l...@gnu.org (Ludovic Courtès) skribis:
> $ while ./pre-inst-env guix download https://mirror.hydra.gnu.org/index.html
> ; do : ; done
Interestingly, the same loop with wget (which uses the very same GnuTLS)
goes on forever.
It turns out that instead of the default TLS cipher suite priority
string (“NORMAL”), wget does:
--8<---------------cut here---------------start------------->8---
case secure_protocol_auto:
err = gnutls_priority_set_direct (session, "NORMAL:%COMPAT:-VERS-SSL3.0",
NULL);
break;
--8<---------------cut here---------------end--------------->8---
The code doesn’t explain why, but GnuTLS’s documentation has this bit
(info "(gnutls) Priority Strings"):
--8<---------------cut here---------------start------------->8---
%COMPAT will enable compatibility
mode. It might mean that
violations of the protocols
are allowed as long as maximum
compatibility with problematic
clients and servers is
achieved. More specifically
this string would disable TLS
record random padding,
tolerate packets over the
maximum allowed TLS record,
and add a padding to TLS
Client Hello packet to prevent
it being in the 256-512 range
which is known to be causing
issues with a commonly used
firewall.
--8<---------------cut here---------------end--------------->8---
Indeed, as soon as we add %COMPAT, ‘gnutls-cli’ et al. send a 253-byte
client hello (instead of 261) and the problem vanishes.
Commit 967ee481e893fd77ff8ca896188e20e425331bf2 does that.
Ludo’.
