Bug#806426: Some TLS certificates not supported

2015-12-01 Thread Aleś Bułojčyk
Hi Daniel, Andreas.

On 30 November 2015 at 22:42, Daniel Kahn Gillmor wrote:

> This is bizarre and looks to me like a packet being tampered with on the
> wire.

You are right. It was my wrong firewall rules for 443->4443 port forwarding,
to be able to run a server on a non-privileged port.

I'm terribly sorry. After disabling this firewall rule, I'm able to connect
to all https without problem.

Could you please close the bug? Sorry again.

WBR, Alex.
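
An added example, not part of the thread: the "unknown type 72" in the reported error is the first byte of the 5-byte TLS record header, and 72 is ASCII 'H', which is what a client reads when something on the path answers in plaintext, as a server reached through a port redirect might. The sample byte strings and the helper names are constructed for illustration; the thread does not show the bytes actually received.

```python
import struct

# TLS record content types: RFC 5246 section 6.2.1, plus heartbeat (RFC 6520).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                 23: "application_data", 24: "heartbeat"}

# Plaintext openings whose first byte a TLS client would read as a record type.
PLAINTEXT_PREFIXES = {b"HTTP/": "HTTP response", b"SSH-": "SSH banner",
                      b"220 ": "SMTP/FTP greeting", b"<": "HTML/XML page"}


def classify_first_record(data: bytes) -> dict:
    """Parse the 5-byte record header of the peer's first reply and triage it."""
    if len(data) < 5:
        return {"verdict": "short", "detail": f"only {len(data)} byte(s) received"}
    # Header layout: content type (1), version major/minor (1+1), length (2).
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype in CONTENT_TYPES and major == 3 and minor <= 3:
        return {"verdict": "tls", "type": ctype, "name": CONTENT_TYPES[ctype],
                "version": (major, minor), "length": length}
    for prefix, label in PLAINTEXT_PREFIXES.items():
        if data.startswith(prefix):
            return {"verdict": "plaintext", "type": ctype, "detail": label}
    return {"verdict": "unknown", "type": ctype,
            "detail": f"first byte {ctype} is not a TLS content type"}


# Constructed samples (not captured from the hosts named in the thread).
SAMPLES = {
    "tls_handshake": bytes.fromhex("1603030051") + b"\x02",  # record header + ServerHello type
    "http_reply": b"HTTP/1.1 400 Bad Request\r\n\r\n",       # first byte 'H' == 72
    "ssh_banner": b"SSH-2.0-example\r\n",                    # first byte 'S' == 83
}


def triage_all() -> dict:
    """Return the verdict for every constructed sample."""
    return {name: classify_first_record(raw)["verdict"] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify_first_record(raw))
```
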


Bug#806426: Some TLS certificates not supported

2015-11-30 Thread Aleś Bułojčyk
Hi Andreas.

On 30 November 2015 at 20:31, Andreas Metzler wrote:

> I am stumped, could you please post the output of
> gnutls-cli -V -d 4711 freedns.afraid.org

$ gnutls-cli --version
gnutls-cli 3.3.8
...


$ gnutls-cli -V -d 4711 freedns.afraid.org
Processed 173 CA certificate(s).
Resolving 'freedns.afraid.org'...
Connecting to '50.23.197.94:443'...
|<5>| REC[0x239b450]: Allocating epoch #0
|<3>| ASSERT: gnutls_constate.c:586
|<5>| REC[0x239b450]: Allocating epoch #1
|<4>| HSK[0x239b450]: Keeping ciphersuite: ECDHE_ECDSA_AES_128_GCM_SHA256 (C0.2B)
|<4>| HSK[0x239b450]: Keeping ciphersuite: ECDHE_ECDSA_AES_256_GCM_SHA384 (C0.2C)
|<4>| HSK[0x239b450]: Keeping ciphersuite: ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256 (C0.86)
|<4>| HSK[0x239b450]: Keeping ciphersuite: ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384 (C0.87)
|<4>| HSK[0x239b450]: Keeping ciphersuite: ECDHE_ECDSA_AES_128_CBC_SHA1 (C0.09)
|<4>| HSK[0x239b450]: Keeping ciphersuite: ECDHE_ECDSA_AES_128_CBC_SHA256 (C0.23)
|<4>| HSK[0x239b450]: Keeping ciphersuite: ECDHE_ECDSA_AES_256_CBC_SHA1 (C0.0A)
|<4>| HSK[0x239b450]: Keeping ciphersuite: ECDHE_ECDSA_AES_256_CBC_SHA384 (C0.24)
|<4>| HSK[0x239b450]: Keeping ciphersuite: ECDHE_ECDSA_CAMELLIA_128_CBC_SHA256 (C0.72)
|<4>| HSK[0x239b450]: Keeping ciphersuite: ECDHE_ECDSA_CAMELLIA_256_CBC_SHA384 (C0.73)
|<4>| HSK[0x239b450]: Keeping ciphersuite: ECDHE_ECDSA_3DES_EDE_CBC_SHA1 (C0.08)
|<4>| HSK[0x239b450]: Keeping ciphersuite: ECDHE_ECDSA_ARCFOUR_128_SHA1 (C0.07)
|<4>| HSK[0x239b450]: Keeping ciphersuite: ECDHE_RSA_AES_128_GCM_SHA256 (C0.2F)
|<4>| HSK[0x239b450]: Keeping ciphersuite: ECDHE_RSA_AES_256_GCM_SHA384 (C0.30)
|<4>| HSK[0x239b450]: Keeping ciphersuite: ECDHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.8A)
|<4>| HSK[0x239b450]: Keeping ciphersuite: ECDHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.8B)
|<4>| HSK[0x239b450]: Keeping ciphersuite: ECDHE_RSA_AES_128_CBC_SHA1 (C0.13)
|<4>| HSK[0x239b450]: Keeping ciphersuite: ECDHE_RSA_AES_128_CBC_SHA256 (C0.27)
|<4>| HSK[0x239b450]: Keeping ciphersuite: ECDHE_RSA_AES_256_CBC_SHA1 (C0.14)
|<4>| HSK[0x239b450]: Keeping ciphersuite: ECDHE_RSA_AES_256_CBC_SHA384 (C0.28)
|<4>| HSK[0x239b450]: Keeping ciphersuite: ECDHE_RSA_CAMELLIA_128_CBC_SHA256 (C0.76)
|<4>| HSK[0x239b450]: Keeping ciphersuite: ECDHE_RSA_CAMELLIA_256_CBC_SHA384 (C0.77)
|<4>| HSK[0x239b450]: Keeping ciphersuite: ECDHE_RSA_3DES_EDE_CBC_SHA1 (C0.12)
|<4>| HSK[0x239b450]: Keeping ciphersuite: ECDHE_RSA_ARCFOUR_128_SHA1 (C0.11)
|<4>| HSK[0x239b450]: Keeping ciphersuite: RSA_AES_128_GCM_SHA256 (00.9C)
|<4>| HSK[0x239b450]: Keeping ciphersuite: RSA_AES_256_GCM_SHA384 (00.9D)
|<4>| HSK[0x239b450]: Keeping ciphersuite: RSA_CAMELLIA_128_GCM_SHA256 (C0.7A)
|<4>| HSK[0x239b450]: Keeping ciphersuite: RSA_CAMELLIA_256_GCM_SHA384 (C0.7B)
|<4>| HSK[0x239b450]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1 (00.2F)
|<4>| HSK[0x239b450]: Keeping ciphersuite: RSA_AES_128_CBC_SHA256 (00.3C)
|<4>| HSK[0x239b450]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1 (00.35)
|<4>| HSK[0x239b450]: Keeping ciphersuite: RSA_AES_256_CBC_SHA256 (00.3D)
|<4>| HSK[0x239b450]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA1 (00.41)
|<4>| HSK[0x239b450]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA256 (00.BA)
|<4>| HSK[0x239b450]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA1 (00.84)
|<4>| HSK[0x239b450]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA256 (00.C0)
|<4>| HSK[0x239b450]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1 (00.0A)
|<4>| HSK[0x239b450]: Keeping ciphersuite: RSA_ARCFOUR_128_SHA1 (00.05)
|<4>| HSK[0x239b450]: Keeping ciphersuite: RSA_ARCFOUR_128_MD5 (00.04)
|<4>| HSK[0x239b450]: Keeping ciphersuite: DHE_RSA_AES_128_GCM_SHA256 (00.9E)
|<4>| HSK[0x239b450]: Keeping ciphersuite: DHE_RSA_AES_256_GCM_SHA384 (00.9F)
|<4>| HSK[0x239b450]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.7C)
|<4>| HSK[0x239b450]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.7D)
|<4>| HSK[0x239b450]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1 (00.33)
|<4>| HSK[0x239b450]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA256 (00.67)
|<4>| HSK[0x239b450]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1 (00.39)
|<4>| HSK[0x239b450]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA256 (00.6B)
|<4>| HSK[0x239b450]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1 (00.45)
|<4>| HSK[0x239b450]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA256 (00.BE)
|<4>| HSK[0x239b450]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1 (00.88)
|<4>| HSK[0x239b450]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA256 (00.C4)
|<4>| HSK[0x239b450]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1 (00.16)
|<4>| HSK[0x239b450]: Keeping ciphersuite: DHE_DSS_AES_128_GCM_SHA256 (00.A2)
|<4>| HSK[0x239b450]: Keeping ciphersuite: DHE_DSS_AES_256_GCM_SHA384 (00.A3)
|<4>| HSK[0x239b450]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_GCM_SHA256 (C0.80)
|<4>| HSK[0x239b450]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_GCM_SHA384 (C0.81)
|<4>| HSK[0x239b450]: Keeping ciphersuite: 

Bug#806426: Some TLS certificates not supported

2015-11-29 Thread Aleś Bułojčyk
Hi Andreas.

It shouldn't be a local issue. It's a fresh installation of the latest Debian
amd64 in VirtualBox (without VirtualBox guest additions).

$ which gnutls-cli
/usr/bin/gnutls-cli

$ ldd `which gnutls-cli`
linux-vdso.so.1 (0x7ffd2f58c000)
libgnutls-deb0.so.28 => /usr/lib/x86_64-linux-gnu/libgnutls-deb0.so.28 (0x7fde9b6da000)
libopts.so.25 => /usr/lib/x86_64-linux-gnu/libopts.so.25 (0x7fde9b4b9000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x7fde9b11)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x7fde9aef5000)
libp11-kit.so.0 => /usr/lib/x86_64-linux-gnu/libp11-kit.so.0 (0x7fde9acaf000)
libtasn1.so.6 => /usr/lib/x86_64-linux-gnu/libtasn1.so.6 (0x7fde9aa9b000)
libnettle.so.4 => /usr/lib/x86_64-linux-gnu/libnettle.so.4 (0x7fde9a869000)
libhogweed.so.2 => /usr/lib/x86_64-linux-gnu/libhogweed.so.2 (0x7fde9a63a000)
libgmp.so.10 => /usr/lib/x86_64-linux-gnu/libgmp.so.10 (0x7fde9a3b7000)
libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x7fde9a0b6000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x7fde99eb2000)
/lib64/ld-linux-x86-64.so.2 (0x7fde9b9f9000)
libffi.so.6 => /usr/lib/x86_64-linux-gnu/libffi.so.6 (0x7fde99caa000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x7fde99a8d000)


WBR, Alex.


On 28 November 2015 at 22:07, Andreas Metzler <ametz...@bebt.de> wrote:

> On 2015-11-27 Aleś Bułojčyk <alex73m...@gmail.com> wrote:
> > Package: libgnutls-deb0-28
> > Version: 3.3.8-6+deb8u3
>
> > I can't connect to many https hosts using Debian 8.2:
>
> > $ gnutls-cli google.com
> > Processed 173 CA certificate(s).
> > Resolving 'google.com'...
> > Connecting to '216.58.209.142:443'...
> > |<1>| Received record packet of unknown type 72
> > *** Fatal error: An unexpected TLS packet was received.
> > *** Handshake has failed
> > GnuTLS error: An unexpected TLS packet was received.
> [...]
>
>
> Hello,
>
> I do not see the error, are you positive that there is no local
> breakage?
>
> which gnutls-cli
> ldd `which gnutls-cli`
>
> cu Andreas
> --
> `What a good friend you are to him, Dr. Maturin. His other friends are
> so grateful to you.'
> `I sew his ears on from time to time, sure'
>


Bug#806426: Some TLS certificates not supported

2015-11-27 Thread Aleś Bułojčyk
Package: libgnutls-deb0-28
Version: 3.3.8-6+deb8u3

I can't connect to many https hosts using Debian 8.2:

$ gnutls-cli google.com
Processed 173 CA certificate(s).
Resolving 'google.com'...
Connecting to '216.58.209.142:443'...
|<1>| Received record packet of unknown type 72
*** Fatal error: An unexpected TLS packet was received.
*** Handshake has failed
GnuTLS error: An unexpected TLS packet was received.


$ gnutls-cli freedns.afraid.org
Processed 173 CA certificate(s).
Resolving 'freedns.afraid.org'...
Connecting to '50.23.197.94:443'...
|<1>| Received record packet of unknown type 72
*** Fatal error: An unexpected TLS packet was received.
*** Handshake has failed
GnuTLS error: An unexpected TLS packet was received.


$ wget https://google.com
converted 'https://google.com' (ANSI_X3.4-1968) -> 'https://google.com' (UTF-8)
--2015-11-27 14:05:55--  https://google.com/
Resolving google.com (google.com)... 216.58.209.142, 2a00:1450:400f:804::200e
Connecting to google.com (google.com)|216.58.209.142|:443... connected.
GnuTLS: An unexpected TLS packet was received.
Unable to establish SSL connection.