GnuTLS versions 2.9.7 and later break libsoup (epiphany)

Simon Josefsson simon at
Thu Jun 10 09:08:23 CEST 2010

Andreas Metzler <ametzler at> writes:

> On 2010-06-08 Nikos Mavrogiannopoulos <nmav at> wrote:
>> Andreas Metzler wrote:
>> > Hello,
>> > this is
>> > With GnuTLS versions 2.9.7 and later epiphany is unable to load https
>> > sites. Reproducing this is very easy on Debian/unstable
>> > (+experimental)
>> > sudo apt-get install epiphany-browser
>> > sudo apt-get install libgnutls26=2.9.11-1
>> > epiphany-browser
>> > epiphany simply gets stuck, resending the same request again and
>> > again. GnuTLS 2.9.6 and earlier (including 2.8.x) are fine.
>> Hi,
>> The problem seems to be the support for TLS 1.2. It seems that epiphany
>> sets a priority string of "NORMAL:!VERS-TLS1.1:!VERS-TLS1.0". Thus the
>> allowed versions are now TLS 1.2 and SSL 3.0. The servers do not support
>> TLS 1.2 thus falling back to TLS 1.0 which is not supported.
> Shouldn't GnuTLS fall back to the supported protocol (SSL 3.0) in that
> case instead of getting stuck?

I think there is a bug in epiphany (or libsoup) here that causes it to
send the same request over and over again -- either the request should
succeed or it should fail.  I don't see why it is trying the same
request over and over again.

What it could do is to try the request with default settings (i.e.,
NORMAL, which makes it support latest protocol improvements) but if that
fails with an error message that indicates that re-trying without TLS 1.x
will help, it should re-try with lower TLS protocol versions.  It won't
help to re-try the exact same handshake.

>> A quick fix
>> would be to add !VERS-TLS1.2 to epiphany (I have no idea where it is).
> The respective code seems to be in libsoup
> libsoup2.4-2.30.1/libsoup/soup-gnutls.c
> and the explaining comment points to 
> as reason. Apparently
> epiphany experienced breakage with SSL 3.0 only servers
> (
> While changing the respective initialisation from
> gnutls_priority_set_direct (session, "NORMAL:!VERS-TLS1.1:!VERS-TLS1.0", NULL)
> to
> gnutls_priority_set_direct (session, "NORMAL", NULL)
> makes accessible again with GnuTLS 2.9.7,
> it also breaks connecting to Not really a
> solution.

A better solution is to attempt the NORMAL setting first, and if it
fails, also attempt to negotiate using SSL3+TLS1 only.  If that fails,
stop retrying.
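The version selection and retry strategy discussed in this thread, as an added model in C (not GnuTLS or libsoup code): a priority string is reduced to the set of versions it enables, one handshake is simulated, and connect_with_fallback tries NORMAL and then SSL3+TLS1.0 only before giving up. The server's tolerated_max field is an assumption standing in for servers that abort when the ClientHello advertises a version newer than they know; the version bit values are constructed for the model.

```c
#include <stddef.h>
#include <string.h>

/* Added model of GnuTLS protocol-version selection; not GnuTLS or libsoup code. */
enum { SSL3 = 1, TLS1_0 = 2, TLS1_1 = 4, TLS1_2 = 8 };   /* bit flags per version */
#define NORMAL_VERSIONS (SSL3 | TLS1_0 | TLS1_1 | TLS1_2)  /* NORMAL as of GnuTLS 2.9.7 */

struct server {
    unsigned versions;      /* versions the server implements */
    unsigned tolerated_max; /* assumption: aborts if the ClientHello advertises above this */
};

/* Versions a priority string enables; only "NORMAL" and "!VERS-xxx" are modelled. */
unsigned allowed_versions(const char *priority)
{
    char buf[128];
    unsigned set = 0;
    strncpy(buf, priority, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, ":"); tok; tok = strtok(NULL, ":")) {
        if (!strcmp(tok, "NORMAL"))            set = NORMAL_VERSIONS;
        else if (!strcmp(tok, "!VERS-SSL3.0")) set &= ~SSL3;
        else if (!strcmp(tok, "!VERS-TLS1.0")) set &= ~TLS1_0;
        else if (!strcmp(tok, "!VERS-TLS1.1")) set &= ~TLS1_1;
        else if (!strcmp(tok, "!VERS-TLS1.2")) set &= ~TLS1_2;
    }
    return set;
}

/* One handshake: the client advertises its highest version, the server picks its best
 * version not above that, and the client rejects a pick it has disabled. 0 = failure. */
unsigned negotiate(unsigned client, struct server s)
{
    unsigned v, client_max = 0, chosen = 0;
    for (v = TLS1_2; v && !client_max; v >>= 1) if (client & v) client_max = v;
    if (!client_max || client_max > s.tolerated_max) return 0;
    for (v = client_max; v; v >>= 1) if (s.versions & v) { chosen = v; break; }
    return (chosen & client) ? chosen : 0;  /* e.g. TLS1.0 picked but disabled: stuck case */
}

/* The retry strategy proposed above: NORMAL, then SSL3+TLS1.0 only, then stop. */
unsigned connect_with_fallback(struct server s)
{
    static const char *attempts[] = { "NORMAL", "NORMAL:!VERS-TLS1.2:!VERS-TLS1.1" };
    for (size_t i = 0; i < sizeof attempts / sizeof *attempts; i++) {
        unsigned v = negotiate(allowed_versions(attempts[i]), s);
        if (v) return v;
    }
    return 0;  /* both attempts failed: give up rather than retry the same handshake */
}
```

With the libsoup string "NORMAL:!VERS-TLS1.1:!VERS-TLS1.0" a TLS 1.0-only server is picked by the server and refused by the client, so no single handshake can reach SSL 3.0; only a second attempt with a lower advertised version can.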
