[gnutls-devel] GnuTLS | Bug Connecting to a TLS1.3 Only Server (#1637)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Tue Jan 7 16:36:49 CET 2025
Gene commented: https://gitlab.com/gnutls/gnutls/-/issues/1637#note_2285216840


Sort of - here is a summary of tcpdump - note that since I am on the internal network now, I have replaced the IPs with client/server below, and I am unable to share the full pcap file(s) for this reason.

But of course you can also run the gnutls-cli client along with tcpdump on your end and compare with what happens using other clients.

I ran it twice, once with gnutls-cli and once with curl www.sapience.com/sitemap.xml.
The first difference is at step 6, where the server issues an HRR to gnutls, while for curl it replies with 'Server Hello'.

Within that client hello packet, curl is sending key_share X25519 while gnutls sends 'secp256r1, x25519'.

There are other differences too. My apologies for not being able to share more, but you can get a pcap on your client side too, though it is more work for you - sorry.

This is the summary for gnutls:

```
No  Time        Source  Dest    Proto   Length  Info
------------------------------------------------------------
1   0.000000    client  server  TCP 74  50170 → 443 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM TSval=644306766 TSecr=0 WS=128
2   0.002485    server  client  TCP 74  443 → 50170 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM TSval=1428335904 TSecr=644306766 WS=128
3   0.002526    client  server  TCP 66  50170 → 443 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=644306769 TSecr=1428335904
4   0.002931    client  server  TLSv1.3 464 Client Hello (SNI=www.sapience.com)
5   0.004983    server  client  TCP 66  443 → 50170 [ACK] Seq=1 Ack=399 Win=64768 Len=0 TSval=1428335907 TSecr=644306769
6   0.005294    server  client  TLSv1.3 159 Hello Retry Request
7   0.005295    server  client  TLSv1.3 72  Change Cipher Spec
8   0.005325    client  server  TCP 66  50170 → 443 [ACK] Seq=399 Ack=94 Win=64256 Len=0 TSval=644306771 TSecr=1428335907
9   0.005346    client  server  TCP 66  50170 → 443 [ACK] Seq=399 Ack=100 Win=64256 Len=0 TSval=644306772 TSecr=1428335907
10  0.005561    client  server  TLSv1.3 395 Client Hello (SNI=www.sapience.com)
11  0.008015    server  client  TLSv1.3 73  Alert (Level: Fatal, Description: Illegal Parameter)
12  0.008017    server  client  TCP 66  443 → 50170 [FIN, ACK] Seq=107 Ack=728 Win=64512 Len=0 TSval=1428335910 TSecr=644306772
13  0.008122    client  server  TCP 66  50170 → 443 [FIN, ACK] Seq=728 Ack=108 Win=64256 Len=0 TSval=644306774 TSecr=1428335910
14  0.009992    server  client  TCP 66  443 → 50170 [ACK] Seq=108 Ack=729 Win=64512 Len=0 TSval=1428335912 TSecr=644306774
```

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1637#note_2285216840
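Added example, not part of Gene's comment or of the GnuTLS code base: a small Python parser that extracts the supported_groups and key_share groups from a ClientHello record, reads the selected_group from a HelloRetryRequest, and applies the RFC 8446 section 4.1.4 rule that the group a server asks for in an HRR must be one the client listed in supported_groups but did not already send a key_share for. This is the check a reader would want to run on frames 4 and 6 above (raw record bytes exported from Wireshark) to see whether the retry the server issued was legitimate. The sample ClientHello and HRR bytes are constructed inline, with zeroed placeholder key_exchange values and no supported_versions extension, so they are parser fodder rather than a real handshake; the function names build_client_hello, build_hello_retry_request and check_hrr are this example's own assumptions.

```python
import struct

# Named group identifiers (RFC 8446 section 4.2.7).
NAMED_GROUPS = {
    0x0017: "secp256r1", 0x0018: "secp384r1", 0x0019: "secp521r1",
    0x001d: "x25519", 0x001e: "x448",
}
EXT_SUPPORTED_GROUPS = 10
EXT_KEY_SHARE = 51
# Fixed "random" value that marks a ServerHello as a HelloRetryRequest (RFC 8446 section 4.1.3).
HRR_RANDOM = bytes.fromhex(
    "CF21AD74E59A6111BE1D8C021E65B891C2A211167ABB8C5E079E09E2C8A8339C")


def _vec(data, size):
    """Length-prefix data with a big-endian length field of `size` bytes."""
    return len(data).to_bytes(size, "big") + data


def parse_handshake(record):
    """Return (handshake_type, body) from one TLS record carrying one handshake message."""
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 22:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rec_len]
    hs_len = int.from_bytes(hs[1:4], "big")
    return hs[0], hs[4:4 + hs_len]


def parse_extensions(buf):
    """Parse an extensions block (2-byte total length) into {ext_type: ext_data}."""
    (total,) = struct.unpack("!H", buf[:2])
    pos, end, exts = 2, 2 + total, {}
    while pos < end:
        ext_type, ext_len = struct.unpack("!HH", buf[pos:pos + 4])
        exts[ext_type] = buf[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
    return exts


def client_hello_groups(body):
    """Return (supported_groups, key_share_groups) offered in a ClientHello body."""
    pos = 2 + 32                                            # legacy_version + random
    pos += 1 + body[pos]                                    # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
    pos += 1 + body[pos]                                    # legacy_compression_methods
    exts = parse_extensions(body[pos:])
    sg = exts.get(EXT_SUPPORTED_GROUPS, b"\x00\x00")
    (sg_len,) = struct.unpack("!H", sg[:2])
    supported = [struct.unpack("!H", sg[i:i + 2])[0] for i in range(2, 2 + sg_len, 2)]
    ks = exts.get(EXT_KEY_SHARE, b"\x00\x00")
    (ks_len,) = struct.unpack("!H", ks[:2])
    shares, i = [], 2
    while i < 2 + ks_len:                                   # each entry: group, key_exchange<1..2^16-1>
        group, ke_len = struct.unpack("!HH", ks[i:i + 4])
        shares.append(group)
        i += 4 + ke_len
    return supported, shares


def hello_retry_selected_group(body):
    """Return selected_group from a HelloRetryRequest body, or None for a plain ServerHello."""
    if body[2:34] != HRR_RANDOM:
        return None
    pos = 34
    pos += 1 + body[pos]        # legacy_session_id_echo
    pos += 2 + 1                # cipher_suite + legacy_compression_method
    ks = parse_extensions(body[pos:]).get(EXT_KEY_SHARE)
    return struct.unpack("!H", ks[:2])[0] if ks else None


def check_hrr(client_hello_record, server_record):
    """Apply RFC 8446 section 4.1.4: an HRR's selected_group must appear in the client's
    supported_groups and must NOT be a group the client already sent a key_share for."""
    _, ch = parse_handshake(client_hello_record)
    _, sh = parse_handshake(server_record)
    supported, shares = client_hello_groups(ch)
    selected = hello_retry_selected_group(sh)
    name = lambda g: NAMED_GROUPS.get(g, hex(g))
    return {
        "supported_groups": [name(g) for g in supported],
        "key_share_groups": [name(g) for g in shares],
        "hrr": selected is not None,
        "selected_group": name(selected) if selected is not None else None,
        "hrr_valid": selected is None or (selected in supported and selected not in shares),
    }


def build_client_hello(supported, shares):
    """Constructed sample (hypothetical): minimal ClientHello record offering the given groups."""
    sg = _vec(b"".join(g.to_bytes(2, "big") for g in supported), 2)
    ks = _vec(b"".join(g.to_bytes(2, "big") + _vec(b"\x00" * 32, 2) for g in shares), 2)
    exts = (EXT_SUPPORTED_GROUPS.to_bytes(2, "big") + _vec(sg, 2)
            + EXT_KEY_SHARE.to_bytes(2, "big") + _vec(ks, 2))
    body = (b"\x03\x03" + b"\x11" * 32 + _vec(b"", 1)           # version, random, session id
            + _vec(b"\x13\x01", 2) + _vec(b"\x00", 1) + _vec(exts, 2))
    return b"\x16\x03\x01" + _vec(b"\x01" + _vec(body, 3), 2)


def build_hello_retry_request(selected):
    """Constructed sample (hypothetical): HelloRetryRequest record asking for `selected`."""
    exts = EXT_KEY_SHARE.to_bytes(2, "big") + _vec(selected.to_bytes(2, "big"), 2)
    body = b"\x03\x03" + HRR_RANDOM + _vec(b"", 1) + b"\x13\x01" + b"\x00" + _vec(exts, 2)
    return b"\x16\x03\x03" + _vec(b"\x02" + _vec(body, 3), 2)


if __name__ == "__main__":
    # Client offers shares for both secp256r1 and x25519; server retries asking for x25519.
    ch = build_client_hello([0x001d, 0x0017], [0x0017, 0x001d])
    print(check_hrr(ch, build_hello_retry_request(0x001d)))
```

When hrr_valid comes back False the server asked the client to redo a share it had already provided, which is exactly the situation in which RFC 8446 tells the client to abort with illegal_parameter; when it is True the retry is a normal negotiation and the second ClientHello deserves the closer look.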