Simon Josefsson <[EMAIL PROTECTED]> writes:

> Because trying to do the same handshake another time will not
> make it work better.
>
> If I understand the OpenSSL code part correctly, it disables
> TLS (i.e., then only SSL 3.0 is supported).  The GnuTLS code
> does not disable TLS.

It used to disable TLS.  This was inadvertently broken on 2004-08-03.

http://pasky.or.cz/gitweb.cgi?p=elinks-history.git;a=commit;h=1b9c49c30bde90824fb4a7ff1dd3b6c2d55f5b48
http://cvsweb.elinks.cz/cvsweb.cgi/elinks/src/ssl/Attic/connect.c#rev1.77

> The algorithm settings looks rather similar to those in ssl.c.

Not entirely identical, though... but the differences seem to be
caused merely by lack of coordination, rather than by any real
intention.

ssl_set_no_tls (2002-07-05):
http://pasky.or.cz/gitweb.cgi?p=elinks-history.git;a=commit;h=08ca765f7536f921a560433e3e2ddad59c01b71d
http://cvsweb.elinks.cz/cvsweb.cgi/elinks/src/ssl/Attic/connect.c#rev1.11

init_ssl_connection (2003-09-29):
http://pasky.or.cz/gitweb.cgi?p=elinks-history.git;a=commit;h=59230528ae307744fa7e212cfa2f4046725d9c3f
http://cvsweb.elinks.cz/cvsweb.cgi/elinks/src/ssl/Attic/ssl.c#rev1.26
http://bugzilla.elinks.cz/show_bug.cgi?id=241

> What you might want to do is to disable TLS and only use SSL
> 3.0 with GnuTLS too.  However, unless there are documented
> examples of web servers that need this workaround, I'm not sure
> it should be added.

Bug 712 says <https://www-s.uiuc.edu/bluestem/notes/overview.html>
doesn't work with GnuTLS.  Which seems reproducible here.
If I disable GNUTLS_TLS1 in ssl_set_no_tls(), then it works.
However, an ELinks built with OpenSSL can access this site just
fine even if I remove SSL_OP_NO_TLSv1 from ssl_set_no_tls().

This site has "Server: Netscape-Enterprise/3.6 SP3", which ELinks
treats specially, as mentioned in bug 234.  However, running with
-eval "set protocol.http.bugs.allow_blacklist = 0" neither averts
nor causes the error.

If you have some test program that can send the same HTTPS
request as ELinks and then receive the data, I think that would
help figure out whether the bug is in the server or in ELinks
(or even in GnuTLS).  Here are my request headers for reference.
Sending these with openssl s_client showed that SSLv3 was used.

GET /bluestem/notes/overview.html HTTP/1.1
Host: www-s.uiuc.edu
User-Agent: ELinks/0.12.GIT (textmode; Linux 2.6.12-1-k7 i686; 127x49-2)
Accept: */*
Accept-Encoding: bzip2, gzip
Accept-Language: fi
Connection: Keep-Alive

> diff --git a/src/network/ssl/socket.c b/src/network/ssl/socket.c
> index 96caf8b..322a718 100644

> diff --git a/src/network/ssl/ssl.c b/src/network/ssl/ssl.c
> index 3c38765..c14ab67 100644

I am going to apply this patch to ELinks 0.12.GIT but reinstate
the gnutls_protocol_set_priority() call in ssl_set_no_tls()
because it appears to fix or at least hide bug 712.  If the real
bug is later found elsewhere, the call can then be removed again.


_______________________________________________
elinks-dev mailing list
elinks-dev@linuxfromscratch.org
http://linuxfromscratch.org/mailman/listinfo/elinks-dev