bug#38171: guix lynx can not connect, ArchLinux lynx can, why?

bug#38171: guix lynx can not connect, ArchLinux lynx can, why?

[Bengt Richter]

Hi Guix,

Sorry about the vterm escapes, but perhaps it's easy to see for someone anyway?

Both lynxes started and both use the same lynx.cfg and lynx.lss in /etc/.
I selected a bookmark link to duckduckgo and /usr/bin/lynx got there, but guix lynx did not.
Either way, I just exited lynx, so make the strace as small as possible.

The first lines from the greps show a TLS difference -- (why? different internal defaults?)
and is that the explanation? Can I fix it with /etc/lynx.cfg?

guix describe:
Generation 22	Nov 08 2019 17:49:27	(current)
  guix be4f2d9
    repository URL: https://git.savannah.gnu.org/git/guix.git
    branch: master
    commit: be4f2d9451344701599b6dc000c0345ce53b2128

The respective lynxes:
    /gnu/store/7vwm0ly476k7p2spbwxsqr2p7khg69yc-lynx-2.8.9rel.1/bin/lynx:
    ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter
    /gnu/store/h90vnqw0nwd0hhm1l5dgxsdrigddfmq4-glibc-2.28/lib/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, not stripped

    /usr/bin/lynx:
    ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter
    /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=9a1efceaaead8942151b0719125d63cbd4e296cf, stripped

Results:

--8<----(guix lynx)-----------cut here---------------start------------->8---
[12:07 ~/bs]$ egrep -E '(Alert|TLS|HTTP)' lynx-gx.strace
122385 write(1</dev/tty3>, "\33[0;10;1m\17\33[33m\33[44mSecure 256-bit TLS1.3 (ECDHE_RSA_AES_256_GCM_SHA384) HTTP co"..., 91) = 91
122385 write(1</dev/tty3>, "\33[0;10;1m\17\33[33m\33[44mnding HTTP request.\33[K", 42) = 42
122385 write(1</dev/tty3>, "\33[0;10;1m\17\33[33m\33[44mHTTP request sent; w", 40) = 40
122385 write(1</dev/tty3>, "\33[0;10;1m\17\33[33m\33[41mAlert!: Unexpected network read error; connection aborted.\33["..., 81) = 81
122385 write(1</dev/tty3>, "\33[0;10;1m\17\33[33m\33[41mAlert!: Unable to access document.\33[K", 57) = 57
--8<----(guix lynx)-----------cut here---------------end--------------->8---

--8<----(ArchLinux lynx)-----------cut here---------------start------------->8---
[12:07 ~/bs]$ egrep -E '(Alert|TLS|HTTP)' lynx-usr.strace
122308 write(1</dev/tty3>, "\33[0;10;1m\17\33[33m\33[44mSecure 256-bit TLSv1.3 (TLS_AES_256_GCM_SHA384) HTTP connect"..., 86) = 86
122308 write(1</dev/tty3>, "\33[0;10;1m\17\33[33m\33[44mnding HTTP request.", 39) = 39
122308 write(1</dev/tty3>, "\33[0;10;1m\17\33[33m\33[44mHTTP request sent; w", 40) = 40
122308 write(1</dev/tty3>, "\33[0;10;1m\17\33[33m\33[44mHTTP/1.1 302 Moved Temporarily", 50) = 50
122308 write(1</dev/tty3>, "\33[0;10;1m\17\33[33m\33[44mSecure 256-bit TLSv1.3 (TLS_AES_256_GCM_SHA384) HTTP connect"..., 86) = 86
122308 write(1</dev/tty3>, "\33[0;10;1m\17\33[33m\33[44mnding HTTP request.", 39) = 39
122308 write(1</dev/tty3>, "\33[0;10;1m\17\33[33m\33[44mHTTP request sent; w", 40) = 40
122308 write(1</dev/tty3>, "\33[0;10;1m\17\33[33m\33[44mHTTP/1.1 200 OK\33[K", 38) = 38
--8<----(ArchLinux lynx)-----------cut here---------------end--------------->8---

--8<----(strace cmds)-----------cut here---------------start------------->8---
[12:07 ~/bs]$ # above from: strace -s 80 -yfo lynx-gx.strace lynx
[12:15 ~/bs]$ #        and: strace -s 80 -yfo lynx-usr.strace /usr/bin/lynx
--8<----(strace cmds)-----------cut here---------------end--------------->8---

I've got the whole strace logs still, in case you want me to grep out something more.
TIA
-- 
Regards,
Bengt Richter

bug#38171: guix lynx can not connect, ArchLinux lynx can, why?

[Clément Lassieur]

[-- Attachment #1: Type: text/plain, Size: 361 bytes --]

Hi Bengt,

Thank you for the report!

It seems to be a GnuTLS issue with TLS 1.3 hosts[1].  There is patch
upstream but it hasn't landed in a release yet, so I think it's safer to
switch to OpenSSL.  What do you think?  I attached a patch doing just
that.

