From debbugs-submit-bounces@debbugs.gnu.org Tue Jun 15 05:17:06 2021
From: Ludovic Courtès
To: bug-guix@gnu.org
Subject: Git 2.32.0 fails with ‘gnutls_handshake’ error
X-Debbugs-Cc: Emmanuel Agullo
Date: Tue, 15 Jun 2021 11:16:50 +0200
Message-ID: <871r93v665.fsf@inria.fr>

Hello,

We came across this problem with the latest Git upgrade, that wasn’t
present in Git 2.31.1 as available on June 1st:

--8<---------------cut here---------------start------------->8---
$ guix time-machine --commit=0b76b25a0eff7a422f8ebcc8c095d7ede82c8863 -- environment -CN --ad-hoc git nss-certs -- git clone https://bitbucket.org/oseledets/rectcross /tmp/rectcross
Cloning into '/tmp/rectcross'...
Receiving objects: 100% (112/112), 23.43 KiB | 255.00 KiB/s, done.
Resolving deltas: 100% (56/56), done.
$ rm -rf /tmp/rectcross
$ guix time-machine --commit=0b76b25a0eff7a422f8ebcc8c095d7ede82c8863 -- package -A ^git$
git     2.31.1  out,send-email,svn,credential-netrc,credential-libsecret,subtree,gui    gnu/packages/version-control.scm:176:2
$ guix environment -CN --ad-hoc git nss-certs -- git clone https://bitbucket.org/oseledets/rectcross /tmp/rectcross
Cloning into '/tmp/rectcross'...
fatal: unable to access 'https://bitbucket.org/oseledets/rectcross/': gnutls_handshake() failed: An illegal parameter has been received.
$ guix describe
Generacio 185   Jun 07 2021 15:07:46    (nuna)
  guix e3611cc
    repository URL: https://git.savannah.gnu.org/git/guix.git
    branch: master
    commit: e3611cc412e7b1c750a56d17fb1b7cde684baa3f
$ guix package -A '^git$'
git     2.32.0  out,send-email,svn,credential-netrc,credential-libsecret,subtree,gui    gnu/packages/version-control.scm:176:2
--8<---------------cut here---------------end--------------->8---

Thoughts?

Ludo’.

From debbugs-submit-bounces@debbugs.gnu.org Tue Jun 15 06:33:37 2021
From: Ludovic Courtès
To: control@debbugs.gnu.org
Subject: control message for bug #49035
Date: Tue, 15 Jun 2021 12:33:28 +0200
Message-Id: <87wnqvs9hj.fsf@gnu.org>

severity 49035 important
quit

From debbugs-submit-bounces@debbugs.gnu.org Tue Jun 15 08:39:07 2021
From: Ludovic Courtès
To: 49035@debbugs.gnu.org
Cc: Emmanuel Agullo
Subject: Re: bug#49035: Git 2.32.0 fails with ‘gnutls_handshake’ error
Date: Tue, 15 Jun 2021 14:38:56 +0200
Message-ID: <87pmwns3of.fsf@gnu.org>
In-Reply-To: <871r93v665.fsf@inria.fr>
Ludovic Courtès writes:

> $ guix environment -CN --ad-hoc git nss-certs -- git clone https://bitbucket.org/oseledets/rectcross /tmp/rectcross
> Cloning into '/tmp/rectcross'...
> fatal: unable to access 'https://bitbucket.org/oseledets/rectcross/': gnutls_handshake() failed: An illegal parameter has been received.
> $ guix describe
> Generacio 185   Jun 07 2021 15:07:46    (nuna)
>   guix e3611cc
>     repository URL: https://git.savannah.gnu.org/git/guix.git
>     branch: master
>     commit: e3611cc412e7b1c750a56d17fb1b7cde684baa3f

Initially I thought this might have to do with the GnuTLS 3.6.15 → 3.6.16
replacement:

