Scott McGillivray | 17 Jun 11:58 2012

gnuTLS 3.0.20 - 'Fatal error: The TLS connection was non-properly terminated' against Cisco load balancers

Hi,

On my older Debian server running gnutls-cli (GnuTLS) 2.8.5, if I test various websites located behind a Cisco CSS load balancer that does the SSL offload with the command "gnutls-cli accounts.codemasters.com", it works OK, but with a newer install of Debian server running gnutls-cli 3.0.20, if I issue the same command I get the error below.

Processed 153 CA certificate(s).
Resolving 'accounts.codemasters.com'...
Connecting to '94.75.196.190:443'...
|<1>| Note that the security level of the Diffie-Hellman key exchange has been lowered to 512 bits and this may allow decryption of the session data
*** Fatal error: The TLS connection was non-properly terminated.
No certificates found!
*** Handshake has failed
GnuTLS error: The TLS connection was non-properly terminated.

 
If I try to connect to https://accounts.codemasters.com using Firefox, Chrome or openssl s_client then it works fine. So it seems that GnuTLS 3.0.x has a bug maybe? On the server running gnuTLS 3.0.20 I am able to run gnutls-cli against other sites such as google.com, hotmail.com etc. and it works fine, so I know that it works, just not against the sites where the SSL offload is performed by these Cisco CSS load balancers.

On the gnuTLS 2.8.5 install I noticed that the client/server hello is processed OK, as seen in the debug output below:

|<3>| HSK[0x9342d78]: CLIENT HELLO was send [136 bytes]
|<2>| ASSERT: gnutls_cipher.c:204
|<2>| ASSERT: gnutls_cipher.c:204
|<3>| HSK[0x9342d78]: SERVER HELLO was received [74 bytes]
|<3>| HSK[0x9342d78]: Server's version: 3.1
|<3>| HSK[0x9342d78]: SessionID length: 32
|<3>| HSK[0x9342d78]: SessionID: a32ec5fb0f2fef86bbc660747ee3cd49f0d68483ced53f116f451a96a2ad97d0
|<3>| HSK[0x9342d78]: Selected cipher suite: RSA_ARCFOUR_MD5
|<2>| ASSERT: gnutls_extensions.c:124
|<2>| ASSERT: gnutls_cipher.c:204
|<3>| HSK[0x9342d78]: CERTIFICATE was received [3602 bytes]


but on the 3.2.20 install I get:


|<3>| HSK[0x1b5c550]: CLIENT HELLO was queued [217 bytes]
|<7>| HWRITE: enqueued [CLIENT HELLO] 217. Total 217 bytes.
|<7>| HWRITE FLUSH: 217 bytes in buffer.
|<4>| REC[0x1b5c550]: Preparing Packet Handshake(22) with length: 217
|<9>| ENC[0x1b5c550]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
|<7>| WRITE: enqueued 222 bytes for 0x4. Total 222 bytes.
|<4>| REC[0x1b5c550]: Sent Packet[1] Handshake(22) in epoch 0 and length: 222
|<7>| HWRITE: wrote 1 bytes, 0 bytes left.
|<7>| WRITE FLUSH: 222 bytes in buffer.
|<7>| WRITE: wrote 222 bytes, 0 bytes left.
|<2>| ASSERT: gnutls_buffers.c:974
|<7>| READ: Got 0 bytes from 0x4
|<7>| READ: read 0 bytes from 0x4
|<2>| ASSERT: gnutls_buffers.c:482
|<2>| ASSERT: gnutls_record.c:876
|<2>| ASSERT: gnutls_record.c:986
|<2>| ASSERT: gnutls_buffers.c:1175
|<2>| ASSERT: gnutls_handshake.c:1269
|<2>| ASSERT: gnutls_handshake.c:2484
*** Fatal error: The TLS connection was non-properly terminated.
|<2>| ASSERT: gnutls_ui.c:544
No certificates found!
|<4>| REC: Sending Alert[2|10] - Unexpected message
|<4>| REC[0x1b5c550]: Preparing Packet Alert(21) with length: 2
|<9>| ENC[0x1b5c550]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
|<7>| WRITE: enqueued 7 bytes for 0x4. Total 7 bytes.
|<7>| WRITE FLUSH: 7 bytes in buffer.
|<2>| errno: 32
|<2>| ASSERT: gnutls_buffers.c:374
|<7>| WRITE error: code -53, 7 bytes left.
|<2>| ASSERT: gnutls_buffers.c:599
|<2>| ASSERT: gnutls_record.c:456
*** Handshake has failed
GnuTLS error: The TLS connection was non-properly terminated.


Can anyone suggest how I can fix this? I'm trying to use a program that needs gnuTLS 3.x libs, so I can't just use gnuTLS 2.x, which works. Also, the Cisco devices are running the latest and greatest firmware from Cisco, circa Dec 2011.


Many thanks
Scott

_______________________________________________
Help-gnutls mailing list
Help-gnutls <at> gnu.org
https://lists.gnu.org/mailman/listinfo/help-gnutls
Richard Moore | 17 Jun 16:15 2012

Re: gnuTLS 3.0.20 - 'Fatal error: The TLS connection was non-properly terminated' against Cisco load balancers

On 17 June 2012 10:58, Scott McGillivray <scott.mcgillivray <at> gmail.com> wrote:
> Can anyone suggest how I can fix this? I'm trying to use a program that
> needs gnuTLS 3.x libs so i can't just use gnuTLS 2.x that works. Also the
> Cisco devices are running the latest and greatest firmware from Cisco circa
> Dec 2011.

I'd try disabling TLS extensions using --disable-extensions and see if
that makes a difference. I've found with some cisco devices that
compression causes them to drop the connection.

Cheers

Rich.
Scott McGillivray | 17 Jun 18:30 2012

Re: gnuTLS 3.0.20 - 'Fatal error: The TLS connection was non-properly terminated' against Cisco load balancers


On 17 June 2012 15:15, Richard Moore <rich <at> kde.org> wrote:
> On 17 June 2012 10:58, Scott McGillivray <scott.mcgillivray <at> gmail.com> wrote:
> > Can anyone suggest how I can fix this? I'm trying to use a program that
> > needs gnuTLS 3.x libs so i can't just use gnuTLS 2.x that works. Also the
> > Cisco devices are running the latest and greatest firmware from Cisco circa
> > Dec 2011.
>
> I'd try disabling TLS extensions using --disable-extensions and see if
> that makes a difference. I've found with some cisco devices that
> compression causes them to drop the connection.
>
> Cheers
>
> Rich.


Thanks for the suggestion. I tried that option as well as many of the other options from the gnutls-cli man page and none of them made any difference.


Phil Pennock | 18 Jun 01:23 2012

Re: gnuTLS 3.0.20 - 'Fatal error: The TLS connection was non-properly terminated' against Cisco load balancers

On 2012-06-17 at 10:58 +0100, Scott McGillivray wrote:
> If i try to connect to https://accounts.codemasters.com using Firefox,
> Chrome or openssl s_client then it works fine.

Failed for me with openssl s_client, 1.0.1c.  Succeeded with 0.9.8r.

Succeeded with OpenSSL 1.0.1c once I added -no_tls1_2 to the
command-line.

Looks as though the site breaks with TLS 1.2.

-Phil
Scott McGillivray | 18 Jun 10:50 2012

Re: gnuTLS 3.0.20 - 'Fatal error: The TLS connection was non-properly terminated' against Cisco load balancers


I've tried with OpenSSL 0.9.8k and OpenSSL 1.0.1 which both work ok with no special options. The Cisco CSS is quite an old load balancer and doesn't support TLS 1.1 let alone TLS 1.2 so I'm not sure why openssl 1.0.1c would fail until you specifically told it to ignore TLS 1.2. I thought as part of the negotiation, openssl would have detected that TLS 1.0 was only supported.

I had a quick look through the openssl changelog (http://www.openssl.org/news/changelog.html) to see if there were any obvious changes between 1.0.1 and 1.0.1c that might cause the problem, but nothing jumped out at me.

I don't know if the problem seen in openssl 1.0.1c might be related to the problem I'm seeing in gnutls 3.0.20? I couldn't see a similar option for gnutls-cli to force TLS 1.0 or ignore TLS 1.2 for me to test.

Thanks for the help.


Richard Moore | 18 Jun 11:03 2012

Re: gnuTLS 3.0.20 - 'Fatal error: The TLS connection was non-properly terminated' against Cisco load balancers

On 18 June 2012 09:50, Scott McGillivray <scott.mcgillivray <at> gmail.com> wrote:
> I don't know if the problem seen in openssl 1.0.1c might be related to the
> problem I'm seeing in gnutls 3.0.20? I couldn't see a similar option for
> gnutls-cli to force TLS 1.0 or ignore TLS 1.2 for me to test.

--protocols

Rich.
Scott McGillivray | 18 Jun 11:36 2012

Re: gnuTLS 3.0.20 - 'Fatal error: The TLS connection was non-properly terminated' against Cisco load balancers

On 18 June 2012 10:03, Richard Moore <rich <at> kde.org> wrote:
> On 18 June 2012 09:50, Scott McGillivray <scott.mcgillivray <at> gmail.com> wrote:
> > I don't know if the problem seen in openssl 1.0.1c might be related to the
> > problem I'm seeing in gnutls 3.0.20? I couldn't see a similar option for
> > gnutls-cli to force TLS 1.0 or ignore TLS 1.2 for me to test.
>
> --protocols
>
> Rich.


Many thanks, that allowed me to connect.

I think the --protocols option is deprecated, I couldn't find it in the man pages, but I was able to successfully connect to the site using the command below, which does the same thing.

gnutls-cli --priority NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:+VERS-SSL3.0:%COMPAT accounts.codemasters.com

Info on the command found at http://www.gnu.org/software/gnutls/manual/gnutls.html#Interoperability

I wonder what has changed in gnutls and openssl in recent versions that prevents them from gracefully downgrading to a supported TLS version when connecting to these Cisco CSS units.

Thanks again for your help.

Scott.
Nikos Mavrogiannopoulos | 19 Jun 00:28 2012

Re: gnuTLS 3.0.20 - 'Fatal error: The TLS connection was non-properly terminated' against Cisco load balancers

On 06/18/2012 11:36 AM, Scott McGillivray wrote:

> gnutls-cli --priority
> NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:+VERS-SSL3.0:%COMPAT
> accounts.codemasters.com
> 
> Info on the command found at
> http://www.gnu.org/software/gnutls/manual/gnutls.html#Interoperability
> 
> I wonder what has changed in gnutls and openssl in recent versions that
> prevents them from gracefully downgrading to a supported TLS version when
> connecting to these Cisco CSS units.

The downgrade occurs on the server side. In the case you describe most
probably it's a broken server.

regards,
Nikos
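The thread ends with a diagnosis (the offload device drops a ClientHello that advertises TLS 1.2, and the --priority string pins the client to TLS 1.0) but no way to confirm it other than trying gnutls-cli by hand. The following is an added example, written for this page and not code from GnuTLS, OpenSSL or any of the posters: it builds a minimal ClientHello whose advertised version can be pinned, and classifies the server's first reply the way one reads the 3.0.20 debug log above, where "READ: Got 0 bytes" means the peer closed the socket without sending an alert. All function names, the cipher-suite list and the sample reply bytes in the test are constructed for this example; the only real identifiers are the TLS wire constants.

```python
"""Version-intolerance probe for TLS servers (added example).

Sends one minimal ClientHello offering a chosen protocol version and
classifies what comes back: a ServerHello (negotiation worked), an Alert
(server rejected us explicitly), or zero bytes (server closed the socket,
the behaviour the gnutls-cli log in the thread shows).  Not part of GnuTLS.
"""
import socket
import struct

# TLS version numbers as encoded on the wire: (major, minor).
VERSIONS = {"SSL3.0": (3, 0), "TLS1.0": (3, 1), "TLS1.1": (3, 2), "TLS1.2": (3, 3)}
NAMES = {v: k for k, v in VERSIONS.items()}

# Cipher suite values from RFC 2246 / RFC 5246 appendix A.5; a constructed
# list chosen so that a TLS 1.0-era offload device recognises at least one.
CIPHER_SUITES = [0x002F, 0x0035, 0x000A, 0x0004]  # AES128-SHA, AES256-SHA, 3DES-SHA, RC4-MD5


def build_client_hello(version, record_version=(3, 1), client_random=b"\x00" * 32):
    """Return one TLS record carrying a ClientHello that offers `version`
    and no extensions.  The record-layer version stays at 3.1 (TLS 1.0), as
    most clients send; the handshake-layer version is the field that a
    version-intolerant server trips over."""
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (bytes(version) + client_random
            + b"\x00"                                   # session_id length: 0
            + struct.pack("!H", len(suites)) + suites    # cipher_suites vector
            + b"\x01\x00")                              # compression: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16" + bytes(record_version) + struct.pack("!H", len(handshake)) + handshake


def classify_reply(data):
    """Classify the first bytes read after the ClientHello was sent.

    Returns (kind, detail): ("closed", None), ("alert", (level, description)),
    ("server_hello", negotiated-version-name) or ("unknown", hex-prefix).
    """
    if not data:
        # Zero bytes read: the peer closed the connection without an alert.
        return ("closed", None)
    content_type = data[0]
    if content_type == 0x15 and len(data) >= 7:                 # Alert record
        return ("alert", (data[5], data[6]))
    if content_type == 0x16 and len(data) >= 11 and data[5] == 0x02:  # ServerHello
        chosen = (data[9], data[10])
        return ("server_hello", NAMES.get(chosen, chosen))
    return ("unknown", data[:5].hex())


def interpret(results):
    """Summarise a {version_name: classification} map from several probes."""
    accepted = [v for v, (kind, _) in results.items() if kind == "server_hello"]
    dropped = [v for v, (kind, _) in results.items() if kind == "closed"]
    if accepted and dropped:
        return "version-intolerant server: negotiates with %s, drops %s" % (
            ",".join(accepted), ",".join(dropped))
    if accepted:
        return "server negotiates with every offered version"
    if dropped:
        return "server drops every probe; not a version issue"
    return "inconclusive"


def probe(host, port=443, version=(3, 3), timeout=5.0):
    """Network probe: one ClientHello, then classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version))
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionError):
            data = b""          # a reset or silence is treated like a close
    return classify_reply(data)


if __name__ == "__main__":
    import sys
    target = sys.argv[1]
    outcome = {name: probe(target, version=ver) for name, ver in VERSIONS.items()}
    for name, result in outcome.items():
        print("%-7s %s" % (name, result))
    print(interpret(outcome))
```

Run it as `python3 probe.py <host>` against a host you administer; a result of "server_hello" for TLS1.0 and "closed" for TLS1.2 is the pattern this thread describes, and it tells you the fix belongs on the server side (as Nikos notes) rather than in the client library, with the --priority string above serving only as a client-side workaround.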
