[gnutls-devel] GnuTLS | gnutls_handshake() failed: An unexpected TLS packet was received. (#1551)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Fri May 24 02:37:47 CEST 2024
Felix Adrianto created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1551
## Description of problem:
I have git client from Debian Bookworm which is supported by gnutls. I'm having issue cloning any git repository hosted by Github.
```
I did a little bit deeper opening TLS connection with gnutls-cli. Connecting to github.com produce an error below. I tested with google.com, bitbucket.org, gitlab.com, docker.com the TLS connections were established without any issue. The issue seems specific to github.
```
gnutls-cli -V -d 9999 github.com
|<3>| ASSERT: ../../../lib/x509/dn.c[_gnutls_x509_compare_raw_dn]:1039
|<3>| ASSERT: ../../../lib/x509/dn.c[_gnutls_x509_compare_raw_dn]:1039
|<3>| ASSERT: ../../../lib/x509/dn.c[_gnutls_x509_compare_raw_dn]:1039
Processed 140 CA certificate(s).
Resolving 'github.com:443'...
Connecting to '140.82.112.3:443'...
|<5>| REC[0x55a4f0103cd0]: Allocating epoch #0
|<2>| added 6 protocols, 29 ciphersuites, 19 sig algos and 10 groups into priority list
|<5>| REC[0x55a4f0103cd0]: Allocating epoch #1
|<4>| HSK[0x55a4f0103cd0]: Adv. version: 3.3
|<2>| Keeping ciphersuite 13.02 (GNUTLS_AES_256_GCM_SHA384)
|<2>| Keeping ciphersuite 13.03 (GNUTLS_CHACHA20_POLY1305_SHA256)
|<2>| Keeping ciphersuite 13.01 (GNUTLS_AES_128_GCM_SHA256)
|<2>| Keeping ciphersuite 13.04 (GNUTLS_AES_128_CCM_SHA256)
|<2>| Keeping ciphersuite c0.2c (GNUTLS_ECDHE_ECDSA_AES_256_GCM_SHA384)
|<2>| Keeping ciphersuite cc.a9 (GNUTLS_ECDHE_ECDSA_CHACHA20_POLY1305)
|<2>| Keeping ciphersuite c0.ad (GNUTLS_ECDHE_ECDSA_AES_256_CCM)
|<2>| Keeping ciphersuite c0.0a (GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA1)
|<2>| Keeping ciphersuite c0.2b (GNUTLS_ECDHE_ECDSA_AES_128_GCM_SHA256)
|<2>| Keeping ciphersuite c0.ac (GNUTLS_ECDHE_ECDSA_AES_128_CCM)
|<2>| Keeping ciphersuite c0.09 (GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA1)
|<2>| Keeping ciphersuite c0.30 (GNUTLS_ECDHE_RSA_AES_256_GCM_SHA384)
|<2>| Keeping ciphersuite cc.a8 (GNUTLS_ECDHE_RSA_CHACHA20_POLY1305)
|<2>| Keeping ciphersuite c0.14 (GNUTLS_ECDHE_RSA_AES_256_CBC_SHA1)
|<2>| Keeping ciphersuite c0.2f (GNUTLS_ECDHE_RSA_AES_128_GCM_SHA256)
|<2>| Keeping ciphersuite c0.13 (GNUTLS_ECDHE_RSA_AES_128_CBC_SHA1)
|<2>| Keeping ciphersuite 00.9d (GNUTLS_RSA_AES_256_GCM_SHA384)
|<2>| Keeping ciphersuite c0.9d (GNUTLS_RSA_AES_256_CCM)
|<2>| Keeping ciphersuite 00.35 (GNUTLS_RSA_AES_256_CBC_SHA1)
|<2>| Keeping ciphersuite 00.9c (GNUTLS_RSA_AES_128_GCM_SHA256)
|<2>| Keeping ciphersuite c0.9c (GNUTLS_RSA_AES_128_CCM)
|<2>| Keeping ciphersuite 00.2f (GNUTLS_RSA_AES_128_CBC_SHA1)
|<2>| Keeping ciphersuite 00.9f (GNUTLS_DHE_RSA_AES_256_GCM_SHA384)
|<2>| Keeping ciphersuite cc.aa (GNUTLS_DHE_RSA_CHACHA20_POLY1305)
|<2>| Keeping ciphersuite c0.9f (GNUTLS_DHE_RSA_AES_256_CCM)
