Kalle Olavi Niemitalo <[EMAIL PROTECTED]> writes:

>> What you might want to do is to disable TLS and only use SSL
>> 3.0 with GnuTLS too.  However, unless there are documented
>> examples of web servers that need this workaround, I'm not sure
>> it should be added.
>
> Bug 712 says <https://www-s.uiuc.edu/bluestem/notes/overview.html>
> doesn't work with GnuTLS.  Which seems reproducible here.
> If I disable GNUTLS_TLS1 in ssl_set_no_tls(), then it works.

Ah, yes, I can reproduce it too using gnutls-cli.  Thanks, it is a
good test-case.

> However, an ELinks built with OpenSSL can access this site just
> fine even if I remove SSL_OP_NO_TLSv1 from ssl_set_no_tls().

I'm not sure why that happens.  Using 'openssl s_client' I see that it
reverts to SSLv3 successfully.

> If you have some test program that can send the same HTTPS
> request as ELinks and then receive the data, I think that would
> help figure out whether the bug is in the server or in ELinks
> (or even in GnuTLS).  Here are my request headers for reference.
> Sending these with openssl s_client showed that SSLv3 was used.

I think one could debug it further, and I've added it to the GnuTLS
TODO:

- Debug why www-s.uiuc.edu:443 refuses to negotiate sslv3 when we propose
  sslv3+tls1.

The tool to use is typically 'gnutls-cli -d 4711' and ethereal.

>> diff --git a/src/network/ssl/socket.c b/src/network/ssl/socket.c
>> index 96caf8b..322a718 100644
>
>> diff --git a/src/network/ssl/ssl.c b/src/network/ssl/ssl.c
>> index 3c38765..c14ab67 100644
>
> I am going to apply this patch to ELinks 0.12.GIT but reinstate
> the gnutls_protocol_set_priority() call in ssl_set_no_tls()
> because it appears to fix or at least hide bug 712.  If the real
> bug is later found elsewhere, the call can then be removed again.

Thanks!  Your change looks correct to me.

Btw, I don't think this is a bug in elinks.  I'm not even sure it is a
bug in GnuTLS; I suspect it is an area where GnuTLS simply could be
improved to handle buggy servers better.

/Simon