[gnutls-devel] TLS connection improperly terminated

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Jul 28 22:02:19 CEST 2015


On Tue 2015-07-28 13:25:50 -0400, Eli Zaretskii wrote:
>> From: Rustom Mody <rustompmody at gmail.com>
>> Date: Tue, 28 Jul 2015 22:37:05 +0530
>> Cc: Eli Zaretskii <eliz at gnu.org>
>> 
>> Start emacs with -Q
>> Run (package-initialize)
>> Run (add-to-list 'package-archives
>>              '("marmalade" . "https://marmalade-repo.org/packages/") t)
>> Run M-x package-list-packages
>> 
>> Get error
>> gnutls.c: [0] (Emacs) fatal error: The TLS connection was non-properly
>> terminated.
>
> I think the real question here is why does GnuTLS regard this
> situation so important as to warrant a high-priority alert to the
> user.

AFAICT, the main issue is that the certificate chain offered by
https://marmalade-repo.org is "transvalid" -- meaning it does not offer
any intermediate certificates that would allow a user to chain its
end-entity certificate to a known root.

  https://blog.hboeck.de/archives/847-Incomplete-Certificate-Chains-and-Transvalid-Certificates.html

See the Qualys report for that server here:

  https://www.ssllabs.com/ssltest/analyze.html?d=marmalade-repo.org&latest

The connection to this server fails, because it cannot be properly
authenticated.  It looks to me like GnuTLS is doing the right thing by
reporting that the connection failed.  Would you rather it do something
else?

        --dkg
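
Added example, not part of the original message: a shell sketch that reproduces the incomplete-chain condition described above with the openssl command line. It assumes openssl 1.1.1 or later with its default configuration file; the three-certificate PKI and every name in it are constructed for the demo, and it goes slightly beyond the message by also showing the chain verifying once the intermediate is supplied.

```shell
#!/bin/sh
# Constructed demo PKI (all names made up):
#   Demo Root -> Demo Intermediate -> server.example
new_csr() {  # new_csr <dir> <basename> <common name>
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

build_demo_pki() {  # build_demo_pki <dir>
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    new_csr "$d" root "Demo Root"
    new_csr "$d" int  "Demo Intermediate"
    new_csr "$d" leaf "server.example"
    # Self-signed root: the only certificate the client trusts.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    # Intermediate CA, issued by the root.
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    # End-entity certificate, issued by the intermediate.
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Server sends only its end-entity certificate: the client cannot build
# a path from the leaf to the root it trusts.
verify_leaf_only() {
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>&1 | grep -q ': OK$'
}

# Server also sends the intermediate (untrusted, used only for path building).
verify_full_chain() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" \
        "$1/leaf.pem" 2>&1 | grep -q ': OK$'
}

demo=$(mktemp -d) && trap 'rm -rf "$demo"' EXIT
build_demo_pki "$demo"
if verify_leaf_only "$demo"; then echo "leaf only: verified"
else echo "leaf only: FAILED, no path to a trusted root"; fi
if verify_full_chain "$demo"; then echo "leaf + intermediate: verified"
else echo "leaf + intermediate: FAILED"; fi
```

The server-side fix is to serve the leaf and intermediate together, so that clients without a cached copy of the intermediate can still authenticate the connection.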


