[gnutls-help] Chrome and GNUTLS_E_PREMATURE_TERMINATION

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Oct 3 15:33:05 CEST 2013


On 10/03/2013 08:16 AM, MK wrote:
> Actually what I meant by "retries until gets what it is looking for" is
> the web page; what it's looking for beyond/before that with the
> "improperly terminated connections" I dunno.  Here's an example of what
> happens in wireshark: 


> 1) Chrome initiates a connection (actually, it usually initiates *two*
> connections simultaneously, but they both do the same thing -- this
> appears interleaved as both client and server are otherwise idle). That
> goes through a normal SYN, SYN, ACK shake then there is a TLS 1.1 Client
> Hello.  The server says Hello in return with a certificate, then Server
> Hello Done.
> 
> 2) Client sends Client Key Exchange together with a Change Cipher Spec
> and Encrypted Handshake.  The server responds with a Change Cipher Spec
> and Encrypted Handshake.
> 
> 3) The client sends a FIN.  The server sends an ACK back but no FIN --
> instead there is a TLS "Encryption Alert".
> 
> 4) The client sends a RST.  It then initiates a new connection, which
> goes through #1 and #2 but then proceeds properly.

I think you want to compare the details of the TLS version numbers and
the cipher suites offered in the Server and Client Hellos from stages
(1) and (4) to see what chrome is doing differently on the second
attempt.  You may also want to examine if there are changes in the TLS
extensions offered.

hth,

	--dkg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1027 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20131003/3c2d94a1/attachment.sig>


More information about the Gnutls-help mailing list