On 12/24/2013 10:17 PM, Neil Roeth wrote:
> This command will illustrate the problem:
>
> wget -O- -q https://api.dreamhost.com/
I can confirm that 3.2.7 seems to hang for me, when I do:

  gnutls-cli --priority NORMAL api.dreamhost.com

However, I can connect cleanly with:

  gnutls-cli --priority NORMAL:-DHE-DSS api.dreamhost.com

I can avoid the same hang if I substitute any large-ish class of ciphers anywhere I put DHE-DSS above.

Looking at the traffic on the wire, it looks like the non-hanging connections offer a ClientHello of size < 256 bytes, while the hanging connections have size >= 256 bytes.

This smells a lot like the F5 bug with certain sizes of TLS handshakes being misinterpreted as SSLv2, as reported by Xiaoyong Wu:

  http://thread.gmane.org/gmane.ietf.tls/11187/focus=11227

The way to resolve this would be: if the ClientHello is >= 256 bytes but < 512 bytes, add a meaningless extension to push the size of the ClientHello above 512 bytes.

I haven't tested this yet, unfortunately.

--dkg
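The size-based workaround proposed above, as an added example that is not part of the thread or of GnuTLS itself: it builds a minimal TLS 1.2 ClientHello, measures it, and, when the handshake message lands in the [256, 512) byte range, rebuilds it with a zero-filled extension so the message reaches 512 bytes. Two assumptions are made here: the length that matters is the ClientHello handshake message (4-byte handshake header plus body, not the record layer), and the "meaningless extension" is the padding extension type 21 later standardized in RFC 7685. The cipher-suite list and the host name are constructed stand-ins for what the NORMAL priority string actually sends.

```python
"""
Workaround for the F5 ClientHello-size bug, as an added example.
Assumptions (not from the thread): the measured length is the handshake
message (header + body), and the filler is the RFC 7685 padding extension.
"""
import struct

TLS_EXT_SERVER_NAME = 0
TLS_EXT_PADDING = 21                 # RFC 7685 padding extension (assumed filler)
DANGER_LO, DANGER_HI = 256, 512      # ClientHello sizes in [256, 512) trigger the hang


def sni_extension(hostname: str) -> tuple:
    """Build a server_name extension (type 0) carrying one host_name entry."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name    # name_type = host_name
    return (TLS_EXT_SERVER_NAME, struct.pack("!H", len(entry)) + entry)


def build_client_hello(cipher_suites, extensions, client_random=bytes(32), session_id=b"") -> bytes:
    """Return a TLS 1.2 ClientHello handshake message: 4-byte handshake header + body."""
    body = b"\x03\x03" + client_random                       # client_version, random
    body += struct.pack("!B", len(session_id)) + session_id
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                      # compression_methods: null only
    exts = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(exts)) + exts
    # handshake header: msg_type client_hello (1) followed by a 24-bit length
    return b"\x01" + struct.pack("!I", len(body))[1:] + body


def in_danger_zone(hello: bytes) -> bool:
    """True if this ClientHello has a size the buggy terminator misreads as SSLv2."""
    return DANGER_LO <= len(hello) < DANGER_HI


def pad_client_hello(cipher_suites, extensions) -> bytes:
    """Rebuild the ClientHello with a padding extension when its size falls in [256, 512)."""
    hello = build_client_hello(cipher_suites, extensions)
    if not in_danger_zone(hello):
        return hello
    # 4 bytes go to the extension's own type/length header, the rest to zero payload;
    # when fewer than 4 bytes are missing an empty padding extension still clears 512.
    pad_len = max(0, DANGER_HI - len(hello) - 4)
    padded = build_client_hello(cipher_suites, list(extensions) + [(TLS_EXT_PADDING, bytes(pad_len))])
    assert len(padded) >= DANGER_HI
    return padded


def extension_types(hello: bytes) -> list:
    """Walk a ClientHello handshake message and return the extension types it carries."""
    p = 4                                                   # handshake header
    p += 2 + 32                                             # version + random
    p += 1 + hello[p]                                       # session_id
    p += 2 + struct.unpack("!H", hello[p:p + 2])[0]         # cipher_suites
    p += 1 + hello[p]                                       # compression_methods
    ext_len = struct.unpack("!H", hello[p:p + 2])[0]
    p += 2
    end = p + ext_len
    types = []
    while p < end:
        ext_type, ext_data_len = struct.unpack("!HH", hello[p:p + 4])
        types.append(ext_type)
        p += 4 + ext_data_len
    return types


def suites(n: int) -> list:
    """Constructed list of n distinct cipher-suite IDs (stand-in for a long priority string)."""
    return list(range(0xC000, 0xC000 + n))


if __name__ == "__main__":
    sni = sni_extension("api.dreamhost.com")
    for n in (10, 100, 219, 250):
        raw = build_client_hello(suites(n), [sni])
        sent = pad_client_hello(suites(n), [sni])
        print(f"{n:3d} suites: {len(raw):3d} bytes, danger={in_danger_zone(raw)}, "
              f"sent={len(sent)} bytes, extensions={extension_types(sent)}")
```

The check worth keeping from this is the pair of boundaries: a 271-byte hello (100 constructed suites plus SNI) becomes exactly 512 bytes, a 509-byte one gets an empty padding extension and becomes 513, and hellos already under 256 or at or above 512 are sent unchanged. Dropping a cipher class, as the NORMAL:-DHE-DSS test does, shrinks the suite list enough to fall back under 256 bytes, which is the other way out of the range.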