Cheers,
Clément

[1]: https://lists.gnu.org/archive/html/lynx-dev/2018-12/msg00009.html


[-- Attachment #2: 0001-gnu-lynx-Fix-errors-with-TLS-1.3-hosts.patch --]
[-- Type: text/x-diff, Size: 2028 bytes --]

From 83523b25d10f5fc42473dbfb93e5ee3c29e23b88 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20Lassieur?= <clement@lassieur.org>
Date: Tue, 12 Nov 2019 00:38:30 +0100
Subject: [PATCH] gnu: lynx: Fix errors with TLS 1.3 hosts.

Fixes <https://bugs.gnu.org/38171>.
Reported by Bengt Richter <bokr@bokr.com>.

See <https://lists.gnu.org/archive/html/lynx-dev/2018-12/msg00009.html>.

* gnu/packages/web-browsers.scm (lynx)[inputs, arguments]: Replace GnuTLS with
OpenSSL.
---
 gnu/packages/web-browsers.scm | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/web-browsers.scm b/gnu/packages/web-browsers.scm
index 1b41aec874..24531623c6 100644
--- a/gnu/packages/web-browsers.scm
+++ b/gnu/packages/web-browsers.scm
@@ -8,6 +8,7 @@
 ;;; Copyright © 2018 Rutger Helling <rhelling@mykolab.com>
 ;;; Copyright © 2018 Timo Eisenmann <eisenmann@fn.de>
 ;;; Copyright © 2018 Pierre Neidhardt <mail@ambrevar.xyz>
+;;; Copyright © 2019 Clément Lassieur <clement@lassieur.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -222,7 +223,7 @@ and the GTK+ toolkit.")
                      ("perl" ,perl)))
     (inputs `(("ncurses" ,ncurses)
               ("libidn" ,libidn)
-              ("gnutls" ,gnutls)
+              ("openssl" ,openssl)
               ("libgcrypt" ,libgcrypt)
               ("unzip" ,unzip)
               ("zlib" ,zlib)
@@ -230,12 +231,12 @@ and the GTK+ toolkit.")
               ("bzip2" ,bzip2)))
     (arguments
      `(#:configure-flags
-       (let ((gnutls (assoc-ref %build-inputs "gnutls")))
+       (let ((openssl (assoc-ref %build-inputs "openssl")))
          `("--with-pkg-config"
            "--with-screen=ncurses"
            "--with-zlib"
            "--with-bzlib"
-           ,(string-append "--with-gnutls=" gnutls)
+           ,(string-append "--with-ssl=" openssl)
            ;; "--with-socks5"    ; XXX TODO
            "--enable-widec"
            "--enable-ascii-ctypes"
-- 
2.23.0

bug#38171: guix lynx can not connect, ArchLinux lynx can, why?

[Leo Famulari]

On Tue, Nov 12, 2019 at 01:05:41AM +0100, Clément Lassieur wrote:
> Hi Bengt,
> 
> Thank you for the report!
> 
> It seems to be a GnuTLS issue with TLS 1.3 hosts[1].  There is patch
> upstream but it hasn't landed in a release yet, so I think it's safer to
> switch to OpenSSL.  What do you think?  I attached a patch doing just
> that.

Can you double-check that the licenses of Lynx and OpenSSL are
compatible for redistribution?

bug#38171: guix lynx can not connect, ArchLinux lynx can, why?

[Clément Lassieur]

Leo Famulari <leo@famulari.name> writes:

> Can you double-check that the licenses of Lynx and OpenSSL are
> compatible for redistribution?

https://lynx.invisible-island.net/current/README.ssl says:

--8<---------------cut here---------------start------------->8---
OpenSSL's distribution and use may be restricted by licenses and laws.
For information on obtaining OpenSSL, as well as information on its
distribution, see http://www.openssl.org/
--8<---------------cut here---------------end--------------->8---

and https://www.openssl.org/docs/faq.html says:

--8<---------------cut here---------------start------------->8---
Can I use OpenSSL with GPL software?

On many systems including the major Linux and BSD distributions, yes
(the GPL does not place restrictions on using libraries that are part of
the normal operating system distribution).

On other systems, the situation is less clear. Some GPL software
copyright holders claim that you infringe on their rights if you use
OpenSSL with their software on operating systems that don't normally
include OpenSSL.

If you develop open source software that uses OpenSSL, you may find it
useful to choose an other license than the GPL, or state explicitly that
"This program is released under the GPL with the additional exemption
that compiling, linking, and/or using OpenSSL is allowed." If you are
using GPL software developed by others, you may want to ask the
copyright holder for permission to use their software with OpenSSL.
--8<---------------cut here---------------end--------------->8---

If Guix is one of the major Linux distributions (as I think it is), Lynx
and OpenSSL are compatible as per OpenSSL's site (first paragraph).  In
any case, Lynx's README.ssl makes it clear that they have nothing
against OpenSSL use.  (It even says GnuTLS support is experimental.)

bug#38171: guix lynx can not connect, ArchLinux lynx can, why?

[Clément Lassieur]

Pushed.  Bengt, you can 'guix pull', it should work now :)

Clément