Update to libgnutls26-2.12.23-12ubuntu2.5 broke ldapsearch and Apache
Directory Studio for me in particular. Whatever the previous version
was worked fine. Now, when trying to connect via TLS or SSL to our ldap
server, I get the following with gnutls-cli:
# gnutls-cli --print-cert -p 636 192.168.125.187
Connecting to '192.168.125.187:636'...
*** Fatal error: A TLS packet with unexpected length was received.
*** Handshake has failed
GnuTLS error: A TLS packet with unexpected length was received.
But, works fine with openssl:
# openssl s_client -connect 192.168.125.187:636 -CApath /etc/ssl/certs/
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN =
AddTrust External CA Root
verify return:1
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN
= USERTrust RSA Certification Authority
verify return:1
depth=1 C = US, ST = MI, L = Ann Arbor, O = Internet2, OU = InCommon, CN =
InCommon RSA Server CA
verify return:1
depth=0 C = US, postalCode = MyZip, ST = GA, L = MyTown, street =
MyStreetAddress, O = MyOrg, CN = 192.168.125.187
verify return:1
---
Certificate chain
0
s:/C=US/postalCode=MyZip/ST=MyState/L=MyTown/street=MyStreetAddress/O=MyOrg/CN=192.168.125.187
i:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
1 s:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA
Certification Authority
2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA
Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External
CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHIDCCBgigAwIBAgIQeJi0ZL9m+H676krkb1nDDDANBgkqhkiG9w0BAQsFADB2
MQswCQYDVQQGEwJVUzELMAkGA1UECBMCTUkxEjAQBgNVBAcTCUFubiBBcmJvcjES
MBAGA1UEChMJSW50ZXJuZXQyMREwDwYDVQQLEwhJbkNvbW1vbjEfMB0GA1UEAxMW
SW5Db21tb24gUlNBIFNlcnZlciBDQTAeFw0xNTAyMDMwMDAwMDBaFw0xODAyMDIy
MzU5NTlaMIGaMQswCQYDVQQGEwJVUzEOMAwGA1UEERMFMzAzMjIxCzAJBgNVBAgT
AkdBMRAwDgYDVQQHEwdBdGxhbnRhMR0wGwYDVQQJExQxNzg0IE4gRGVjYXR1ciBS
ZCBORTEZMBcGA1UEChMQRW1vcnkgVW5pdmVyc2l0eTEiMCAGA1UEAxMZbGRzYXV0
aC5zZXJ2aWNlLmVtb3J5LmVkdTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBAM1fBQTBn8MuVC07NkkR5nvQppHUOk7l8KOu0MFCnyTaQFE0lOC7k4cGcsHS
0LmKFPwDaMUsGs23ER5+TfBa9JRLfKVbgvF7Uqt3X9CwGnTJvLjest59mWd4oGZm
vKBPcV3WwkAGgC2UJKUcYrQXLp5yTAjlBhgmoz5ZKa2fIRS1jPWDI5Pn9yzssw5j
OIwuoHo68jocpz8sSIN3gQ6gIM+5rIs1rgJ/SVS40sRrtBAneP3Qnr6MF3DQrSYP
8TbkCAEjf4xYqVa5f3Oy8NdC2v4Jk7VVTDoiNDpEzFbLzoCI0NpYvZKWPx3l3xr/
jZoYM+Mi+rviCqW8M88KpxBoTf0CAwEAAaOCA4MwggN/MB8GA1UdIwQYMBaAFB4F
o3ePbJbiW4dLprSGrHEADOc4MB0GA1UdDgQWBBSJE3N+JO9Yhb3bxPnUC90OhJy0
xjAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEF
BQcDAQYIKwYBBQUHAwIwZwYDVR0gBGAwXjBSBgwrBgEEAa4jAQQDAQEwQjBABggr
BgEFBQcCARY0aHR0cHM6Ly93d3cuaW5jb21tb24ub3JnL2NlcnQvcmVwb3NpdG9y
eS9jcHNfc3NsLnBkZjAIBgZngQwBAgIwRAYDVR0fBD0wOzA5oDegNYYzaHR0cDov
L2NybC5pbmNvbW1vbi1yc2Eub3JnL0luQ29tbW9uUlNBU2VydmVyQ0EuY3JsMHUG
CCsGAQUFBwEBBGkwZzA+BggrBgEFBQcwAoYyaHR0cDovL2NydC51c2VydHJ1c3Qu
Y29tL0luQ29tbW9uUlNBU2VydmVyQ0FfMi5jcnQwJQYIKwYBBQUHMAGGGWh0dHA6
Ly9vY3NwLnVzZXJ0cnVzdC5jb20wggHYBgNVHREEggHPMIIBy4IZbGRzYXV0aC5z
ZXJ2aWNlLmVtb3J5LmVkdYIZbGRzYXV0aHByb2QxLmNjLmVtb3J5LmVkdYIZbGRz
