From: bug#34102 <34102@debbugs.gnu.org>
To: bug#34102 <34102@debbugs.gnu.org>
Subject: Status: [staging] Guix fails to download from TLSv1.3-enabled servers
Date: Tue, 19 Aug 2025 19:50:54 +0000

retitle 34102 [staging] Guix fails to download from TLSv1.3-enabled servers
reassign 34102 guix
submitter 34102 Marius Bakke
severity 34102 serious
thanks

From: Marius Bakke
To: bug-guix@gnu.org
Subject: [staging] Guix fails to download from TLSv1.3-enabled servers
Date: Wed, 16 Jan 2019 14:33:15 +0100

Hello!

On the staging branch (with GnuTLS 3.6), `guix download` will negotiate
TLSv1.3 with servers that support it, and fail shortly after the initial
handshake:

  $ ./pre-inst-env guix download https://data.iana.org
  Starting download of /tmp/guix-file.vJ4v7h
  From https://data.iana.org...
  Throw to key `gnutls-error' with args `(# read_from_session_record_port)'.
  failed to download "/tmp/guix-file.vJ4v7h" from "https://data.iana.org"
  guix download: error: https://data.iana.org: download failed

The GnuTLS maintainer has written a blog post about TLS 1.3 porting[0],
and I suspect the problem is that Guix (or the GnuTLS Guile bindings)
does not handle the "GNUTLS_E_REAUTH_REQUEST" error code; however my
attempts at catching it (or any error code) have been unfruitful.

This is an obvious merge blocker, help wanted!  Disabling TLS1.3 in the
priority string works as a last-resort workaround.

[0] https://nikmav.blogspot.com/2018/05/gnutls-and-tls-13.html

From: Ludovic Courtès
To: control@debbugs.gnu.org
Subject: control message for bug #34102
Date: Fri, 25 Jan 2019 14:32:33 +0100

severity 34102 serious

From: Ludovic Courtès
To: Marius Bakke
Cc: 34102@debbugs.gnu.org
Subject: Re: bug#34102: [staging] Guix fails to download from TLSv1.3-enabled servers
Date: Fri, 25 Jan 2019 14:43:41 +0100

Hi Marius,

Marius Bakke wrote:

> On the staging branch (with GnuTLS 3.6), `guix download` will negotiate
> TLSv1.3 with servers that support it, and fail shortly after the initial
> handshake:
>
>   $ ./pre-inst-env guix download https://data.iana.org
>   Starting download of /tmp/guix-file.vJ4v7h
>   From https://data.iana.org...
>   Throw to key `gnutls-error' with args `(# read_from_session_record_port)'.
>   failed to download "/tmp/guix-file.vJ4v7h" from "https://data.iana.org"
>   guix download: error: https://data.iana.org: download failed

Ouch, thanks for the heads-up!

> The GnuTLS maintainer has written a blog post about TLS 1.3 porting[0],
> and I suspect the problem is that Guix (or the GnuTLS Guile bindings)
> does not handle the "GNUTLS_E_REAUTH_REQUEST" error code; however my
> attempts at catching it (or any error code) have been unfruitful.

I think we need to update the Guile bindings to wrap
GNUTLS_E_REAUTH_REQUEST, GNUTLS_POST_HANDSHAKE_AUTH, and
‘gnutls_reauth’, which are currently missing.  Would you like to give
it a try?

What’s unclear to me from the blog post is exactly when
GNUTLS_E_REAUTH_REQUEST is delivered to the application.  Is it the next
time the application calls some (possibly unrelated) GnuTLS function?

> This is an obvious merge blocker, help wanted!  Disabling TLS1.3 in the
> priority string works as a last-resort workaround.

Yes, that’s a stop-gap measure we should probably apply for now:

diff --git a/guix/build/download.scm b/guix/build/download.scm index c08221b3b2..23c9a4d466 100644 --- a/guix/build/download.scm +++ b/guix/build/download.scm 
@@ -268,7 +268,10 @@ host name without trailing dot." ;; "(gnutls) Priority Strings"); see . ;; Explicitly disable SSLv3, which is insecure: ;; . - (set-session-priorities! session "NORMAL:%COMPAT:-VERS-SSL3.0") + ;; + ;; FIXME: Since we currently fail to handle TLS 1.3, remove it; see + ;; . + (set-session-priorities! session "NORMAL:%COMPAT:-VERS-SSL3.0:-VERS-TLS1.3") (set-session-credentials! session (if (and verify-certificate? ca-certs)

Any objections?

Thanks,
Ludo’.

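Review bot: the new priority string on the added set-session-priorities! line appends -VERS-TLS1.3 unconditionally, so every download stays capped below TLS 1.3 even after the bindings learn to handle re-authentication, and nothing at run time shows that the cap is in effect. Build the string from a named variable, or append the suffix only when a check for the fixed bindings fails, so that the FIXME can be reverted in one place and the TLS 1.3 path can be tested without editing the call.
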
From: Ricardo Wurmus
To: Ludovic Courtès
Cc: Marius Bakke, 34102@debbugs.gnu.org
Subject: Re: bug#34102: [staging] Guix fails to download from TLSv1.3-enabled servers
Date: Fri, 25 Jan 2019 15:04:51 +0100

Ludovic Courtès writes:

>> This is an obvious merge blocker, help wanted!  Disabling TLS1.3 in the
>> priority string works as a last-resort workaround.
>
> Yes, that’s a stop-gap measure we should probably apply for now:
>
> diff --git a/guix/build/download.scm b/guix/build/download.scm > index c08221b3b2..23c9a4d466 100644 
> --- a/guix/build/download.scm > +++ b/guix/build/download.scm > @@ -268,7 +268,10 @@ host name without trailing dot." > ;; "(gnutls) Priority Strings"); see . > ;; Explicitly disable SSLv3, which is insecure: > ;; . > - (set-session-priorities! session "NORMAL:%COMPAT:-VERS-SSL3.0") > + ;; > + ;; FIXME: Since we currently fail to handle TLS 1.3, remove it; see > + ;; . > + (set-session-priorities! session "NORMAL:%COMPAT:-VERS-SSL3.0:-VERS-= TLS1.3") >=20=20 > (set-session-credentials! session > (if (and verify-certificate? ca-certs)
>
> Any objections?

I think it’s fine to do this to allow us to merge the staging branch
before fixing the problem in the Guile bindings.

--
Ricardo

From: Ludovic Courtès
To: Ricardo Wurmus
Cc: Marius Bakke, 34102@debbugs.gnu.org
Subject: Re: bug#34102: [staging] Guix fails to download from TLSv1.3-enabled servers
Date: Sun, 27 Jan 2019 16:54:39 +0100

Hello,

Ricardo Wurmus wrote:

> Ludovic Courtès writes:
>
>>> This is an obvious merge blocker, help wanted!  Disabling TLS1.3 in the
>>> priority string works as a last-resort workaround.

[...]

> I think it’s fine to do this to allow us to merge the staging branch
> before fixing the problem in the Guile bindings.

I pushed a variant of this patch as commit
e4ee84202633636b4c8cef4a332f0c74912a3b23.

Thanks,
Ludo’.

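A stop-gap like the one pushed above stays in the priority string until someone reverts it. The following is an added example, not part of this thread or of Guix: it scans Scheme source for set-session-priorities! calls and reports which TLS versions the string removes. It only interprets keywords and VERS- tokens, and it assumes the leading keyword enables every listed version (the real set depends on the GnuTLS build); the function names are hypothetical.

```python
import re

# Version names that may follow "VERS-" in a GnuTLS priority string.
TLS_VERSIONS = ("SSL3.0", "TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3")
ALL_ALIASES = ("ALL", "TLS-ALL")

# The Guile call patched in guix/build/download.scm; group 1 is the string.
CALL_RE = re.compile(r'\(set-session-priorities!\s+\S+\s+"([^"]*)"')


def enabled_versions(priority, keyword_enables=TLS_VERSIONS):
    """Return the TLS versions still enabled after applying PRIORITY.

    Assumption: a leading keyword such as NORMAL enables every version in
    keyword_enables; the real set depends on the GnuTLS build.
    """
    enabled = set()
    for token in priority.split(":"):
        if not token or token[0] in "%@":
            continue  # %COMPAT-style options and @KEYWORD references
        if token[0] not in "+-!":
            # Keyword (NORMAL, SECURE128, ...); NONE starts from nothing.
            enabled = set() if token == "NONE" else set(keyword_enables)
            continue
        op, name = token[0], token[1:]
        if not name.startswith("VERS-"):
            continue  # cipher, MAC, key-exchange and similar tokens
        version = name[len("VERS-"):]
        if version in ALL_ALIASES:
            targets = set(TLS_VERSIONS)
        else:
            targets = {version} & set(TLS_VERSIONS)  # DTLS names drop out
        if op == "+":
            enabled |= targets
        else:  # "-" and "!" both remove
            enabled -= targets
    return enabled


def find_removed_versions(source, watch=("TLS1.2", "TLS1.3")):
    """List (line number, priority string, missing versions) per call."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for match in CALL_RE.finditer(line):
            enabled = enabled_versions(match.group(1))
            missing = [v for v in watch if v not in enabled]
            if missing:
                findings.append((lineno, match.group(1), missing))
    return findings


# Constructed sample: the two forms of the call shown in the patch.
SAMPLE = """\
;; before the stop-gap
(set-session-priorities! session "NORMAL:%COMPAT:-VERS-SSL3.0")
;; after the stop-gap
(set-session-priorities! session "NORMAL:%COMPAT:-VERS-SSL3.0:-VERS-TLS1.3")
"""

if __name__ == "__main__":
    for lineno, priority, missing in find_removed_versions(SAMPLE):
        print(f"line {lineno}: {priority!r} removes {', '.join(missing)}")
```

The scan is line-based, so a call whose string literal sits on a different line from set-session-priorities! is not matched.
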
From: Ludovic Courtès
To: Marius Bakke
Cc: 34102@debbugs.gnu.org
Subject: Re: bug#34102: [staging] Guix fails to download from TLSv1.3-enabled servers
Date: Wed, 12 Jun 2019 14:34:44 +0200

Hi Marius,

Marius Bakke wrote:

>   $ ./pre-inst-env guix download https://data.iana.org
>   Starting download of /tmp/guix-file.vJ4v7h
>   From https://data.iana.org...
>   Throw to key `gnutls-error' with args `(# read_from_session_record_port)'.
>   failed to download "/tmp/guix-file.vJ4v7h" from "https://data.iana.org"
>   guix download: error: https://data.iana.org: download failed
>
> The GnuTLS maintainer has written a blog post about TLS 1.3 porting[0],
> and I suspect the problem is that Guix (or the GnuTLS Guile bindings)
> does not handle the "GNUTLS_E_REAUTH_REQUEST" error code; however my
> attempts at catching it (or any error code) have been unfruitful.
>
> This is an obvious merge blocker, help wanted!  Disabling TLS1.3 in the
> priority string works as a last-resort workaround.
>
> [0] https://nikmav.blogspot.com/2018/05/gnutls-and-tls-13.html

I’ve submitted a bunch of changes upstream to better support
post-handshake re-authentication:

  https://gitlab.com/gnutls/gnutls/merge_requests/1026

In particular, this adds ‘connection-flag/post-handshake-auth’ and
‘connection-flag/auto-reauth’, which can be passed to ‘make-session’.

But as it turns out, there’s one patch that, alone, appears to fix the
issue above:

  https://gitlab.com/civodul/gnutls/commit/7421ca2cfd2d9f4ac89bdec786eb745533430316

Ideally we’d wait for the next GnuTLS release that includes all of this.
However, if that helps, we can apply this patch to the ‘gnutls’ package
in ‘core-updates’ in the meantime.

WDYT?

Ludo’.

commit 7421ca2cfd2d9f4ac89bdec786eb745533430316
Author: Ludovic Courtès
Date:   Wed Jun 12 11:32:19 2019 +0200

    guile: Loop upon EAGAIN or EINTR.

    * guile/src/core.c (do_fill_port) [USING_GUILE_BEFORE_2_2]: Loop while
    'gnutls_record_recv' returns GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED.
    (read_from_session_record_port) [!USING_GUILE_BEFORE_2_2]: Likewise.

    Signed-off-by: Ludovic Courtès

diff --git a/guile/src/core.c b/guile/src/core.c index 546d63a1e3..8b9aa62560 100644 --- a/guile/src/core.c +++ b/guile/src/core.c @@ -1,5 +1,5 @@ /* GnuTLS --- Guile bindings for GnuTLS. - Copyright (C) 2007-2014, 2016 Free Software Foundation, Inc. + Copyright (C) 2007-2014, 2016, 2019 Free Software Foundation, Inc. =20 GnuTLS is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public 
@@ -869,8 +869,12 @@ do_fill_port (void *data) const fill_port_data_t *args =3D (fill_port_data_t *) data; =20 c_port =3D args->c_port; - result =3D gnutls_record_recv (args->c_session, - c_port->read_buf, c_port->read_buf_size); + + do + result =3D gnutls_record_recv (args->c_session, + c_port->read_buf, c_port->read_buf_size); + while (result =3D=3D GNUTLS_E_AGAIN || result =3D=3D GNUTLS_E_INTERRUPTE= D); + if (EXPECT_TRUE (result > 0)) { c_port->read_pos =3D c_port->read_buf; 
@@ -1002,7 +1006,12 @@ read_from_session_record_port (SCM port, SCM dst, si= ze_t start, size_t count) =20 /* XXX: Leave guile mode when SCM_GNUTLS_SESSION_TRANSPORT_IS_FD is true? */ - result =3D gnutls_record_recv (c_session, read_buf, count); + /* We can get EAGAIN for example if we received a reauth request, even w= hen + GNUTLS_AUTO_REAUTH is set. In that case, loop again. */ + do + result =3D gnutls_record_recv (c_session, read_buf, count); + while (result =3D=3D GNUTLS_E_AGAIN || result =3D=3D GNUTLS_E_INTERRUPTE= D); + if (EXPECT_FALSE (result < 0)) /* FIXME: Silently swallowed! */ scm_gnutls_error (result, FUNC_NAME);

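Review bot: in the do_fill_port hunk the new do/while around gnutls_record_recv retries immediately on GNUTLS_E_AGAIN, with no wait and no bound, so on a non-blocking transport it spins until data arrives. Wait for the transport to become readable before retrying, or cap the number of retries, and add an explanatory comment here as well; only the read_from_session_record_port hunk says why the loop exists.
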
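Review bot: in the read_from_session_record_port hunk the retry loop is a second copy of the one added to do_fill_port, and its comment says EAGAIN while the condition tests GNUTLS_E_AGAIN. Move the loop into one static helper called from both the USING_GUILE_BEFORE_2_2 and !USING_GUILE_BEFORE_2_2 paths so the two cannot drift apart, and name the GnuTLS error codes in the comment.
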
From: Ludovic Courtès
To: Marius Bakke
Cc: 34102-done@debbugs.gnu.org
Subject: Re: bug#34102: [staging] Guix fails to download from TLSv1.3-enabled servers
Date: Fri, 27 Mar 2020 09:07:06 +0100

Ludovic Courtès wrote:

> I’ve submitted a bunch of changes upstream to better support
> post-handshake re-authentication:
>
>   https://gitlab.com/gnutls/gnutls/merge_requests/1026
>
> In particular, this adds ‘connection-flag/post-handshake-auth’ and
> ‘connection-flag/auto-reauth’, which can be passed to ‘make-session’.
>
> But as it turns out, there’s one patch that, alone, appears to fix the
> issue above:
>
>   https://gitlab.com/civodul/gnutls/commit/7421ca2cfd2d9f4ac89bdec786eb745533430316

This was fixed a while back in Guix proper, with commit
621fb83a1fde948b3b7eea37bdc378cbf1b3d11e.

Ludo’.

From: Debbugs Internal Request
Subject: Internal Control
Date: Fri, 24 Apr 2020 11:24:04 +0000

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator