Red Hat Bugzilla – Bug 826293
Client using gnutls hangs forever because gnutls_record_get_direction() lies.
Last modified: 2012-06-18 08:50:08 EDT
Non-blocking use of GnuTLS in an HTTP client. It returns GNUTLS_E_AGAIN and gnutls_record_get_direction() returns zero, indicating that it was trying to *read* from the server. But gnutls_record_get_direction() lied. It was trying to *write*, and then we end up waiting forever for the socket to become readable, while the server is still waiting for us to finish sending the request.
This works if I run my client against libgnutls from Fedora 17. Looks like it was fixed in 2.2.16: http://git.savannah.gnu.org/cgit/gnutls.git/commit/?h=gnutls_2_12_x&id=8fad624a274df3030cf65ceaaedf0b30dcd9fbbe
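The event-loop decision the report describes, as an added example that is not part of this bug report or of GnuTLS itself: after GNUTLS_E_AGAIN a non-blocking client asks gnutls_record_get_direction() which way it was blocked and then waits in poll() for exactly that event. The code below simulates the session (fake_record_send, fake_get_direction, fake_poll are stand-ins constructed here so it compiles without libgnutls; in a real client they are gnutls_record_send(), gnutls_record_get_direction() and poll() on the transport fd) and shows the three outcomes: a library that reports "read" while it needs to write leaves the client stalled, a correct library does not, and a client that waits for POLLIN|POLLOUT regardless of the answer is not stranded by a wrong one. The GNUTLS_E_* values are copied from gnutls/gnutls.h.

```c
/* Added example: models a non-blocking GnuTLS send loop and the
 * hang caused by a wrong gnutls_record_get_direction() answer.
 * The session, send and poll are simulated (constructed here),
 * not real libgnutls calls. */
#include <poll.h>
#include <stdio.h>

/* Values as defined in gnutls/gnutls.h. */
#define GNUTLS_E_AGAIN       (-28)
#define GNUTLS_E_INTERRUPTED (-52)

/* Simulated session state (hypothetical, stands in for gnutls_session_t). */
struct fake_session {
    int pending_write;      /* unflushed TLS output, e.g. the rest of an HTTP request */
    int socket_writable;    /* kernel send buffer currently has room */
    int reported_direction; /* what gnutls_record_get_direction() would return */
};

/* Documented mapping of the direction answer: 0 = read, 1 = write. */
short events_for_direction(int direction) { return direction ? POLLOUT : POLLIN; }

/* Defensive alternative: wait on both, so a wrong answer cannot strand us. */
short events_defensive(void) { return POLLIN | POLLOUT; }

/* Stand-in for gnutls_record_send(): blocks while the socket is not writable. */
static int fake_record_send(struct fake_session *s) {
    if (s->pending_write > 0 && !s->socket_writable) return GNUTLS_E_AGAIN;
    s->pending_write = 0;
    return 0;
}

/* Stand-in for gnutls_record_get_direction(). */
static int fake_get_direction(const struct fake_session *s) { return s->reported_direction; }

/* Stand-in for poll(): the send buffer drains (POLLOUT would be ready), but the
 * server sends nothing until it has the whole request, so POLLIN never fires.
 * Returns the subset of the requested events that are ready (0 = timeout). */
static short fake_poll(struct fake_session *s, short wanted) {
    s->socket_writable = 1;
    return wanted & POLLOUT;
}

/* Drive one record send to completion. Returns 1 on success, 0 if the client
 * is still waiting after max_timeouts poll timeouts (the hang in the report). */
int drive_send(struct fake_session *s, int trust_direction, int max_timeouts) {
    int timeouts = 0;
    for (;;) {
        int ret = fake_record_send(s);
        if (ret == 0) return 1;
        if (ret != GNUTLS_E_AGAIN && ret != GNUTLS_E_INTERRUPTED) return 0;
        short wanted = trust_direction ? events_for_direction(fake_get_direction(s))
                                       : events_defensive();
        /* Keep waiting for the event we asked for; only retry once it is reported. */
        while (fake_poll(s, wanted) == 0) {
            if (++timeouts >= max_timeouts) return 0;
        }
    }
}

/* Scenario helper: 100 bytes pending, socket initially full. */
int scenario(int reported_direction, int trust_direction) {
    struct fake_session s = { 100, 0, reported_direction };
    return drive_send(&s, trust_direction, 3);
}

int main(void) {
    printf("buggy library, trust direction : %s\n", scenario(0, 1) ? "done" : "stalled");
    printf("fixed library, trust direction : %s\n", scenario(1, 1) ? "done" : "stalled");
    printf("buggy library, wait on both    : %s\n", scenario(0, 0) ? "done" : "stalled");
    return 0;
}
```

Waiting on both directions costs a possible spurious wake-up per blocked call, so it is a workaround for clients that must run against an affected library rather than a replacement for the version check the thread settles on.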
gnutls-2.12.14-3.fc16 has been submitted as an update for Fedora 16.
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing gnutls-2.12.14-3.fc16'
as soon as you are able to.
Please go to the following URL:
then log in and leave karma (feedback).
gnutls-2.12.14-3.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
Hm, why not just update to at least 2.12.16?
There's no easy check for this bug, except the version of GnuTLS. This was the *only* bug fixed in 2.12.16, and there were only two changes in 2.12.15 too, one of which looks like a security bug fix (disable signature algorithms that are not supported for client certificate verification). So updating from 2.12.14 to 2.12.16 should have almost no risk. Going all the way to 2.12.19 should be sane too, and we're already shipping 2.12.19 in Fedora 17 anyway.
If we updated at least to 2.12.16 I'd be able to build upstream OpenConnect as-is.
As things are, for Fedora 16 I have to hack the pkgconfig version check in OpenConnect's configure script. Which is horrid.
We could update to 2.12.16 but not later, as 2.12.17 already requires a p11-kit version that we do not have in Fedora 16. But I won't release an additional update without a really serious reason.
As for the alleged security fix in 2.12.15 - I do not quite see this as a security issue, and the gnutls team does not either, as they did not announce it as such.