|<2>| Keeping ciphersuite 00.39 (GNUTLS_DHE_RSA_AES_256_CBC_SHA1)
|<2>| Keeping ciphersuite 00.9e (GNUTLS_DHE_RSA_AES_128_GCM_SHA256)
|<2>| Keeping ciphersuite c0.9e (GNUTLS_DHE_RSA_AES_128_CCM)
|<2>| Keeping ciphersuite 00.33 (GNUTLS_DHE_RSA_AES_128_CBC_SHA1)
|<4>| EXT[0x55a4f0103cd0]: Preparing extension (OCSP Status Request/5) for 'client hello'
|<4>| EXT[0x55a4f0103cd0]: Sending extension OCSP Status Request/5 (5 bytes)
|<4>| EXT[0x55a4f0103cd0]: Preparing extension (Client Certificate Type/19) for 'client hello'
|<4>| EXT[0x55a4f0103cd0]: Client certificate type was set to default cert type (X.509). We therefore do not send this extension.
|<4>| EXT[0x55a4f0103cd0]: Preparing extension (Server Certificate Type/20) for 'client hello'
|<4>| EXT[0x55a4f0103cd0]: Server certificate type was set to default cert type (X.509). We therefore do not send this extension.
|<4>| EXT[0x55a4f0103cd0]: Preparing extension (Supported Groups/10) for 'client hello'
|<4>| EXT[0x55a4f0103cd0]: Sent group SECP256R1 (0x17)
|<4>| EXT[0x55a4f0103cd0]: Sent group SECP384R1 (0x18)
|<4>| EXT[0x55a4f0103cd0]: Sent group SECP521R1 (0x19)
|<4>| EXT[0x55a4f0103cd0]: Sent group X25519 (0x1d)
|<4>| EXT[0x55a4f0103cd0]: Sent group X448 (0x1e)
|<4>| EXT[0x55a4f0103cd0]: Sent group FFDHE2048 (0x100)
|<4>| EXT[0x55a4f0103cd0]: Sent group FFDHE3072 (0x101)
|<4>| EXT[0x55a4f0103cd0]: Sent group FFDHE4096 (0x102)
|<4>| EXT[0x55a4f0103cd0]: Sent group FFDHE6144 (0x103)
|<4>| EXT[0x55a4f0103cd0]: Sent group FFDHE8192 (0x104)
|<4>| EXT[0x55a4f0103cd0]: Sending extension Supported Groups/10 (22 bytes)
|<4>| EXT[0x55a4f0103cd0]: Preparing extension (Supported EC Point Formats/11) for 'client hello'
|<4>| EXT[0x55a4f0103cd0]: Sending extension Supported EC Point Formats/11 (2 bytes)
|<4>| EXT[0x55a4f0103cd0]: Preparing extension (SRP/12) for 'client hello'
|<4>| EXT[0x55a4f0103cd0]: Preparing extension (Signature Algorithms/13) for 'client hello'
|<4>| EXT[0x55a4f0103cd0]: sent signature algo (4.1) RSA-SHA256
|<4>| EXT[0x55a4f0103cd0]: sent signature algo (8.9) RSA-PSS-SHA256
|<4>| EXT[0x55a4f0103cd0]: sent signature algo (8.4) RSA-PSS-RSAE-SHA256
|<4>| EXT[0x55a4f0103cd0]: sent signature algo (4.3) ECDSA-SHA256
|<4>| EXT[0x55a4f0103cd0]: sent signature algo (8.7) EdDSA-Ed25519
|<4>| EXT[0x55a4f0103cd0]: sent signature algo (5.1) RSA-SHA384
|<4>| EXT[0x55a4f0103cd0]: sent signature algo (8.10) RSA-PSS-SHA384
|<4>| EXT[0x55a4f0103cd0]: sent signature algo (8.5) RSA-PSS-RSAE-SHA384
|<4>| EXT[0x55a4f0103cd0]: sent signature algo (5.3) ECDSA-SHA384
|<4>| EXT[0x55a4f0103cd0]: sent signature algo (8.8) EdDSA-Ed448
|<4>| EXT[0x55a4f0103cd0]: sent signature algo (6.1) RSA-SHA512
|<4>| EXT[0x55a4f0103cd0]: sent signature algo (8.11) RSA-PSS-SHA512
|<4>| EXT[0x55a4f0103cd0]: sent signature algo (8.6) RSA-PSS-RSAE-SHA512
|<4>| EXT[0x55a4f0103cd0]: sent signature algo (6.3) ECDSA-SHA512
|<4>| EXT[0x55a4f0103cd0]: sent signature algo (2.1) RSA-SHA1
