Your message dated Sat, 21 Dec 2019 18:32:10 +0000 with message-id <[email protected]> and subject line Bug#933538: fixed in gnutls28 3.6.7-4+deb10u1 has caused the Debian Bug report #933538, regarding libgnutls30: still fails with older servers to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
933538: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933538
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libgnutls30
Version: 3.6.7-4
Severity: important

Dear Maintainer,

   * What led up to the situation?

First, I had problems using sogo-tool for a sogo instance connected to an older LDAP Server. Restoring a user gave this error:

2019-07-31 12:51:37.411 sogo-tool[11248:11248] Received packet with illegal length: 16624
2019-07-31 12:51:37.411 sogo-tool[11248:11248] Fatal LDAP error during ldap_result: Can't contact LDAP server

   * What exactly did you do (or not do) that was effective (or ineffective)?

In order to isolate the problem, I used gnutls-utils for opening a server on the older LDAP machine:

gnutls-serv --echo --x509keyfile /etc/ssl/private/ssl-cert-snakeoil.key --x509certfile /etc/ssl/certs/ssl-cert-snakeoil.pem

The server runs libgnutls26 2.12.23-12ubuntu2.8

On the client machine (buster) I tried

pwgen 16383 | gnutls-cli --no-ca-verification --port 5556 server

   * What was the outcome of this action?

On the client I get something like this:

root@groupware-beta:~# pwgen 16383 | gnutls-cli --no-ca-verification --port 5556 ldap.company.x
Processed 130 CA certificate(s).
Resolving 'redacted'...
Connecting to 'redacted:5556'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
 - subject `CN=redacted', issuer `CN=redacted', serial 0x00e120b43d69e2e4d8, RSA key 2048 bits, signed using RSA-SHA256, activated `2017-07-06 10:03:48 UTC', expires `2027-07-04 10:03:48 UTC', pin-sha256="SxggXxyfEDi9fmVyLwzPN9yE5y69T92aF8CBdGMe9Rc="
	Public Key ID:
		sha1:21c8b2ecfc2b23da00de3371a4aa7bb8b8fc13bc
		sha256:4b18205f1c9f1038bd7e65722f0ccf37dc84e72ebd4fdd9a17c08174631ef517
	Public Key PIN:
		pin-sha256:SxggXxyfEDi9fmVyLwzPN9yE5y69T92aF8CBdGMe9Rc=

- Successfully sent 0 certificate(s) to server.
- Description: (TLS1.2)-(RSA)-(AES-256-CBC)-(SHA1)
- Session ID: 74:27:72:45:ED:A4:AA:BD:4C:06:1C:43:3D:1C:71:3D:AE:02:14:06:7D:72:25:01:ED:4F:50:BF:C5:67:1C:79
- Options: safe renegotiation,
- Handshake was completed

- Simple Client Mode:

|<1>| Received packet with illegal length: 16624
*** Fatal error: A TLS record packet with invalid length was received.
*** Server has terminated the connection abnormally.

The server does not show anything abnormal:

* Successful handshake from IPv4 REDACTED_IP port 43420
- Given server name[1]: ldap.indurad.x
- Certificate type: X.509
No certificates found!
- Could not verify certificate (err: The peer did not send any certificate.)
- Version: TLS1.2
- Key Exchange: RSA
- Cipher: AES-256-CBC
- MAC: SHA1
- Compression: NULL
received: pheedei [...]

   * What outcome did you expect instead?

Successful connection to server and echo of the sent bytes.

I also tried this with libgnutls30 3.6.8-2 on the client side (taken from testing). Same problem persists.

-- System Information:
Debian Release: 10.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libgnutls30 depends on:
ii  libc6          2.28-10
ii  libgmp10       2:6.1.2+dfsg-4
ii  libhogweed4    3.4.1-1
ii  libidn2-0      2.0.5-1
ii  libnettle6     3.4.1-1
ii  libp11-kit0    0.23.15-2
ii  libtasn1-6     4.13-3
ii  libunistring2  0.9.10-1

libgnutls30 recommends no packages.

Versions of packages libgnutls30 suggests:
ii  gnutls-bin  3.6.7-4

-- no debconf information
--- End Message ---
--- Begin Message ---
Source: gnutls28
Source-Version: 3.6.7-4+deb10u1

We believe that the bug you reported is fixed in the latest version of gnutls28, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Metzler <[email protected]> (supplier of updated gnutls28 package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 30 Nov 2019 13:41:59 +0100
Source: gnutls28
Architecture: source
Version: 3.6.7-4+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Debian GnuTLS Maintainers <[email protected]>
Changed-By: Andreas Metzler <[email protected]>
Closes: 933538
Changes:
 gnutls28 (3.6.7-4+deb10u1) buster; urgency=medium
 .
   * 42_rel3.6.10_01-gnutls_epoch_set_keys-do-not-forbid-random-padding.patch
     from 3.6.10: Fix interop problems with gnutls 2.x. Closes: #933538
     (Thanks, Hanno Stock!)
--- End Message ---
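Added example (not part of the bug report or of the GnuTLS patch): the record-length arithmetic behind the rejected value 16624 for the negotiated TLS1.2 AES-256-CBC/SHA1 suite, using the limits from RFC 5246. It assumes the unfixed client sized its receive limit for minimal CBC padding, which is an inference from the patch name; the function names are hypothetical and the plaintext size of the failing record is not shown in the report.

```python
# Added example: TLS 1.2 CBC record-length bounds for AES-256-CBC + HMAC-SHA1.
# Constants are from RFC 5246; function names are hypothetical, not GnuTLS internals.

MAX_PLAINTEXT = 2 ** 14               # TLSPlaintext.length limit
RFC_MAX_CIPHERTEXT = 2 ** 14 + 2048   # TLSCiphertext.length limit
BLOCK = 16                            # AES block size, also the explicit IV size
MAC_LEN = 20                          # HMAC-SHA1 tag
MAX_PAD = 256                         # 255 padding bytes + the padding_length byte


def record_len(plaintext_len, extra_blocks=0):
    """Record length with minimal padding plus optional extra padding blocks."""
    body = plaintext_len + MAC_LEN + 1        # +1 for the padding_length byte
    body += -body % BLOCK                     # round up to a block boundary
    pad = body - plaintext_len - MAC_LEN + extra_blocks * BLOCK
    if pad > MAX_PAD:
        raise ValueError("padding exceeds 256 bytes")
    return BLOCK + plaintext_len + MAC_LEN + pad


def padding_range(length):
    """(min, max) total padding bytes that make `length` a valid record, else None."""
    body = length - BLOCK                     # strip the explicit IV
    if length > RFC_MAX_CIPHERTEXT or body <= 0 or body % BLOCK:
        return None
    lo = max(1, body - MAC_LEN - MAX_PLAINTEXT)
    hi = min(MAX_PAD, body - MAC_LEN)
    return (lo, hi) if lo <= hi else None


def classify(length):
    """Compare a record length with a limit sized for minimal padding (assumption)."""
    strict_limit = record_len(MAX_PLAINTEXT)  # largest record with minimal padding
    if padding_range(length) is None:
        return "invalid"
    if length <= strict_limit:
        return "fits minimal-padding limit"
    return "needs extra padding"


if __name__ == "__main__":
    for n in (16432, 16624, 16688):
        print(n, padding_range(n), classify(n))
```

A record of 16624 bytes is only possible with at least 204 bytes of CBC padding, which is legal under RFC 5246 but larger than the 16432-byte maximum a sender using minimal padding would ever produce.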

