Bug 826293 - Client using gnutls hangs forever because gnutls_record_get_direction() lies.
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: gnutls
Version: 16
Assigned To: Tomas Mraz
Reported: 2012-05-29 19:32 EDT by David Woodhouse
Modified: 2012-06-18 08:50 EDT
Last Closed: 2012-06-15 08:24:07 EDT
Description David Woodhouse 2012-05-29 19:32:45 EDT
Non-blocking use of GnuTLS in an HTTP client. It returns GNUTLS_E_AGAIN and gnutls_record_get_direction() returns zero indicating that it was trying to *read* from the server. But gnutls_record_get_direction() lied. It was trying to *write*, and then we end up waiting for ever for the socket to become readable, while the server is still waiting for us to finish sending the request.

This works if I run my client against libgnutls from Fedora 17. Looks like it was fixed in 2.2.16: http://git.savannah.gnu.org/cgit/gnutls.git/commit/?h=gnutls_2_12_x&id=8fad624a274df3030cf65ceaaedf0b30dcd9fbbe
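
The failure mode described above, as an added example that is not part of the original report and is not GnuTLS or OpenConnect code: a non-blocking send loop that uses the reported direction to pick the poll event but bounds every wait, so a wrong direction costs one time slice instead of hanging the client. `struct tls_io`, `TLS_AGAIN`, `tls_send_bounded` and the fake session are hypothetical stand-ins so the block builds without libgnutls.

```c
#include <poll.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Stand-ins so this compiles without libgnutls (assumed names, not GnuTLS API):
 * send ~ gnutls_record_send(), direction ~ gnutls_record_get_direction()
 * (0 = waiting to read, 1 = waiting to write), TLS_AGAIN ~ GNUTLS_E_AGAIN. */
#define TLS_AGAIN (-28)
enum { SEND_TIMEOUT = -1000, SEND_POLL_ERROR = -1001 };
struct tls_io {
    ssize_t (*send)(struct tls_io *io, const void *buf, size_t len);
    int (*direction)(struct tls_io *io);
    int fd, again_left;
};

/* The reported direction picks the event to wait for, but each wait is bounded;
 * after a timeout the next wait covers both directions. */
ssize_t tls_send_bounded(struct tls_io *io, const void *buf, size_t len,
                         int slice_ms, int max_tries)
{
    int both = 0;
    for (int i = 0; i < max_tries; i++) {
        ssize_t n = io->send(io, buf, len);
        if (n != TLS_AGAIN) return n;         /* done, or a fatal error */
        struct pollfd p = { .fd = io->fd };
        p.events = both ? (POLLIN | POLLOUT)
                        : (io->direction(io) ? POLLOUT : POLLIN);
        int r = poll(&p, 1, slice_ms);
        if (r < 0) return SEND_POLL_ERROR;
        both = (r == 0);                      /* timed out: distrust the direction */
    }
    return SEND_TIMEOUT;
}

/* Constructed fake session reproducing the report: the send is still pending
 * (AGAIN) while direction() always claims "read". */
static ssize_t fake_send(struct tls_io *io, const void *b, size_t len)
{ (void)b; return io->again_left-- > 0 ? TLS_AGAIN : (ssize_t)len; }
static int fake_direction(struct tls_io *io) { (void)io; return 0; }

ssize_t demo(int again_count, int max_tries)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return SEND_POLL_ERROR;
    struct tls_io io = { fake_send, fake_direction, sv[0], again_count };
    ssize_t n = tls_send_bounded(&io, "GET / HTTP/1.1\r\n\r\n", 18, 20, max_tries);
    close(sv[0]); close(sv[1]);
    return n;
}
```

`demo(1, 5)` completes the 18-byte send after one 20 ms slice even though the fake session reports the wrong direction; `demo(100, 3)` returns `SEND_TIMEOUT` instead of blocking.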
Comment 1 Fedora Update System 2012-05-30 03:18:24 EDT
gnutls-2.12.14-3.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/gnutls-2.12.14-3.fc16
Comment 2 Fedora Update System 2012-05-30 20:53:18 EDT
Package gnutls-2.12.14-3.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing gnutls-2.12.14-3.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-8617/gnutls-2.12.14-3.fc16
then log in and leave karma (feedback).
Comment 3 Fedora Update System 2012-06-15 08:24:07 EDT
gnutls-2.12.14-3.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 David Woodhouse 2012-06-18 06:18:43 EDT
Hm, why not just update to at least 2.12.16?

There's no easy check for this bug, except the version of GnuTLS. This was the *only* bug fixed in 2.12.16, and there were only two changes in 2.12.15 too; one of which looks like a security bug fix (disable signature algorithms that are not supported for client certificate verification). So updating from 2.12.14 to 2.12.16 should have almost no risk. Going all the way to 2.12.19 should be sane too, and we're already shipping 2.12.19 in Fedora 17 anyway.

If we updated at least to 2.12.16 I'd be able to build upstream OpenConnect as-is.

As things are, for Fedora 16 I have to hack the pkgconfig version check in OpenConnect's configure script. Which is horrid.
Comment 5 Tomas Mraz 2012-06-18 08:50:08 EDT
We could update to 2.12.16 but not later as 2.12.17 already requires a p11-kit version that we do not have in Fedora 16. But I won't release an additional update without a really serious reason.

As for the alleged security fix in 2.12.15 - I do not quite see this as a security issue and the gnutls team does not either as they did not announce it as such.
