
Re: Re: GnuTLS versions 2.9.7 and later breaks libsoup (epiphany)


From: Dan Winship
Subject: Re: Re: GnuTLS versions 2.9.7 and later breaks libsoup (epiphany)
Date: Sun, 27 Jun 2010 10:41:16 -0400
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.10) Gecko/20100621 Fedora/3.0.5-1.fc13 Thunderbird/3.0.5

On 01/-10/-28163 02:59 PM, Simon Josefsson wrote:
>> Shouldn't GnuTLS fall back to the supported protocol (SSL 3.0) in that
>> case instead of getting stuck?
> 
> I think there is a bug in epiphany (or libsoup) here that causes it to
> send the same request over and over again

Yes, that was already fixed in libsoup; Debian must not have the latest
version.

> What it could do is to try the request with default settings (i.e.,
> NORMAL, which makes it support the latest protocol improvements) but if that
> fails with an error message that indicates that re-trying without TLS 1.x
> will help, it should re-try with lower TLS protocol versions.

That's the eventual plan, but it's complicated, since the retrying has
to happen at a higher level of the stack, since there may be non-TLS
stuff that has to happen before you get to the new handshake. (E.g., if
you're connecting to the bad site via a proxy, you need to send at least
a CONNECT first.)

> A better solution is to attempt the NORMAL setting first, and if it
> fails, also attempt to negotiate using SSL3+TLS1 only.  If that fails,
> stop retrying.

As someone else noted, PayPal's server is too broken for that. My plan
was to try NORMAL first, and then fall back to SSL3-only; otherwise
there are too many variables for different ways servers could be broken
(maybe they support TLS 1.0 without extensions, but fail if you try to
use the server name extension, etc).

-- Dan
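The fallback plan sketched in this message (try NORMAL first, fall back to SSL3-only, stop when the list is exhausted, and redo the proxy CONNECT before every new handshake) can be modelled as a small retry loop above the TLS layer. The block below is an added illustration, not libsoup or GnuTLS code: `FakeServer`, `FakeProxy`, the `"SSL3-ONLY"` label and the `HandshakeError`/`FatalError` split are constructed for the example, and only `NORMAL` is a name taken from the thread (a GnuTLS priority string). It shows two properties the thread cares about: the retry list is finite, so a broken server can never make the client resend the same request forever, and only handshake rejections trigger a retry, so a proxy refusal or a closed port is not retried with a weaker setting.

```python
"""Model of a bounded TLS priority fallback performed above the TLS layer.

Constructed example: the server, proxy and error classes are stand-ins,
not the real libsoup/GnuTLS objects.
"""
from dataclasses import dataclass, field

# Ordered fallback list, matching the plan in the message: NORMAL first,
# then an SSL3-only setting. "SSL3-ONLY" is a constructed label.
FALLBACK_PRIORITIES = ("NORMAL", "SSL3-ONLY")


class HandshakeError(Exception):
    """The server rejected the TLS handshake; retrying with other settings may help."""


class FatalError(Exception):
    """A non-handshake failure (TCP refused, proxy error, ...); retrying is pointless."""


@dataclass
class FakeServer:
    """Constructed remote server. `accepts` lists the priorities it tolerates;
    `refuse_connection` simulates a failure that happens before any handshake."""
    accepts: frozenset
    refuse_connection: bool = False
    handshakes_seen: list = field(default_factory=list)

    def handshake(self, priority):
        if self.refuse_connection:
            raise FatalError("connection refused")
        self.handshakes_seen.append(priority)
        if priority not in self.accepts:
            raise HandshakeError(f"server rejected priority {priority}")
        return f"session({priority})"


@dataclass
class FakeProxy:
    """Constructed HTTP proxy that counts CONNECT requests, one per attempt."""
    connects: int = 0

    def connect(self, host):
        self.connects += 1


def connect_with_fallback(server, host, proxy=None, priorities=FALLBACK_PRIORITIES):
    """Try each priority in order. Return (session, priority_used, attempts).

    Raise HandshakeError once every priority has been rejected, and let a
    FatalError propagate immediately without trying a weaker setting.
    """
    last_error = None
    for attempt, priority in enumerate(priorities, start=1):
        # Each attempt is a fresh connection, so the non-TLS preamble (the proxy
        # CONNECT) has to be repeated; this is why the retry cannot live inside
        # the TLS library itself.
        if proxy is not None:
            proxy.connect(host)
        try:
            session = server.handshake(priority)
            return session, priority, attempt
        except HandshakeError as err:
            last_error = err  # retryable: move on to the next, older setting
    raise HandshakeError(
        f"all {len(priorities)} priority settings rejected for {host}"
    ) from last_error
```

Because the retry is driven by an explicit, finite list, the "same request over and over" failure mode described in the thread cannot occur: the client makes at most `len(FALLBACK_PRIORITIES)` handshakes per request and then reports the error to the caller.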


