Description of problem:
When the DTLS0.9 or DTLS1.0 protocol is required by gnutls-cli, the handshake terminates with "*** Fatal error: GnuTLS internal error.".

Version-Release number of selected component (if applicable):
gnutls-3.1.13-1.el7

How reproducible:
100%

Steps to Reproduce:
1. Add '127.0.0.1 www.example.com' to /etc/hosts.
2. Start gnutls-serv using the attached certificates as follows:
# gnutls-serv --x509certfile server.crt --x509keyfile server.key -p 5000
3. Start gnutls-cli and ask for the DTLS0.9 and DTLS1.0 protocols, respectively:
# gnutls-cli --priority NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2:-VERS-DTLS1.0:+VERS-DTLS0.9 --x509cafile ca.crt -p 5000 www.example.com
# gnutls-cli --priority NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2:-VERS-DTLS0.9:+VERS-DTLS1.0 --x509cafile ca.crt -p 5000 www.example.com

Actual results:

Server:
|<2>| Intel AES accelerator was detected
|<2>| Intel GCM accelerator was detected
|<2>| p11: loaded provider 'p11-kit-trust'
|<2>| ASSERT: pkcs11.c:425
|<2>| ASSERT: mpi.c:246
|<2>| ASSERT: gnutls_dh_primes.c:289
Set static Diffie-Hellman parameters, consider --dhparams.
HTTP Server listening on IPv4 0.0.0.0 port 5000...done
HTTP Server listening on IPv6 :: port 5000...done
|<4>| REC[0x17c7ca0]: Allocating epoch #0
|<2>| ASSERT: session_ticket.c:546
* Accepted connection from IPv4 127.0.0.1 port 38272 on Tue Sep 3 08:09:23 2013
|<2>| ASSERT: gnutls_constate.c:715
|<4>| REC[0x17c7ca0]: Allocating epoch #1
|<2>| ASSERT: gnutls_buffers.c:1015
|<7>| READ: Got 5 bytes from 0x6
|<7>| READ: read 5 bytes from 0x6
|<7>| RB: Have 0 bytes into buffer. Adding 5 bytes.
|<7>| RB: Requested 5 bytes
|<4>| REC[0x17c7ca0]: SSL 254.255 Alert packet received. Epoch 0, length: 2
|<2>| ASSERT: gnutls_record.c:657
|<4>| REC[0x17c7ca0]: INVALID VERSION PACKET: (1) 254.255
|<2>| ASSERT: gnutls_record.c:1045
|<2>| ASSERT: gnutls_record.c:1120
|<2>| ASSERT: gnutls_buffers.c:1225
|<2>| ASSERT: gnutls_handshake.c:1357
|<2>| ASSERT: gnutls_handshake.c:2986
Error in handshake
Error: A record packet with illegal version was received.
|<4>| REC: Sending Alert[2|70] - Error in protocol version
|<4>| REC[0x17c7ca0]: Preparing Packet Alert(21) with length: 2 and target length: 2
|<9>| ENC[0x17c7ca0]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
|<7>| WRITE: enqueued 7 bytes for 0x6. Total 7 bytes.
|<7>| WRITE FLUSH: 7 bytes in buffer.
|<7>| WRITE: wrote 7 bytes, 0 bytes left.
|<4>| REC[0x17c7ca0]: Sent Packet[1] Alert(21) in epoch 0 and length: 7
|<2>| ASSERT: gnutls_record.c:346
|<4>| REC[0x17c7ca0]: Start of epoch cleanup
|<4>| REC[0x17c7ca0]: End of epoch cleanup
|<4>| REC[0x17c7ca0]: Epoch #0 freed
|<4>| REC[0x17c7ca0]: Epoch #1 freed

Client:
|<2>| Intel AES accelerator was detected
|<2>| Intel GCM accelerator was detected
|<2>| p11: loaded provider 'p11-kit-trust'
|<2>| ASSERT: pkcs11.c:425
Processed 1 CA certificate(s).
Resolving 'www.example.com'...
Connecting to '127.0.0.1:5000'...
|<4>| REC[0xa13de0]: Allocating epoch #0
|<2>| ASSERT: gnutls_constate.c:715
|<4>| REC[0xa13de0]: Allocating epoch #1
|<2>| ASSERT: gnutls_handshake.c:1896
|<2>| ASSERT: gnutls_handshake.c:2609
*** Fatal error: GnuTLS internal error.
|<4>| REC: Sending Alert[2|80] - Internal error
|<4>| REC[0xa13de0]: Preparing Packet Alert(21) with length: 2 and target length: 2
|<9>| ENC[0xa13de0]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
|<7>| WRITE: enqueued 7 bytes for 0x4. Total 7 bytes.
|<7>| WRITE FLUSH: 7 bytes in buffer.
|<7>| WRITE: wrote 7 bytes, 0 bytes left.
|<4>| REC[0xa13de0]: Sent Packet[1] Alert(21) in epoch 0 and length: 7
*** Handshake has failed
GnuTLS error: GnuTLS internal error.
|<4>| REC[0xa13de0]: Start of epoch cleanup
|<4>| REC[0xa13de0]: End of epoch cleanup
|<4>| REC[0xa13de0]: Epoch #0 freed
|<4>| REC[0xa13de0]: Epoch #1 freed

Expected results:
Successful handshake.

Additional info:
N/A
Created attachment 793156: CA certificate
Created attachment 793157: CA key
Created attachment 793158: Server certificate
Created attachment 793163: Server key
You have to use the -u option to use UDP with both gnutls-serv and gnutls-cli. The purpose of DTLS is to be used on datagram protocols and not on TCP.
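Added example, not code from the report or from GnuTLS: a small decoder that reads a record the way a stream (TCP) peer does and flags the DTLS record version that the server log above rejects. The 7-byte sample is reconstructed from the logged values (Alert(21), version 254.255, length 2, Alert[2|80]) and is an assumption about the exact bytes on the wire; the version names follow what GnuTLS prints.

```python
import struct

# Record-layer version bytes and the protocol names GnuTLS uses for them.
# TLS carries plain version numbers; standard DTLS carries 1's-complement
# values (254.255 = DTLS1.0), and the pre-standard DTLS0.9 is sent as 1.0.
VERSIONS = {
    (3, 0): "SSL3.0", (3, 1): "TLS1.0", (3, 2): "TLS1.1", (3, 3): "TLS1.2",
    (1, 0): "DTLS0.9", (254, 255): "DTLS1.0", (254, 253): "DTLS1.2",
}
CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake",
                 23: "ApplicationData"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {70: "protocol_version", 80: "internal_error"}


def parse_stream_record(data: bytes) -> dict:
    """Parse one record as a stream (TCP) session does: 5-byte TLS header.

    A stream session only accepts major version 3 (SSL3/TLS), so a DTLS
    version such as 254.255 is reported as illegal, which is what the
    server's 'INVALID VERSION PACKET' / 'illegal version' lines mean.
    """
    if len(data) < 5:
        raise ValueError("short record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated record body")
    rec = {
        "type": CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
        "version": (major, minor),
        "version_name": VERSIONS.get((major, minor), "unknown"),
        "illegal_for_stream": major != 3,
        "length": length,
    }
    # A 2-byte alert body is level || description (GnuTLS prints Alert[level|desc]).
    if ctype == 21 and length == 2:
        rec["alert"] = (ALERT_LEVELS.get(body[0], str(body[0])),
                        ALERT_DESCRIPTIONS.get(body[1], str(body[1])))
    return rec


# Constructed from the log values: Alert(21), version 254.255, length 2,
# body Alert[2|80] = fatal/internal_error; 7 bytes, as the client reports writing.
CLIENT_ALERT = bytes([0x15, 0xFE, 0xFF, 0x00, 0x02, 0x02, 0x50])

if __name__ == "__main__":
    print(parse_stream_record(CLIENT_ALERT))
```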