--8<---------------cut here---------------start------------->8---
$ guix environment -CN --no-grafts --ad-hoc git nss-certs -- git clone https://bitbucket.org/oseledets/rectcross /tmp/rectcross
Cloning into '/tmp/rectcross'...
Receiving objects: 100% (112/112), 23.43 KiB | 244.00 KiB/s, done.
Resolving deltas: 100% (56/56), done.
$ guix build gnutls
/gnu/store/199npi1hcv7zn0r19vl29np6ccshii4p-gnutls-3.6.16-debug
/gnu/store/8ixa3p7hwb26warjinffcrvzl064wbcg-gnutls-3.6.16-doc
/gnu/store/akc7l65z459pnifrr6bcm97cjvmpvp9k-gnutls-3.6.16
$ guix build gnutls --no-grafts
/gnu/store/vswbfgjcadrjlkmd5d7p38rr0i87wdqy-gnutls-3.6.15-debug
/gnu/store/fzi1qqvcj5h2b6nsajwlqpf0jb66ngnb-gnutls-3.6.15-doc
/gnu/store/5yvzilh78996627i8avq532sl2c03i95-gnutls-3.6.15
--8<---------------cut here---------------end--------------->8---

But Git does not use GnuTLS directly, only via cURL:

--8<---------------cut here---------------start------------->8---
$ guix graph -t references --path git-minimal $(guix build --no-grafts gnutls |grep '[0-9]$')
/gnu/store/skxzvsvnl7yqgx99l0m7mqcpz85l8fml-git-minimal-2.32.0
/gnu/store/k9wmrk5m91599lk8gd4rc7h4df642qw0-curl-7.74.0
/gnu/store/5yvzilh78996627i8avq532sl2c03i95-gnutls-3.6.15
--8<---------------cut here---------------end--------------->8---

And indeed, cURL 7.77 (the replacement) exhibits the bogus behavior:

--8<---------------cut here---------------start------------->8---
$ guix environment -CN --no-grafts --ad-hoc curl@7.77 nss-certs -- curl https://bitbucket.org > /dev/null
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (35) gnutls_handshake() failed: An illegal parameter has been received.
$ guix environment -CN --no-grafts --ad-hoc curl@7.74 nss-certs -- curl https://bitbucket.org > /dev/null
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 75735  100 75735    0     0   134k      0 --:--:-- --:--:-- --:--:--  134k
--8<---------------cut here---------------end--------------->8---

Ludo’.
From debbugs-submit-bounces@debbugs.gnu.org Tue Jun 15 17:51:20 2021
From: Ludovic Courtès
To: 49035@debbugs.gnu.org
Cc: Emmanuel Agullo, gnutls-help@lists.gnutls.org
Subject: TLS downgrade at bitbucket.org
Date: Tue, 15 Jun 2021 23:51:08 +0200
Message-ID: <87eed2re43.fsf_-_@gnu.org>
In-Reply-To: <87pmwns3of.fsf@gnu.org>

Hi,

(+Cc: gnutls-help; this is about a TLS 1.3→1.2 downgrade at
bitbucket.org, see for context.)

Ludovic Courtès writes:

> And indeed, cURL 7.77 (the replacement) exhibits the bogus behavior:
>
> $ guix environment -CN --no-grafts --ad-hoc curl@7.77 nss-certs -- curl https://bitbucket.org > /dev/null
>   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
>                                  Dload  Upload   Total   Spent    Left  Speed
>   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
> curl: (35) gnutls_handshake() failed: An illegal parameter has been received.
> $ guix environment -CN --no-grafts --ad-hoc curl@7.74 nss-certs -- curl https://bitbucket.org > /dev/null
>   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
>                                  Dload  Upload   Total   Spent    Left  Speed
> 100 75735  100 75735    0     0   134k      0 --:--:-- --:--:-- --:--:--  134k

So these two cURL versions use different TLS priority strings; here’s
the one that cURL 7.77 uses (bad) vs. the one that 7.74 uses (good):

