Good Morning Kurt,

just one question. I think Alessandro reassigned the bug to both libssl and libgnutls. Am I correct?

Question is because specifying the protocol solves the problem with libssl, not with libgnutls. When I test wget with --secure-protocol it works fine when compiled with libssl but it keeps failing with libgnutls. Could you please confirm the fact that the case is still open in libgnutls or should I file a new bug?

Best regards.
Francisco.

________________________________
From: Debian Bug Tracking System <ow...@bugs.debian.org>
To: rodrifra <sable_la...@yahoo.es>
Sent: Wednesday, 22 May 2013 18:21
Subject: Bug#709292 closed by Kurt Roeckx <k...@roeckx.be> (Re: Bug#709292: curl: Connection to https server produces SSL error.)

This is an automatic notification regarding your Bug report
which was filed against the libssl1.0.0 package:

#709292: libssl1.0.0: "decryption failed or bad record mac" during handshake

It has been closed by Kurt Roeckx <k...@roeckx.be>.

Their explanation is attached below along with your original report.
If this explanation is unsatisfactory and you have not received a
better one in a separate message then please contact Kurt Roeckx <k...@roeckx.be> by
replying to this email.

--
709292: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=709292
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

On Wed, May 22, 2013 at 02:32:29PM +0200, Alessandro Ghedini wrote:
> reassign 709292 libssl1.0.0
> retitle 709292 libssl1.0.0: "decryption failed or bad record mac" during handshake
> clone 709292 -1
> reassign -1 libgnutls26
> retitle -1 libgnutls26: segfaults during handshake
> severity -1 important
> affects -1 wget
> kthxbye
>
> On Wed, May 22, 2013 at 01:37:35PM +0200, rodrifra wrote:
> > Package: curl
> > Version: 7.26.0-1+wheezy2
> > Severity: normal
> >
> > Dear Maintainer,
> >
> > Executing the following:
> > curl -o pruebacurl.html https://sede.dgt.gob.es/sede/faces/paginas/testra/testraIframe.xhtml?pagina=consulta.html
> > Produced the next error:
> > error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
> >
> > Forcing SSLv3 solves the problem:
> > curl -3 -o pruebacurl.html https://sede.dgt.gob.es/sede/faces/paginas/testra/testraIframe.xhtml?pagina=consulta.html
>
> If there's any bug, it's probably in the server's SSL implementation, since it
> can't do a proper TLS handshake, in any case it's not curl's fault. I'm
> reassigning this to openssl (which is what curl uses) to make sure there's
> nothing wrong with it.

Yes, this is the server's problem, nothing you can do about it other than downgrading to a lower TLS version. TLS 1.0 should work in most cases.

About 1% of the servers are known to have this problem. The problem is that we announce that we support TLS 1.2 to the server, and the server should reply that it only supports 1.0, but just closes the connection or does something else weird.

This is why you also see this with gnutls. There is nothing we can do in openssl or gnutls about this.

What could be done is that something like curl or wget tries to connect again with a lower TLS version. But if you automate this, you also need to think about version downgrade attacks.

Since we can't actually fix anything, and curl and wget have options to use a lower protocol version, I'm just going to close this bug.

Kurt

Package: curl
Version: 7.26.0-1+wheezy2
Severity: normal

Dear Maintainer,

Executing the following:
curl -o pruebacurl.html https://sede.dgt.gob.es/sede/faces/paginas/testra/testraIframe.xhtml?pagina=consulta.html
Produced the next error:
error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac

Forcing SSLv3 solves the problem:
curl -3 -o pruebacurl.html https://sede.dgt.gob.es/sede/faces/paginas/testra/testraIframe.xhtml?pagina=consulta.html

wget has same problem in latest stable version, but oldstable works fine.

-- System Information:
Debian Release: 7.0
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages curl depends on:
ii  libc6     2.13-38
ii  libcurl3  7.26.0-1+wheezy2
ii  zlib1g    1:1.2.7.dfsg-13

curl recommends no packages.

curl suggests no packages.

-- no debconf information
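
Kurt's reply in this thread says a client could retry with a lower TLS version, but that automating the retry means thinking about version downgrade attacks. The sketch below is an added example, not code from this thread or from curl, wget, OpenSSL or GnuTLS: it retries at a lower version only for hosts on an explicit allowlist of known version-intolerant servers and fails closed for everyone else. The names `LADDER`, `handshake`, `connect_with_fallback` and `known_intolerant` are hypothetical.

```python
import socket
import ssl

# Highest version first; the floor is TLS 1.0, the version the thread says usually works.
LADDER = [ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1]


def handshake(host, port, max_version, timeout=10.0):
    """Do one real handshake capped at max_version; return the negotiated version."""
    ctx = ssl.create_default_context()   # certificate and hostname checks stay on
    ctx.minimum_version = LADDER[-1]
    ctx.maximum_version = max_version    # local OpenSSL policy may still refuse old versions
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


def connect_with_fallback(host, port, known_intolerant, connect=handshake):
    """Return (negotiated_version, attempts); retry lower only for allowlisted hosts.

    This sketch does not send TLS_FALLBACK_SCSV (RFC 7507), so the allowlist
    is the only downgrade guard it has.
    """
    attempts = []
    for cap in LADDER:
        try:
            negotiated = connect(host, port, cap)
            attempts.append((cap.name, "ok"))
            return negotiated, attempts
        except ssl.SSLCertVerificationError:
            raise                        # a bad certificate is never a reason to retry lower
        except (ssl.SSLError, ConnectionError) as exc:
            attempts.append((cap.name, type(exc).__name__))
            if host not in known_intolerant:
                # An on-path attacker can forge exactly this failure to force a
                # weaker version, so unknown hosts fail closed at the first error.
                raise
    raise ssl.SSLError(f"{host}: handshake failed at every allowed version: {attempts}")
```

The returned `attempts` list is worth logging: a host that suddenly needs a fallback it did not need before is a signal to investigate, not to extend the allowlist.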