Hi,

With the latest snapshot on amd64 (OpenBSD 6.2-current (GENERIC.MP) #263: Fri Dec  8 18:19:04 MST 2017), I have random failures with nc when using TLS.


$ date ; nc -vvc www.free.fr 443
Sat Dec  9 09:05:34 CET 2017
Connection to www.free.fr 443 port [tcp/https] succeeded!
nc: tls handshake failed (handshake failed: error:140020BF:SSL routines:CONNECT_CW_CLNT_HELLO:no protocols available)

$ date ; nc -vvc www.free.fr 443
Sat Dec  9 09:05:35 CET 2017
Connection to www.free.fr 443 port [tcp/https] succeeded!
TLS handshake negotiated TLSv1.2/ECDHE-RSA-AES128-GCM-SHA256 with host www.free.fr
Peer name: www.free.fr
Subject: /CN=*.free.fr
Issuer: /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
Valid From: Thu Jul 27 02:00:00 2017
Valid Until: Thu Aug  8 01:59:59 2019
Cert Hash: SHA256:9f32a1e1feee258fe14d103af98a017f208cd4795d88c681130919031e5d817d
OCSP URL: http://gp.symcd.com
^C

If I pass an additional "-T protocols=default", it seems to connect
reliably.

I dug a bit inside the nc source code without finding any problem. But in
tls_config_parse_protocols(), there could be one.

tls_config_parse_protocols() should return 0 or -1 and put the result
inside the *protocols parameter.

man page:
     The tls_config_parse_protocols() utility function parses a protocol
     string and returns the corresponding value via the protocols argument.

If protostr is NULL, it currently returns TLS_PROTOCOLS_DEFAULT
instead of putting it inside *protocols.


But I am unsure why nc(1) works sometimes...

By recompiling and installing the patched libtls (and recompiling nc),
it seems the problem is corrected.

thanks.
-- 
Sebastien Marie


Index: tls_config.c
===================================================================
RCS file: /cvs/src/lib/libtls/tls_config.c,v
retrieving revision 1.44
diff -u -p -r1.44 tls_config.c
--- tls_config.c        25 Sep 2017 18:07:03 -0000      1.44
+++ tls_config.c        9 Dec 2017 08:17:02 -0000
@@ -311,8 +311,10 @@ tls_config_parse_protocols(uint32_t *pro
        char *s, *p, *q;
        int negate;
 
-       if (protostr == NULL)
-               return TLS_PROTOCOLS_DEFAULT;
+       if (protostr == NULL) {
+               *protocols = TLS_PROTOCOLS_DEFAULT;
+               return (0);
+       }
 
        if ((s = strdup(protostr)) == NULL)
                return (-1);
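Review bot: the NULL branch is the right place to fix, and the reason the old code "sometimes" worked is visible in the removed lines: `return TLS_PROTOCOLS_DEFAULT;` hands back a non-zero protocol mask as the return value and never stores anything through `*protocols`, so a caller that treats only -1 as failure goes on with whatever its variable already held. That matches the intermittent "no protocols available" handshake failure above and its disappearance with an explicit "-T protocols=default" (a non-NULL string, which takes the strdup() path and does write `*protocols`). With the new `*protocols = TLS_PROTOCOLS_DEFAULT; return (0);` the function finally matches the quoted tls_config_parse_protocols(3) text, so no man page change is needed. Worth checking before commit: any other caller of tls_config_parse_protocols() in the tree that assigned the return value to a mask on a NULL string now receives 0 instead of the default and must read `*protocols`. Style: `return (0);` follows the `return (-1);` form used in the surrounding context.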

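The report above describes the broken contract in words; the following is an added example (not libtls or nc code, and not part of the original message) that models both the pre-patch and post-patch behaviour of the NULL branch beside a caller that, like nc(1), only checks for -1. The bit values, the names parse_protocols_old, parse_protocols_fixed and configure, and the small list parser are all this example's own assumptions; the "stale" argument is a constructed stand-in for whatever an uninitialised variable happened to contain, so the run is deterministic.

```c
#include <stdint.h>
#include <string.h>

/* Bit values modelled on libtls's tls.h; the values and every function
 * below are this example's own assumptions, not libtls code. */
#define TLS_PROTOCOL_TLSv1_0	(1 << 1)
#define TLS_PROTOCOL_TLSv1_1	(1 << 2)
#define TLS_PROTOCOL_TLSv1_2	(1 << 3)
#define TLS_PROTOCOLS_ALL	(TLS_PROTOCOL_TLSv1_0 | TLS_PROTOCOL_TLSv1_1 | \
				 TLS_PROTOCOL_TLSv1_2)
#define TLS_PROTOCOLS_DEFAULT	TLS_PROTOCOL_TLSv1_2

static const struct { const char *name; uint32_t mask; } keywords[] = {
	{ "default", TLS_PROTOCOLS_DEFAULT }, { "all", TLS_PROTOCOLS_ALL },
	{ "tlsv1.0", TLS_PROTOCOL_TLSv1_0 }, { "tlsv1.1", TLS_PROTOCOL_TLSv1_1 },
	{ "tlsv1.2", TLS_PROTOCOL_TLSv1_2 },
};

/* Parse a non-NULL "a,b:!c" list (lower-case keywords only).  A leading
 * "!" with nothing selected yet negates from TLS_PROTOCOLS_ALL.  Writes
 * *protocols only on success; returns 0 or -1. */
static int
parse_protocol_list(uint32_t *protocols, const char *protostr)
{
	const char *p = protostr, *kw;
	char tok[16];
	uint32_t proto = 0, mask = 0;
	size_t len, i;
	int negate;

	for (;;) {
		len = strcspn(p, ",:");		/* next token, ',' or ':' separated */
		if (len == 0 || len >= sizeof(tok))
			return -1;
		memcpy(tok, p, len);
		tok[len] = '\0';
		kw = tok;
		negate = (*kw == '!');
		if (negate)
			kw++;
		for (i = 0; i < sizeof(keywords) / sizeof(keywords[0]); i++)
			if (strcmp(kw, keywords[i].name) == 0)
				break;
		if (i == sizeof(keywords) / sizeof(keywords[0]))
			return -1;		/* unknown keyword */
		mask = keywords[i].mask;
		if (negate) {
			if (proto == 0)
				proto = TLS_PROTOCOLS_ALL;
			proto &= ~mask;
		} else
			proto |= mask;
		p += len;
		if (*p == '\0')
			break;
		p++;				/* skip the separator */
	}
	*protocols = proto;
	return 0;
}

/* Before the patch: on NULL the default mask is the *return value* and
 * *protocols is never written. */
static int
parse_protocols_old(uint32_t *protocols, const char *protostr)
{
	if (protostr == NULL)
		return TLS_PROTOCOLS_DEFAULT;
	return parse_protocol_list(protocols, protostr);
}

/* After the patch: the documented 0/-1 contract, result via *protocols. */
static int
parse_protocols_fixed(uint32_t *protocols, const char *protostr)
{
	if (protostr == NULL) {
		*protocols = TLS_PROTOCOLS_DEFAULT;
		return 0;
	}
	return parse_protocol_list(protocols, protostr);
}

/* Models a caller such as nc(1): only -1 counts as failure, then the mask
 * is handed to the TLS configuration.  'stale' is a constructed stand-in
 * for whatever the uninitialised variable held before the call.  Returns
 * the configured mask; 0 means "no protocols available". */
static uint32_t
configure(int use_fixed, const char *protostr, uint32_t stale)
{
	uint32_t protocols = stale;
	int rv;

	rv = use_fixed ? parse_protocols_fixed(&protocols, protostr)
	    : parse_protocols_old(&protocols, protostr);
	if (rv == -1)
		return 0;
	return protocols;
}
```

With the old branch, configure(0, NULL, 0) yields an empty mask (the failing handshake) while configure(0, NULL, TLS_PROTOCOLS_DEFAULT) happens to work, which is exactly a failure that depends on leftover stack contents; with the fixed branch the NULL case always yields TLS_PROTOCOLS_DEFAULT, and an explicit "default" string works with either version because that path writes *protocols.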