Re: [Evolution-hackers] evolution failing on TLSv1.3 after gnutls upgrade



On Mon, 2019-05-13 at 07:59 -0700, James Bottomley wrote:
> As for how to apply the fix (assuming we can find it), this is a hard
> one.  Clearly the bug was always present, but the conditions that
> trip it remained untested until people started turning on TLSv1.3.
> I think the best way forward is to open bugs with the distros and see
> what they want to do: Either find and fix the bug or update to 2.55.2.

        Hi,
I see. That would work until a new version of the TLS is released and
implemented and advertised by the servers with clients which probably
know about it (due to new enough gnutls being installed, right?), but
its usage in glib-networking failing for whatever reason.

> Just to clarify, the server isn't requiring a particular version,
> it's offering a set of options and we're choosing TLSv1.3 which we
> then can't negotiate successfully, so the bug is client side but
> triggered both by the client going to a gnutls (or probably openssl
> but I can't test that) version that makes 1.3 possible and the server
> offering it as an option.

Oh, you are right, I'm sorry for misinterpreting it.

Maybe glib-networking can be changed to try lower version(s)
(when allowed to), when the best it thinks it can use fails with this
error (meaning if the server advertises TLS versions 1.2 and 1.3, the
client can try with 1.3 and if it fails, then retry with 1.2). I'd
expect such a naive "solution" would work on the gnutls level
transparently though. I do not know gnutls, nor glib-networking, thus
this is really just a very naive idea.

Consider filing a bug against glib-networking [1] and ask them whether
they can do anything about it. You've a clear view of what is going on in
the background, thus you'd be able to explain the problem to them. Feel
free to use the test program to your liking.

By the way, the openssl implementation for glib-networking is very new,
released as part of 2.60.0, on March 11 [2].
        Bye,
        Milan

[1] https://gitlab.gnome.org/GNOME/glib-networking/issues/new
[2] https://gitlab.gnome.org/GNOME/glib-networking/blob/2.60.0/NEWS#L1


