On Wed, 2014-11-12 at 11:44 -0800, Niranjan Rao wrote:
> Greetings,
>
> On Webkit 2.2.6/Ubuntu 12.04
>
> When visiting some sites, I get error SSL handshake error. For example
> site https://www.pge.com/eum/login gives SSL handshake error when using
> MiniBrowser. Usual browsers are doing ok when visiting the site.
>
> Is there any way to mitigate this problem?

Each such site requires individual investigation, unfortunately.

> I saw some documentation about TLS errors in webkitgtk web site. Not
> clear if this applies to me or not.

Well, that documentation describes how to handle "successful" TLS
connections with unverified TLS certificates, which is important for
developers because older versions of WebKitGTK+ handle this insecurely
by default. But it's not relevant here, since this connection has failed
completely.

We use GnuTLS to handle TLS; here's what its command line debug tool
tells us:

$ gnutls-cli www.pge.com
Processed 153 CA certificate(s).
Resolving 'www.pge.com'...
Connecting to '131.89.128.67:443'...
*** Fatal error: The TLS connection was non-properly terminated.
*** Handshake has failed
GnuTLS error: The TLS connection was non-properly terminated.

That error message is misleading:

$ gnutls-cli-debug www.pge.com
Resolving 'www.pge.com'...
Connecting to '131.89.128.67:443'...
Checking for SSL 3.0 support... no
Connecting to '131.89.128.67:443'...
Checking whether %COMPAT is required... yes
Connecting to '131.89.128.67:443'...
Checking for TLS 1.0 support... no
Connecting to '131.89.128.67:443'...
Checking for TLS 1.1 support... no
Connecting to '131.89.128.67:443'...
Checking fallback from TLS 1.1 to... failed
Connecting to '131.89.128.67:443'...
Checking for TLS 1.2 support... no
Connecting to '131.89.128.67:443'...
Checking whether we need to disable TLS 1.2... yes

So GnuTLS thinks this server apparently does not support any TLS
protocol, and you get no connection. But for a second opinion I went to
https://www.ssllabs.com/ssltest/analyze.html?d=pge.com which was able to
connect via TLS 1.0. The server supports very few cipher suites (you can
see that the site is completely inaccessible with the latest Safari, for
example), but we share three in common so I'm not sure what's wrong.

The next step would be to ask on the gnutls-help mailing list [1] to
find out whether there is a GnuTLS bug (not really likely) or why it's
refusing to connect if not. Please do CC me; I'm curious!

Michael

[1] http://lists.gnutls.org/mailman/listinfo/gnutls-help
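
Added example, not part of the original message or of GnuTLS: a small Python parser for the gnutls-cli-debug output quoted above. It reports a run in which every protocol-version probe failed as inconclusive rather than as "no TLS support", since an independent scanner still connected. The function names and verdict labels are assumptions made for this illustration.

```python
import re

# Output of `gnutls-cli-debug www.pge.com`, copied from the message above.
SAMPLE = """\
Resolving 'www.pge.com'...
Connecting to '131.89.128.67:443'...
Checking for SSL 3.0 support... no
Connecting to '131.89.128.67:443'...
Checking whether %COMPAT is required... yes
Connecting to '131.89.128.67:443'...
Checking for TLS 1.0 support... no
Connecting to '131.89.128.67:443'...
Checking for TLS 1.1 support... no
Connecting to '131.89.128.67:443'...
Checking fallback from TLS 1.1 to... failed
Connecting to '131.89.128.67:443'...
Checking for TLS 1.2 support... no
Connecting to '131.89.128.67:443'...
Checking whether we need to disable TLS 1.2... yes
"""

CHECK = re.compile(r"^Checking (?P<what>.+?)\.\.\.\s*(?P<result>.*)$")
PROTO = re.compile(r"^for ((?:SSL|TLS) \d\.\d) support$")

def parse_checks(text):
    """Map each 'Checking <what>... <result>' line to {what: result}."""
    checks = {}
    for line in text.splitlines():
        m = CHECK.match(line.strip())
        if m:
            checks[m.group("what")] = m.group("result").strip()
    return checks

def triage(text):
    """Summarise the per-version probes and flag an all-failed run."""
    checks = parse_checks(text)
    protos = {}
    for what, result in checks.items():
        m = PROTO.match(what)
        if m:
            protos[m.group(1)] = result
    supported = [p for p, r in protos.items() if r == "yes"]
    # Every version probe failing does not prove the server speaks no TLS
    # (an independent scanner may still connect), so report it as
    # inconclusive rather than as "no TLS support".
    verdict = "ok" if supported else ("inconclusive" if protos else "no-probes")
    return {"probed": list(protos), "supported": supported,
            "compat_required": checks.get("whether %COMPAT is required") == "yes",
            "verdict": verdict}

if __name__ == "__main__":
    print(triage(SAMPLE))
```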
