A new bug number has been assigned to your report, #532752. Mike <st...@mikepalmer.net> writes:
> Simon Josefsson wrote:
>> I just realized I wasn't clear what the likely cause of your problem is.
>> The problem may be caused by the server you are talking to. Can you
>> access the servers that your clients use from your location? Then
>> running 'gnutls-cli -d 4711' against that host may give enough details
>> to resolve it.
>>
>> Earlier bug reports of this kind suggest that the server is buggy
>> (which can be worked around), but it may also be that the Cisco box is
>> filtering out the traffic if you are only seeing the problem behind
>> those boxes.
>>
>> /Simon
>>
>
> Hi Simon,
>
> I'm not really supposed to be doing this but this is from the
> Cisco ASA network. I have no admin on anything outside of this box so
> I won't understand the configuration past seeing it dynamically
> redirect packets down different routes:
>
> # gnutls-cli -d 4711 <our_host_here>
> ...
> |<7>| READ: -1 returned from 4, errno=104 gerrno=0

The server disconnects after seeing the client hello. Please try these variants:

disable TLS1.1:

    gnutls-cli -d 4711 <our_host_here> --priority NORMAL:-VERS-TLS1.1

disable ctype extension:

    gnutls-cli -d 4711 <our_host_here> --priority NORMAL:-CTYPE-OPENPGP

disable server name extension:

    gnutls-cli -d 4711 <our_host_here> --disable-extensions

disable ctype+servername (i.e., all) extensions:

    gnutls-cli -d 4711 <our_host_here> --priority NORMAL:-CTYPE-OPENPGP --disable-extensions

disable TLS1.1 and all extensions:

    gnutls-cli -d 4711 <our_host_here> --priority NORMAL:-VERS-TLS1.1:-CTYPE-OPENPGP --disable-extensions

> But let's try a known example like www.yahoo.com from the same network:
>
> gnutls-cli -d 4711 www.yahoo.com
> ...
> |<7>| READ: -1 returned from 4, errno=104 gerrno=0

Yeah, the firewall drops the connection. Connecting from my network works fine.
> Now for outside verification with an example you can try yourself
> (this one is on my home network and should work for you too):
>
> # gnutls-cli -d 4711 www1.banking.first-direct.com
> ...
> |<7>| READ: Got 0 bytes from 4

This error is actually different. It doesn't disconnect, but just sends a zero-byte response which causes the client to disconnect. This works:

    gnutls-cli -d 4711 www1.banking.first-direct.com --priority NORMAL:-VERS-TLS1.1

> All of these handshake correctly without problems under openssl on the
> same systems in the same networks against the same targets. Let me
> know if there is anything else I can do to help identify anything with
> gnutls.

OpenSSL does not use any of TLS 1.1, server name extension, or ctype extension. I guess one or more of them triggers the problem. To work around the problem, you need to disable the feature causing the problem. I don't think this indicates any GnuTLS problem.

/Simon
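As an added example (not part of this thread or of GnuTLS), a small POSIX sh helper that sorts a `gnutls-cli -d 4711` transcript into the three outcomes distinguished above (TCP reset after the client hello, zero-byte close, successful handshake) and then runs the priority variants Simon lists against one host so the results can be compared side by side. The sample transcripts are constructed from the lines quoted in the thread; the `- Handshake was completed` success line is assumed from gnutls-cli's normal output.

```shell
#!/bin/sh
# Added example: classify gnutls-cli debug transcripts and drive the
# variant runs from the thread. Not code from the bug report or GnuTLS.

# Read one gnutls-cli -d 4711 transcript from stdin and print a verdict:
#   ok      - handshake finished
#   reset   - peer sent RST after the client hello (errno=104, ECONNRESET)
#   eof     - peer closed cleanly before sending a server hello
#   unknown - none of the above markers seen
classify_handshake() {
  out=$(cat)
  case "$out" in
    *"Handshake was completed"*)                     echo "ok" ;;
    *"READ: -1 returned from"*"errno=104"*)          echo "reset" ;;
    *"READ: Got 0 bytes"*)                           echo "eof" ;;
    *)                                               echo "unknown" ;;
  esac
}

# Constructed sample transcripts, trimmed to the decisive lines quoted
# in the thread plus an assumed success marker.
SAMPLE_RESET='|<7>| READ: -1 returned from 4, errno=104 gerrno=0
*** Fatal error: A TLS packet with unexpected length was received.'
SAMPLE_EOF='|<7>| READ: Got 0 bytes from 4
*** Fatal error: A TLS packet with unexpected length was received.'
SAMPLE_OK='- Handshake was completed
- Simple Client Mode:'

# Run the variants from the thread against one host and print a verdict
# per variant. Needs network access and gnutls-cli; the automated checks
# below only exercise classify_handshake on the constructed samples.
probe_variants() {
  host=$1
  set -- "--priority NORMAL" \
         "--priority NORMAL:-VERS-TLS1.1" \
         "--priority NORMAL:-CTYPE-OPENPGP" \
         "--disable-extensions" \
         "--priority NORMAL:-CTYPE-OPENPGP --disable-extensions" \
         "--priority NORMAL:-VERS-TLS1.1:-CTYPE-OPENPGP --disable-extensions"
  for args in "$@"; do
    printf '%-64s ' "$args"
    # $args is split on purpose: each entry is a full argument list.
    # shellcheck disable=SC2086
    gnutls-cli -d 4711 "$host" $args </dev/null 2>&1 | classify_handshake
  done
}
```

Run `probe_variants <our_host_here>` from inside the affected network; the first variant that reports `ok` names the feature the middlebox or server is choking on.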