l...@gnu.org (Ludovic Courtès) skribis:

> Sometimes, TLS handshakes fail in strange ways (the following happens
> after a dozen of iterations; I’ve enabled GnuTLS debugging in (guix
> build download) here):

Can also be reproduced like this:

--8<---------------cut here---------------start------------->8---
$ while echo 'GET /index.html' | gnutls-cli mirror.hydra.gnu.org ; do : ; done
[...]
Resolving 'mirror.hydra.gnu.org'...
Connecting to '131.159.14.26:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `CN=hydra.gnunet.org', issuer `C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X1', RSA key 2048 bits, signed using RSA-SHA256, activated `2016-03-19 22:26:00 UTC', expires `2016-06-17 22:26:00 UTC', SHA-1 fingerprint `51c20b204469ccf4fa62b471f421f15a55146975'
	Public Key ID:
		ab678bd61d4e942cc835ee7c099be880d98eca89
	Public key's random art:
		+--[ RSA 2048]----+
		| |
		| o |
		| . + o . |
		| o + + |
		| + +S* . |
		| o o . =.= |
		| o o ..= . |
		|o o . oo+ o |
		|E+ .oo.. |
		+-----------------+
- Certificate[1] info:
 - subject `C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X1', issuer `O=Digital Signature Trust Co.,CN=DST Root CA X3', RSA key 2048 bits, signed using RSA-SHA256, activated `2015-10-19 22:33:36 UTC', expires `2020-10-19 22:33:36 UTC', SHA-1 fingerprint `3eae91937ec85d74483ff4b77b07b43e2af36bf4'
- Status: The certificate is trusted.
- Description: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-256-GCM)
- Session ID: 3D:90:F6:7E:0A:B1:58:9B:FE:69:0C:3C:1C:8F:2F:7C:53:FB:5B:0B:86:26:59:C3:E3:98:CF:0C:1E:59:25:3E
- Ephemeral EC Diffie-Hellman parameters
 - Using curve: SECP256R1
 - Curve size: 256 bits
- Version: TLS1.2
- Key Exchange: ECDHE-RSA
- Server Signature: RSA-SHA512
- Cipher: AES-256-GCM
- MAC: AEAD
- Compression: NULL
- Options: safe renegotiation,
- Handshake was completed

- Simple Client Mode:

Processed 525 CA certificate(s).
Resolving 'mirror.hydra.gnu.org'...
Connecting to '131.159.14.26:443'...
*** Fatal error: The operation timed out
*** Handshake has failed
GnuTLS error: The operation timed out
$ gnutls-cli --version
gnutls-cli 3.4.7
--8<---------------cut here---------------end--------------->8---

… or by running this program:

--8<---------------cut here---------------start------------->8---
(use-modules (gnutls)
             (ice-9 match))

;; Resolve the mirror once, then open a fresh TCP connection and run a
;; full TLS handshake on it, over and over, until something fails.
(match (getaddrinfo "mirror.hydra.gnu.org" "https")
  ((addrinfo _ ...)
   (let ((addr (addrinfo:addr addrinfo)))
     (let loop ((i 0))
       (pk 'try i)                              ; print the iteration number
       (let ((socket (socket (addrinfo:fam addrinfo) SOCK_STREAM
                             (addrinfo:protocol addrinfo))))
         (connect socket addr)
         (let ((session (make-session connection-end/client)))
           ;; Send the SNI host name, attach the socket as transport,
           ;; use default priorities and empty X.509 credentials.
           (set-session-server-name! session server-name-type/dns
                                     "mirror.hydra.gnu.org")
           (set-session-transport-fd! session (fileno socket))
           (set-session-default-priority! session)
           (set-session-credentials! session (make-certificate-credentials))
           (handshake session)
           (close-port socket)
           (loop (1+ i))))))))
--8<---------------cut here---------------end--------------->8---

… like this:

--8<---------------cut here---------------start------------->8---
$ guile ./tls.scm
[...]

;;; (try 75)
Backtrace:
In ice-9/boot-9.scm:
 155: 8 [catch #t #<catch-closure 28887e0> ...]
In unknown file:
   ?: 7 [apply-smob/1 #<catch-closure 28887e0>]
In ice-9/boot-9.scm:
  61: 6 [call-with-prompt prompt0 ...]
In ice-9/eval.scm:
 432: 5 [eval # #]
In ice-9/boot-9.scm:
2401: 4 [save-module-excursion #<procedure 28d2a40 at ice-9/boot-9.scm:4045:3 ()>]
4052: 3 [#<procedure 28d2a40 at ice-9/boot-9.scm:4045:3 ()>]
In unknown file:
   ?: 2 [load-compiled/vm "/home/ludo/.cache/guile/ccache/2.0-LE-8-2.0/home/ludo/src/guix/tls.scm.go"]
In /home/ludo/src/guix/./tls.scm:
  18: 1 [#<procedure 29f34a0 ()>]
In unknown file:
   ?: 0 [handshake #<session 2e0c680>]

ERROR: In procedure handshake:
ERROR: Throw to key `gnutls-error' with args `(#<gnutls-error-enum The TLS connection was non-properly terminated.> handshake)'.
--8<---------------cut here---------------end--------------->8---

Ludo’.
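An added diagnostic harness, not part of Ludo's message or of Guix: it repeats the handshake loop above with Python's ssl module, but bounds every attempt with a timeout (the gnutls-cli run hung until "The operation timed out") and counts the two failure shapes seen in the report, the timeout and the abruptly closed connection, separately. Host and port come from the report; the timeout value and the category names are assumptions.

```python
"""Repeated TLS handshake probe with per-attempt timeout and failure tally."""
import socket
import ssl
import time
from collections import Counter

HOST = "mirror.hydra.gnu.org"   # host from the report
PORT = 443
TIMEOUT = 10.0                  # assumed per-attempt bound, in seconds


def classify(exc):
    """Map an exception raised by one attempt to a short category.

    timeout    -> GnuTLS's "The operation timed out"
    eof        -> GnuTLS's "The TLS connection was non-properly terminated"
    tls-error  -> any other TLS-level failure (bad certificate, alert, ...)
    other      -> DNS, refused connection, and everything else
    """
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"
    if isinstance(exc, (ssl.SSLEOFError, ConnectionResetError, EOFError)):
        return "eof"
    if isinstance(exc, ssl.SSLError):
        return "tls-error"
    return "other"


def handshake_once(host=HOST, port=PORT, timeout=TIMEOUT):
    """One real handshake: fresh TCP connection, SNI set, bounded by timeout."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


def run_probes(attempts, attempt=handshake_once):
    """Run `attempt` repeatedly; return (Counter of outcomes, per-try records).

    `attempt` is injectable so the loop can be exercised without a network.
    """
    outcomes, records = Counter(), []
    for i in range(attempts):
        start = time.monotonic()
        try:
            attempt()
            outcome = "ok"
        except Exception as exc:  # every failure kind is of interest here
            outcome = classify(exc)
        outcomes[outcome] += 1
        records.append((i, outcome, round(time.monotonic() - start, 3)))
    return outcomes, records


if __name__ == "__main__":
    summary, log = run_probes(20)
    print(dict(summary))
```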