Bug 628059

Summary: Gnutls: A TLS packet with unexpected length was received
Product: Fedora
Reporter: W. Michael Petullo <mike>
Component: gnutls
Assignee: Tomas Mraz <tmraz>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 14
CC: jorton, tmraz
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-09-07 15:47:43 UTC

Description W. Michael Petullo 2010-08-27 18:28:28 UTC
Description of problem:
Epiphany will not connect to certain websites that use TLS. This includes bugzilla.redhat.com (Connection terminated unexpectedly), www.us.army.mil (SSL handshake failed: A TLS packet with unexpected length was received) and my bank's website (receive an HTML error page). After investigating this issue, I have concluded that the problem is in gnutls.

Version-Release number of selected component (if applicable):
gnutls-2.8.6-2.fc14.x86_64

How reproducible:
Every time

Steps to Reproduce:
1. Use epiphany to visit bugzilla.redhat.com or www.us.army.mil.
2. Do the same using gnutls-cli (see below).

Actual results:
Connection terminated unexpectedly (SSL handshake failed: A TLS packet with unexpected length was received) or HTML error page.

Expected results:
TLS should provide a secure tunnel for HTTP.

Additional info:
Connect to www.us.army.mil using gnutls-cli:

> gnutls-cli -p 443 www.us.army.mil
Resolving 'www.us.army.mil'...
Connecting to '143.69.251.36:443'...
- Certificate type: X.509
 - Got a certificate list of 1 certificates.
 - Certificate[0] info:
  - subject `C=US,O=U.S.Government,OU=DoD,OU=PKI,OU=USA,CN=www.us.army.mil', issuer `C=US,O=U.S. Government,OU=DoD,OU=PKI,CN=DOD CA-17', RSA key 2048 bits, signed using RSA-SHA, activated `2009-04-08 19:46:31 UTC', expires `2012-04-08 19:46:31 UTC', SHA-1 fingerprint `0a10a8b598578c5eae81813aa81ca0129c98f4ef'
- The hostname in the certificate matches 'www.us.army.mil'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.0
- Key Exchange: RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed

- Simple Client Mode:

GET / HTTP/1.1
*** Fatal error: A TLS packet with unexpected length was received.
*** Server has terminated the connection abnormally.

Connect to bugzilla.redhat.com using gnutls-cli:

> gnutls-cli -p 443 bugzilla.redhat.com
Resolving 'bugzilla.redhat.com'...
Connecting to '209.132.183.69:443'...
- Ephemeral Diffie-Hellman parameters
 - Using prime: 1024 bits
 - Secret key: 1020 bits
 - Peer's public key: 1024 bits
- Certificate type: X.509
 - Got a certificate list of 1 certificates.
 - Certificate[0] info:
  - subject `C=US,ST=North Carolina,L=Raleigh,O=Red Hat Inc,OU=Information Systems,CN=bugzilla.redhat.com', issuer `C=US,O=Equifax,OU=Equifax Secure Certificate Authority', RSA key 1024 bits, signed using RSA-SHA, activated `2009-01-07 16:17:33 UTC', expires `2011-02-07 16:17:33 UTC', SHA-1 fingerprint `5748e94a2dce5262b7a53fc93527f22add2e3711'
- The hostname in the certificate matches 'bugzilla.redhat.com'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.0
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed

- Simple Client Mode:

GET / HTTP/1.1

HTTP/1.1 400 Bad Request
Date: Fri, 27 Aug 2010 18:25:33 GMT
Server: Apache
Content-Length: 296
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache Server at bugzilla.redhat.com Port 443</address>
</body></html>
- Peer has closed the GNUTLS connection

Comment 1 Tomas Mraz 2010-09-01 07:04:56 UTC
The bugzilla.redhat.com case is just your mistake when sending the HTTP/1.1 request - you should either send a 1.0 request or add a proper Host header to the request. So no gnutls error there.

In the case of www.us.army.mil there looks to be some kind of bug on the server side where it does not terminate the TCP/IP connection properly - it should first send an SSL close_notify alert.

So most probably this is NOTABUG.

Comment 2 W. Michael Petullo 2010-09-07 15:47:43 UTC
It seems Tomas is right. After I cleared all of Epiphany's settings in GConf2 and .gnome2/epiphany, bugzilla.gnome.org and my bank's website worked fine. I will engage www.us.army.mil about their possible TLS issue and will open a different bug if I find the problem is still on the client side.

Comment 3 W. Michael Petullo 2011-06-13 19:44:14 UTC
For the record, I can connect to AKO with the following:

gnutls-cli -d 255 -p 443 www.us.army.mil --priority "NORMAL:-VERS-TLS1.1:-VERS-TLS1.2:%COMPAT"

One of the GnuTLS developers suggested using "--priority".
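The two points raised in Comment 1 (an HTTP/1.1 request needs a Host header, and a server should send a TLS close_notify alert before closing the TCP connection) and the version-capping workaround from Comment 3 can be exercised with the following client. This is an added example written for this page; it is not code from the bug report, from GnuTLS or from Fedora. It uses Python's standard ssl module instead of gnutls-cli, so the downgrade workaround is expressed as a maximum TLS version on the context rather than as a GnuTLS priority string. The host name, path and version cap are parameters; the request builder, the response parser and the closure classifier run offline on constructed inputs. A peer that closes the TCP connection without close_notify is reported separately from a clean shutdown because, from the client's point of view, that is also exactly what a truncation attack looks like, which is why GnuTLS treats it as a fatal error rather than as end of data.

```python
"""Added example (not from the bug report): send a well-formed HTTP/1.1
request over TLS and report how the peer ended the session."""
import socket
import ssl
from typing import Optional, Tuple


def build_get(host: str, path: str = "/", http_version: str = "1.1") -> bytes:
    """Build a minimal GET request. HTTP/1.1 requires a Host header
    (RFC 7230 section 5.4), which is what the 400 in the ticket was about;
    HTTP/1.0 does not require it, but sending one is harmless."""
    if http_version not in ("1.0", "1.1"):
        raise ValueError("unsupported HTTP version: %s" % http_version)
    lines = ["GET %s HTTP/%s" % (path, http_version),
             "Host: %s" % host,
             "Connection: close"]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def request_is_valid(request: bytes) -> bool:
    """True when an HTTP/1.1 server would accept the request head:
    a three-part request line and, for HTTP/1.1, exactly one Host header."""
    head, sep, _body = request.partition(b"\r\n\r\n")
    if not sep:
        return False                      # header block never terminated
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return False
    if parts[2] == b"HTTP/1.0":
        return True
    hosts = [l for l in lines[1:] if l.lower().startswith(b"host:")]
    return len(hosts) == 1


def parse_status(response: bytes) -> Optional[int]:
    """Numeric status code from the first line of an HTTP response, or None."""
    first = response.split(b"\r\n", 1)[0]
    parts = first.split(b" ")
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None
    try:
        return int(parts[1])
    except ValueError:
        return None


def classify_close(exc: Optional[BaseException]) -> str:
    """Map the way the read loop ended onto a closure category."""
    if exc is None:
        return "clean_close"              # peer sent close_notify, recv gave b""
    if isinstance(exc, ssl.SSLEOFError):
        return "abrupt_close"             # TCP FIN/RST with no close_notify
    if isinstance(exc, ssl.SSLError) and "EOF" in str(exc).upper():
        return "abrupt_close"             # same condition, older error shape
    return "error:%s" % exc.__class__.__name__


def simulated_closes() -> Tuple[str, str, str]:
    """Offline check of classify_close on constructed exceptions."""
    return (classify_close(None),
            classify_close(ssl.SSLEOFError("EOF occurred in violation of protocol")),
            classify_close(ssl.SSLError(8, "UNEXPECTED_EOF_WHILE_READING")))


def fetch(host: str, port: int = 443, path: str = "/",
          max_version: Optional[ssl.TLSVersion] = None,
          timeout: float = 10.0) -> Tuple[str, Optional[int], str]:
    """Connect, send a valid HTTP/1.1 request, read to EOF, and return
    (negotiated TLS version, HTTP status, closure category).

    max_version plays the role of the gnutls-cli --priority workaround in
    the ticket: cap the offered version for a server that cannot cope with
    newer ClientHellos. Note that many current OpenSSL builds refuse TLS 1.0
    and 1.1 at their default security level, so a low cap may fail locally."""
    ctx = ssl.create_default_context()
    if max_version is not None:
        ctx.maximum_version = max_version
    # Python hides ragged EOFs by default; switch that off so a missing
    # close_notify surfaces as an exception instead of looking like EOF.
    if hasattr(ssl, "OP_IGNORE_UNEXPECTED_EOF"):
        ctx.options &= ~ssl.OP_IGNORE_UNEXPECTED_EOF
    data = b""
    close_exc: Optional[BaseException] = None
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host,
                             suppress_ragged_eofs=False) as tls:
            version = tls.version() or "unknown"
            tls.sendall(build_get(host, path, "1.1"))
            while True:
                try:
                    chunk = tls.recv(4096)
                except (ssl.SSLError, OSError) as exc:
                    close_exc = exc
                    break
                if not chunk:
                    break                 # orderly EOF after close_notify
                data += chunk
    return version, parse_status(data), classify_close(close_exc)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.invalid"  # placeholder host
    print(fetch(target))
```

Run it as `python client.py some.host` to see the negotiated version, the status code and whether the server shut down cleanly; pass `max_version=ssl.TLSVersion.TLSv1_2` (or lower, where the local OpenSSL still allows it) to fetch() to emulate the priority-string downgrade from Comment 3. The suppress_ragged_eofs and OP_IGNORE_UNEXPECTED_EOF settings are the part most people miss: with the defaults, Python reports an abrupt close as an ordinary end of stream and the server-side bug from the ticket becomes invisible.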