Bug 628059 - Gnutls: A TLS packet with unexpected length was received
Summary: Gnutls: A TLS packet with unexpected length was received
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: gnutls
Version: 14
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2010-08-27 18:28 UTC by W. Michael Petullo
Modified: 2011-06-13 19:44 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2010-09-07 15:47:43 UTC
Type: ---
Embargoed:



Description W. Michael Petullo 2010-08-27 18:28:28 UTC
Description of problem:
Epiphany will not connect to certain websites that use TLS. This includes bugzilla.redhat.com (Connection terminated unexpectedly), www.us.army.mil (SSL handshake failed: A TLS packet with unexpected length was received) and my bank's website (receive an HTML error page). After investigating this issue, I have concluded that the problem is in gnutls.

Version-Release number of selected component (if applicable):
gnutls-2.8.6-2.fc14.x86_64

How reproducible:
Every time

Steps to Reproduce:
1. Use epiphany to visit bugzilla.redhat.com or www.us.army.mil.
2. Do the same using gnutls-cli (see below)
  
Actual results:
Connection terminated unexpectedly, SSL handshake failed (A TLS packet with unexpected length was received), or HTML error page.

Expected results:
TLS should provide a secure tunnel for HTTP.

Additional info:
Connect to www.us.army.mil using gnutls-cli:

> gnutls-cli -p 443 www.us.army.mil
Resolving 'www.us.army.mil'...
Connecting to '143.69.251.36:443'...
- Certificate type: X.509
 - Got a certificate list of 1 certificates.
 - Certificate[0] info:
  - subject `C=US,O=U.S.Government,OU=DoD,OU=PKI,OU=USA,CN=www.us.army.mil', issuer `C=US,O=U.S. Government,OU=DoD,OU=PKI,CN=DOD CA-17', RSA key 2048 bits, signed using RSA-SHA, activated `2009-04-08 19:46:31 UTC', expires `2012-04-08 19:46:31 UTC', SHA-1 fingerprint `0a10a8b598578c5eae81813aa81ca0129c98f4ef'
- The hostname in the certificate matches 'www.us.army.mil'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.0
- Key Exchange: RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed

- Simple Client Mode:

GET / HTTP/1.1
*** Fatal error: A TLS packet with unexpected length was received.
*** Server has terminated the connection abnormally.

Connect to bugzilla.redhat.com using gnutls-cli:

> gnutls-cli -p 443 bugzilla.redhat.com
Resolving 'bugzilla.redhat.com'...
Connecting to '209.132.183.69:443'...
- Ephemeral Diffie-Hellman parameters
 - Using prime: 1024 bits
 - Secret key: 1020 bits
 - Peer's public key: 1024 bits
- Certificate type: X.509
 - Got a certificate list of 1 certificates.
 - Certificate[0] info:
  - subject `C=US,ST=North Carolina,L=Raleigh,O=Red Hat Inc,OU=Information Systems,CN=bugzilla.redhat.com', issuer `C=US,O=Equifax,OU=Equifax Secure Certificate Authority', RSA key 1024 bits, signed using RSA-SHA, activated `2009-01-07 16:17:33 UTC', expires `2011-02-07 16:17:33 UTC', SHA-1 fingerprint `5748e94a2dce5262b7a53fc93527f22add2e3711'
- The hostname in the certificate matches 'bugzilla.redhat.com'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.0
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed

- Simple Client Mode:

GET / HTTP/1.1

HTTP/1.1 400 Bad Request
Date: Fri, 27 Aug 2010 18:25:33 GMT
Server: Apache
Content-Length: 296
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache Server at bugzilla.redhat.com Port 443</address>
</body></html>
- Peer has closed the GNUTLS connection

Comment 1 Tomas Mraz 2010-09-01 07:04:56 UTC
The bugzilla.redhat.com case is just your mistake when sending the HTTP/1.1 request - you should either send a 1.0 request or add a proper Host header to the request. So no gnutls error there.

In the case of www.us.army.mil, there looks to be some kind of bug on the server side where it does not terminate the TCP/IP connection properly - it should first send an SSL close_notify alert.

So most probably this is NOTABUG.
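
The two client-side points in Comment 1, as an added example that is not part of this bug report or of GnuTLS: an HTTP/1.1 request must carry a Host header (RFC 2616 / RFC 7230), and a peer that tears down TCP without first sending a TLS close_notify alert should be reported to the caller rather than treated as a normal end of response, since the data may have been truncated. The script uses only Python's standard `ssl` and `socket` modules; `fetch()` needs network access and, because it uses `ssl.create_default_context()`, will also refuse the "issuer is unknown" certificates seen in the transcripts above. `FakeSocket` is a constructed stand-in so the close handling can be exercised offline; its chunks are made up.

```python
import socket
import ssl

# Added example (not the bug report's or GnuTLS's code): a minimal HTTPS
# client that avoids the two problems pointed out in Comment 1.


def build_request(host, version="1.1", path="/"):
    """Return a well-formed GET request for the given HTTP version.

    HTTP/1.1 requires a Host header; a request without one is answered with
    400 Bad Request, which is what bugzilla.redhat.com returned to the bare
    "GET / HTTP/1.1" in the transcript. HTTP/1.0 does not need it.
    """
    if version == "1.1":
        return (f"GET {path} HTTP/1.1\r\n"
                f"Host: {host}\r\n"
                "Connection: close\r\n\r\n").encode("ascii")
    if version == "1.0":
        return f"GET {path} HTTP/1.0\r\n\r\n".encode("ascii")
    raise ValueError(f"unsupported HTTP version: {version}")


def read_until_close(sock):
    """Read the response until the peer closes, reporting how it closed.

    Returns (data, clean). clean is True when the peer sent a TLS close_notify
    alert before closing TCP (recv() returns b""), False when the TCP
    connection was torn down without one (ssl.SSLEOFError). GnuTLS reports
    the latter as a fatal error, as in the www.us.army.mil transcript; a
    client should treat it as a possible truncation rather than as success.
    """
    chunks = []
    while True:
        try:
            chunk = sock.recv(4096)
        except ssl.SSLEOFError:
            return b"".join(chunks), False
        if not chunk:
            return b"".join(chunks), True
        chunks.append(chunk)


def fetch(host, port=443, version="1.1", timeout=10.0):
    """Connect with certificate verification on, send the request, read all."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # suppress_ragged_eofs=False makes Python raise on an abrupt close
        # instead of silently reporting EOF, matching GnuTLS's strictness.
        with ctx.wrap_socket(raw, server_hostname=host,
                             suppress_ragged_eofs=False) as tls:
            tls.sendall(build_request(host, version))
            return read_until_close(tls)


class FakeSocket:
    """Constructed stand-in for an SSLSocket so the close handling can be
    exercised offline: yields the given chunks, then either a clean EOF
    (b"") or an abrupt close (SSLEOFError)."""

    def __init__(self, chunks, abrupt):
        self._chunks = list(chunks)
        self._abrupt = abrupt

    def recv(self, n):
        if self._chunks:
            return self._chunks.pop(0)
        if self._abrupt:
            raise ssl.SSLEOFError("EOF occurred in violation of protocol")
        return b""


if __name__ == "__main__":
    # Constructed response chunks; no network is touched here.
    body = [b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\n", b"ok"]
    for abrupt in (False, True):
        data, clean = read_until_close(FakeSocket(body, abrupt))
        print("clean close" if clean else "abrupt close (no close_notify)",
              len(data), "bytes")
```

With `suppress_ragged_eofs` left at its default of True, Python would have returned an empty read for the www.us.army.mil case and the caller could not tell a truncated response from a complete one; setting it to False is what lets the client surface the same condition GnuTLS reports.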

Comment 2 W. Michael Petullo 2010-09-07 15:47:43 UTC
It seems Tomas is right. After I cleared all of Epiphany's settings in GConf2 and .gnome2/epiphany, bugzilla.gnome.org and my bank's website worked fine. I will engage www.us.army.mil about their possible TLS issue and will open a different bug if I find the problem is still on the client side.

Comment 3 W. Michael Petullo 2011-06-13 19:44:14 UTC
For the record, I can connect to AKO with the following:

gnutls-cli -d 255 -p 443 www.us.army.mil --priority "NORMAL:-VERS-TLS1.1:-VERS-TLS1.2:%COMPAT"

One of the GnuTLS developers suggested using "--priority".

