GNOME Bugzilla – Bug 739951
[regression] Doesn't run GTlsConnection for https:// requests
Last modified: 2014-12-01 20:07:22 UTC
Created attachment 290405 [details]
test-soup.c

I just realized I cannot connect to a server using https:// GET with libsoup 2.48.0 and glib-networking 2.42.0, but 2.40.0 is also broken. The problem is that if the server uses a certificate with an unknown CA, then the handshake fails with "Unacceptable TLS certificate", instead of the expected "SSL handshake failed" (the case for libsoup-2.44.2 and glib-networking-2.38.2).

Further investigation showed that the "network-event" of a SoupMessage uses GTcpConnection for G_SOCKET_CLIENT_TLS_HANDSHAKING, while it should use a GTlsConnection descendant, like GTlsClientConnectionGnutls in the case of the older versions.

This bug prevents evolution-data-server's CalDAV calendar from connecting to servers with a "bad" certificate (and possibly other parts using libsoup).

Attached is a minimal reproducer. The network_event_cb() is simplified; evolution-data-server's code adds a signal handler for "accept-certificate" there [1].

[1] https://git.gnome.org/browse/evolution-data-server/tree/libebackend/e-soup-ssl-trust.c#n109
Thanks for the reproducer. Fixed in master. I didn't put out point releases for 3.14.1 or 3.14.2, so I'll probably do a stable release soon.
I do not see any change after applying the fix to 2.48.0:

% ./test-soup
Hello...
network_event_cb: handshaking:0 (0) is tls:0 (null)
network_event_cb: handshaking:0 (1) is tls:0 (null)
network_event_cb: handshaking:0 (2) is tls:0 (GTcpConnection)
network_event_cb: handshaking:0 (3) is tls:0 (GTcpConnection)
network_event_cb: handshaking:1 (6) is tls:1 (GTlsClientConnectionGnutls)
test_thread: Failed, certflags:1 code:6 reason:Unacceptable TLS certificate
Bye...

But the libsoup-included test runs just fine:

% ./connection-test
/connection/content-length-framing: OK
/connection/persistent-connection-timeout: OK
/connection/max-conns: OK
/connection/non-persistent: OK
/connection/non-idempotent: OK
/connection/state: OK
/connection/event: OK
are you sure "test-soup" is linked against the new libsoup build? (eg, what does "ldd ./test-soup" show?)
pretty much sure:

% ldd ./test-soup | grep soup
	libsoup-2.4.so.1 => /usr/lib64/libsoup-2.4.so.1 (0x00007fa060f8b000)
% file /usr/lib64/libsoup-2.4.so.1.7.0
/usr/lib64/libsoup-2.4.so.1.7.0: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=1bc3049df754a25dffe31d4098ad89391ee7cedf, stripped
% file ~/builder/rpm/BUILD/libsoup-2.48.0/libsoup/.libs/libsoup-2.4.so.1.7.0
/home/users/fritz/builder/rpm/BUILD/libsoup-2.48.0/libsoup/.libs/libsoup-2.4.so.1.7.0: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=1bc3049df754a25dffe31d4098ad89391ee7cedf, not stripped

[builder@builder64 libsoup-2.48.0]$ grep soup_socket_event ~/rpm/BUILD/libsoup-2.48.0/libsoup/*.c
/home/users/builder/rpm/BUILD/libsoup-2.48.0/libsoup/soup-socket.c:soup_socket_event (SoupSocket *sock,
/home/users/builder/rpm/BUILD/libsoup-2.48.0/libsoup/soup-socket.c:	soup_socket_event (sock, event, connection);
/home/users/builder/rpm/BUILD/libsoup-2.48.0/libsoup/soup-socket.c:	soup_socket_event (sock, G_SOCKET_CLIENT_TLS_HANDSHAKING, priv->conn);
/home/users/builder/rpm/BUILD/libsoup-2.48.0/libsoup/soup-socket.c:	soup_socket_event (sock, G_SOCKET_CLIENT_TLS_HANDSHAKED, priv->conn);
/home/users/builder/rpm/BUILD/libsoup-2.48.0/libsoup/soup-socket.c:	soup_socket_event (sock, G_SOCKET_CLIENT_TLS_HANDSHAKED, priv->conn);
/home/users/builder/rpm/BUILD/libsoup-2.48.0/libsoup/soup-socket.c:	soup_socket_event (sock, G_SOCKET_CLIENT_TLS_HANDSHAKING, priv->conn);
*** Bug 740402 has been marked as a duplicate of this bug. ***
I can confirm that the fix [1] works. The thing is that this:

> Hello...
> network_event_cb: handshaking:0 (0) is tls:0 (null)
> network_event_cb: handshaking:0 (1) is tls:0 (null)
> network_event_cb: handshaking:0 (2) is tls:0 (GTcpConnection)
> network_event_cb: handshaking:0 (3) is tls:0 (GTcpConnection)
> network_event_cb: handshaking:1 (6) is tls:1 (GTlsClientConnectionGnutls)
> test_thread: Failed, certflags:1 code:6 reason:Unacceptable TLS certificate

used to be (before [1]):

> Hello...
> network_event_cb: handshaking:0 (0) is tls:0 (null)
> network_event_cb: handshaking:0 (1) is tls:0 (null)
> network_event_cb: handshaking:0 (2) is tls:0 (GTcpConnection)
> network_event_cb: handshaking:0 (3) is tls:0 (GTcpConnection)
> network_event_cb: handshaking:1 (6) is tls:0 (GTcpConnection)
> test_thread: Failed, certflags:1 code:6 reason:Unacceptable TLS certificate

aka the network_event 6 was not done on a TLS connection, which broke evolution-data-server. The change [1] still shows the same reason (the last line), but it's not an issue.

[1] https://git.gnome.org/browse/libsoup/commit/?h=gnome-3-14&id=c8ff05b7308818b914ab7738fdaf3dbf5fa11e16
Dan, please do the release of libsoup, there will be more and more people affected, which is not good.
@Milan: thanks for clarification. So all these "Peer failed to perform TLS handshake" are not related... Sorry for the noise.