From: ludo@gnu.org (Ludovic Courtès)
To: 23311@debbugs.gnu.org
Subject: bug#23311: TLS handshake error
Date: Tue, 19 Apr 2016 16:06:56 +0200 [thread overview]
Message-ID: <878u0966bj.fsf@gnu.org> (raw)
In-Reply-To: <87y48a7dpd.fsf@gnu.org> ("Ludovic Courtès"'s message of "Tue, 19 Apr 2016 00:29:50 +0200")
ludo@gnu.org (Ludovic Courtès) wrote:
> Sometimes, TLS handshakes fail in strange ways (the following happens
> after a dozen iterations; I’ve enabled GnuTLS debugging in (guix
> build download) here):
Can also be reproduced like this:
--8<---------------cut here---------------start------------->8---
$ while echo 'GET /index.html' | gnutls-cli mirror.hydra.gnu.org ; do : ; done
[...]
Resolving 'mirror.hydra.gnu.org'...
Connecting to '131.159.14.26:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
- subject `CN=hydra.gnunet.org', issuer `C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X1', RSA key 2048 bits, signed using RSA-SHA256, activated `2016-03-19 22:26:00 UTC', expires `2016-06-17 22:26:00 UTC', SHA-1 fingerprint `51c20b204469ccf4fa62b471f421f15a55146975'
Public Key ID:
ab678bd61d4e942cc835ee7c099be880d98eca89
Public key's random art:
+--[ RSA 2048]----+
| |
| o |
| . + o . |
| o + + |
| + +S* . |
| o o . =.= |
| o o ..= . |
|o o . oo+ o |
|E+ .oo.. |
+-----------------+
- Certificate[1] info:
- subject `C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X1', issuer `O=Digital Signature Trust Co.,CN=DST Root CA X3', RSA key 2048 bits, signed using RSA-SHA256, activated `2015-10-19 22:33:36 UTC', expires `2020-10-19 22:33:36 UTC', SHA-1 fingerprint `3eae91937ec85d74483ff4b77b07b43e2af36bf4'
- Status: The certificate is trusted.
- Description: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-256-GCM)
- Session ID: 3D:90:F6:7E:0A:B1:58:9B:FE:69:0C:3C:1C:8F:2F:7C:53:FB:5B:0B:86:26:59:C3:E3:98:CF:0C:1E:59:25:3E
- Ephemeral EC Diffie-Hellman parameters
- Using curve: SECP256R1
- Curve size: 256 bits
- Version: TLS1.2
- Key Exchange: ECDHE-RSA
- Server Signature: RSA-SHA512
- Cipher: AES-256-GCM
- MAC: AEAD
- Compression: NULL
- Options: safe renegotiation,
- Handshake was completed
- Simple Client Mode:
Processed 525 CA certificate(s).
Resolving 'mirror.hydra.gnu.org'...
Connecting to '131.159.14.26:443'...
*** Fatal error: The operation timed out
*** Handshake has failed
GnuTLS error: The operation timed out
$ gnutls-cli --version
gnutls-cli 3.4.7
--8<---------------cut here---------------end--------------->8---
… or by running this program:
--8<---------------cut here---------------start------------->8---
(use-modules (gnutls)
             (ice-9 match))

;; Resolve the mirror once, then keep opening a fresh TCP connection and
;; running a TLS handshake on it until something goes wrong.
(match (getaddrinfo "mirror.hydra.gnu.org" "https")
  ((addrinfo _ ...)
   (let ((addr (addrinfo:addr addrinfo)))
     (let loop ((i 0))
       (pk 'try i)
       (let ((socket (socket (addrinfo:fam addrinfo)
                             SOCK_STREAM (addrinfo:protocol addrinfo))))
         (connect socket addr)
         (let ((session (make-session connection-end/client)))
           (set-session-server-name! session server-name-type/dns
                                     "mirror.hydra.gnu.org")
           (set-session-transport-fd! session (fileno socket))
           (set-session-default-priority! session)
           (set-session-credentials! session (make-certificate-credentials))
           ;; An uncaught 'gnutls-error thrown here ends the loop with a
           ;; backtrace, as shown in the output below.
           (handshake session)
           (close-port socket)
           (loop (1+ i))))))))
--8<---------------cut here---------------end--------------->8---
… like this:
--8<---------------cut here---------------start------------->8---
$ guile ./tls.scm
[...]
;;; (try 75)
Backtrace:
In ice-9/boot-9.scm:
155: 8 [catch #t #<catch-closure 28887e0> ...]
In unknown file:
?: 7 [apply-smob/1 #<catch-closure 28887e0>]
In ice-9/boot-9.scm:
61: 6 [call-with-prompt prompt0 ...]
In ice-9/eval.scm:
432: 5 [eval # #]
In ice-9/boot-9.scm:
2401: 4 [save-module-excursion #<procedure 28d2a40 at ice-9/boot-9.scm:4045:3 ()>]
4052: 3 [#<procedure 28d2a40 at ice-9/boot-9.scm:4045:3 ()>]
In unknown file:
?: 2 [load-compiled/vm "/home/ludo/.cache/guile/ccache/2.0-LE-8-2.0/home/ludo/src/guix/tls.scm.go"]
In /home/ludo/src/guix/./tls.scm:
18: 1 [#<procedure 29f34a0 ()>]
In unknown file:
?: 0 [handshake #<session 2e0c680>]
ERROR: In procedure handshake:
ERROR: Throw to key `gnutls-error' with args `(#<gnutls-error-enum The TLS connection was non-properly terminated.> handshake)'.
--8<---------------cut here---------------end--------------->8---
Ludo’.
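A diagnostic variant of the loop above, added here as an example rather than code from the bug report: instead of letting the first 'gnutls-error abort the run, it catches each failure, keeps going for a fixed number of attempts, and tallies how often each outcome ("ok", "The operation timed out", "The TLS connection was non-properly terminated.", ...) occurred. That frequency table is what you want when deciding whether an intermittent handshake failure is a client bug, a server-side limit, or network loss. It assumes the same Guile (gnutls) bindings used in the report and the same host; the procedure names try-handshake and tally-handshakes and the attempt count of 100 are this example's own choices.

```scheme
;; Added example, not part of the original report.  Assumes the Guile
;; (gnutls) bindings already used above; the host is the one from the
;; report and the procedure names here are this example's own.
(use-modules (gnutls)
             (ice-9 match)
             (ice-9 format))

(define host "mirror.hydra.gnu.org")

(define (try-handshake addrinfo)
  "Connect to ADDRINFO, run one TLS handshake for HOST on a fresh socket,
and return #t on success or the gnutls-error enum object on failure.
The socket is closed whichever way the attempt ends."
  (let ((sock (socket (addrinfo:fam addrinfo) SOCK_STREAM
                      (addrinfo:protocol addrinfo))))
    (dynamic-wind
      (const #t)
      (lambda ()
        (connect sock (addrinfo:addr addrinfo))
        (let* ((session (make-session connection-end/client))
               (result
                (begin
                  (set-session-server-name! session server-name-type/dns host)
                  (set-session-transport-fd! session (fileno sock))
                  (set-session-default-priority! session)
                  (set-session-credentials! session
                                            (make-certificate-credentials))
                  ;; 'gnutls-error is thrown as (error-enum procedure-name);
                  ;; keep only the enum so the caller can classify it.
                  (catch 'gnutls-error
                    (lambda () (handshake session) #t)
                    (lambda (key err . _) err)))))
          ;; Send close_notify on success so the server sees a clean
          ;; shutdown; a failure here is not what we are measuring.
          (when (eq? result #t)
            (false-if-exception (bye session close-request/rdwr)))
          result))
      (lambda () (close-port sock)))))

(define (tally-handshakes n)
  "Run N handshakes and return an alist mapping each outcome string
(\"ok\" or a GnuTLS error description) to how many attempts produced it."
  (match (getaddrinfo host "https")
    ((addrinfo _ ...)
     (let loop ((i 0) (counts '()))
       (if (>= i n)
           counts
           (let* ((result  (try-handshake addrinfo))
                  (outcome (if (eq? result #t) "ok" (error->string result))))
             (format #t "try ~a: ~a~%" i outcome)
             (loop (1+ i)
                   (assoc-set! counts outcome
                               (1+ (or (assoc-ref counts outcome) 0))))))))))

;; Print the tally: count first, then the outcome it belongs to.
(for-each (match-lambda
            ((outcome . count)
             (format #t "~5d  ~a~%" count outcome)))
          (tally-handshakes 100))
```

Run it the same way as the report's script (guile ./tally.scm). Because every attempt uses a new TCP connection and a fresh session, a cluster of timeouts after a steady run of successes points at something stateful between client and server (connection-rate limiting, a stalled path, or a server that stops answering ClientHello) rather than at the handshake logic itself; a consistent "non-properly terminated" result on a connection that never got to the handshake means the peer closed the socket without sending any TLS alert.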
Thread overview: 7+ messages
2016-04-18 22:29 bug#23311: TLS handshake error Ludovic Courtès
2016-04-19 14:06 ` Ludovic Courtès [this message]
2016-04-19 21:10 ` Ludovic Courtès
2016-04-19 21:51 ` Ludovic Courtès
2016-04-20 11:18 ` Ludovic Courtès
2016-04-20 11:31 ` Mathieu Lirzin
2016-04-20 15:32 ` Ludovic Courtès