[Lynx-dev] Gnutls errors with TLS 1.3 hosts

lynx-dev

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Lynx-dev] Gnutls errors with TLS 1.3 hosts

From:	Andreas Metzler
Subject:	[Lynx-dev] Gnutls errors with TLS 1.3 hosts
Date:	Mon, 24 Dec 2018 10:32:37 +0100
User-agent:	Mutt/1.10.1 (2018-07-13)

Hello,

If built against GnuTLS with TLS 1.3 support (i.e. >= 3.6.5) lynx 2.8.9rel.1 
will fail to work with hosts offering TLS 1.3, e.g. gmail.com:

---------------------------------
(sid)address@hidden:/tmp/LXYNX/lynx-2.8.9rel.1$ SSL_CERT_FILE=/etc/ssl/certs/c
a-certificates.crt lynx -cfg=/dev/null -lss=/dev/null -dump https://gmail.com/

Looking up gmail.com
Making HTTPS connection to gmail.com
Verified connection to gmail.com (cert=gmail.com)
Certificate issued by: /C=US/O=Google Trust Services/CN=Google Internet 
Authority G3
Secure 256-bit TLS1.3 (ECDHE_RSA_AES_256_GCM_SHA384) HTTP connection
Sending HTTP request.
HTTP request sent; waiting for response.
Alert!: Unexpected network read error; connection aborted.
Can't Access `https://gmail.com/'
Alert!: Unable to access document.

lynx: Can't access startfile
---------------------------------

This sems to be an instance of 
https://gitlab.com/gnutls/gnutls/issues/644#note_123363338
<quote>
Sam Varshavchik:
| With TLS 1.3, gnutls will return GNUTLS_E_AGAIN even if the underlying
| transport socket is a blocking socket. I'm pretty sure that previously
| GNUTLS_E_AGAIN was getting returned only with non-blocking sockets as
| the underlying transport, when reading or writing to the socket came
| back with EAGAIN. GNUTLS_E_AGAIN was, basically, a passthrough for
| EAGAIN on the underlying socket.
| 
| All existing code that uses blocking sockets most likely handles any -1
| return from gnutls_record_send(), gnutls_record_recv(), and
| gnutls_handshake() as a fatal transport error. It doesn't know about
| special meaning of GNUTLS_E_AGAIN, because it was only seen, up until
| now, with non-blocking sockets.
| 
| Existing code that uses non-blocking sockets is unlikely to be affected,
| as it already understands GNUTLS_E_AGAIN.
<unquote>

https://www.gnutls.org/manual/html_node/Data-transfer-and-termination.html

Attached patch seems to work in quick test.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

tls13.fixes.diff
Description: Text Data

signature.asc
Description: PGP signature

[Prev in Thread]

Current Thread

[Next in Thread]

[Lynx-dev] Gnutls errors with TLS 1.3 hosts, Andreas Metzler <=
- Re: [Lynx-dev] Gnutls errors with TLS 1.3 hosts, Thomas Dickey, 2018/12/24

Prev by Date: Re: [Lynx-dev] [feature] form submission without submit button
Next by Date: Re: [Lynx-dev] Gnutls errors with TLS 1.3 hosts
Previous by thread: [Lynx-dev] [feature] form submission without submit button
Next by thread: Re: [Lynx-dev] Gnutls errors with TLS 1.3 hosts
Index(es):
- Date
- Thread