Greetings,
I am getting an SSL handshake error while visiting the site https://www.pge.com/eum/login and some other sites using WebKitGTK 2.2.6 on Ubuntu 12.04. I am really not certain which version of the TLS library is being used, but it appears that the glib-networking version is 2.36.1.
I raised the question on the WebKitGTK list, and a nice person, [email protected], did some initial debugging steps and directed me to this mailing list for support. The following mail contains his analysis.
What can I do to solve this problem?

On Wed, 2014-11-12 at 11:44 -0800, Niranjan Rao wrote:
Greetings,
On Webkit 2.2.6/Ubuntu 12.04, when visiting some sites, I get an SSL handshake error. For example, the site https://www.pge.com/eum/login gives an SSL handshake error when using MiniBrowser. Usual browsers are doing OK when visiting the site. Is there any way to mitigate this problem?
Each such site requires individual investigation, unfortunately.
I saw some documentation about TLS errors on the WebKitGTK web site. It is not clear if this applies to me or not.
Well, that documentation describes how to handle "successful" TLS connections with unverified TLS certificates, which is important for developers because older versions of WebKitGTK+ handle this insecurely by default. But it's not relevant here, since this connection has failed completely. We use GnuTLS to handle TLS; here's what its command line debug tool tells us:

$ gnutls-cli www.pge.com
Processed 153 CA certificate(s).
Resolving 'www.pge.com'...
Connecting to '131.89.128.67:443'...
*** Fatal error: The TLS connection was non-properly terminated.
*** Handshake has failed
GnuTLS error: The TLS connection was non-properly terminated.

That error message is misleading:

$ gnutls-cli-debug www.pge.com
Resolving 'www.pge.com'...
Connecting to '131.89.128.67:443'...
Checking for SSL 3.0 support... no
Connecting to '131.89.128.67:443'...
Checking whether %COMPAT is required... yes
Connecting to '131.89.128.67:443'...
Checking for TLS 1.0 support... no
Connecting to '131.89.128.67:443'...
Checking for TLS 1.1 support... no
Connecting to '131.89.128.67:443'...
Checking fallback from TLS 1.1 to... failed
Connecting to '131.89.128.67:443'...
Checking for TLS 1.2 support... no
Connecting to '131.89.128.67:443'...
Checking whether we need to disable TLS 1.2... yes

So GnuTLS thinks this server apparently does not support any TLS protocol, and you get no connection. But for a second opinion I went to https://www.ssllabs.com/ssltest/analyze.html?d=pge.com which was able to connect via TLS 1.0. The server supports very few cipher suites (you can see that the site is completely inaccessible with the latest Safari, for example), but we share three in common so I'm not sure what's wrong.

The next step would be to ask on the gnutls-help mailing list [1] to find out whether there is a GnuTLS bug (not really likely) or why it's refusing to connect if not. Please do CC me; I'm curious!

Michael

[1] http://lists.gnutls.org/mailman/listinfo/gnutls-help
