GNU bug report logs - #18526: Failure to download from github due to TLS fatal alert
Reported by: ludo <at> gnu.org (Ludovic Courtès)
Date: Mon, 22 Sep 2014 12:34:01 UTC
Severity: normal
Merged with 18524
Done: ludo <at> gnu.org (Ludovic Courtès)
Report forwarded to bug-guix <at> gnu.org: bug#18526; Package guix. (Mon, 22 Sep 2014 12:34:01 GMT)
Acknowledgement sent to ludo <at> gnu.org (Ludovic Courtès): New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Mon, 22 Sep 2014 12:34:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org:
From guix-devel.
Mark H Weaver <mhw <at> netris.org> wrote:
> Here's what happens:
>
> $ guix download https://github.com/downloads/magit/magit/magit-1.2.0.tar.gz
> starting download of `guix-file.cszPnB' from `https://github.com/downloads/magit/magit/magit-1.2.0.tar.gz'...
> following redirection to `https://cloud.github.com/downloads/magit/magit/magit-1.2.0.tar.gz'...
> ERROR: Throw to key `gnutls-error' with args `(#<gnutls-error-enum A TLS fatal alert has been received.> handshake)'.
> failed to download "guix-file.cszPnB" from "https://github.com/downloads/magit/magit/magit-1.2.0.tar.gz"
> guix download: error: https://github.com/downloads/magit/magit/magit-1.2.0.tar.gz: download failed
I see that as well. However, other github.com URLs work:
--8<---------------cut here---------------start------------->8---
$ guix download https://github.com/flavio/qjson/archive/0.8.1.tar.gz
starting download of `guix-file.tL8gal' from `https://github.com/flavio/qjson/archive/0.8.1.tar.gz'...
following redirection to `https://codeload.github.com/flavio/qjson/tar.gz/0.8.1'...
https://codeload.github.com/.../0.8.1 100.0% of 71.6 KiB
/gnu/store/fqfm3zm9pzwgic9sz2x8hk8ykm9yhkqw-0.8.1.tar.gz
163fspi0xc705irv79qw861fmh68pjyla9vx3kqiq6xrdhb9834j
$ guix download https://github.com/maebert/jrnl/archive/1.8.4.tar.gz
starting download of `guix-file.oK809e' from `https://github.com/maebert/jrnl/archive/1.8.4.tar.gz'...
following redirection to `https://codeload.github.com/maebert/jrnl/tar.gz/1.8.4'...
https://codeload.github.com/.../1.8.4 100.0% of 162.4 KiB
/gnu/store/cb39bf5ljrglj72bxarcsws241qhw5a8-1.8.4.tar.gz
019ky09sj5i7frmca0imv4jm46mn3f4lzah2wmiwxh22cisj7ksn
--8<---------------cut here---------------end--------------->8---
With debugging enabled in build/download.scm, the relevant part is:
--8<---------------cut here---------------start------------->8---
gnutls: [699|3] HSK[0x104e530]: CLIENT HELLO was queued [249 bytes]
gnutls: [699|7] HWRITE: enqueued [CLIENT HELLO] 249. Total 249 bytes.
gnutls: [699|7] HWRITE FLUSH: 249 bytes in buffer.
gnutls: [699|4] REC[0x104e530]: Preparing Packet Handshake(22) with length: 249 and min pad: 0
gnutls: [699|9] ENC[0x104e530]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
gnutls: [699|7] WRITE: enqueued 254 bytes for 0xe. Total 254 bytes.
gnutls: [699|4] REC[0x104e530]: Sent Packet[1] Handshake(22) in epoch 0 and length: 254
gnutls: [699|7] HWRITE: wrote 1 bytes, 0 bytes left.
gnutls: [699|7] WRITE FLUSH: 254 bytes in buffer.
gnutls: [699|7] WRITE: wrote 254 bytes, 0 bytes left.
gnutls: [699|2] ASSERT: gnutls_buffers.c:1075
gnutls: [699|7] READ: Got 5 bytes from 0xe
gnutls: [699|7] READ: read 5 bytes from 0xe
gnutls: [699|7] RB: Have 0 bytes into buffer. Adding 5 bytes.
gnutls: [699|7] RB: Requested 5 bytes
gnutls: [699|4] REC[0x104e530]: SSL 3.3 Alert packet received. Epoch 0, length: 2
gnutls: [699|4] REC[0x104e530]: Expected Packet Handshake(22)
gnutls: [699|4] REC[0x104e530]: Received Packet Alert(21) with length: 2
gnutls: [699|7] READ: Got 2 bytes from 0xe
gnutls: [699|7] READ: read 2 bytes from 0xe
gnutls: [699|7] RB: Have 5 bytes into buffer. Adding 2 bytes.
gnutls: [699|7] RB: Requested 7 bytes
gnutls: [699|4] REC[0x104e530]: Decrypted Packet[0] Alert(21) with length: 2
gnutls: [699|4] REC[0x104e530]: Alert[2|40] - Handshake failed - was received
--8<---------------cut here---------------end--------------->8---
Wget can be made to fail similarly:
--8<---------------cut here---------------start------------->8---
$ wget --secure-protocol=SSLv3 -O /dev/null https://github.com/downloads/magit/magit/magit-1.2.0.tar.gz
--2014-08-13 23:48:53-- https://github.com/downloads/magit/magit/magit-1.2.0.tar.gz
Resolving github.com... 192.30.252.128
Connecting to github.com|192.30.252.128|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://cloud.github.com/downloads/magit/magit/magit-1.2.0.tar.gz [following]
--2014-08-13 23:48:54-- https://cloud.github.com/downloads/magit/magit/magit-1.2.0.tar.gz
Resolving cloud.github.com... 54.230.44.78, 54.230.44.145, 54.230.44.189, ...
Connecting to cloud.github.com|54.230.44.78|:443... connected.
GnuTLS: A TLS fatal alert has been received.
GnuTLS: received alert [40]: Handshake failed
Unable to establish SSL connection.
--8<---------------cut here---------------end--------------->8---
But its default --secure-protocol=auto just works, although its gnutls.c
just seems to use the default priorities like we do.
Further investigation needed...
Ludo’.
Information forwarded to bug-guix <at> gnu.org: bug#18526; Package guix. (Mon, 22 Sep 2014 13:33:04 GMT)
Message #8 received at 18526 <at> debbugs.gnu.org:
The culprit is that our client would not support the TLS ‘SERVER NAME’
extension, unlike wget and gnutls-cli (this is enabled simply by
calling ‘gnutls_server_name_set’). Here’s a proof-of-concept
workaround:
diff --git a/guix/build/download.scm b/guix/build/download.scm
index d98933a..b44302f 100644
--- a/guix/build/download.scm
+++ b/guix/build/download.scm
@@ -112,6 +112,24 @@ abbreviation of URI showing the scheme, host, and basename of the file."
"Hold a weak reference from FROM to TO."
(hashq-set! table from to))))
+(use-modules (system foreign))
+
+(define set-server-name!
+ (let* ((lib (string-append (getenv "HOME") "/.guix-profile/lib/libgnutls"))
+ (ptr (dynamic-func "gnutls_server_name_set"
+ (dynamic-link lib)))
+ (proc (pointer->procedure int ptr
+ (list '* int '* size_t))))
+ (lambda (session type name)
+ ;; SESSION is a SMOB, and the 'gnutls_session_t' pointer is in its
+ ;; second cell.
+ (let* ((cell (make-pointer (+ (sizeof '*) (object-address session))))
+ (session (dereference-pointer cell)))
+ (zero? (proc session type
+ (string->pointer name) (string-length name)))))))
+
+(define GNUTLS_NAME_DNS 1)
+
(define (tls-wrap port)
"Return PORT wrapped in a TLS connection."
(define (log level str)
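Review bot: `set-server-name!` resolves the library from the hard-coded path `(string-append (getenv "HOME") "/.guix-profile/lib/libgnutls")`, so `dynamic-link` fails on any system where GnuTLS is not installed in the user's profile, and it recovers the `gnutls_session_t` by dereferencing the SMOB's second cell through `object-address`, which depends on Guile's internal SMOB layout. Both are acceptable in a proof of concept, but the lookup should at least be wrapped so that a failure reports a clear error rather than aborting the download, and, as the message itself notes, the real fix belongs in the `(gnutls)` bindings. Also, `(use-modules (system foreign))` should go in the module's `define-module` form rather than in the middle of the file.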
@@ -119,6 +137,7 @@ abbreviation of URI showing the scheme, host, and basename of the file."
"gnutls: [~a|~a] ~a" (getpid) level str))
(let ((session (make-session connection-end/client)))
+ (set-server-name! session GNUTLS_NAME_DNS "cloud.github.com")
(set-session-transport-fd! session (fileno port))
(set-session-default-priority! session)
(set-session-credentials! session (make-certificate-credentials))
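Review bot: the server name is hard-coded to `"cloud.github.com"`, so every TLS connection made through `tls-wrap` now announces that host, including the codeload.github.com downloads shown earlier in this thread and any other HTTPS server. `tls-wrap` only receives `port`, so the host of the URI being fetched needs to be passed in by the caller (e.g. an extra `host` argument) and handed to `set-server-name!` in place of the constant; a server that checks the announced name may reject a mismatched one with the same kind of handshake failure this patch is meant to fix.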
I’ll add bindings for ‘gnutls_server_name_set’ in GnuTLS proper, and
then we can correctly address this bug.
Ludo’.
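The alert that GnuTLS logged in message #5 and the server_name extension that message #8 identifies as the missing piece, as an added Python example that is not part of this bug report or of Guix: it decodes a constructed fatal alert record like the one in the trace, builds the RFC 6066 server_name extension a ClientHello carries once SNI is enabled, and checks whether a ClientHello extensions block contains one. The function names, the sample bytes and the alert table are my own.

```python
import struct

# Alert codes from RFC 5246 section 7.2; 40 is the "Handshake failed" alert
# the GnuTLS trace above reports as Alert[2|40] (level 2 = fatal).
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {40: "handshake_failure", 112: "unrecognized_name"}

# Constructed sample: a fatal handshake_failure alert record under TLS 1.2
# (record type 21, version 3.3, which GnuTLS prints as "SSL 3.3").
FATAL_ALERT_RECORD = bytes.fromhex("15 03 03 00 02 02 28")

def parse_alert_record(data):
    """Decode a TLS alert record into its version, level and description."""
    if len(data) < 7:
        raise ValueError("an alert record is at least 7 bytes")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype != 21 or length != 2:
        raise ValueError("not a well-formed alert record")
    level, desc = data[5], data[6]
    return {"version": "SSL %d.%d" % (major, minor),
            "level": ALERT_LEVELS.get(level, str(level)),
            "description": ALERT_DESCRIPTIONS.get(desc, str(desc))}

def server_name_extension(hostname):
    """Build the server_name extension (RFC 6066 section 3) a ClientHello carries
    once gnutls_server_name_set() has been called.  On the wire the DNS name
    type is 0, unlike the API constant GNUTLS_NAME_DNS = 1 used in the patch."""
    name = hostname.encode("ascii")
    entry = struct.pack("!BH", 0, len(name)) + name           # ServerName
    name_list = struct.pack("!H", len(entry)) + entry         # ServerNameList
    return struct.pack("!HH", 0, len(name_list)) + name_list  # extension type 0

def client_hello_sni(extensions):
    """Return the host name from a ClientHello extensions block, or None when
    the server_name extension is absent (the state this bug report describes)."""
    pos = 0
    while pos + 4 <= len(extensions):
        ext_type, ext_len = struct.unpack("!HH", extensions[pos:pos + 4])
        body = extensions[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != 0:
            continue
        p = 2                       # skip the 2-byte ServerNameList length
        while p + 3 <= len(body):
            name_type, name_len = struct.unpack("!BH", body[p:p + 3])
            if name_type == 0:
                return body[p + 3:p + 3 + name_len].decode("ascii")
            p += 3 + name_len
    return None
```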
Reply sent to ludo <at> gnu.org (Ludovic Courtès): You have taken responsibility. (Mon, 22 Sep 2014 19:20:03 GMT)
Notification sent to ludo <at> gnu.org (Ludovic Courtès): bug acknowledged by developer. (Mon, 22 Sep 2014 19:20:03 GMT)
Message #13 received at 18526-done <at> debbugs.gnu.org:
Commit 077bd18 fixes it, using the ‘set-session-server-name!’ procedure
introduced in GnuTLS commit e9fc746:
https://gitorious.org/gnutls/gnutls/commit/e9fc74641dae2747b98bc9f79afc041805819339
It should be in the next GnuTLS release.
Ludo’.
Information forwarded to bug-guix <at> gnu.org: bug#18526; Package guix. (Mon, 13 Oct 2014 21:36:01 GMT)
Message #16 received at 18526 <at> debbugs.gnu.org:
Commit 3de9a59 pushed an update to GnuTLS 3.2.19, which brings the new
‘set-server-name!’ procedure.
Ludo’.
Merged 18524 18526. Request was from ludo <at> gnu.org (Ludovic Courtès) to control <at> debbugs.gnu.org. (Sun, 02 Nov 2014 22:14:02 GMT)
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Mon, 01 Dec 2014 12:24:05 GMT)
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.