--8<---------------cut here---------------start------------->8---
$ gnutls-cli --priority="NORMAL:-ARCFOUR-128:-CTYPE-ALL:+CTYPE-X509:-VERS-SSL3.0:-VERS-TLS-ALL:+VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2:+VERS-TLS1.3" -p https bitbucket.org
Processed 444 CA certificate(s).
Resolving 'bitbucket.org:https'...
Connecting to '2406:da00:ff00::6b17:d1f5:443'...
|<1>| Detected downgrade to TLS 1.2 from TLS 1.3
*** Fatal error: An illegal parameter has been received.
$ gnutls-cli --priority="NORMAL:-ARCFOUR-128:-CTYPE-ALL:+CTYPE-X509:-VERS-SSL3.0" -p https bitbucket.org
Processed 444 CA certificate(s).
Resolving 'bitbucket.org:https'...
Connecting to '2406:da00:ff00::6b17:d1f5:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `CN=bitbucket.org,OU=Bitbucket,O=Atlassian\, Inc.,L=San Francisco,ST=California,C=US,serialNumber=3928449,jurisdictionOfIncorporationStateOrProvinceName=Delaware,jurisdictionOfIncorporationCountryName=US,businessCategory=Private Organization', issuer `CN=DigiCert SHA2 Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US', serial 0x040c19f4e9ba36e333316834b8908235, EC/ECDSA key 256 bits, signed using RSA-SHA256, activated `2020-03-27 00:00:00 UTC', expires `2022-05-23 12:00:00 UTC', pin-sha256="nFuN2gwclU/9rBe3vz/UUe48hIdL5wLVY8Zke9vApM0="
        Public Key ID:
                sha1:5f7c6de5e52a6bc39dfdcd5230220f1a7957772b
                sha256:9c5b8dda0c1c954ffdac17b7bf3fd451ee3c84874be702d563c6647bdbc0a4cd
        Public Key PIN:
                pin-sha256:nFuN2gwclU/9rBe3vz/UUe48hIdL5wLVY8Zke9vApM0=
- Certificate[1] info:
 - subject `CN=DigiCert SHA2 Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US', issuer `CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US', serial 0x0c79a944b08c11952092615fe26b1d83, RSA key 2048 bits, signed using RSA-SHA256, activated `2013-10-22 12:00:00 UTC', expires `2028-10-22 12:00:00 UTC', pin-sha256="RRM1dGqnDFsCJXBTHky16vi1obOlCgFFn/yOhI/y+ho="
- Status: The certificate is trusted.
- Description: (TLS1.3-X.509)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-SHA256)-(AES-128-GCM)
- Options: OCSP status request,
- Handshake was completed

- Simple Client Mode:

C-c C-c
--8<---------------cut here---------------end--------------->8---

The key thing here is “Detected downgrade to TLS 1.2 from TLS 1.3”.

Why is a downgrade detected when using the most explicit priority
string and not when using the shorter string?  Aren’t these two
priority strings supposed to be equivalent today?

(This is with GnuTLS 3.6.16.)

Thanks,
Ludo’.
From debbugs-submit-bounces@debbugs.gnu.org Fri Jun 18 08:11:09 2021
From: Ludovic Courtès
To: 49035@debbugs.gnu.org
Cc: Emmanuel Agullo
Subject: Re: bug#49035: Git 2.32.0 fails with ‘gnutls_handshake’ error
Date: Fri, 18 Jun 2021 14:10:58 +0200
Message-ID: <87wnqrfk4t.fsf_-_@gnu.org>
In-Reply-To: <87eed2re43.fsf_-_@gnu.org>

Ludovic Courtès writes:

> So these two cURL versions use different TLS priority strings; here’s
> the one that cURL 7.77 uses (bad) vs. the one that 7.74 uses (good):

Also reported at .

Ludo’.

From debbugs-submit-bounces@debbugs.gnu.org Fri Jun 18 09:01:33 2021
From: Ludovic Courtès
To: control@debbugs.gnu.org
Subject: control message for bug #49035
Date: Fri, 18 Jun 2021 15:01:24 +0200
Message-Id: <874kdvfhsr.fsf@gnu.org>

retitle 49035 cURL 7.77.0 uses invalid TLS priority string, prevents access to bitbucket.org
quit

From debbugs-submit-bounces@debbugs.gnu.org Fri Jun 18 11:44:08 2021
From: Ludovic Courtès
To: 49035-done@debbugs.gnu.org
Cc: Emmanuel Agullo
Subject: Re: bug#49035: Git 2.32.0 fails with ‘gnutls_handshake’ error
Date: Fri, 18 Jun 2021 17:43:58 +0200
Message-ID: <87y2b7dvpd.fsf@gnu.org>
In-Reply-To: <87wnqrfk4t.fsf_-_@gnu.org>

Ludovic Courtès writes:

> Ludovic Courtès writes:
>
>> So these two cURL versions use different TLS priority strings; here’s
>> the one that cURL 7.77 uses (bad) vs. the one that 7.74 uses (good):
>
> Also reported at .

