[gnutls-devel] GnuTLS | GnuTLS 3.6.3 connection failure: Error performing TLS handshake: The operation was cancelled due to user error (#530)

Martin Pitt gitlab at mg.gitlab.com
Wed Jul 25 09:26:44 CEST 2018


New Issue was created.

Issue 530: https://gitlab.com/gnutls/gnutls/issues/530
Author:    Martin Pitt
Assignee:  

Since Fedora Rawhide and Fedora testing updated GnuTLS to 3.6.3, our Cockpit unit tests for TLS connections [fail](https://github.com/cockpit-project/cockpit/issues/9723) during handshake:
```
$ ./test-httpstream
./test-httpstream terminated with SIGABRT
FAIL: test-httpstream 7 /http-stream/tls/basic

FAIL: test-httpstream 12 /http-stream/tls/authority-good
cockpit-bridge-Message: 14:08:31.926: https://localhost:42005/test: couldn't read: Error performing TLS handshake: The operation was cancelled due to user error
**
cockpit-bridge:ERROR:src/bridge/test-httpstream.c:815:test_tls_authority_bad: Got unexpected message: https://localhost:42005/test: couldn't read: Error performing TLS handshake: The operation was cancelled due to user error instead of cockpit-bridge-Message: *Unacceptable TLS certificate:*untrusted-issuer*

FAIL: test-httpstream 13 /http-stream/tls/authority-bad
ERROR: test-httpstream process failed: 250
```

This can be reproduced without Cockpit, with just a simple [standalone reproducer](https://piware.de/tmp/glib-networking-tls-9723.c) using glib-networking:

```
curl -O https://raw.githubusercontent.com/cockpit-project/cockpit/master/src/bridge/mock-server.crt
curl -O https://raw.githubusercontent.com/cockpit-project/cockpit/master/src/bridge/mock-server.key
curl -O https://piware.de/tmp/glib-networking-tls-9723.c
gnutls-serv --x509keyfile ./mock-server.key --x509certfile ./mock-server.crt --port 9999
# in another terminal:
gcc -g -O0 `pkg-config --cflags --libs gio-2.0` glib-networking-tls-9723.c
./a.out
```

This works with GnuTLS 3.6.2, as currently in Fedora 28:
```
** Message: 09:19:51.913: successfully connected
HTTP/1.0 200 OK
Content-type: text/html


<HTML>[...]
```

But it fails with GnuTLS 3.6.3 (on the client side -- didn't test the server side). I extracted libgnutls.so.30 from a rawhide mock chroot and put it into /tmp/. Then `LD_LIBRARY_PATH=/tmp ./a.out` reproduces the bug:
```
** Message: 09:21:00.794: successfully connected
**
ERROR:glib-networking-tls-9723.c:36:main: assertion failed (error == NULL): Error performing TLS handshake: The operation was cancelled due to user error (g-tls-error-quark, 1)
Aborted (core dumped)
```

The server says:
```
* Accepted connection from IPv4 127.0.0.1 port 59050 on Wed Jul 25 09:21:21 2018
Error in handshake: Error in the pull function.
```

Notes:
  * This works against an OpenSSL server:

        openssl s_server -cert ./mock-server.crt -key ./mock-server.key -port 

    (You need to type something onto the server side to see it on the client - but if you are there, you are past the connection)

  * This doesn't depend on the actual certificates. I tried a different one, and it fails in the same way. The above ones are the ones from Cockpit's tests, and are convenient to use.
