Your message dated Fri, 29 Nov 2019 21:04:42 +0000
with message-id <[email protected]>
and subject line Bug#945507: fixed in systemd 243-9
has caused the Debian Bug report #945507,
regarding systemd-resolved rejects DNS-over-TLS based on GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER even though gnutls-cli works fine
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
945507: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945507
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: systemd
Version: 243-8

On an amd64 system running sid, with the following settings reported by resolvectl:

  DNSOverTLS setting: opportunistic
  DNSSEC setting: allow-downgrade
  DNSSEC supported: no
  Current DNS Server: 199.58.81.218
  DNS Servers: 199.58.81.218
               2001:470:1c:76d::53

The TLS connections don't work for some reason (the host above is dns.cmrg.net, which only offers DNS-over-TLS).

/etc/resolv.conf is a symlink to /lib/systemd/resolv.conf

I attached ltrace to the systemd-resolved process, while trying to elicit a domain name with "ping", and saw this interaction with GnuTLS:

3437 20:49:39 gnutls_init(0x7ffcfe82eae8, 266, 16, 608) = 0
3437 20:49:39 gnutls_priority_set_direct(0x55f47918c140, 0x55f4772712b8, 0, 0) = 0
3437 20:49:39 gnutls_credentials_set(0x55f47918c140, 1, 0x55f478eb0140, 0) = 0
3437 20:49:39 gnutls_handshake_set_timeout(0x55f47918c140, 0xffffffff, 0, 0x55f47918a930) = 0x9c40
3437 20:49:39 gnutls_transport_set_ptr2(0x55f47918c140, 19, 0x55f47918a680, 0x55f47918a930) = 0x9c40
3437 20:49:39 gnutls_transport_set_vec_push_function(0x55f47918c140, 0x55f47723cc80, 0x55f47918a680, 0x55f47918a930) = 0x9c40
3437 20:49:39 gnutls_handshake(0x55f47918c140, 0x55f47723cc80, 0x55f47918a680, 0x55f47918a930 <unfinished ...>
3437 20:49:39 sendmsg(19, 0x7ffcfe82e630, 0x20000000, 1) = -1
3437 20:49:39 __errno_location() = 0x7fc6d84bbac0
3437 20:49:39 __errno_location() = 0x7fc6d84bbac0
3437 20:49:39 <... gnutls_handshake resumed> ) = 0xffffffe4
3437 20:49:39 gnutls_error_is_fatal(0xffffffe4, 0, -128, 0) = 0

0xffffffe4 is -55, which is GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER, according to:

https://gnutls.org/manual/gnutls.html#Error-codes

I'm attaching a pcap for all the traffic on port 853 from the above attempt. I don't see any obviously illegal parameters there.

In further debugging, I tried using gnutls-cli to connect directly to it, and that worked fine:

$ gnutls-cli --sni-hostname=dns.cmrg.net --verify-hostname=dns.cmrg.net 199.58.81.218:853
Processed 128 CA certificate(s).
Resolving '199.58.81.218:853'...
Connecting to '199.58.81.218:853'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `CN=dns.cmrg.net', issuer `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', serial 0x03a4d7448cc89c9444776bbf992fe74a4252, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-11-01 06:00:16 UTC', expires `2020-01-30 06:00:16 UTC', pin-sha256="3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo="
        Public Key ID:
                sha1:44be3735f2f6cf668b6143335d8189250a7c5cd3
                sha256:dc8387492e3c28e73fce590a1ad238e9af5363d3cf283546844dd6d994b8259a
        Public Key PIN:
                pin-sha256:3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo=
- Certificate[1] info:
 - subject `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x0a0141420000015385736a0b85eca708, RSA key 2048 bits, signed using RSA-SHA256, activated `2016-03-17 16:40:46 UTC', expires `2021-03-17 16:40:46 UTC', pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="
- Status: The certificate is trusted.
- Description: (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
- Options:
- Handshake was completed

- Simple Client Mode:

I'm attaching a pcap from the gnutls-cli connection as well.

Note from the pcaps that the gnutls-cli connection manages to negotiate TLS 1.3, while the systemd-resolved connection only manages to elicit a TLS 1.2 response from the server for some reason.

I'm seeing this error in systemd-resolved with libgnutls30 3.6.10-5, but I also tried this while rolling back to older versions of libgnutls30 -- version 3.6.7-4 from buster, for example -- and it didn't fix the problem.

So I think the issue is something to do with the way that libgnutls is being initialized in this version of systemd.

I do not see this misbehavior on a comparable VM running debian buster (with systemd 241-7~deb10u2). On the buster VM, the nameservice works fine with systemd-resolved.

Let me know if you want me to try some other debugging step.

--dkg
[Attachment: systemd-resolved.pcapng (binary data)]
[Attachment: gnutls-cli.pcapng (binary data)]
[Attachment: signature.asc (PGP signature)]
--- End Message ---
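As an added example that is not part of the bug report or of systemd's own code: a small Python 3 probe (standard library only) that repeats the gnutls-cli check above, verifying the certificate chain and hostname against the SNI name, but also sends one DNS query over the TLS session with the length-prefixed framing of RFC 7858 and reports the negotiated TLS version, so a resolver that fails the handshake or only reaches TLS 1.2 shows up directly. The resolver address and name in the docstring are the ones quoted in the report; the query name and transaction id are constructed values.

```python
import socket
import ssl
import struct

DOT_PORT = 853   # DNS over TLS, RFC 7858
TXID = 0x1234    # constructed transaction id for the probe query

def build_query(name: str, qtype: int = 1) -> bytes:
    """DNS query (A by default, RD set) with the 2-byte length prefix DoT requires."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)  # qtype, class IN
    return struct.pack("!H", len(msg)) + msg

def parse_response(frame: bytes) -> dict:
    """Strip the length prefix and decode the header of a DoT reply frame."""
    if len(frame) < 14:
        raise ValueError("truncated DNS frame")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", frame[2:14])
    if rid != TXID:
        raise ValueError("transaction id mismatch")
    return {"is_response": bool(flags & 0x8000), "rcode": flags & 0xF, "answers": an}

def _recv_exact(sock, n: int) -> bytes:
    """TLS records do not align with DNS frames, so read exactly n bytes."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the TLS stream")
        buf += chunk
    return buf

def probe_dot(ip: str, sni: str, name: str = "example.com", timeout: float = 5.0) -> dict:
    """Verify chain and hostname (as gnutls-cli --verify-hostname does), then query.
    For the resolver in the report: probe_dot("199.58.81.218", "dns.cmrg.net")."""
    ctx = ssl.create_default_context()
    with socket.create_connection((ip, DOT_PORT), timeout=timeout) as raw:
        try:
            tls = ctx.wrap_socket(raw, server_hostname=sni)  # handshake runs here
        except ssl.SSLError as exc:
            return {"handshake": "failed", "error": str(exc)}
        with tls:
            tls.sendall(build_query(name))
            prefix = _recv_exact(tls, 2)
            (length,) = struct.unpack("!H", prefix)
            result = parse_response(prefix + _recv_exact(tls, length))
            result.update(handshake="completed", tls_version=tls.version())
            return result
```

The returned tls_version is the same information the gnutls-cli "Description" line gives, and a failed handshake comes back as a result with the library's error text rather than an exception, so the probe can be run unattended against several resolvers.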
--- Begin Message ---
Source: systemd
Source-Version: 243-9

We believe that the bug you reported is fixed in the latest version of systemd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Biebl <[email protected]> (supplier of updated systemd package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

Format: 1.8
Date: Fri, 29 Nov 2019 21:33:19 +0100
Source: systemd
Architecture: source
Version: 243-9
Distribution: unstable
Urgency: medium
Maintainer: Debian systemd Maintainers <[email protected]>
Changed-By: Michael Biebl <[email protected]>
Closes: 945507
Changes:
 systemd (243-9) unstable; urgency=medium
 .
   [ Daniel Kahn Gillmor ]
   * resolved: fix connection failures with TLS 1.3 and GnuTLS (Closes: #945507)
--- End Message ---
