* bug#18526: Failure to download from github due to TLS fatal alert
@ 2014-09-22 12:33 Ludovic Courtès
  2014-09-22 13:32 ` Ludovic Courtès
  0 siblings, 1 reply; 4+ messages in thread
From: Ludovic Courtès @ 2014-09-22 12:33 UTC (permalink / raw)
  To: 18526

From guix-devel.


From: ludo@gnu.org (Ludovic Courtès)
To: Mark H Weaver <mhw@netris.org>
Cc: guix-devel@gnu.org
Subject: Re: Guix unable to download from github due to TLS fatal alert
Date: Wed, 13 Aug 2014 23:56:30 +0200
Message-ID: <87y4us12b5.fsf@gnu.org>

Mark H Weaver <mhw@netris.org> skribis:

> Here's what happens:
>
> $ guix download https://github.com/downloads/magit/magit/magit-1.2.0.tar.gz
> starting download of `guix-file.cszPnB' from `https://github.com/downloads/magit/magit/magit-1.2.0.tar.gz'...
> following redirection to `https://cloud.github.com/downloads/magit/magit/magit-1.2.0.tar.gz'...
> ERROR: Throw to key `gnutls-error' with args `(#<gnutls-error-enum A TLS fatal alert has been received.> handshake)'.
> failed to download "guix-file.cszPnB" from "https://github.com/downloads/magit/magit/magit-1.2.0.tar.gz"
> guix download: error: https://github.com/downloads/magit/magit/magit-1.2.0.tar.gz: download failed

I see that as well.  However, other github.com URLs work:

--8<---------------cut here---------------start------------->8---
$ guix download https://github.com/flavio/qjson/archive/0.8.1.tar.gz
starting download of `guix-file.tL8gal' from `https://github.com/flavio/qjson/archive/0.8.1.tar.gz'...
following redirection to `https://codeload.github.com/flavio/qjson/tar.gz/0.8.1'...
https://codeload.github.com/.../0.8.1	100.0% of 71.6 KiB
/gnu/store/fqfm3zm9pzwgic9sz2x8hk8ykm9yhkqw-0.8.1.tar.gz
163fspi0xc705irv79qw861fmh68pjyla9vx3kqiq6xrdhb9834j

$ guix download https://github.com/maebert/jrnl/archive/1.8.4.tar.gz
starting download of `guix-file.oK809e' from `https://github.com/maebert/jrnl/archive/1.8.4.tar.gz'...
following redirection to `https://codeload.github.com/maebert/jrnl/tar.gz/1.8.4'...
https://codeload.github.com/.../1.8.4	100.0% of 162.4 KiB
/gnu/store/cb39bf5ljrglj72bxarcsws241qhw5a8-1.8.4.tar.gz
019ky09sj5i7frmca0imv4jm46mn3f4lzah2wmiwxh22cisj7ksn
--8<---------------cut here---------------end--------------->8---

With debugging enabled in build/download.scm, the relevant part is:

--8<---------------cut here---------------start------------->8---
gnutls: [699|3] HSK[0x104e530]: CLIENT HELLO was queued [249 bytes]
gnutls: [699|7] HWRITE: enqueued [CLIENT HELLO] 249. Total 249 bytes.
gnutls: [699|7] HWRITE FLUSH: 249 bytes in buffer.
gnutls: [699|4] REC[0x104e530]: Preparing Packet Handshake(22) with length: 249 and min pad: 0
gnutls: [699|9] ENC[0x104e530]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
gnutls: [699|7] WRITE: enqueued 254 bytes for 0xe. Total 254 bytes.
gnutls: [699|4] REC[0x104e530]: Sent Packet[1] Handshake(22) in epoch 0 and length: 254
gnutls: [699|7] HWRITE: wrote 1 bytes, 0 bytes left.
gnutls: [699|7] WRITE FLUSH: 254 bytes in buffer.
gnutls: [699|7] WRITE: wrote 254 bytes, 0 bytes left.
gnutls: [699|2] ASSERT: gnutls_buffers.c:1075
gnutls: [699|7] READ: Got 5 bytes from 0xe
gnutls: [699|7] READ: read 5 bytes from 0xe
gnutls: [699|7] RB: Have 0 bytes into buffer. Adding 5 bytes.
gnutls: [699|7] RB: Requested 5 bytes
gnutls: [699|4] REC[0x104e530]: SSL 3.3 Alert packet received. Epoch 0, length: 2
gnutls: [699|4] REC[0x104e530]: Expected Packet Handshake(22)
gnutls: [699|4] REC[0x104e530]: Received Packet Alert(21) with length: 2
gnutls: [699|7] READ: Got 2 bytes from 0xe
gnutls: [699|7] READ: read 2 bytes from 0xe
gnutls: [699|7] RB: Have 5 bytes into buffer. Adding 2 bytes.
gnutls: [699|7] RB: Requested 7 bytes
gnutls: [699|4] REC[0x104e530]: Decrypted Packet[0] Alert(21) with length: 2
gnutls: [699|4] REC[0x104e530]: Alert[2|40] - Handshake failed - was received
--8<---------------cut here---------------end--------------->8---

Wget can be made to fail similarly:

--8<---------------cut here---------------start------------->8---
$ wget --secure-protocol=SSLv3 -O /dev/null https://github.com/downloads/magit/magit/magit-1.2.0.tar.gz
--2014-08-13 23:48:53--  https://github.com/downloads/magit/magit/magit-1.2.0.tar.gz
Resolving github.com... 192.30.252.128
Connecting to github.com|192.30.252.128|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://cloud.github.com/downloads/magit/magit/magit-1.2.0.tar.gz [following]
--2014-08-13 23:48:54--  https://cloud.github.com/downloads/magit/magit/magit-1.2.0.tar.gz
Resolving cloud.github.com... 54.230.44.78, 54.230.44.145, 54.230.44.189, ...
Connecting to cloud.github.com|54.230.44.78|:443... connected.
GnuTLS: A TLS fatal alert has been received.
GnuTLS: received alert [40]: Handshake failed
Unable to establish SSL connection.
--8<---------------cut here---------------end--------------->8---

But its default --secure-protocol=auto just works, although its gnutls.c
just seems to use the default priorities like we do.

Further investigation needed...

Ludo’.

* bug#18526: Failure to download from github due to TLS fatal alert
  2014-09-22 12:33 bug#18526: Failure to download from github due to TLS fatal alert Ludovic Courtès
@ 2014-09-22 13:32 ` Ludovic Courtès
  2014-09-22 19:19   ` Ludovic Courtès
  2014-10-13 21:35   ` Ludovic Courtès
  0 siblings, 2 replies; 4+ messages in thread
From: Ludovic Courtès @ 2014-09-22 13:32 UTC (permalink / raw)
  To: 18526

The culprit is that our client would not support the TLS ‘SERVER NAME’
extension, unlike wget and gnutls-cli (this is enabled simply by
calling ‘gnutls_server_name_set’.)  Here’s a proof-of-concept
workaround:

diff --git a/guix/build/download.scm b/guix/build/download.scm
index d98933a..b44302f 100644
--- a/guix/build/download.scm
+++ b/guix/build/download.scm
@@ -112,6 +112,24 @@ abbreviation of URI showing the scheme, host, and basename of the file."
       "Hold a weak reference from FROM to TO."
       (hashq-set! table from to))))
 
+(use-modules (system foreign))
+
+(define set-server-name!
+  (let* ((lib  (string-append (getenv "HOME") "/.guix-profile/lib/libgnutls"))
+         (ptr  (dynamic-func "gnutls_server_name_set"
+                             (dynamic-link lib)))
+         (proc (pointer->procedure int ptr
+                                   (list '* int '* size_t))))
+    (lambda (session type name)
+      ;; SESSION is a SMOB, and the 'gnutls_session_t' pointer is in its
+      ;; second cell.
+      (let* ((cell    (make-pointer (+ (sizeof '*) (object-address session))))
+             (session (dereference-pointer cell)))
+        (zero? (proc session type
+                     (string->pointer name) (string-length name)))))))
+
+(define GNUTLS_NAME_DNS 1)
+
 (define (tls-wrap port)
   "Return PORT wrapped in a TLS connection."
   (define (log level str)
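Review bot: `set-server-name!` obtains the `gnutls_session_t` pointer by adding `(sizeof '*)` to `(object-address session)`, which ties the code to Guile's private SMOB layout and gives the GC nothing that keeps `session` alive while the raw pointer is in use; it also loads GnuTLS from the hard-coded `(string-append (getenv "HOME") "/.guix-profile/lib/libgnutls")`, which breaks when HOME is unset or the library lives elsewhere. Acceptable for a proof of concept, but the proper fix is a binding in guile-gnutls, as the covering mail says. Minor: `(use-modules (system foreign))` belongs in the module's `define-module` form rather than mid-file, and `(string-length name)` equals the byte length passed to `gnutls_server_name_set` only for ASCII names.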
@@ -119,6 +137,7 @@ abbreviation of URI showing the scheme, host, and basename of the file."
             "gnutls: [~a|~a] ~a" (getpid) level str))
 
   (let ((session (make-session connection-end/client)))
+    (set-server-name! session GNUTLS_NAME_DNS "cloud.github.com")
     (set-session-transport-fd! session (fileno port))
     (set-session-default-priority! session)
     (set-session-credentials! session (make-certificate-credentials))
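Review bot: the server name is hard-coded to `"cloud.github.com"` on the `(set-server-name! session GNUTLS_NAME_DNS "cloud.github.com")` line, so every other HTTPS download now advertises the wrong SNI, which can make virtual-hosted servers refuse the handshake or present a certificate for a different name. `tls-wrap` should receive the target host (the URI's host component) from its caller and pass that instead of a literal.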
I’ll add bindings for ‘gnutls_server_name_set’ in GnuTLS proper, and
then we can correctly address this bug.

Ludo’.
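To make the diagnosis above concrete, here is an added example (not code from the thread or from Guix) that drives an in-memory OpenSSL client through Python's ssl module just far enough to capture its ClientHello, then parses the record to see whether the server_name (SNI) extension is present. Without a hostname handed to the library the extension is simply absent, which is the state the Guix client was in; the host name "cloud.github.com" is taken from the thread and the MemoryBIO-based capture is this example's own technique.

```python
import ssl
import struct

SNI_EXTENSION_TYPE = 0  # RFC 6066 server_name


def client_hello_bytes(server_hostname=None):
    """Drive an in-memory OpenSSL client until it emits its ClientHello."""
    ctx = ssl.create_default_context()
    if server_hostname is None:
        # Python refuses to start a handshake without a hostname unless
        # hostname checking is off; this mirrors the SNI-less Guix client.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello written, client now awaits ServerHello
    return outgoing.read()


def sni_hostname(client_hello):
    """Return the host named in the SNI extension, or None if it is absent."""
    rec_type, _version, rec_len = struct.unpack("!BHH", client_hello[:5])
    if rec_type != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = client_hello[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                                    # header, version, random
    pos += 1 + hs[pos]                                  # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + hs[pos]                                  # compression_methods
    if pos >= len(hs):
        return None                                     # no extensions block
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", hs[pos:pos + 4])
        data = hs[pos + 4:pos + 4 + length]
        if ext_type == SNI_EXTENSION_TYPE:
            # ServerNameList: list_len(2) name_type(1) name_len(2) host_name
            name_len = struct.unpack("!H", data[3:5])[0]
            return data[5:5 + name_len].decode("ascii")
        pos += 4 + length
    return None
```

Running `sni_hostname(client_hello_bytes())` yields None while `sni_hostname(client_hello_bytes("cloud.github.com"))` yields the host, which is the difference a virtual-hosted CDN front end such as the one in the wget transcript reacts to with alert 40.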
* bug#18526: Failure to download from github due to TLS fatal alert
  2014-09-22 13:32 ` Ludovic Courtès
@ 2014-09-22 19:19   ` Ludovic Courtès
  2014-10-13 21:35   ` Ludovic Courtès
  1 sibling, 0 replies; 4+ messages in thread
From: Ludovic Courtès @ 2014-09-22 19:19 UTC (permalink / raw)
  To: 18526-done

Commit 077bd18 fixes it, using the ‘set-session-server-name!’ procedure
introduced in GnuTLS commit e9fc746:

  https://gitorious.org/gnutls/gnutls/commit/e9fc74641dae2747b98bc9f79afc041805819339

It should be in the next GnuTLS release.

Ludo’.
* bug#18526: Failure to download from github due to TLS fatal alert
  2014-09-22 13:32 ` Ludovic Courtès
  2014-09-22 19:19   ` Ludovic Courtès
@ 2014-10-13 21:35   ` Ludovic Courtès
  1 sibling, 0 replies; 4+ messages in thread
From: Ludovic Courtès @ 2014-10-13 21:35 UTC (permalink / raw)
  To: 18526

Commit 3de9a59 pushed an update to GnuTLS 3.2.19, which brings the new
‘set-server-name!’ procedure.

Ludo’.