|<4>| EXT[0x55a4f0103cd0]: sent signature algo (2.3) ECDSA-SHA1
|<4>| EXT[0x55a4f0103cd0]: Sending extension Signature Algorithms/13 (34 bytes)
|<4>| EXT[0x55a4f0103cd0]: Preparing extension (SRTP/14) for 'client hello'
|<4>| EXT[0x55a4f0103cd0]: Preparing extension (Heartbeat/15) for 'client hello'
|<4>| EXT[0x55a4f0103cd0]: Preparing extension (ALPN/16) for 'client hello'
|<4>| EXT[0x55a4f0103cd0]: Preparing extension (Encrypt-then-MAC/22) for 'client hello'
|<4>| EXT[0x55a4f0103cd0]: Sending extension Encrypt-then-MAC/22 (0 bytes)
|<4>| EXT[0x55a4f0103cd0]: Preparing extension (Extended Master Secret/23) for 'client hello'
|<4>| EXT[0x55a4f0103cd0]: Sending extension Extended Master Secret/23 (0 bytes)
|<4>| EXT[0x55a4f0103cd0]: Preparing extension (Session Ticket/35) for 'client hello'
|<4>| EXT[0x55a4f0103cd0]: Sending extension Session Ticket/35 (0 bytes)
|<4>| EXT[0x55a4f0103cd0]: Preparing extension (Key Share/51) for 'client hello'
|<4>| EXT[0x55a4f0103cd0]: sending key share for SECP256R1
|<4>| EXT[0x55a4f0103cd0]: sending key share for X25519
|<4>| EXT[0x55a4f0103cd0]: Sending extension Key Share/51 (107 bytes)
|<4>| EXT[0x55a4f0103cd0]: Preparing extension (Supported Versions/43) for 'client hello'
|<2>| Advertizing version 3.4
|<2>| Advertizing version 3.3
|<2>| Advertizing version 3.2
|<2>| Advertizing version 3.1
|<4>| EXT[0x55a4f0103cd0]: Sending extension Supported Versions/43 (9 bytes)
|<4>| EXT[0x55a4f0103cd0]: Preparing extension (Post Handshake Auth/49) for 'client hello'
|<4>| EXT[0x55a4f0103cd0]: Preparing extension (Safe Renegotiation/65281) for 'client hello'
|<4>| EXT[0x55a4f0103cd0]: Sending extension Safe Renegotiation/65281 (1 bytes)
|<4>| EXT[0x55a4f0103cd0]: Preparing extension (Server Name Indication/0) for 'client hello'
|<2>| HSK[0x55a4f0103cd0]: sent server name: 'github.com'
|<4>| EXT[0x55a4f0103cd0]: Sending extension Server Name Indication/0 (15 bytes)
|<4>| EXT[0x55a4f0103cd0]: Preparing extension (Cookie/44) for 'client hello'
|<4>| EXT[0x55a4f0103cd0]: Preparing extension (Early Data/42) for 'client hello'
|<4>| EXT[0x55a4f0103cd0]: Preparing extension (PSK Key Exchange Modes/45) for 'client hello'
|<4>| EXT[0x55a4f0103cd0]: Sending extension PSK Key Exchange Modes/45 (3 bytes)
|<4>| EXT[0x55a4f0103cd0]: Preparing extension (Record Size Limit/28) for 'client hello'
|<4>| EXT[0x55a4f0103cd0]: Sending extension Record Size Limit/28 (2 bytes)
|<4>| EXT[0x55a4f0103cd0]: Preparing extension (Maximum Record Size/1) for 'client hello'
|<4>| EXT[0x55a4f0103cd0]: Preparing extension (Compress Certificate/27) for 'client hello'
|<4>| EXT[0x55a4f0103cd0]: Preparing extension (ClientHello Padding/21) for 'client hello'
|<4>| EXT[0x55a4f0103cd0]: Preparing extension (Pre Shared Key/41) for 'client hello'
|<4>| HSK[0x55a4f0103cd0]: CLIENT HELLO was queued [387 bytes]
|<11>| HWRITE: enqueued [CLIENT HELLO] 387. Total 387 bytes.
