[gnutls-devel] gnutls 3.2.6+: connection to api.dreamhost.com hangs
Andreas Metzler
ametzler at bebt.de
Sun Jan 19 13:34:22 CET 2014
Hello,
this is http://bugs.debian.org/733039 reported by Neil Roeth.
Recent versions of gnutls fail at connecting to api.dreamhost.com,
they just hang. Git bisect shows that breakage started with this commit:
-------
3ff8313d3eb53eed1a509e45d5f5103c87c1900d is the first bad commit
commit 3ff8313d3eb53eed1a509e45d5f5103c87c1900d
Author: Nikos Mavrogiannopoulos <nmav at gnutls.org>
Date: Wed Oct 23 18:53:45 2013 +0200
Added camellia-gcm into the default priority levels, and prioritized
GCM over CBC everywhere.
-------
Daniel Kahn Gillmor added these interesting pieces of information:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=733039#22
|------------------------------------------------------
| I can confirm that 3.2.7 seems to hang for me, when i do:
|
| gnutls-cli --priority NORMAL api.dreamhost.com
|
| However, i can connect cleanly with:
|
| gnutls-cli --priority NORMAL:-DHE-DSS api.dreamhost.com
|
| I can avoid the same hang if i substitute any large-ish class of ciphers
| anywhere i put DHE-DSS above.
|
| Looking at the traffic on the wire, it looks like the non-hanging
| connections offer a ClientHello of size < 256 bytes, while the hanging
| connections have size >= 256 bytes.
|
| this smells a lot like the F5 bug with certain sizes of TLS handshakes,
| being misinterpreted as SSLv2, as reported by Xiaoyong Wu:
|
| http://thread.gmane.org/gmane.ietf.tls/11187/focus=11227
|
| The way to resolve this would be: if the client hello is >= 256 bytes,
| but < 512 bytes, add a meaningless extension to push the size of the
| client hello above 512 bytes.
|
| I haven't tested this yet, unfortunately.
|
| --dkg
|------------------------------------------------------
cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
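The size check and the padding workaround described in the quoted message, modelled stand-alone as an added example (this is not gnutls code and not dkg's or Andreas's). The ClientHello and server_name encodings follow RFC 5246 and RFC 6066; extension type 21 is the padding extension type later registered by RFC 7685. The all-zero random and the cipher-suite codes are constructed sample data, and `sample_suites`, `build_sni` and the other helper names are this example's own.

```python
"""Model of the ClientHello-size hang and the padding workaround."""
import struct

PADDING_EXT_TYPE = 21         # TLS ExtensionType "padding" (RFC 7685)
SERVER_NAME_EXT_TYPE = 0      # TLS ExtensionType "server_name" (RFC 6066)
HANDSHAKE_HEADER_LEN = 4      # HandshakeType(1) + uint24 length(3)
HANG_RANGE = range(256, 512)  # handshake sizes the quoted message says hang


def build_sni(hostname):
    """Encode a server_name extension payload with one host_name entry."""
    name = hostname.encode("ascii")
    # ServerNameList length(2), NameType host_name(1), HostName length(2), name
    return struct.pack("!HBH", len(name) + 3, 0, len(name)) + name


def sample_suites(n):
    """Constructed placeholder cipher-suite codes, 2 bytes each on the wire."""
    return [0x1000 + i for i in range(n)]


def build_client_hello_body(cipher_suites, extensions):
    """Serialise a minimal TLS 1.2 ClientHello (handshake header excluded)."""
    body = b"\x03\x03"                          # client_version = TLS 1.2
    body += bytes(32)                           # random (constructed: all zero)
    body += b"\x00"                             # empty session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                         # compression_methods: null only
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    return body


def handshake_length(body):
    """Size of the handshake message as carried in the record payload."""
    return len(body) + HANDSHAKE_HEADER_LEN


def in_hang_range(body):
    return handshake_length(body) in HANG_RANGE


def padding_data_length(body):
    """Padding bytes needed so that appending the extension lands at >= 512.
    The extension header itself costs 4 bytes, so near the top of the range
    a zero-length padding extension is already enough."""
    total = handshake_length(body)
    if total not in HANG_RANGE:
        return 0
    return max(512 - total - 4, 0)


def client_hello_with_padding(cipher_suites, extensions):
    """Build the hello; if it falls in the hang range, rebuild it with a
    padding extension appended, as the message proposes."""
    body = build_client_hello_body(cipher_suites, extensions)
    if in_hang_range(body):
        pad = (PADDING_EXT_TYPE, bytes(padding_data_length(body)))
        body = build_client_hello_body(cipher_suites, extensions + [pad])
    return body


def extension_types(body):
    """Walk a ClientHello body and list its extension types, so a reader
    can confirm the padding extension actually went out."""
    off = 2 + 32                                # skip version and random
    sid_len = body[off]
    off += 1 + sid_len
    (suites_len,) = struct.unpack_from("!H", body, off)
    off += 2 + suites_len
    comp_len = body[off]
    off += 1 + comp_len
    (ext_len,) = struct.unpack_from("!H", body, off)
    off += 2
    end = off + ext_len
    types = []
    while off < end:
        ext_type, ext_data_len = struct.unpack_from("!HH", body, off)
        types.append(ext_type)
        off += 4 + ext_data_len
    return types


if __name__ == "__main__":
    sni = (SERVER_NAME_EXT_TYPE, build_sni("api.dreamhost.com"))
    for n in (20, 100, 220):
        plain = build_client_hello_body(sample_suites(n), [sni])
        padded = client_hello_with_padding(sample_suites(n), [sni])
        print(f"{n:3d} suites: {handshake_length(plain):3d} bytes"
              f" -> {handshake_length(padded):3d} bytes,"
              f" extensions {extension_types(padded)}")
```

With the SNI for api.dreamhost.com, 20 suites give a 111-byte handshake that needs no padding, while 100 suites give 271 bytes, which is exactly the kind of hello the message says hangs; the padding extension lifts it to 512. At 220 suites the hello is 511 bytes and an empty padding extension alone pushes it to 515, which is why the length computation floors at zero rather than going negative.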