Daniel Silverstone & I have been trying to get some debug output of this bug during the Manchester BSP.
It strongly appears to be a bug in the gnutls library, rather than curl, and is also restricted to client certificates only. gnutls is failing in the rehandshake for client certificates. This section of gtls.c:

    if(ret == GNUTLS_E_REHANDSHAKE) {
      /* BLOCKING call, this is bad but a work-around for now. Fixing this "the
         proper way" takes a whole lot of work. */
      CURLcode rc = handshake(conn, num, FALSE, FALSE);
      if(rc)
        /* handshake() writes error message on its own */
        *curlcode = rc;
      else
        *curlcode = CURLE_AGAIN; /* then return as if this was a wouldblock */
      return -1;
    }

Performing a manual gnutls-cli does not work for client certificates when the equivalent command with openssl s_client does work. Tested with:

    gnutls-cli --insecure -p 443 --x509certfile /etc/apt/client-certs/test-client.apt-test.aviatis.com.crt --x509keyfile /etc/apt/client-certs/test-client.apt-test.aviatis.com.key apt-test.aviatis.com

Also tested with libgnutls26 (2.10.2-1) from experimental.

Entering the data:

    GET /apt-cacher/ftp.us.debian.org/debian/dists/squeeze/Release HTTP/1.1
    Host: apt-test.aviatis.com

Gives:

    *** Non fatal error: Rehandshake was requested by the peer.
    *** Received rehandshake request
    *** Fatal error: Unsafe renegotiation denied.
    *** Rehandshake Failed.
    *** Fatal error: An unexpected TLS packet was received.
    *** Server has terminated the connection abnormally.

openssl command:

    openssl s_client -key test-client.apt-test.aviatis.com.key -cert test-client.apt-test.aviatis.com.crt -connect apt-test.aviatis.com:https

-- 
Neil Williams
=============
http://www.linux.codehelp.co.uk/
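The "Unsafe renegotiation denied" line above is what gnutls 2.10 prints when it refuses a server-requested rehandshake because the server did not negotiate the TLS renegotiation_info extension (RFC 5746), which is what a server that asks for the client certificate on a second handshake needs to have. The following added check, not part of the bug report, reuses the report's openssl s_client command and classifies the "Secure Renegotiation IS / IS NOT supported" line that s_client prints after the handshake, so you can tell whether the server is in that situation; the host, key and certificate paths are assumptions taken from the report.

```shell
#!/bin/sh
# Added example (not from the report): decide from openssl s_client output
# whether the server advertised RFC 5746 secure renegotiation.

# Reads s_client output on stdin and prints one of:
#   secure    - server negotiated the renegotiation_info extension
#   insecure  - server did not (gnutls 2.10 will deny a rehandshake with it)
#   unknown   - no verdict line found (handshake failed, output truncated)
renegotiation_status() {
    status=unknown
    while IFS= read -r line; do
        case "$line" in
            *"Secure Renegotiation IS supported"*)     status=secure ;;
            *"Secure Renegotiation IS NOT supported"*) status=insecure ;;
        esac
    done
    printf '%s\n' "$status"
}

# Runs the report's s_client command against a server and classifies the
# result. Host, key and certificate paths are assumptions for illustration.
probe_server() {
    host=${1:-apt-test.aviatis.com}
    key=${2:-test-client.apt-test.aviatis.com.key}
    cert=${3:-test-client.apt-test.aviatis.com.crt}
    openssl s_client -key "$key" -cert "$cert" -connect "$host:443" \
        </dev/null 2>&1 | renegotiation_status
}
```

Run `probe_server` with the real host and paths; "insecure" means the server side (not curl) must gain RFC 5746 support before a gnutls client will complete the client-certificate rehandshake.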