The issue turned out to be that cURL’s priority string specifies
protocol versions in the wrong order, favoring old versions over new
ones (see the issue above).

Fixed in caf4a7a2770ef4d05a6e18f40d602e51da749ddc!

Thanks,
Ludo’.

From debbugs-submit-bounces@debbugs.gnu.org Sat Jun 19 11:17:53 2021
From: Daiki Ueno
To: Ludovic Courtès
Cc: 49035@debbugs.gnu.org, Emmanuel Agullo, gnutls-help@lists.gnutls.org
Subject: Re: [gnutls-help] TLS downgrade at bitbucket.org
Date: Sat, 19 Jun 2021 17:17:30 +0200
Message-ID: <87tultyjcl.fsf-ueno@gnu.org>
In-Reply-To: <87eed2re43.fsf_-_@gnu.org>
Ludovic Courtès writes:

> $ gnutls-cli --priority="NORMAL:-ARCFOUR-128:-CTYPE-ALL:+CTYPE-X509:-VERS-SSL3.0:-VERS-TLS-ALL:+VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2:+VERS-TLS1.3" -p https bitbucket.org
> Processed 444 CA certificate(s).
> Resolving 'bitbucket.org:https'...
> Connecting to '2406:da00:ff00::6b17:d1f5:443'...
> |<1>| Detected downgrade to TLS 1.2 from TLS 1.3
> *** Fatal error: An illegal parameter has been received.

[...]

> The key thing here is “Detected downgrade to TLS 1.2 from TLS 1.3”.
>
> Why is a downgrade detected when using the most explicit priority
> string and not when using the shorter string?

I would say this is an expected behavior when the TLS downgrade
protection mechanism[1] is in action.  What happens is as follows:

- the client advertises TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3 (in this
  order) in the supported_versions extension
- the server skips TLS 1.0 and TLS 1.1 (maybe it's disabled), sees TLS
  1.2 first in supported_versions, then TLS 1.3; while it also supports
  TLS 1.3, as TLS 1.2 has precedence, it selects TLS 1.2 and sends the
  downgrade sentinel in server_random
- the client sees the sentinel while TLS 1.3 is enabled, treats it as an
  unwanted protocol downgrade

> Aren’t these two priority strings supposed to be equivalent today?

No.  If -VERS-TLS-ALL is used, the default priorities on TLS versions in
NORMAL are ignored; the user is responsible for building the priority
string so it reflects the actual preference, which in this case is:

-VERS-TLS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0

Footnotes:
[1] https://datatracker.ietf.org/doc/html/rfc8446#section-4.1.3

Regards,
-- 
Daiki Ueno

From debbugs-submit-bounces@debbugs.gnu.org Sun Jun 20 17:26:27 2021
From: Ludovic Courtès
To: Daiki Ueno
Cc: 49035@debbugs.gnu.org, Emmanuel Agullo, gnutls-help@lists.gnutls.org
Subject: Re: [gnutls-help] TLS downgrade at bitbucket.org
Date: Sun, 20 Jun 2021 23:26:13 +0200
Message-ID: <87wnqo6xe2.fsf@gnu.org>
In-Reply-To: <87tultyjcl.fsf-ueno@gnu.org>

Hi Daiki,

Daiki Ueno writes:

> Ludovic Courtès writes:
>
>> $ gnutls-cli --priority="NORMAL:-ARCFOUR-128:-CTYPE-ALL:+CTYPE-X509:-VERS-SSL3.0:-VERS-TLS-ALL:+VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2:+VERS-TLS1.3" -p https bitbucket.org

[...]

>> Aren’t these two priority strings supposed to be equivalent today?
>
> No.  If -VERS-TLS-ALL is used, the default priorities on TLS versions in
> NORMAL are ignored; the user is responsible for building the priority
> string so it reflects the actual preference, which in this case is:
>
> -VERS-TLS-ALL:+VERS-TLS1.3:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0

Thanks for the explanations.  As you suggest, the mistake was that cURL
7.77.0 would pass the priority string in the “wrong order”, preferring
older TLS versions.  This is now fixed:

  https://github.com/curl/curl/issues/7277

Ludo’.

From unknown Sat Jun 21 12:24:05 2025
From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Date: Mon, 19 Jul 2021 11:24:05 +0000

bug archived.