[Bug 1444656] Re: GnuTLS TLS 1.2 handshake failure

Marc Deslauriers marc.deslauriers at canonical.com
Thu Mar 10 18:03:31 UTC 2016 

It looks like the servers listed in the bug description require SIGN-
RSA-SHA384, which gnutls26 doesn't support.

The issue can be reproduced with gnutls28 by disabling the additional
signature algorithms:

gnutls-cli --priority "NORMAL:-SIGN-ECDSA-SHA256:-SIGN-RSA-SHA384:-SIGN-
ECDSA-SHA384:-SIGN-RSA-SHA512:-SIGN-ECDSA-SHA512:-SIGN-RSA-SHA224:-SIGN-
DSA-SHA224:-SIGN-ECDSA-SHA224:-SIGN-ECDSA-SHA1" -d 256 sequencewiz.com

Fixing this likely requires at least the following commit to be
backported:

https://gitlab.com/gnutls/gnutls/commit/75b493132239e824d671f4b09d1dfd0f7ca6a8b1

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gnutls26 in Ubuntu.
https://bugs.launchpad.net/bugs/1444656

Title:
  GnuTLS TLS 1.2 handshake failure

Status in gnutls26 package in Ubuntu:
  Invalid
Status in gnutls26 source package in Trusty:
  Triaged

Bug description:
  I'm experiencing the same issue as here:

  http://comments.gmane.org/gmane.network.gnutls.general/3713

  
  I came across a SSL handshake problem with gnutls-cli when connecting to 
  some websites, see below. It is somehow specific to gnutls as 
  openssl/Chrome/Firefox can connect fine. 

  Is this is a bug in gnutls or do you have any ideas how to
  troubleshoot it?

  $ gnutls-cli --version
  gnutls-cli (GnuTLS) 2.12.23
  Packaged by Debian (2.12.23-12ubuntu2.1)

  $ gnutls-cli www.openlearning.com
  Resolving 'www.openlearning.com'...
  Connecting to '119.9.9.205:443'...
  *** Fatal error: A TLS fatal alert has been received.
  *** Received alert [40]: Handshake failed
  *** Handshake has failed
  GnuTLS error: A TLS fatal alert has been received.

  $ gnutls-cli sequencewiz.com
  Resolving 'sequencewiz.com'...
  Connecting to '50.112.144.117:443'...
  *** Fatal error: A TLS packet with unexpected length was received.
  *** Handshake has failed
  GnuTLS error: A TLS packet with unexpected length was received.

  Thank you,

  
  Please back port the latest GnuTLS to Trusty as it is an LTS release and clearly GnuTLS 2.12 is an old branch.

  I've also attached packet captures of this.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1444656/+subscriptions

More information about the foundations-bugs mailing list