Your message dated Sat, 14 Sep 2019 12:19:09 +0000
with message-id <[email protected]>
and subject line Bug#933538: fixed in gnutls28 3.6.9-5
has caused the Debian Bug report #933538,
regarding libgnutls30: still fails with older servers
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

--
933538: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933538
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libgnutls30
Version: 3.6.7-4
Severity: important

Dear Maintainer,

   * What led up to the situation?

First, I had problems using sogo-tool for a sogo instance connected to an older LDAP Server. Restoring a user gave this error:

2019-07-31 12:51:37.411 sogo-tool[11248:11248] Received packet with illegal length: 16624
2019-07-31 12:51:37.411 sogo-tool[11248:11248] Fatal LDAP error during ldap_result: Can't contact LDAP server

   * What exactly did you do (or not do) that was effective (or ineffective)?

In order to isolate the problem, I used gnutls-utils for opening a server on the older LDAP machine:

gnutls-serv --echo --x509keyfile /etc/ssl/private/ssl-cert-snakeoil.key --x509certfile /etc/ssl/certs/ssl-cert-snakeoil.pem

The server runs libgnutls26 2.12.23-12ubuntu2.8

On the client machine (buster) I tried

pwgen 16383 | gnutls-cli --no-ca-verification --port 5556 server

   * What was the outcome of this action?

On the client I get something like this:

root@groupware-beta:~# pwgen 16383 | gnutls-cli --no-ca-verification --port 5556 ldap.company.x
Processed 130 CA certificate(s).
Resolving 'redacted'...
Connecting to 'redacted:5556'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
 - subject `CN=redacted', issuer `CN=redacted', serial 0x00e120b43d69e2e4d8, RSA key 2048 bits, signed using RSA-SHA256, activated `2017-07-06 10:03:48 UTC', expires `2027-07-04 10:03:48 UTC', pin-sha256="SxggXxyfEDi9fmVyLwzPN9yE5y69T92aF8CBdGMe9Rc="
	Public Key ID:
		sha1:21c8b2ecfc2b23da00de3371a4aa7bb8b8fc13bc
		sha256:4b18205f1c9f1038bd7e65722f0ccf37dc84e72ebd4fdd9a17c08174631ef517
	Public Key PIN:
		pin-sha256:SxggXxyfEDi9fmVyLwzPN9yE5y69T92aF8CBdGMe9Rc=

- Successfully sent 0 certificate(s) to server.
- Description: (TLS1.2)-(RSA)-(AES-256-CBC)-(SHA1)
- Session ID: 74:27:72:45:ED:A4:AA:BD:4C:06:1C:43:3D:1C:71:3D:AE:02:14:06:7D:72:25:01:ED:4F:50:BF:C5:67:1C:79
- Options: safe renegotiation,
- Handshake was completed

- Simple Client Mode:

|<1>| Received packet with illegal length: 16624
*** Fatal error: A TLS record packet with invalid length was received.
*** Server has terminated the connection abnormally.

The server does not show anything abnormal:

* Successful handshake from IPv4 REDACTED_IP port 43420
- Given server name[1]: ldap.indurad.x
- Certificate type: X.509
No certificates found!
- Could not verify certificate (err: The peer did not send any certificate.)
- Version: TLS1.2
- Key Exchange: RSA
- Cipher: AES-256-CBC
- MAC: SHA1
- Compression: NULL
received: pheedei [...]

   * What outcome did you expect instead?

Successful connection to server and echo of the sent bytes.

I also tried this with libgnutls30 3.6.8-2 on the client side (taken from testing). Same problem persists.

-- System Information:
Debian Release: 10.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libgnutls30 depends on:
ii  libc6          2.28-10
ii  libgmp10       2:6.1.2+dfsg-4
ii  libhogweed4    3.4.1-1
ii  libidn2-0      2.0.5-1
ii  libnettle6     3.4.1-1
ii  libp11-kit0    0.23.15-2
ii  libtasn1-6     4.13-3
ii  libunistring2  0.9.10-1

libgnutls30 recommends no packages.

Versions of packages libgnutls30 suggests:
ii  gnutls-bin  3.6.7-4

-- no debconf information
--- End Message ---
--- Begin Message ---
Source: gnutls28
Source-Version: 3.6.9-5

We believe that the bug you reported is fixed in the latest version of gnutls28, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Metzler <[email protected]> (supplier of updated gnutls28 package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

Format: 1.8
Date: Sat, 14 Sep 2019 13:38:41 +0200
Source: gnutls28
Architecture: source
Version: 3.6.9-5
Distribution: unstable
Urgency: medium
Maintainer: Debian GnuTLS Maintainers <[email protected]>
Changed-By: Andreas Metzler <[email protected]>
Closes: 933538
Changes:
 gnutls28 (3.6.9-5) unstable; urgency=medium
 .
   * 40_gnutls_epoch_set_keys-do-not-forbid-random-padding-.patch from
     upstream GIT master: Fix interop problems with gnutls 2.x.
     Closes: #933538
Checksums-Sha1:
 f6805b569dc336b0544ef84b3007a13c70412bdf 3377 gnutls28_3.6.9-5.dsc
 815719c0d8d4ca32ca24b91ce5997d377bca97f4 69956 gnutls28_3.6.9-5.debian.tar.xz
Checksums-Sha256:
 c8b3fc96c7054b18fa73bb1606a48bb1d27dce6d582aff255e0913545e2ae05f 3377 gnutls28_3.6.9-5.dsc
 821eee764acfed3a10fa899b142c781a92adbdfd935d1f1a2a6c606e22a16f29 69956 gnutls28_3.6.9-5.debian.tar.xz
Files:
 52e1832fc6f6263bf9785238209fda21 3377 libs optional gnutls28_3.6.9-5.dsc
 fe165b268822aaf9b42216453a606ffb 69956 libs optional gnutls28_3.6.9-5.debian.tar.xz
--- End Message ---
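
Added example (not part of the messages above and not GnuTLS code): the record-length arithmetic behind "Received packet with illegal length: 16624" for the negotiated AES-256-CBC/SHA1 suite, using the TLS 1.2 limits from RFC 5246. It assumes the echoed record carried a full 16384-byte fragment; strict_accepts is a hypothetical receiver that budgets only for minimal padding, used to show why random padding from the peer trips such a check.

```python
import struct

MAX_PLAINTEXT = 2 ** 14            # RFC 5246 6.2.1: TLSPlaintext.length limit
MAX_CIPHERTEXT = 2 ** 14 + 2048    # RFC 5246 6.2.3: TLSCiphertext.length limit
BLOCK, MAC_LEN = 16, 20            # AES-CBC block size, HMAC-SHA1 tag size


def parse_record_header(header: bytes):
    """Split the 5-byte TLS record header into (content_type, version, length)."""
    if len(header) != 5:
        raise ValueError("TLS record header is exactly 5 bytes")
    ctype, major, minor, length = struct.unpack("!BBBH", header)
    return ctype, (major, minor), length


def cbc_padding(record_len: int, plaintext_len: int):
    """Total padding bytes (incl. the padding_length byte), or None if not legal."""
    if record_len % BLOCK or record_len > MAX_CIPHERTEXT:
        return None
    pad = record_len - BLOCK - plaintext_len - MAC_LEN   # explicit IV, data, MAC
    # TLS 1.2 allows 1..256 here: up to 255 padding bytes plus the length byte.
    return pad if 1 <= pad <= 256 else None


def minimal_record_len(plaintext_len: int) -> int:
    """Smallest legal CBC record length for a given plaintext length."""
    body = plaintext_len + MAC_LEN + 1                    # +1 for padding_length
    return BLOCK + -(-body // BLOCK) * BLOCK              # IV + body rounded up


def strict_accepts(record_len: int) -> bool:
    """Hypothetical receiver (assumption) that budgets only for minimal padding."""
    return record_len <= minimal_record_len(MAX_PLAINTEXT)


def rfc_accepts(record_len: int) -> bool:
    """Receiver applying the RFC 5246 ciphertext length limit."""
    return record_len <= MAX_CIPHERTEXT


# Constructed header: application_data (23), TLS 1.2 (3, 3), length 16624 as reported.
SAMPLE_HEADER = bytes([23, 3, 3]) + (16624).to_bytes(2, "big")

if __name__ == "__main__":
    _, _, length = parse_record_header(SAMPLE_HEADER)
    print("record length:", length)
    print("minimal length for a full fragment:", minimal_record_len(MAX_PLAINTEXT))
    print("padding in the reported record:", cbc_padding(length, MAX_PLAINTEXT))
    print("strict:", strict_accepts(length), "rfc:", rfc_accepts(length))
```

Under these assumptions the reported record is 192 bytes (12 AES blocks) longer than the minimally padded form, which is within what TLS 1.2 CBC padding permits and below the 18432-byte ciphertext limit.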

