From mboxrd@z Thu Jan 1 00:00:00 1970 From: ludo@gnu.org (Ludovic =?UTF-8?Q?Court=C3=A8s?=) Subject: bug#23311: TLS handshake error Date: Wed, 20 Apr 2016 13:18:38 +0200 Message-ID: <877ffsy1dd.fsf@gnu.org> References: <87y48a7dpd.fsf@gnu.org> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:36184) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1asq9x-0002Fn-Ba for bug-guix@gnu.org; Wed, 20 Apr 2016 07:19:06 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1asq9t-0004tM-UW for bug-guix@gnu.org; Wed, 20 Apr 2016 07:19:05 -0400 Received: from debbugs.gnu.org ([208.118.235.43]:56948) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1asq9t-0004tI-R1 for bug-guix@gnu.org; Wed, 20 Apr 2016 07:19:01 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1asq9t-0008Ij-NG for bug-guix@gnu.org; Wed, 20 Apr 2016 07:19:01 -0400 Sender: "Debbugs-submit" Resent-To: bug-guix@gnu.org Resent-Message-ID: In-Reply-To: <87y48a7dpd.fsf@gnu.org> ("Ludovic \=\?utf-8\?Q\?Court\=C3\=A8s\=22'\?\= \=\?utf-8\?Q\?s\?\= message of "Tue, 19 Apr 2016 00:29:50 +0200") List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org Sender: "bug-Guix" To: 23311-done@debbugs.gnu.org ludo@gnu.org (Ludovic Court=C3=A8s) skribis: > $ while ./pre-inst-env guix download https://mirror.hydra.gnu.org/index.h= tml ; do : ; done Interestingly, the same loop with wget (which uses the very same GnuTLS) goes on forever. It turns out that instead of the default TLS cipher suite priority string (=E2=80=9CNORMAL=E2=80=9D), wget does: --8<---------------cut here---------------start------------->8--- case secure_protocol_auto: err =3D gnutls_priority_set_direct (session, "NORMAL:%COMPAT:-VERS-SS= L3.0", NULL); break; --8<---------------cut here---------------end--------------->8--- The code doesn=E2=80=99t explain why, but GnuTLS=E2=80=99s documentation ha= s this bit (info "(gnutls) Priority Strings"): --8<---------------cut here---------------start------------->8--- %COMPAT will enable compatibility mode. It might mean that violations of the protocols are allowed as long as maximum compatibility with problematic clients and servers is achieved. More specifically this string would disable TLS record random padding, tolerate packets over the maximum allowed TLS record, and add a padding to TLS Client Hello packet to prevent it being in the 256-512 range which is known to be causing issues with a commonly used firewall. --8<---------------cut here---------------end--------------->8--- Indeed, as soon as we add %COMPAT, =E2=80=98gnutls-cli=E2=80=99 et al. send= a 253-byte client hello (instead of 261) and the problem vanishes. Commit 967ee481e893fd77ff8ca896188e20e425331bf2 does that. Ludo=E2=80=99.