Bug#806426: Some TLS certificates not supported
Hi Daniel, Andreas.

On 30 November 2015 at 22:42, Daniel Kahn Gillmor wrote:
>
> This is bizarre and looks to me like a packet being tampered with on the
> wire.
>

You are right. It was my wrong firewall rules for 443->4443 port forwarding, to be able to run a server on a non-privileged port. I'm terribly sorry. After disabling this firewall rule, I'm able to connect to all https without problem.

Could you please close the bug? Sorry again.

WBR, Alex.
Bug#806426: Some TLS certificates not supported
Hi Andreas.

On 30 November 2015 at 20:31, Andreas Metzler wrote:
> I am stumped, could you please post the output of
> gnutls-cli -V -d 4711 freedns.afraid.org
>

$ gnutls-cli --version
gnutls-cli 3.3.8
...
$ gnutls-cli -V -d 4711 freedns.afraid.org
Processed 173 CA certificate(s).
Resolving 'freedns.afraid.org'...
Connecting to '50.23.197.94:443'...
|<5>| REC[0x239b450]: Allocating epoch #0
|<3>| ASSERT: gnutls_constate.c:586
|<5>| REC[0x239b450]: Allocating epoch #1
|<4>| HSK[0x239b450]: Keeping ciphersuite: ECDHE_ECDSA_AES_128_GCM_SHA256 (C0.2B)
|<4>| HSK[0x239b450]: Keeping ciphersuite: ECDHE_ECDSA_AES_256_GCM_SHA384 (C0.2C)
|<4>| HSK[0x239b450]: Keeping ciphersuite: ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256 (C0.86)
|<4>| HSK[0x239b450]: Keeping ciphersuite: ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384 (C0.87)
|<4>| HSK[0x239b450]: Keeping ciphersuite: ECDHE_ECDSA_AES_128_CBC_SHA1 (C0.09)
|<4>| HSK[0x239b450]: Keeping ciphersuite: ECDHE_ECDSA_AES_128_CBC_SHA256 (C0.23)
|<4>| HSK[0x239b450]: Keeping ciphersuite: ECDHE_ECDSA_AES_256_CBC_SHA1 (C0.0A)
|<4>| HSK[0x239b450]: Keeping ciphersuite: ECDHE_ECDSA_AES_256_CBC_SHA384 (C0.24)
|<4>| HSK[0x239b450]: Keeping ciphersuite: ECDHE_ECDSA_CAMELLIA_128_CBC_SHA256 (C0.72)
|<4>| HSK[0x239b450]: Keeping ciphersuite: ECDHE_ECDSA_CAMELLIA_256_CBC_SHA384 (C0.73)
|<4>| HSK[0x239b450]: Keeping ciphersuite: ECDHE_ECDSA_3DES_EDE_CBC_SHA1 (C0.08)
|<4>| HSK[0x239b450]: Keeping ciphersuite: ECDHE_ECDSA_ARCFOUR_128_SHA1 (C0.07)
|<4>| HSK[0x239b450]: Keeping ciphersuite: ECDHE_RSA_AES_128_GCM_SHA256 (C0.2F)
|<4>| HSK[0x239b450]: Keeping ciphersuite: ECDHE_RSA_AES_256_GCM_SHA384 (C0.30)
|<4>| HSK[0x239b450]: Keeping ciphersuite: ECDHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.8A)
|<4>| HSK[0x239b450]: Keeping ciphersuite: ECDHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.8B)
|<4>| HSK[0x239b450]: Keeping ciphersuite: ECDHE_RSA_AES_128_CBC_SHA1 (C0.13)
|<4>| HSK[0x239b450]: Keeping ciphersuite: ECDHE_RSA_AES_128_CBC_SHA256 (C0.27)
|<4>| HSK[0x239b450]: Keeping ciphersuite: ECDHE_RSA_AES_256_CBC_SHA1 (C0.14)
|<4>| HSK[0x239b450]: Keeping ciphersuite: ECDHE_RSA_AES_256_CBC_SHA384 (C0.28)
|<4>| HSK[0x239b450]: Keeping ciphersuite: ECDHE_RSA_CAMELLIA_128_CBC_SHA256 (C0.76)
|<4>| HSK[0x239b450]: Keeping ciphersuite: ECDHE_RSA_CAMELLIA_256_CBC_SHA384 (C0.77)
|<4>| HSK[0x239b450]: Keeping ciphersuite: ECDHE_RSA_3DES_EDE_CBC_SHA1 (C0.12)
|<4>| HSK[0x239b450]: Keeping ciphersuite: ECDHE_RSA_ARCFOUR_128_SHA1 (C0.11)
|<4>| HSK[0x239b450]: Keeping ciphersuite: RSA_AES_128_GCM_SHA256 (00.9C)
|<4>| HSK[0x239b450]: Keeping ciphersuite: RSA_AES_256_GCM_SHA384 (00.9D)
|<4>| HSK[0x239b450]: Keeping ciphersuite: RSA_CAMELLIA_128_GCM_SHA256 (C0.7A)
|<4>| HSK[0x239b450]: Keeping ciphersuite: RSA_CAMELLIA_256_GCM_SHA384 (C0.7B)
|<4>| HSK[0x239b450]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1 (00.2F)
|<4>| HSK[0x239b450]: Keeping ciphersuite: RSA_AES_128_CBC_SHA256 (00.3C)
|<4>| HSK[0x239b450]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1 (00.35)
|<4>| HSK[0x239b450]: Keeping ciphersuite: RSA_AES_256_CBC_SHA256 (00.3D)
|<4>| HSK[0x239b450]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA1 (00.41)
|<4>| HSK[0x239b450]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA256 (00.BA)
|<4>| HSK[0x239b450]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA1 (00.84)
|<4>| HSK[0x239b450]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA256 (00.C0)
|<4>| HSK[0x239b450]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1 (00.0A)
|<4>| HSK[0x239b450]: Keeping ciphersuite: RSA_ARCFOUR_128_SHA1 (00.05)
|<4>| HSK[0x239b450]: Keeping ciphersuite: RSA_ARCFOUR_128_MD5 (00.04)
|<4>| HSK[0x239b450]: Keeping ciphersuite: DHE_RSA_AES_128_GCM_SHA256 (00.9E)
|<4>| HSK[0x239b450]: Keeping ciphersuite: DHE_RSA_AES_256_GCM_SHA384 (00.9F)
|<4>| HSK[0x239b450]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_GCM_SHA256 (C0.7C)
|<4>| HSK[0x239b450]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_GCM_SHA384 (C0.7D)
|<4>| HSK[0x239b450]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1 (00.33)
|<4>| HSK[0x239b450]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA256 (00.67)
|<4>| HSK[0x239b450]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1 (00.39)
|<4>| HSK[0x239b450]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA256 (00.6B)
|<4>| HSK[0x239b450]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1 (00.45)
|<4>| HSK[0x239b450]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA256 (00.BE)
|<4>| HSK[0x239b450]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1 (00.88)
|<4>| HSK[0x239b450]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA256 (00.C4)
|<4>| HSK[0x239b450]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1 (00.16)
|<4>| HSK[0x239b450]: Keeping ciphersuite: DHE_DSS_AES_128_GCM_SHA256 (00.A2)
|<4>| HSK[0x239b450]: Keeping ciphersuite: DHE_DSS_AES_256_GCM_SHA384 (00.A3)
|<4>| HSK[0x239b450]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_GCM_SHA256 (C0.80)
|<4>| HSK[0x239b450]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_GCM_SHA384 (C0.81)
|<4>| HSK[0x239b450]: Keeping ciphersuite:
Bug#806426: Some TLS certificates not supported
Hi Andreas.

It shouldn't be a local issue. It's a fresh installation of the latest Debian amd64 into VirtualBox (without VirtualBox guest additions).

$ which gnutls-cli
/usr/bin/gnutls-cli
$ ldd `which gnutls-cli`
    linux-vdso.so.1 (0x7ffd2f58c000)
    libgnutls-deb0.so.28 => /usr/lib/x86_64-linux-gnu/libgnutls-deb0.so.28 (0x7fde9b6da000)
    libopts.so.25 => /usr/lib/x86_64-linux-gnu/libopts.so.25 (0x7fde9b4b9000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x7fde9b11)
    libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x7fde9aef5000)
    libp11-kit.so.0 => /usr/lib/x86_64-linux-gnu/libp11-kit.so.0 (0x7fde9acaf000)
    libtasn1.so.6 => /usr/lib/x86_64-linux-gnu/libtasn1.so.6 (0x7fde9aa9b000)
    libnettle.so.4 => /usr/lib/x86_64-linux-gnu/libnettle.so.4 (0x7fde9a869000)
    libhogweed.so.2 => /usr/lib/x86_64-linux-gnu/libhogweed.so.2 (0x7fde9a63a000)
    libgmp.so.10 => /usr/lib/x86_64-linux-gnu/libgmp.so.10 (0x7fde9a3b7000)
    libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x7fde9a0b6000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x7fde99eb2000)
    /lib64/ld-linux-x86-64.so.2 (0x7fde9b9f9000)
    libffi.so.6 => /usr/lib/x86_64-linux-gnu/libffi.so.6 (0x7fde99caa000)
    libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x7fde99a8d000)

WBR, Alex.

On 28 November 2015 at 22:07, Andreas Metzler <ametz...@bebt.de> wrote:

> On 2015-11-27 Aleś Bułojčyk <alex73m...@gmail.com> wrote:
> > Package: libgnutls-deb0-28
> > Version: 3.3.8-6+deb8u3
> >
> > I can't connect to many https hosts using Debian 8.2:
> >
> > $ gnutls-cli google.com
> > Processed 173 CA certificate(s).
> > Resolving 'google.com'...
> > Connecting to '216.58.209.142:443'...
> > |<1>| Received record packet of unknown type 72
> > *** Fatal error: An unexpected TLS packet was received.
> > *** Handshake has failed
> > GnuTLS error: An unexpected TLS packet was received.
> [...]
>
> Hello,
>
> I do not see the error, are you positive that there is no local
> breakage?
>
> which gnutls-cli
> ldd `which gnutls-cli`
>
> cu Andreas
> --
> `What a good friend you are to him, Dr. Maturin. His other friends are
> so grateful to you.'
> `I sew his ears on from time to time, sure'
>
Bug#806426: Some TLS certificates not supported
Package: libgnutls-deb0-28
Version: 3.3.8-6+deb8u3

I can't connect to many https hosts using Debian 8.2:

$ gnutls-cli google.com
Processed 173 CA certificate(s).
Resolving 'google.com'...
Connecting to '216.58.209.142:443'...
|<1>| Received record packet of unknown type 72
*** Fatal error: An unexpected TLS packet was received.
*** Handshake has failed
GnuTLS error: An unexpected TLS packet was received.

$ gnutls-cli freedns.afraid.org
Processed 173 CA certificate(s).
Resolving 'freedns.afraid.org'...
Connecting to '50.23.197.94:443'...
|<1>| Received record packet of unknown type 72
*** Fatal error: An unexpected TLS packet was received.
*** Handshake has failed
GnuTLS error: An unexpected TLS packet was received.

$ wget https://google.com
converted 'https://google.com' (ANSI_X3.4-1968) -> 'https://google.com' (UTF-8)
--2015-11-27 14:05:55--  https://google.com/
Resolving google.com (google.com)... 216.58.209.142, 2a00:1450:400f:804::200e
Connecting to google.com (google.com)|216.58.209.142|:443... connected.
GnuTLS: An unexpected TLS packet was received.
Unable to establish SSL connection.
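
The "Received record packet of unknown type 72" error in this report means the first byte of the peer's reply was not a TLS content type; 72 is 0x48, ASCII 'H'. As an added example (not part of the thread and not GnuTLS code), this Python sketch classifies the first bytes received in answer to a ClientHello. The sample byte strings and the list of plaintext prefixes are constructed assumptions; the thread does not say what the redirected port 4443 actually sent.

```python
import struct

# TLS record content types (RFC 5246 section 6.2.1, heartbeat from RFC 6520).
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                     23: "application_data", 24: "heartbeat"}

# Plaintext banners whose first byte a TLS client would misread as a record type.
# Illustrative list chosen for this example, not exhaustive.
PLAINTEXT_PREFIXES = {b"HTTP/": "HTTP response", b"SSH-": "SSH banner",
                      b"220 ": "SMTP/FTP greeting", b"<": "HTML/XML body"}

MAX_RECORD_LEN = 2**14 + 2048  # upper bound on a TLSCiphertext fragment


def classify_first_bytes(data: bytes) -> dict:
    """Interpret the first bytes a peer sent in reply to a ClientHello."""
    if len(data) < 5:
        return {"verdict": "short", "detail": f"only {len(data)} byte(s) received"}
    # Record header: content type, version major/minor, 16-bit length.
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if (ctype in TLS_CONTENT_TYPES and major == 3 and minor <= 4
            and length <= MAX_RECORD_LEN):
        return {"verdict": "tls", "type": ctype,
                "detail": f"{TLS_CONTENT_TYPES[ctype]} record, {length} bytes"}
    for prefix, name in PLAINTEXT_PREFIXES.items():
        if data.startswith(prefix):
            return {"verdict": "plaintext", "type": ctype,
                    "detail": f"record type {ctype} is ASCII {chr(ctype)!r}: {name}"}
    return {"verdict": "unknown", "type": ctype,
            "detail": f"record type {ctype} (0x{ctype:02x}) is not a TLS content type"}


# Constructed samples: a ServerHello record header and a plaintext HTTP error.
SAMPLE_TLS = bytes.fromhex("160303003a") + b"\x02\x00\x00\x36"
SAMPLE_HTTP = b"HTTP/1.1 400 Bad Request\r\n\r\n"

if __name__ == "__main__":
    for label, sample in (("tls", SAMPLE_TLS), ("http", SAMPLE_HTTP)):
        print(label, classify_first_bytes(sample))
```

A "plaintext" or "unknown" verdict on port 443 points at something on the path answering instead of the TLS server, such as a local port redirect or a proxy, rather than at the certificate.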