GNU bug report logs - #34102: [staging] Guix fails to download from TLSv1.3-enabled servers
Reported by: Marius Bakke <mbakke <at> fastmail.com>
Date: Wed, 16 Jan 2019 13:34:01 UTC
Severity: serious
Done: Ludovic Courtès <ludo <at> gnu.org>
Bug is archived. No further changes may be made.
[Message part 1 (text/plain, inline)]
Your bug report
#34102: [staging] Guix fails to download from TLSv1.3-enabled servers
which was filed against the guix package, has been closed.
The explanation is attached below, along with your original report.
If you require more details, please reply to 34102 <at> debbugs.gnu.org.
--
34102: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=34102
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
Ludovic Courtès <ludo <at> gnu.org> writes:
> I’ve submitted a bunch of changes upstream to better support
> post-handshake re-authentication:
>
> https://gitlab.com/gnutls/gnutls/merge_requests/1026
>
> In particular, this adds ‘connection-flag/post-handshake-auth’ and
> ‘connection-flag/auto-reauth’, which can be passed to ‘make-session’.
>
> But as it turns out, there’s one patch that, alone, appears to fix the
> issue above:
>
> https://gitlab.com/civodul/gnutls/commit/7421ca2cfd2d9f4ac89bdec786eb745533430316
This was fixed a while back in Guix proper, with commit
621fb83a1fde948b3b7eea37bdc378cbf1b3d11e.
Ludo’.
[Message part 3 (message/rfc822, inline)]
[Message part 4 (text/plain, inline)]
Hello!
On the staging branch (with GnuTLS 3.6), `guix download` will negotiate
TLSv1.3 with servers that support it, and fail shortly after the initial
handshake:
  $ ./pre-inst-env guix download https://data.iana.org
  Starting download of /tmp/guix-file.vJ4v7h
  From https://data.iana.org...
  Throw to key `gnutls-error' with args `(#<gnutls-error-enum Resource temporarily unavailable, try again.> read_from_session_record_port)'.
  failed to download "/tmp/guix-file.vJ4v7h" from "https://data.iana.org"
  guix download: error: https://data.iana.org: download failed
The GnuTLS maintainer has written a blog post about TLS 1.3 porting[0],
and I suspect the problem is that Guix (or the GnuTLS Guile bindings)
does not handle the "GNUTLS_E_REAUTH_REQUEST" error code; however my
attempts at catching it (or any error code) have been unfruitful.
This is an obvious merge blocker, help wanted! Disabling TLS1.3 in the
priority string works as a last-resort workaround.
[0] https://nikmav.blogspot.com/2018/05/gnutls-and-tls-13.html
[signature.asc (application/pgp-signature, inline)]
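The log in the report shows the failure arriving as a throw to key `gnutls-error' whose first argument is the error enum for GNUTLS_E_AGAIN ("Resource temporarily unavailable, try again."). The following Guile code is an added example, not code from Guix, GnuTLS or this thread: it catches that key, retries only retryable errors a bounded number of times, and re-throws everything else. The names call-with-tls-retry, make-flaky-reader and %max-attempts are hypothetical, the reader is a constructed stand-in that needs no network, and it is assumed that the installed (gnutls) module exports error/again and error/interrupted.

```scheme
;; Added example; not code from Guix or GnuTLS.
(use-modules (gnutls)
             (ice-9 format))

(define %max-attempts 5)            ;hypothetical bound chosen for the example

(define (retryable? err)
  ;; Assumption: (gnutls) exports these two error enum values.
  (or (eq? err error/again)
      (eq? err error/interrupted)))

(define* (call-with-tls-retry thunk #:key (max-attempts %max-attempts))
  "Call THUNK.  When it throws a retryable 'gnutls-error', call it again, up
to MAX-ATTEMPTS times in total.  Any other error, and the last retryable one,
is re-thrown unchanged so the caller still sees the real failure."
  (let loop ((attempt 1))
    (catch 'gnutls-error
      thunk
      (lambda (key err proc . rest)
        (if (and (retryable? err) (< attempt max-attempts))
            (begin
              (format (current-error-port) "attempt ~a: ~a in ~a, retrying~%"
                      attempt (error->string err) proc)
              (loop (+ attempt 1)))
            (apply throw key err proc rest))))))

;; Constructed stand-in for a record read: it throws the same key and
;; arguments as the log in the report FAILURES times, then returns data.
(define (make-flaky-reader failures)
  (lambda ()
    (if (> failures 0)
        (begin
          (set! failures (- failures 1))
          (throw 'gnutls-error error/again 'read_from_session_record_port))
        "payload")))

(format #t "result: ~s~%" (call-with-tls-retry (make-flaky-reader 2)))

;; A non-retryable error is not swallowed: it reaches the caller's handler.
(catch 'gnutls-error
  (lambda ()
    (call-with-tls-retry
     (lambda ()
       (throw 'gnutls-error error/premature-termination 'example))))
  (lambda (key err proc . rest)
    (format #t "not retried: ~a~%" (error->string err))))
```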
This bug report was last modified 5 years and 118 days ago.