826293 – Client using gnutls hangs forever because gnutls_record_get_direction() lies.

Bug 826293 - Client using gnutls hangs forever because gnutls_record_get_direction() lies.

Summary: Client using gnutls hangs forever because gnutls_record_get_direction() lies.

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	gnutls
Sub Component:
Version:	16
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Tomas Mraz
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2012-05-29 23:32 UTC by David Woodhouse
Modified:	2012-06-18 12:50 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2012-06-15 12:24:07 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description David Woodhouse 2012-05-29 23:32:45 UTC

Non-blocking use of GnuTLS in an HTTP client. It returns GNUTLS_E_AGAIN and gnutls_record_get_direction() returns zero indicating that it was trying to *read* from the server. But gnutls_record_get_direction() lied. It was trying to *write*, and then we end up waiting for ever for the socket to become readable, while the server is still waiting for us to finish sending the request.

This works if I run my client against libgnutls from Fedora 17. Looks like it was fixed in 2.2.16: http://git.savannah.gnu.org/cgit/gnutls.git/commit/?h=gnutls_2_12_x&id=8fad624a274df3030cf65ceaaedf0b30dcd9fbbe

Comment 1 Fedora Update System 2012-05-30 07:18:24 UTC

gnutls-2.12.14-3.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/gnutls-2.12.14-3.fc16

Comment 2 Fedora Update System 2012-05-31 00:53:18 UTC

Package gnutls-2.12.14-3.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing gnutls-2.12.14-3.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-8617/gnutls-2.12.14-3.fc16
then log in and leave karma (feedback).

Comment 3 Fedora Update System 2012-06-15 12:24:07 UTC

gnutls-2.12.14-3.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 David Woodhouse 2012-06-18 10:18:43 UTC

Hm, why not just update to at least 2.12.16?

There's no easy check for this bug, except the version of GnuTLS. This was the *only* bug fixed in 2.12.16, and there were only two changes in 2.12.15 too; one of which looks like a security bug fix (disable signature algorithms that are not supported for client certificate verification). So updating from 2.12.14 to 2.12.16 should have almost no risk. Going all the way to 2.12.19 should be sane too, and we're already shipping 2.12.19 in Fedora 17 anyway.

If we updated at least to 2.12.16 I'd be able to build upstream OpenConnect as-is.

As things are, for Fedora 16 I have to hack the pkgconfig version check in OpenConnect's configure script. Which is horrid.

Comment 5 Tomas Mraz 2012-06-18 12:50:08 UTC

We could update to 2.12.16 but not later as 2.12.17 already requires p11-kit version that we do not have in Fedora 16. But I won't release additional update without really serious reason.

As for the alleged security fix in 2.12.15 - I do not quite see this as security issue and the gnutls team does not either as they did not announce it as such.

Note You need to log in before you can comment on or make changes to this bug.