[gnutls-devel] TLS connection improperly terminated

Rustom Mody rustompmody at gmail.com
Wed Jul 29 19:13:24 CEST 2015


On Wed, Jul 29, 2015 at 4:11 AM, Rustom Mody <rustompmody at gmail.com> wrote:

>
>
> On Wed, Jul 29, 2015 at 1:32 AM, Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:
>
>> On Tue 2015-07-28 13:25:50 -0400, Eli Zaretskii wrote:
>> >> From: Rustom Mody <rustompmody at gmail.com>
>> >> Date: Tue, 28 Jul 2015 22:37:05 +0530
>> >> Cc: Eli Zaretskii <eliz at gnu.org>
>> >>
>> >> Start emacs with -Q
>> >> Run (package-initialize)
>> >> Run (add-to-list 'package-archives
>> >>              '("marmalade" . "https://marmalade-repo.org/packages/") t)
>> >> Run M-x package-list-packages
>> >>
>> >> Get error
>> >> gnutls.c: [0] (Emacs) fatal error: The TLS connection was non-properly
>> >> terminated.
>> >
>> > I think the real question here is why does GnuTLS regard this
>> > situation so important as to warrant a high-priority alert to the
>> > user.
>>
>> AFAICT, the main issue is that the certificate chain offered by
>> https://marmalade-repo.org is "transvalid" -- meaning it does not offer
>> any intermediate certificates that would allow a user to chain its
>> end-entity certificate to a known root.
>>
>>
>> https://blog.hboeck.de/archives/847-Incomplete-Certificate-Chains-and-Transvalid-Certificates.html
>>
>> See the Qualys report for that server here:
>>
>>
>> https://www.ssllabs.com/ssltest/analyze.html?d=marmalade-repo.org&latest
>>
>> The connection to this server fails, because it cannot be properly
>> authenticated.  It looks to me like GnuTLS is doing the right thing by
>> reporting that the connection failed.  Would you rather it do something
>> else?
>>
>>         --dkg
>>
>
> The intricacies of certificates (and security in general) are beyond me.
>
> However, the point to be noted is that I get a list of packages alright.
> So I don't know what you mean by "connection failed".
> Is the list the full list? I've no idea.
> AFAIK the message looks (semi)bogus.
> If list, there should be no message (at least not this one).
> If message, there should be no list.
>
>
One more data point:
I changed the https in the (add-to-list ... ) to http
Contacting host: marmalade-repo.org:80
gnutls.c: [0] (Emacs) fatal error: The TLS connection was non-properly
terminated.

Make back https

Contacting host: elpa.gnu.org:80 [3 times]
Contacting host: marmalade-repo.org:443
gnutls.c: [0] (Emacs) fatal error: The TLS connection was non-properly
terminated.

So TLS is called for http??