On Sun, 26 Oct 2014 16:52:18 -0700, Troy Sankey <[email protected]> wrote:
Hello,

I've added the maintainers of openssl and gnutls in the loop, sorry for
the noise.

> When I use any web browser (that uses libsoup) to access the URL
> <https://be.my.ucla.edu/> I get the following error:
>
>     Unable to load page
>     Problem occurred while loading the URL https://be.my.ucla.edu/
>     SSL handshake failed
>
> Affected web browsers include midori, dwb, uzbl, surf, and luakit.
> Browsers that work for me are firefox and rekonq, both of which don't
> use libsoup. I haven't tried Chromium.
>
> The openssl command line program successfully connects to the server:
>
>     $ printf "GET / HTTP/1.1\n\n" | \
>         openssl s_client -ign_eof -connect be.my.ucla.edu:443
>     [...]
>     HTTP/1.1 302 Please Wait
>     [...]
>
> See full output in the attachment "openssl.txt"

Thanks for the bug report.

libsoup seems to use GnuTLS instead of openssl. I just tried with wget
which is also using GnuTLS and I also get an error:

    $ wget -O - https://be.my.ucla.edu/
    --2014-10-27 08:11:49-- https://be.my.ucla.edu/
    Resolving be.my.ucla.edu (be.my.ucla.edu)... 128.97.52.156
    Connecting to be.my.ucla.edu (be.my.ucla.edu)|128.97.52.156|:443... connected.
    HTTP request sent, awaiting response... 302 Please Wait
    Location: https://shb.ais.ucla.edu/shibboleth-idp/profile/Shibboleth/SSO?shire=https%3A%2F%2Fbe.my.ucla.edu%2FShibboleth.sso%2FSAML%2FPOST&time=1414393910&target=cookie%3A1414393910_8276&providerId=https%3A%2F%2Fbe.my.ucla.edu%2Fshibboleth-sp%2F [following]
    --2014-10-27 08:11:50-- https://shb.ais.ucla.edu/shibboleth-idp/profile/Shibboleth/SSO?shire=https%3A%2F%2Fbe.my.ucla.edu%2FShibboleth.sso%2FSAML%2FPOST&time=1414393910&target=cookie%3A1414393910_8276&providerId=https%3A%2F%2Fbe.my.ucla.edu%2Fshibboleth-sp%2F
    Resolving shb.ais.ucla.edu (shb.ais.ucla.edu)... 164.67.228.230
    Connecting to shb.ais.ucla.edu (shb.ais.ucla.edu)|164.67.228.230|:443... connected.
    GnuTLS: The TLS connection was non-properly terminated.
    Unable to establish SSL connection.
As you can see there is a redirection, to shb.ais.ucla.edu.

Running both openssl s_client and gnutls-cli on this URL gives me an
error. Forcing openssl to use TLS1.0 works. (Not sure how to do the same
with gnutls-cli though).

Also, running the following external test tool on this URL gives a
warning: "This site is intolerant to newer protocol versions, which
might cause connection failures."

See: https://www.ssllabs.com/ssltest/analyze.html?d=shb.ais.ucla.edu

So it seems that both openssl and gnutls have issues with this (and
probably all the) sites that are only supporting tls1.0.

I also had issues in the past (with both debian and ubuntu) when trying
to connect to some old linksys AP. Other users running Arch were able to
connect to it. This might be related.

So I'm a bit confused here, did we explicitly disable TLS1.0 in debian?
The initial bug reporter is running stable and I'm running unstable.

Cheers,

Laurent Bigonville
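
Added example, not part of the original message: a small probe that separates "the server rejects the client's default version offer but accepts a pinned older one" (the intolerance the SSL Labs warning describes) from certificate errors and plain unreachability. The helper names `probe`, `diagnose` and `check` are hypothetical, and the host is passed on the command line.

```python
import socket
import ssl
import sys

# Versions to pin, oldest first. A modern local OpenSSL may itself refuse
# TLS 1.0/1.1; that shows up below as a failed probe for that version.
VERSIONS = [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
            ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]

def probe(host, port=443, version=None, timeout=10):
    """One handshake attempt. version=None offers the library's default range."""
    try:
        ctx = ssl.create_default_context()
        if version is not None:
            ctx.minimum_version = version
            ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ("ok", tls.version())
    except ssl.SSLCertVerificationError as exc:
        # The handshake got as far as the certificate: not a version problem.
        return ("cert", str(exc))
    except (ssl.SSLError, OSError, ValueError) as exc:
        return ("fail", str(exc))

def diagnose(default, pinned):
    """default: probe() result with no pin; pinned: {version name: result}."""
    working = [name for name, res in pinned.items() if res[0] == "ok"]
    if default[0] == "ok":
        return ("ok", "default offer negotiated " + default[1])
    if default[0] == "cert":
        return ("cert", default[1])
    if working:
        # Default ClientHello rejected, a pinned version accepted: the
        # behaviour the SSL Labs warning quoted above describes.
        return ("version-intolerant", "only works pinned to " + ", ".join(working))
    return ("unreachable", default[1])

def check(host, port=443, probe_fn=probe):
    default = probe_fn(host, port, None)
    pinned = {v.name: probe_fn(host, port, v) for v in VERSIONS}
    return diagnose(default, pinned)

if __name__ == "__main__":
    print(check(sys.argv[1]))
```

With the command-line tools, the same pin is `openssl s_client -tls1 -connect HOST:443` and `gnutls-cli --priority "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0" HOST`.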

