
Bug 1003874

Summary: Connection via protocols DTLS0.9 and DTLS1.0 terminates with an internal error
Product: Red Hat Enterprise Linux 7
Reporter: Ondrej Moriš <omoris>
Component: gnutls
Assignee: Tomas Mraz <tmraz>
Status: CLOSED NOTABUG
QA Contact: Ondrej Moriš <omoris>
Severity: medium
Priority: medium
Version: 7.0
Target Milestone: beta
Target Release: 7.0
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2013-10-22 13:50:19 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Attachments (description, flags):
   CA certificate (none)
   CA key (none)
   Server certificate (none)
   Server key (none)

Description Ondrej Moriš 2013-09-03 12:12:32 UTC
Description of problem:

When the DTLS0.9 or DTLS1.0 protocol is required by gnutls-cli, the handshake terminates with "*** Fatal error: GnuTLS internal error.".

Version-Release number of selected component (if applicable):

gnutls-3.1.13-1.el7

How reproducible:

100%

Steps to Reproduce:

1. Add '127.0.0.1 www.example.com' to /etc/hosts.
2. Start gnutls-serv using the attached certificates as follows:
   # gnutls-serv --x509certfile server.crt --x509keyfile server.key -p 5000
3. Start gnutls-cli and ask for the DTLS0.9 and DTLS1.0 protocols, respectively:
   # gnutls-cli --priority NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2:-VERS-DTLS1.0:+VERS-DTLS0.9 --x509cafile ca.crt -p 5000 www.example.com
   # gnutls-cli --priority NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2:-VERS-DTLS0.9:+VERS-DTLS1.0 --x509cafile ca.crt -p 5000 www.example.com

Actual results:

Server:
|<2>| Intel AES accelerator was detected
|<2>| Intel GCM accelerator was detected
|<2>| p11: loaded provider 'p11-kit-trust'
|<2>| ASSERT: pkcs11.c:425
|<2>| ASSERT: mpi.c:246
|<2>| ASSERT: gnutls_dh_primes.c:289
Set static Diffie-Hellman parameters, consider --dhparams.
HTTP Server listening on IPv4 0.0.0.0 port 5000...done
HTTP Server listening on IPv6 :: port 5000...done
|<4>| REC[0x17c7ca0]: Allocating epoch #0
|<2>| ASSERT: session_ticket.c:546

* Accepted connection from IPv4 127.0.0.1 port 38272 on Tue Sep  3 08:09:23 2013
|<2>| ASSERT: gnutls_constate.c:715
|<4>| REC[0x17c7ca0]: Allocating epoch #1
|<2>| ASSERT: gnutls_buffers.c:1015
|<7>| READ: Got 5 bytes from 0x6
|<7>| READ: read 5 bytes from 0x6
|<7>| RB: Have 0 bytes into buffer. Adding 5 bytes.
|<7>| RB: Requested 5 bytes
|<4>| REC[0x17c7ca0]: SSL 254.255 Alert packet received. Epoch 0, length: 2
|<2>| ASSERT: gnutls_record.c:657
|<4>| REC[0x17c7ca0]: INVALID VERSION PACKET: (1) 254.255
|<2>| ASSERT: gnutls_record.c:1045
|<2>| ASSERT: gnutls_record.c:1120
|<2>| ASSERT: gnutls_buffers.c:1225
|<2>| ASSERT: gnutls_handshake.c:1357
|<2>| ASSERT: gnutls_handshake.c:2986
Error in handshake
Error: A record packet with illegal version was received.
|<4>| REC: Sending Alert[2|70] - Error in protocol version
|<4>| REC[0x17c7ca0]: Preparing Packet Alert(21) with length: 2 and target length: 2
|<9>| ENC[0x17c7ca0]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
|<7>| WRITE: enqueued 7 bytes for 0x6. Total 7 bytes.
|<7>| WRITE FLUSH: 7 bytes in buffer.
|<7>| WRITE: wrote 7 bytes, 0 bytes left.
|<4>| REC[0x17c7ca0]: Sent Packet[1] Alert(21) in epoch 0 and length: 7
|<2>| ASSERT: gnutls_record.c:346
|<4>| REC[0x17c7ca0]: Start of epoch cleanup
|<4>| REC[0x17c7ca0]: End of epoch cleanup
|<4>| REC[0x17c7ca0]: Epoch #0 freed
|<4>| REC[0x17c7ca0]: Epoch #1 freed

Client:
|<2>| Intel AES accelerator was detected
|<2>| Intel GCM accelerator was detected
|<2>| p11: loaded provider 'p11-kit-trust'
|<2>| ASSERT: pkcs11.c:425
Processed 1 CA certificate(s).
Resolving 'www.example.com'...
Connecting to '127.0.0.1:5000'...
|<4>| REC[0xa13de0]: Allocating epoch #0
|<2>| ASSERT: gnutls_constate.c:715
|<4>| REC[0xa13de0]: Allocating epoch #1
|<2>| ASSERT: gnutls_handshake.c:1896
|<2>| ASSERT: gnutls_handshake.c:2609
*** Fatal error: GnuTLS internal error.
|<4>| REC: Sending Alert[2|80] - Internal error
|<4>| REC[0xa13de0]: Preparing Packet Alert(21) with length: 2 and target length: 2
|<9>| ENC[0xa13de0]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
|<7>| WRITE: enqueued 7 bytes for 0x4. Total 7 bytes.
|<7>| WRITE FLUSH: 7 bytes in buffer.
|<7>| WRITE: wrote 7 bytes, 0 bytes left.
|<4>| REC[0xa13de0]: Sent Packet[1] Alert(21) in epoch 0 and length: 7
*** Handshake has failed
GnuTLS error: GnuTLS internal error.
|<4>| REC[0xa13de0]: Start of epoch cleanup
|<4>| REC[0xa13de0]: End of epoch cleanup
|<4>| REC[0xa13de0]: Epoch #0 freed
|<4>| REC[0xa13de0]: Epoch #1 freed

Expected results:

Successful handshake.

Additional info:

N/A

Comment 1 Ondrej Moriš 2013-09-03 12:16:26 UTC
Created attachment 793156 [details]
CA certificate

Comment 2 Ondrej Moriš 2013-09-03 12:16:49 UTC
Created attachment 793157 [details]
CA key

Comment 3 Ondrej Moriš 2013-09-03 12:18:40 UTC
Created attachment 793158 [details]
Server certificate

Comment 4 Ondrej Moriš 2013-09-03 12:21:20 UTC
Created attachment 793163 [details]
Server key

Comment 5 Tomas Mraz 2013-10-22 13:50:19 UTC
You have to use the -u option to use UDP with both gnutls-serv and gnutls-cli. DTLS's purpose is to be used on datagram protocols, not on TCP.
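To make sense of the "SSL 254.255" and "INVALID VERSION PACKET" lines in the server log above, here is an added Python example (not gnutls code) that decodes a record header the way a TCP or a UDP listener would and flags a DTLS version field arriving on a TCP socket, which is what happens when both tools run without -u. The 7-byte alert record is reconstructed from the client log (Alert(21), version 254.255, length 2, Alert[2|80]); the VERSION_NAMES and ALERT_DESC tables and the function names are my own.

```python
"""Decode TLS/DTLS record headers and alerts from the gnutls logs above (added example)."""
import struct

# Wire version (major, minor) -> name gnutls prints. DTLS versions are the
# ones' complement of TLS (RFC 6347 4.1); GnuTLS's pre-standard DTLS0.9 used 1.0.
VERSION_NAMES = {
    (3, 0): "SSL3.0", (3, 1): "TLS1.0", (3, 2): "TLS1.1", (3, 3): "TLS1.2",
    (1, 0): "DTLS0.9", (254, 255): "DTLS1.0", (254, 253): "DTLS1.2",
}
ALERT_DESC = {70: "protocol_version", 80: "internal_error"}  # RFC 5246 7.2
CONTENT_ALERT = 21

def is_dtls_version(major: int, minor: int) -> bool:
    """True if the record version field belongs to the DTLS family."""
    return major == 254 or (major, minor) == (1, 0)

def diagnose_record(data: bytes, transport: str) -> dict:
    """Parse a record header the way a listener on `transport` ('tcp' or
    'udp') would, and report whether its version fits that transport."""
    if len(data) < 5:
        raise ValueError("record header too short")
    ctype, major, minor = data[0], data[1], data[2]
    if transport == "udp":
        # DTLS header: type(1) version(2) epoch(2) seq(6) length(2)
        if len(data) < 13:
            raise ValueError("DTLS record header too short")
        length = struct.unpack("!HHIH", data[3:13])[3]
        body = data[13:13 + length]
    else:
        # TLS header: type(1) version(2) length(2); gnutls-serv without -u
        # reads exactly these 5 bytes ("Got 5 bytes" in the server log)
        (length,) = struct.unpack("!H", data[3:5])
        body = data[5:5 + length]
    result = {
        "content_type": ctype,
        "version": VERSION_NAMES.get((major, minor), f"{major}.{minor}"),
        "length": length,
        # A DTLS version on a TCP listener (or TLS on UDP) is what the server
        # log reports as "INVALID VERSION PACKET".
        "matches_transport": is_dtls_version(major, minor) == (transport == "udp"),
    }
    if ctype == CONTENT_ALERT and len(body) == 2:
        result["alert"] = (body[0], ALERT_DESC.get(body[1], str(body[1])))
    return result

# Constructed from the client log: the 7-byte Alert(21) record with version
# 254.255 and length 2 carrying fatal(2) internal_error(80).
CLIENT_ALERT_OVER_TCP = bytes([0x15, 0xFE, 0xFF, 0x00, 0x02, 0x02, 0x50])
```

Running diagnose_record(CLIENT_ALERT_OVER_TCP, "tcp") reports version DTLS1.0 with matches_transport False, which is the condition the server answered with Alert[2|70] (protocol_version).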