|<11>| HWRITE FLUSH: 387 bytes in buffer.
|<5>| REC[0x55a4f0103cd0]: Preparing Packet Handshake(22) with length: 387 and min pad: 0
|<9>| ENC[0x55a4f0103cd0]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
|<11>| WRITE: enqueued 392 bytes for 0x3. Total 392 bytes.
|<5>| REC[0x55a4f0103cd0]: Sent Packet[1] Handshake(22) in epoch 0 and length: 392
|<11>| HWRITE: wrote 1 bytes, 0 bytes left.
|<11>| WRITE FLUSH: 392 bytes in buffer.
|<11>| WRITE: wrote 392 bytes, 0 bytes left.
|<3>| ASSERT: ../../lib/buffers.c[get_last_packet]:1185
|<10>| READ: Got 5 bytes from 0x3
|<10>| READ: read 5 bytes from 0x3
|<10>| RB: Have 0 bytes into buffer. Adding 5 bytes.
|<10>| RB: Requested 5 bytes
|<5>| REC[0x55a4f0103cd0]: SSL 84.84 Unknown Packet packet received. Epoch 0, length: 20527
|<3>| ASSERT: ../../lib/record.c[check_recv_type]:634
|<1>| Received record packet of unknown type 72
|<3>| ASSERT: ../../lib/record.c[recv_headers]:1228
|<3>| ASSERT: ../../lib/record.c[_gnutls_recv_in_buffers]:1321
|<3>| ASSERT: ../../lib/buffers.c[_gnutls_handshake_io_recv_int]:1467
|<3>| ASSERT: ../../lib/handshake.c[_gnutls_recv_handshake]:1600
|<3>| ASSERT: ../../lib/handshake.c[handshake_client]:3075
|<13>| BUF[HSK]: Emptied buffer
*** Fatal error: An unexpected TLS packet was received.
|<5>| REC: Sending Alert[2|10] - Unexpected message
|<5>| REC[0x55a4f0103cd0]: Preparing Packet Alert(21) with length: 2 and min pad: 0
|<9>| ENC[0x55a4f0103cd0]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
|<11>| WRITE: enqueued 7 bytes for 0x3. Total 7 bytes.
|<11>| WRITE FLUSH: 7 bytes in buffer.
|<11>| WRITE: wrote 7 bytes, 0 bytes left.
|<5>| REC[0x55a4f0103cd0]: Sent Packet[2] Alert(21) in epoch 0 and length: 7
```
## Version of gnutls used:
libgnutls30 3.7.9-2+deb12u2
## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Debian Bookworm (stable)
## How reproducible:
Steps to Reproduce:
* git clone https://github.com/MythTV/mythtv.git
## Actual results:
gnutls[1]: Received record packet of unknown type 72
fatal: unable to access 'https://github.com/MythTV/mythtv.git/': gnutls_handshake() failed: An unexpected TLS packet was received.
```
## Expected results:
TLS connection established.
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1551
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20240524/e2f555c1/attachment-0001.html>
More information about the Gnutls-devel
mailing list