YXV0aHByb2QxLmV1LmVtb3J5LmVkdYIZbGRzYXV0aHByb2QyLmNjLmVtb3J5LmVk
dYIZbGRzYXV0aHByb2QyLmV1LmVtb3J5LmVkdYIZbGRzYXV0aHByb2QzLmNjLmVt
b3J5LmVkdYIZbGRzYXV0aHByb2QzLmV1LmVtb3J5LmVkdYIZbGRzYXV0aHByb2Q0
LmNjLmVtb3J5LmVkdYIZbGRzYXV0aHByb2Q0LmV1LmVtb3J5LmVkdYIZbGRzYXV0
aHByb2Q1LmNjLmVtb3J5LmVkdYIZbGRzYXV0aHByb2Q1LmV1LmVtb3J5LmVkdYIZ
bGRzYXV0aHByb2Q2LmNjLmVtb3J5LmVkdYIZbGRzYXV0aHByb2Q2LmV1LmVtb3J5
LmVkdYIZbGRzYXV0aHByb2Q3LmNjLmVtb3J5LmVkdYIZbGRzYXV0aHByb2Q3LmV1
LmVtb3J5LmVkdYIZbGRzYXV0aHByb2Q4LmNjLmVtb3J5LmVkdYIZbGRzYXV0aHBy
b2Q4LmV1LmVtb3J5LmVkdTANBgkqhkiG9w0BAQsFAAOCAQEAYP3rmVUa7lz+aT1Z
qYNw+08WiM6zLJDTlDAH6bfMOifqOg42rNL4QiiAaldCSkvCjqS5nUwOyLjy3Mr1
1/77dJsuDxtUE7brhLyCRrktsQ4aytTrbTowPhJzOFKZaYZ0Bq/Im31N2IluGVRu
C1sqHsSCsYhv/qcxJkwXDA4/luH21Uc55RJvr2AcZ09qddo1UOMVpSfAM6fBooB+
0T0bOFoYXXpc7dGS6Ffwos2T9+LkFlPCBHWD7vPoLzywSbDK2mJVCWjELowVwX50
pKsD/8qFB22FZe3arjFRb17hkJERDyFrcrbUv84WAeM9gisskoloMORNWMc6BOFZ
+DSClw==
-----END CERTIFICATE-----
subject=/C=US/postalCode=MyZip/ST=MyState/L=MyTown/street=MyStreetAddress/O=MyOrg/CN=192.168.125.187
issuer=/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
---
No client certificate CA names sent
---
SSL handshake has read 5340 bytes and written 489 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA384
Session-ID: 9D3700003CBC5A44A8B0869C88E432ABD6DFAAEF4EC8268126E4DC6E8398E93B
Session-ID-ctx:
Master-Key:
34CD7A397FB10369831C94F74B048DF1CDE325B4207F15D0354F2487E2E7B697E477ACCA7D0214F98207820A1A4E5D30
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1457420252
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to gnutls26 in Ubuntu.
https://bugs.launchpad.net/bugs/1444656
Title:
GnuTLS TLS 1.2 handshake failure
Status in gnutls26 package in Ubuntu:
Invalid
Status in gnutls26 source package in Trusty:
Triaged
Bug description:
I'm experiencing the same issue as here:
http://comments.gmane.org/gmane.network.gnutls.general/3713
I came across a SSL handshake problem with gnutls-cli when connecting to
some websites, see below. It is somehow specific to gnutls as
openssl/Chrome/Firefox can connect fine.
Is this is a bug in gnutls or do you have any ideas how to
troubleshoot it?
$ gnutls-cli --version
gnutls-cli (GnuTLS) 2.12.23
Packaged by Debian (2.12.23-12ubuntu2.1)
$ gnutls-cli www.openlearning.com
Resolving 'www.openlearning.com'...
Connecting to '119.9.9.205:443'...
*** Fatal error: A TLS fatal alert has been received.
*** Received alert [40]: Handshake failed
*** Handshake has failed
GnuTLS error: A TLS fatal alert has been received.
$ gnutls-cli sequencewiz.com
Resolving 'sequencewiz.com'...
Connecting to '50.112.144.117:443'...
*** Fatal error: A TLS packet with unexpected length was received.
*** Handshake has failed
GnuTLS error: A TLS packet with unexpected length was received.
Thank you,
Please back port the latest GnuTLS to Trusty as it is an LTS release and
clearly GnuTLS 2.12 is an old branch.
I've also attached packet captures of this.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1444656/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
