We encountered this bug today and it has the potential to be pretty nasty if you're unfortunate enough to hit it. In our case we have several systems which perform authentication against a Windows domain using LDAPS. We recently updated the TLS certificate on those systems and all the services which perform LDAPS authentication starting failing with the symptoms described earlier in this bug.
The new TLS certificate we installed had the same key size and hash algorithm, but it turned out the root CA & intermediate certificate were using SHA384 as the signature hash. This in turn caused the LDAPS connections to stop working. Given the CA's certificates were using SHA384 reissuing the certificate wasn't going to help and downgrading the TLS version was not at all desirable given the potential security implications. I've backported the commit referenced by Marc and confirmed it resolves the problem for us. In my view it'd be wise to push this out to 14.04 users as this issue is going to presumably become more prominent as more certificates start using stronger hash algorithms and TLS 1.2 becomes more prevalent. ** Patch added: "fix-tls12-handshake.diff" https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1444656/+attachment/4837425/+files/fix-tls12-handshake.diff -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to gnutls26 in Ubuntu. https://bugs.launchpad.net/bugs/1444656 Title: GnuTLS TLS 1.2 handshake failure Status in gnutls26 package in Ubuntu: Invalid Status in gnutls26 source package in Trusty: Triaged Bug description: I'm experiencing the same issue as here: http://comments.gmane.org/gmane.network.gnutls.general/3713 I came across a SSL handshake problem with gnutls-cli when connecting to some websites, see below. It is somehow specific to gnutls as openssl/Chrome/Firefox can connect fine. Is this is a bug in gnutls or do you have any ideas how to troubleshoot it? $ gnutls-cli --version gnutls-cli (GnuTLS) 2.12.23 Packaged by Debian (2.12.23-12ubuntu2.1) $ gnutls-cli www.openlearning.com Resolving 'www.openlearning.com'... Connecting to '119.9.9.205:443'... *** Fatal error: A TLS fatal alert has been received. *** Received alert [40]: Handshake failed *** Handshake has failed GnuTLS error: A TLS fatal alert has been received. $ gnutls-cli sequencewiz.com Resolving 'sequencewiz.com'... Connecting to '50.112.144.117:443'... *** Fatal error: A TLS packet with unexpected length was received. *** Handshake has failed GnuTLS error: A TLS packet with unexpected length was received. Thank you, Please back port the latest GnuTLS to Trusty as it is an LTS release and clearly GnuTLS 2.12 is an old branch. I've also attached packet captures of this. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1444656/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
