Control: tags 945507 + patch

On Mon 2019-11-25 21:18:02 -0500, Daniel Kahn Gillmor wrote:

> Note from the pcaps that the gnutls-cli connection manages to negotiate
> TLS 1.3, while the systemd-resolved connection only manages to elicit a
> TLS 1.2 response from the server for some reason.
>
> I'm seeing this error in systemd-resolved with libgnutls30 3.6.10-5, but
> I also tried this while rolling back to older versions of libgnutls30 --
> version 3.6.7-4 from buster, for example -- and it didn't fix the
> problem.
>
> So I think the issue is something to do with the way that libgnutls is
> being initialized in this version of systemd.
I think this might be related to upstream commit
68805580209cfaa50b2400d1a2e6c66500001395, which fixes
https://github.com/systemd/systemd/issues/13528

I'm attaching an attempt at importing this patch from upstream. It
applies and builds fine, but an unrelated part of the dh_auto_test failed
for me (https://github.com/systemd/systemd/issues/14152)

--dkg
From c0f72da3630655cdfdc8a7c2605501b91ad9aa90 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor <d...@fifthhorseman.net> Date: Mon, 25 Nov 2019 21:49:46 -0500 Subject: [PATCH 1/1] try to address #945507 --- ...ion-failures-with-TLS-1.3-and-GnuTLS.patch | 31 +++++++++++++++++++ debian/patches/series | 1 + 2 files changed, 32 insertions(+) create mode 100644 debian/patches/resolved-fix-connection-failures-with-TLS-1.3-and-GnuTLS.patch diff --git a/debian/patches/resolved-fix-connection-failures-with-TLS-1.3-and-GnuTLS.patch b/debian/patches/resolved-fix-connection-failures-with-TLS-1.3-and-GnuTLS.patch new file mode 100644 index 0000000000..0a9e3b4194 --- /dev/null +++ b/debian/patches/resolved-fix-connection-failures-with-TLS-1.3-and-GnuTLS.patch 
@@ -0,0 +1,31 @@ +From: Peter Wu <pe...@lekensteyn.nl> +Date: Sun, 20 Oct 2019 18:10:31 +0100 +Subject: resolved: fix connection failures with TLS 1.3 and GnuTLS + +Prefer TLS 1.3 before TLS 1.2 for DNS-over-TLS support, otherwise +servers compliant with RFC 8446 might end up agreeing TLS 1.2 plus a +downgrade signal which is not expected by GnuTLS clients. This manifests +in the following error: + + Failed to invoke gnutls_handshake: An illegal parameter has been received. + +Fixes: #13528 +Fixes: v242-962-g9c0624dcdb ("resolved: support TLS 1.3 when using GnuTLS for DNS-over-TLS") +(cherry picked from commit 68805580209cfaa50b2400d1a2e6c66500001395) +--- + src/resolve/resolved-dnstls-gnutls.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/resolve/resolved-dnstls-gnutls.c b/src/resolve/resolved-dnstls-gnutls.c +index 06d635f..7ad9662 100644 +--- a/src/resolve/resolved-dnstls-gnutls.c ++++ b/src/resolve/resolved-dnstls-gnutls.c +@@ -10,7 +10,7 @@ + #include "resolved-dnstls.h" + + #if GNUTLS_VERSION_NUMBER >= 0x030600 +-#define PRIORTY_STRING "NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3" ++#define PRIORTY_STRING "NORMAL:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2" + #else + #define PRIORTY_STRING "NORMAL:-VERS-ALL:+VERS-TLS1.2" + #endif diff --git a/debian/patches/series b/debian/patches/series index 0735c48a53..fb0ff26618 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -106,3 +106,4 @@ debian/Drop-seccomp-system-call-filter-for-udev.patch debian/blacklist-upstream-test-25.patch debian/blacklist-upstream-test-24-ppc64el.patch udev-drop-SystemCallArchitectures-native-from-systemd-ude.patch +resolved-fix-connection-failures-with-TLS-1.3-and-GnuTLS.patch -- 2.24.0
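Review bot: in the resolved-dnstls-gnutls.c hunk, the `#if GNUTLS_VERSION_NUMBER >= 0x030600` branch swaps the order of the two `+VERS-` tokens in PRIORTY_STRING with no comment saying that the order is load-bearing, so a later cleanup that sorts the list back to ascending order would silently reintroduce the "Failed to invoke gnutls_handshake: An illegal parameter has been received" failure the commit message describes. Suggest a one-line comment above the define, for example `/* TLS 1.3 must be listed before TLS 1.2, see systemd issue #13528 */`, either in this backport or as a follow-up upstream. The `#else` branch for older GnuTLS is unchanged and unaffected, and the pre-existing misspelling of PRIORTY_STRING is best left alone in a cherry-pick so the patch stays identical to upstream.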
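Review bot: the new debian/patches/resolved-fix-connection-failures-with-TLS-1.3-and-GnuTLS.patch carries the upstream `Fixes:` lines and the `(cherry picked from commit 68805580209cfaa50b2400d1a2e6c66500001395)` trailer but no DEP-3 `Bug-Debian:` header, so the only link to this bug is the outer commit subject "try to address #945507". Suggest adding `Bug-Debian: https://bugs.debian.org/945507` (and, for tooling that expects it, `Origin: upstream, https://github.com/systemd/systemd/commit/68805580209cfaa50b2400d1a2e6c66500001395`) to the header block before the `---` separator. Appending the entry at the end of debian/patches/series, without a `debian/` prefix, matches how the other upstream cherry-picks listed there (such as udev-drop-SystemCallArchitectures-native-from-systemd-ude.patch) are recorded.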
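The "downgrade signal" named in the commit message is the sentinel that RFC 8446 section 4.1.3 requires a TLS 1.3-capable server to write into the last eight bytes of ServerHello.random whenever it settles on TLS 1.2 or lower, and "An illegal parameter has been received" is the illegal_parameter alert a client that offered TLS 1.3 must raise on seeing it. The following is an added example written for this page, not systemd or GnuTLS code, that implements that client-side check over constructed ServerHello.random values; the helper and scenario names (check_server_hello, make_server_random, scenario_rfc8446_server_picks_tls12, scenario_legacy_server_picks_tls12) and the filler bytes are my own.

```c
/* Added example, not systemd or GnuTLS code: the client-side downgrade
 * protection check from RFC 8446 section 4.1.3.  A server that supports
 * TLS 1.3 but ends up negotiating TLS 1.2 writes a fixed sentinel into the
 * last 8 bytes of ServerHello.random; a client that offered TLS 1.3 must
 * treat that sentinel as illegal_parameter and abort the handshake. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS_VERSION_1_1 0x0302
#define TLS_VERSION_1_2 0x0303
#define TLS_VERSION_1_3 0x0304

/* "DOWNGRD" followed by 0x01 (server negotiated TLS 1.2) or 0x00 (TLS 1.1
 * or below), exactly as listed in RFC 8446 section 4.1.3. */
static const uint8_t DOWNGRADE_TLS12[8] = {0x44, 0x4F, 0x57, 0x4E, 0x47, 0x52, 0x44, 0x01};
static const uint8_t DOWNGRADE_TLS11[8] = {0x44, 0x4F, 0x57, 0x4E, 0x47, 0x52, 0x44, 0x00};

enum hello_verdict { HELLO_OK = 0, HELLO_ILLEGAL_PARAMETER = 1 };

/* client_max is the highest version the client offered: 0x0304 for a build
 * whose priority string enables TLS 1.3, 0x0303 for the TLS 1.2-only build. */
enum hello_verdict check_server_hello(const uint8_t server_random[32],
                                      uint16_t negotiated, uint16_t client_max)
{
    const uint8_t *tail = server_random + 24;

    /* Nothing to check when TLS 1.3 itself was negotiated. */
    if (negotiated >= TLS_VERSION_1_3)
        return HELLO_OK;

    /* Only a client that offered TLS 1.3 is required to look for the
     * sentinel; a TLS 1.2-only client sees the tail as ordinary randomness
     * (RFC 8446 makes the TLS 1.1 sentinel check a SHOULD for such clients;
     * this example leaves that optional check out). */
    if (client_max < TLS_VERSION_1_3)
        return HELLO_OK;

    if (memcmp(tail, DOWNGRADE_TLS12, 8) == 0 || memcmp(tail, DOWNGRADE_TLS11, 8) == 0)
        return HELLO_ILLEGAL_PARAMETER;

    return HELLO_OK;
}

/* Constructed ServerHello.random: 24 filler bytes plus an 8-byte tail.  A
 * real server fills the first 24 bytes from its CSPRNG. */
void make_server_random(uint8_t out[32], const uint8_t tail[8])
{
    memset(out, 0xA5, 24);
    memcpy(out + 24, tail, 8);
}

/* The situation in the commit message: an RFC 8446-compliant server that
 * supports TLS 1.3 agrees TLS 1.2 and therefore stamps the TLS 1.2 sentinel. */
enum hello_verdict scenario_rfc8446_server_picks_tls12(uint16_t client_max)
{
    uint8_t server_random[32];
    make_server_random(server_random, DOWNGRADE_TLS12);
    return check_server_hello(server_random, TLS_VERSION_1_2, client_max);
}

/* A server with no TLS 1.3 support negotiating TLS 1.2 writes no sentinel
 * (constructed arbitrary tail), so the same client proceeds. */
enum hello_verdict scenario_legacy_server_picks_tls12(uint16_t client_max)
{
    static const uint8_t plain_tail[8] = {0x10, 0x32, 0x54, 0x76, 0x98, 0xBA, 0xDC, 0xFE};
    uint8_t server_random[32];
    make_server_random(server_random, plain_tail);
    return check_server_hello(server_random, TLS_VERSION_1_2, client_max);
}

static const char *describe(enum hello_verdict v)
{
    return v == HELLO_ILLEGAL_PARAMETER ? "illegal_parameter (handshake aborted)" : "ok";
}

int main(void)
{
    printf("TLS 1.3-capable client, RFC 8446 server picks TLS 1.2: %s\n",
           describe(scenario_rfc8446_server_picks_tls12(TLS_VERSION_1_3)));
    printf("TLS 1.2-only client, same server:                      %s\n",
           describe(scenario_rfc8446_server_picks_tls12(TLS_VERSION_1_2)));
    printf("TLS 1.3-capable client, server without TLS 1.3:        %s\n",
           describe(scenario_legacy_server_picks_tls12(TLS_VERSION_1_3)));
    return 0;
}
```

The first scenario is the systemd-resolved failure: the client offered TLS 1.3, the server chose TLS 1.2 and, being RFC 8446-compliant, stamped the sentinel, so the client correctly refuses to continue. The second scenario is why the TLS 1.2-only `#else` build never sees the error, and the third is why older, non-TLS 1.3 servers keep working either way. Reordering PRIORTY_STRING changes what gets negotiated, which is the left-hand side of this check; the check itself is behaviour RFC 8446 requires of every TLS 1.3 client and is not something a client should relax.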