Bug 740087 - SSL Handshake failing
Status: RESOLVED FIXED
Product: glib
Classification: Platform
Component: network
Version: 2.36.x
Hardware: Other Linux
Importance: Normal normal
Target Milestone: ---
Assigned To: gtkdev
QA Contact: gtkdev
Reported: 2014-11-13 22:46 UTC by nhrdls
Modified: 2014-12-07 10:05 UTC
See Also:
GNOME target: ---
GNOME version: ---



Description nhrdls 2014-11-13 22:46:02 UTC
SSL Handshake fails when using webkit to connect to site https://www.pge.com/eum/login.

I did ask questions on the WebKit and GnuTLS web sites. The GnuTLS guys are saying glib networking may have to change the default value. More details are in the thread http://lists.gnutls.org/pipermail/gnutls-help/2014-November/003672.html

<quote>
It seems that following poodle many sites incorrectly banned SSL 3.0
record packet versions. Since gnutls uses an SSL 3.0 record to
advertise TLS 1.2, they are effectively banning it even if it doesn't
advertise SSL 3.0. That is a server issue, but it can be worked around
by using the modifier %LATEST_RECORD_VERSION, e.g.,
gnutls-cli www.pge.com --priority "NORMAL:%LATEST_RECORD_VERSION"
should work.

That seems like a good opportunity to make that the default.
</quote>
Comment 1 Dan Winship 2014-12-07 10:05:30 UTC
This is now fixed in glib-networking 2.42.1 and 2.43.1; %LATEST_RECORD_VERSION is now used by default, but will be removed from the priority string in the "fallback" mode (aka "use-ssl3" mode, but now it means "use the lowest allowed ssl/tls version", so it really means "use-tls-1.0" if SSLv3 is disabled).
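
To check on the wire what the quoted GnuTLS reply describes, this added example (not code from the bug report, glib-networking or GnuTLS) parses the first bytes of a ClientHello and reports the record-layer version next to the version the ClientHello itself offers. The function names and the sample records are constructed for illustration.

```python
import struct

# Wire values of the two-byte ProtocolVersion field.
NAMES = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def build_client_hello(record_version, hello_version):
    """Build a minimal ClientHello record (constructed sample, zeroed random)."""
    body = bytes(hello_version)            # client_version
    body += bytes(32)                      # random
    body += b"\x00"                        # empty session_id
    body += b"\x00\x02\x00\x2f"            # one cipher suite
    body += b"\x01\x00"                    # null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    header = b"\x16" + bytes(record_version) + struct.pack("!H", len(handshake))
    return header + handshake


def inspect_client_hello(data):
    """Return (record_version, hello_version, mismatch) from a captured record."""
    if len(data) < 11:
        raise ValueError("need at least 11 bytes: record header + hello version")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype != 0x16:
        raise ValueError("not a TLS handshake record")
    if length < 6 or data[5] != 0x01:
        raise ValueError("record does not start with a ClientHello")
    record, hello = (major, minor), (data[9], data[10])
    return record, hello, record != hello


def describe(data):
    """One-line summary suitable for a troubleshooting log."""
    record, hello, mismatch = inspect_client_hello(data)
    line = "record layer %s, ClientHello offers %s" % (
        NAMES.get(record, record), NAMES.get(hello, hello))
    if mismatch:
        line += " (record version differs from the offered version)"
    return line


if __name__ == "__main__":
    # Old default described in the quote: SSL 3.0 record advertising TLS 1.2.
    print(describe(build_client_hello((3, 0), (3, 3))))
    # With %LATEST_RECORD_VERSION: the record carries the latest version too.
    print(describe(build_client_hello((3, 3), (3, 3))))
```

Feeding it the first record of a captured handshake shows whether a failing client is still sending the SSL 3.0 record version that such servers reject.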