From mboxrd@z Thu Jan  1 00:00:00 1970
From: ludo@gnu.org (Ludovic Courtès)
Subject: bug#23311: TLS handshake error
Date: Tue, 19 Apr 2016 16:06:56 +0200
Message-ID: <878u0966bj.fsf@gnu.org>
References: <87y48a7dpd.fsf@gnu.org>
In-Reply-To: <87y48a7dpd.fsf@gnu.org> ("Ludovic Courtès"'s message of "Tue, 19 Apr 2016 00:29:50 +0200")
Content-Type: text/plain; charset=utf-8
List-Id: Bug reports for GNU Guix
To: 23311@debbugs.gnu.org

ludo@gnu.org (Ludovic Courtès) skribis:

> Sometimes, TLS handshakes fail in strange ways (the following happens
> after a dozen iterations; I’ve enabled GnuTLS debugging in (guix
> build download) here):

Can also be reproduced like this:

--8<---------------cut here---------------start------------->8---
$ while echo 'GET /index.html' | gnutls-cli mirror.hydra.gnu.org ; do : ; done
[...]
Resolving 'mirror.hydra.gnu.org'...
Connecting to '131.159.14.26:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `CN=hydra.gnunet.org', issuer `C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X1', RSA key 2048 bits, signed using RSA-SHA256, activated `2016-03-19 22:26:00 UTC', expires `2016-06-17 22:26:00 UTC', SHA-1 fingerprint `51c20b204469ccf4fa62b471f421f15a55146975'
	Public Key ID:
		ab678bd61d4e942cc835ee7c099be880d98eca89
	Public key's random art:
		+--[ RSA 2048]----+
		|                 |
		|         o       |
		|      . + o .    |
		|       o + +     |
		|      + +S* .    |
		|     o o . =.=   |
		|    o o ..= .    |
		|o o . oo+ o      |
		|E+ .oo..         |
		+-----------------+

- Certificate[1] info:
 - subject `C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X1', issuer `O=Digital Signature Trust Co.,CN=DST Root CA X3', RSA key 2048 bits, signed using RSA-SHA256, activated `2015-10-19 22:33:36 UTC', expires `2020-10-19 22:33:36 UTC', SHA-1 fingerprint `3eae91937ec85d74483ff4b77b07b43e2af36bf4'
- Status: The certificate is trusted.
- Description: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-256-GCM)
- Session ID: 3D:90:F6:7E:0A:B1:58:9B:FE:69:0C:3C:1C:8F:2F:7C:53:FB:5B:0B:86:26:59:C3:E3:98:CF:0C:1E:59:25:3E
- Ephemeral EC Diffie-Hellman parameters
 - Using curve: SECP256R1
 - Curve size: 256 bits
- Version: TLS1.2
- Key Exchange: ECDHE-RSA
- Server Signature: RSA-SHA512
- Cipher: AES-256-GCM
- MAC: AEAD
- Compression: NULL
- Options: safe renegotiation,
- Handshake was completed

- Simple Client Mode:

Processed 525 CA certificate(s).
Resolving 'mirror.hydra.gnu.org'...
Connecting to '131.159.14.26:443'...
*** Fatal error: The operation timed out
*** Handshake has failed
GnuTLS error: The operation timed out
$ gnutls-cli --version
gnutls-cli 3.4.7
--8<---------------cut here---------------end--------------->8---

… or by running this program:

--8<---------------cut here---------------start------------->8---
;; Reproducer: connect and handshake against the mirror in a loop until
;; `handshake' throws.  Each iteration opens a fresh socket and session.
(use-modules (gnutls) (ice-9 match))

(match (getaddrinfo "mirror.hydra.gnu.org" "https")
  ((addrinfo _ ...)
   (let ((addr (addrinfo:addr addrinfo)))
     (let loop ((i 0))
       (pk 'try i)
       (let ((socket (socket (addrinfo:fam addrinfo) SOCK_STREAM
                             (addrinfo:protocol addrinfo))))
         (connect socket addr)
         (let ((session (make-session connection-end/client)))
           (set-session-server-name! session server-name-type/dns
                                     "mirror.hydra.gnu.org")
           (set-session-transport-fd! session (fileno socket))
           (set-session-default-priority! session)
           (set-session-credentials! session (make-certificate-credentials))
           ;; No timeout is set on the socket, so a stalled handshake
           ;; blocks here until GnuTLS itself gives up.
           (handshake session)
           (close-port socket)
           (loop (1+ i))))))))
--8<---------------cut here---------------end--------------->8---

… like this:

--8<---------------cut here---------------start------------->8---
$ guile ./tls.scm
[...]

;;; (try 75)
Backtrace:
In ice-9/boot-9.scm:
 155: 8 [catch #t # ...]
In unknown file:
   ?: 7 [apply-smob/1 #]
In ice-9/boot-9.scm:
  61: 6 [call-with-prompt prompt0 ...]
In ice-9/eval.scm:
 432: 5 [eval # #]
In ice-9/boot-9.scm:
2401: 4 [save-module-excursion #]
4052: 3 [#]
In unknown file:
   ?: 2 [load-compiled/vm "/home/ludo/.cache/guile/ccache/2.0-LE-8-2.0/home/ludo/src/guix/tls.scm.go"]
In /home/ludo/src/guix/./tls.scm:
  18: 1 [#]
In unknown file:
   ?: 0 [handshake #]

ERROR: In procedure handshake:
ERROR: Throw to key `gnutls-error' with args `(# handshake)'.
--8<---------------cut here---------------end--------------->8---

Ludo’.
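The loops above run handshakes until one stalls, but they give no bound on how long a stalled handshake may block and no tally of how often it happens. The script below is an added example, not part of the bug report or of Guix or GnuTLS: it re-does the same repeated connect-and-handshake loop with Python's standard `ssl` module, puts an explicit timeout on connect and handshake so a stall is recorded as a "timeout" result instead of hanging the process, and summarizes the failure rate, the error classes and the first failing attempt across the run. The host defaults to the mirror named in the report; the `constructed_sample()` results (74 good handshakes followed by one timeout) are made up to exercise `summarize()` offline and are not measured data. The cipher-suite strings in that sample are constructed labels in OpenSSL naming, since that is what `SSLSocket.cipher()` returns.

```python
import socket
import ssl
import sys
import time
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class HandshakeResult:
    attempt: int
    ok: bool
    elapsed: float            # seconds from connect() start to handshake end
    error: Optional[str]      # None on success; "timeout", "tls:<reason>" or "os:<errno>"
    protocol: Optional[str] = None
    cipher: Optional[str] = None


def probe_handshake(host: str, port: int, attempt: int, timeout: float) -> HandshakeResult:
    """One TCP connect + TLS handshake against host:port, bounded by `timeout`.

    The socket timeout covers connect, handshake and close, so a stalled
    handshake comes back as a "timeout" result instead of blocking the caller
    indefinitely (the Guile reproducer's `handshake` call has no such bound).
    """
    ctx = ssl.create_default_context()    # system CA store, hostname verification on
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # wrap_socket() performs the handshake right away on an already
            # connected socket and honours the timeout set on it above.
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cipher = tls.cipher()     # (name, protocol, secret_bits) or None
                return HandshakeResult(attempt, True, time.monotonic() - start, None,
                                       tls.version(), cipher[0] if cipher else None)
    except socket.timeout:
        return HandshakeResult(attempt, False, time.monotonic() - start, "timeout")
    except ssl.SSLError as exc:           # handshake rejected or protocol error
        return HandshakeResult(attempt, False, time.monotonic() - start,
                               f"tls:{exc.reason or type(exc).__name__}")
    except OSError as exc:                # connection refused, reset, DNS failure, ...
        return HandshakeResult(attempt, False, time.monotonic() - start, f"os:{exc.errno}")


def run_probe_loop(host: str, port: int, iterations: int,
                   timeout: float = 10.0) -> List[HandshakeResult]:
    """Repeat probe_handshake() `iterations` times, one fresh connection each."""
    return [probe_handshake(host, port, i, timeout) for i in range(iterations)]


def summarize(results: List[HandshakeResult]) -> Dict[str, object]:
    """Failure rate, breakdown by error class, first failing attempt, slowest
    successful handshake (a rising tail is the early warning) and the suites seen."""
    failures = [r for r in results if not r.ok]
    by_error: Dict[str, int] = {}
    for r in failures:
        by_error[r.error] = by_error.get(r.error, 0) + 1
    ok_elapsed = [r.elapsed for r in results if r.ok]
    return {
        "total": len(results),
        "failures": len(failures),
        "failure_rate": len(failures) / len(results) if results else 0.0,
        "by_error": by_error,
        "first_failure": failures[0].attempt if failures else None,
        "slowest_ok": max(ok_elapsed) if ok_elapsed else None,
        "suites": sorted({f"{r.protocol}/{r.cipher}" for r in results if r.ok}),
    }


def constructed_sample() -> List[HandshakeResult]:
    """Constructed results shaped like the report: 74 good handshakes, then a
    timeout on attempt 74 (0-based, i.e. the 75th try).  Not measured data."""
    good = [HandshakeResult(i, True, 0.15 + (i % 5) * 0.01, None, "TLSv1.2",
                            "ECDHE-RSA-AES256-GCM-SHA384") for i in range(74)]
    return good + [HandshakeResult(74, False, 10.0, "timeout")]


if __name__ == "__main__":
    # Usage: python tls_probe.py [host] [iterations]; host defaults to the
    # mirror named in the report.
    target = sys.argv[1] if len(sys.argv) > 1 else "mirror.hydra.gnu.org"
    count = int(sys.argv[2]) if len(sys.argv) > 2 else 100
    results = run_probe_loop(target, 443, count)
    for r in results:
        print(f"try {r.attempt}: {'ok' if r.ok else r.error} in {r.elapsed:.2f}s")
    print(summarize(results))
```

Recording the per-attempt outcome rather than just the first failure is what lets an intermittent fault like this one be distinguished from a dead endpoint: a 1-in-75 timeout with otherwise stable latency and a single negotiated suite points at the server or the path, whereas a growing `slowest_ok` tail or a mix of `tls:` errors would point elsewhere.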