SSL connect error'
> Error: received handshake message out of context
>
> With the latest version, the two lines are repeated several times (and the
> test now fails).
>
>
> My guess right now is that there must have been some incompatible (!)
> protocol change in gnutls with itself (!?) or a significant change in how
> libcurl uses gnutls (i.e. change of supported ciphers, certificate checking,
> etc.).
>
> I've not yet had the time to investigate which revision exactly introduced
> the problem; however, I've seen it on several systems now, so it is pretty
> real.  I suspect this is an unintended bug; however, if there was a change
> in how one should use the curl or gnutls APIs, I'd really appreciate some
> hints :-).
>
> I'm collecting information about the bug in our bugtracker at
> https://gnunet.org/bugs/view.php?id=2086
>
> Help would be very welcome.
>
>
> Happy hacking!
>
> Christian
>