Hello, this is http://bugs.debian.org/797059 originally submitted by Enrico Zini:

| thank you for maintaining lynx. A simple
| lynx https://contributors.debian.org currently fails:
|
| $ lynx -dump -nolist https://contributors.debian.org
|
| Looking up contributors.debian.org
| Making HTTPS connection to contributors.debian.org
| Verified connection to contributors.debian.org (cert=contributors.debian.org)
| Certificate issued by: /C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
| Secure 256-bit TLS1.2 (ECDHE_RSA_AES_256_GCM_SHA384) HTTP connection
| Sending HTTP request.
| HTTP request sent; waiting for response.
| Alert!: Unexpected network read error; connection aborted.
| Can't Access `https://contributors.debian.org/'
| Alert!: Unable to access document.
|
| lynx: Can't access startfile
|
| We currently added "SSLVerifyClient optional" to the server
| configuration to support authentication with client certificates, but
| client certificates are not required to connect. The relevant apache
| configuration is here:
|
| https://wiki.debian.org/DebianSingleSignOn#Documentation_for_web_application_owners-1
|
| links can access the site.
Simon Kainz <[email protected]> has diagnosed this as missing rehandshaking support and has even provided the attached patch to fix this. I would appreciate some review and integration into lynx upstream. Thanks in advance, kind regards Andreas ============================================================================ Description: Add support for GNUTLS rehandshake Author: Simon Kainz <[email protected]> Bug-Debian: https://bugs.debian.org/797059 --- Origin: other Bug-Debian: https://bugs.debian.org/797059 Forwarded: no --- lynx-cur-2.8.9dev6.orig/WWW/Library/Implementation/tidy_tls.h +++ lynx-cur-2.8.9dev6/WWW/Library/Implementation/tidy_tls.h @@ -98,6 +98,9 @@ struct _SSL { gnutls_transport_ptr_t rfd; gnutls_transport_ptr_t wfd; + + void *sendbuffer; + int bytes_sent; }; /* use either SSL_VERIFY_NONE or SSL_VERIFY_PEER, the last 2 options --- lynx-cur-2.8.9dev6.orig/src/tidy_tls.c +++ lynx-cur-2.8.9dev6/src/tidy_tls.c @@ -530,7 +530,6 @@ SSL *SSL_new(SSL_CTX * ctx) { SSL *ssl; int rc; - if ((ssl = typeCalloc(SSL)) != 0) { rc = gnutls_certificate_allocate_credentials(&ssl->gnutls_cred); @@ -564,6 +563,9 @@ SSL *SSL_new(SSL_CTX * ctx) ssl->wfd = (gnutls_transport_ptr_t) (-1); } } + ssl->bytes_sent=0; + ssl->sendbuffer=0; + return ssl; } @@ -576,13 +578,22 @@ int SSL_read(SSL * ssl, void *buffer, in int rc; rc = gnutls_record_recv(ssl->gnutls_state, buffer, length); - ssl->last_error = rc; + if ( rc <0 && gnutls_error_is_fatal(rc) == 0) { + if (rc == GNUTLS_E_REHANDSHAKE ) { + rc=gnutls_handshake(ssl->gnutls_state); + gnutls_record_send(ssl->gnutls_state,ssl->sendbuffer,ssl->bytes_sent); + rc = gnutls_record_recv(ssl->gnutls_state, buffer, length); + } + } + + ssl->last_error = rc; + if (rc < 0) { - last_error = rc; - rc = 0; + last_error = rc; + rc = 0; } - + return rc; } 
@@ -611,6 +622,15 @@ int SSL_write(SSL * ssl, const void *buf last_error = rc; rc = 0; } + else { + if (ssl->sendbuffer) + { + free(ssl->sendbuffer); + } + ssl->sendbuffer=malloc(rc); + ssl->bytes_sent=rc; + } + return rc; } _______________________________________________ Lynx-dev mailing list [email protected] https://lists.nongnu.org/mailman/listinfo/lynx-dev
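Review bot: in the tidy_tls.h hunk (@@ -98,6 +98,9) the two new struct _SSL members are undocumented, and nothing elsewhere in the patch releases ssl->sendbuffer when the SSL object is torn down, so every connection leaks its last request buffer. Add a comment saying the pair caches the most recent plaintext write for replay after a server-initiated rehandshake, and free it wherever the struct is freed. `int bytes_sent;` should also be `size_t` (or `ssize_t`) rather than `int`: it stores the return value of gnutls_record_send() and is later passed back to gnutls_record_send() as the length argument.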
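Review bot: the first tidy_tls.c hunk (@@ -530,7 +530,6, SSL_new) only deletes the blank line between `int rc;` and the `if ((ssl = typeCalloc(SSL)) != 0)` test. It is an unrelated whitespace change and should be dropped so the diff stays limited to the rehandshake fix.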
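Review bot: in the second SSL_new hunk (@@ -564,6 +563,9) the stores `ssl->bytes_sent=0; ssl->sendbuffer=0;` sit after the `} }` that closes the `if ((ssl = typeCalloc(SSL)) != 0)` block shown in the previous hunk, so on allocation failure they dereference a NULL `ssl` just before `return ssl;`. They are also redundant, since typeCalloc() already zero-fills the struct. Either drop them, or move them inside the non-NULL branch and match the surrounding `a = b` spacing.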
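Review bot: the rehandshake branch in SSL_read (@@ -576,13 +578,22) ignores every return value. `rc=gnutls_handshake(ssl->gnutls_state);` is assigned but never tested: GNUTLS_E_AGAIN / GNUTLS_E_INTERRUPTED need a retry loop (the enclosing `gnutls_error_is_fatal(rc) == 0` test could drive one), and a fatal handshake error must be returned to the caller instead of falling through to gnutls_record_send() and a second gnutls_record_recv() on a session that is no longer usable. The result of gnutls_record_send() is likewise discarded, and it is called with ssl->sendbuffer even when no SSL_write() has happened yet (sendbuffer NULL, bytes_sent 0). Two further points: a renegotiation lets the server present a different certificate, and the verification lynx performed on the initial handshake ("Verified connection to contributors.debian.org" in the report) is not repeated after gnutls_handshake() succeeds, so the peer should be re-verified there; and the replay itself deserves a justifying comment, because the server requested renegotiation after it had already received the request ("HTTP request sent; waiting for response"), so re-sending risks putting a duplicate request on the connection.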
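Review bot: in the SSL_write hunk (@@ -611,6 +622,15) `ssl->sendbuffer=malloc(rc);` allocates the buffer but never copies `buffer` into it, so what SSL_read() replays after a rehandshake is uninitialized heap memory rather than the request. That both defeats the retry and sends whatever the heap happened to hold to the server. Add `memcpy(ssl->sendbuffer, buffer, rc);` after a NULL check on the malloc() result. Note also that only the most recent successful write is retained: if the request went out in several SSL_write() calls, or gnutls_record_send() returned a short count, the replay is only the last fragment. Appending across writes, or having the HTTP layer re-issue the request, would be more robust.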
