On Sat, Jul 28, 2012 at 02:14:41PM +0100, Stuart Henderson wrote:
> On 2012/07/28 13:48, Jan Stary wrote:
> >
> > gnutls_handshake failed -110 fatal 1 GNUTLS version is too old
> > to provide human readable error.
> >
> > I am not very proficient in the ways of TLS, so please bear with me.
> > Is this one error (namely, that my GNUTLS is too old to make a handshake),
> > or two separate errors (namely, that the handshake failed, and moreover,
> > it cannot provide a readable error)?
>
> I think you should forget about debugging in the browser and move to the
> simpler tools,
>
> $ gnutls-cli --x509cafile /etc/ssl/cert.pem cz.mbank.eu
> Processed 36 CA certificate(s).
> Resolving 'cz.mbank.eu'...
> Connecting to '193.41.230.85:443'...
> *** Fatal error: The TLS connection was non-properly terminated.
> No certificates found!
> *** Handshake has failed
> GnuTLS error: The TLS connection was non-properly terminated.
>
> So, as this basic gnutls tool also fails, there's no point trying to
> debug via a browser.
>
> If you turn on debugging in gnutls-cli you see that gnutls writes
> some data and then tries to read from the server but gets zero bytes
> back, I imagine the remote side didn't like something sent to it
> and dropped the connection.. Trying with --disable-extensions, same.
> Might be worth playing with different --priorities strings perhaps.
>
> Do you have another OS handy with a recent gnutls 3.x you can test
> to identify whether the problem is specific to OpenBSD or the port,
> or whether it's a general gnutls problem?
>
> If it affects other OS too, you're probably better off reporting
> it upstream.

### gnutls 2.12.18 on OpenBSD

$ gnutls-cli --x509cafile /etc/ssl/cert.pem cz.mbank.eu
Processed 36 CA certificate(s).
Resolving 'cz.mbank.eu'...
Connecting to '193.41.230.85:443'...
*** Fatal error: A TLS packet with unexpected length was received.
*** Handshake has failed
GnuTLS error: A TLS packet with unexpected length was received.

So it's not a regression.

### gnutls 3.0.21 on Arch Linux

$ gnutls-cli --x509cafile /etc/ssl/cert.pem cz.mbank.eu
Error setting the x509 trust file
Resolving 'cz.mbank.eu'...
Connecting to '193.41.230.85:443'...
*** Fatal error: The TLS connection was non-properly terminated.
No certificates found!
*** Handshake has failed
GnuTLS error: The TLS connection was non-properly terminated

Same behavior on both Linux and OpenBSD regardless of the major version.

-- 
Antoine
