On Wed, 02 Oct 2013 00:28:55 +0200 Nikos Mavrogiannopoulos <[email protected]> wrote:
> On 10/01/2013 05:41 PM, MK wrote:
>> I have an HTTP server under development using gnuTLS, and notice a
>> strange issue when testing with Chrome specifically -- the first
>> gnutls_record_recv() on a new connection will frequently fail with
>> GNUTLS_E_PREMATURE_TERMINATION.
>
> That means that the other party terminated the connection.
>
>> Chrome retries until it gets what it is looking for, so this is not
>> noticeable to the user,
>
> You may see what chrome is looking for by checking the connections
> using wireshark. I suspect that chrome is trying to determine the
> highest TLS version number supported by the server.

Actually what I meant by "retries until gets what it is looking for" is
the web page; what it's looking for beyond/before that with the
"improperly terminated connections" I dunno.

Here's an example of what happens in wireshark:

1) Chrome initiates a connection (actually, it usually initiates *two*
connections simultaneously, but they both do the same thing -- this
appears interleaved as both client and server are otherwise idle).
That goes through a normal SYN, SYN, ACK shake then there is a TLS 1.1
Client Hello. The server says Hello in return with a certificate, then
Server Hello Done.

2) Client sends Client Key Exchange together with a Change Cipher Spec
and Encrypted Handshake. The server responds with a Change Cipher Spec
and Encrypted Handshake.

3) The client sends a FIN. The server sends an ACK back but no FIN --
instead there is a TLS "Encryption Alert".

4) The client sends a RST. It then initiates a new connection, which
goes through #1 and #2 but then proceeds properly.

Is this consistent with what you have said about trying to determine
the TLS version?

MK

--
"You are lost in the Real." -- Jean Baudrillard

_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help
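Added example, not part of the original thread and not GnuTLS code: one way a server read loop could sort the return value of gnutls_record_recv(), so that a peer dropping the TCP connection right after the handshake (as in the trace above) is handled quietly while the same error in the middle of a request is treated as truncation. The enum, the function names and the pending-byte counter are hypothetical; the three error codes are copied from gnutls.h so the block builds without the library.

```c
#include <stddef.h>
#include <sys/types.h>

/* Values as defined in <gnutls/gnutls.h>, repeated so this builds without it. */
#ifndef GNUTLS_E_AGAIN
#define GNUTLS_E_AGAIN (-28)
#define GNUTLS_E_INTERRUPTED (-52)
#define GNUTLS_E_PREMATURE_TERMINATION (-110)
#endif

/* Hypothetical names, not GnuTLS API. */
enum recv_action {
    RECV_DATA,       /* ret bytes of application data arrived */
    RECV_RETRY,      /* non-fatal, call gnutls_record_recv() again */
    RECV_CLEAN_EOF,  /* peer sent close_notify */
    RECV_IDLE_DROP,  /* TCP closed without close_notify, nothing pending */
    RECV_TRUNCATED,  /* TCP closed without close_notify mid-request */
    RECV_FATAL       /* any other error: tear the session down */
};

/* ret: return value of gnutls_record_recv().
 * pending: bytes already buffered for a request that is not complete yet. */
enum recv_action classify_recv(ssize_t ret, size_t pending)
{
    if (ret > 0) return RECV_DATA;
    if (ret == 0) return RECV_CLEAN_EOF;
    if (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED) return RECV_RETRY;
    if (ret == GNUTLS_E_PREMATURE_TERMINATION)
        /* Without close_notify the end of data is unauthenticated, so a
         * partial request must be discarded rather than acted on. */
        return pending == 0 ? RECV_IDLE_DROP : RECV_TRUNCATED;
    return RECV_FATAL;
}

/* Replay a constructed sequence of return values the way a read loop would,
 * and report the action that ends the loop. */
enum recv_action replay(const ssize_t *rets, size_t n)
{
    size_t pending = 0;
    for (size_t i = 0; i < n; i++) {
        enum recv_action a = classify_recv(rets[i], pending);
        if (a == RECV_DATA) pending += (size_t)rets[i];
        else if (a != RECV_RETRY) return a;
    }
    return RECV_RETRY; /* sequence ended while still waiting for data */
}
```

In a real loop `pending` would be reset to zero each time a complete request has been parsed, so an idle keep-alive connection that is dropped also lands in RECV_IDLE_DROP.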
