Update to libgnutls26-2.12.23-12ubuntu2.5 broke ldapsearch and Apache Directory Studio for me in particular. Whatever the previous version was worked fine. Now, when trying to connect via TLS or SSL to our ldap server, I get the following with gnutls-cli:
# gnutls-cli --print-cert -p 636 192.168.125.187 Connecting to '192.168.125.187:636'... *** Fatal error: A TLS packet with unexpected length was received. *** Handshake has failed GnuTLS error: A TLS packet with unexpected length was received. But, works fine with openssl: # openssl s_client -connect 192.168.125.187:636 -CApath /etc/ssl/certs/ CONNECTED(00000003) depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root verify return:1 depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority verify return:1 depth=1 C = US, ST = MI, L = Ann Arbor, O = Internet2, OU = InCommon, CN = InCommon RSA Server CA verify return:1 depth=0 C = US, postalCode = MyZip, ST = GA, L = MyTown, street = MyStreetAddress, O = MyOrg, CN = 192.168.125.187 verify return:1 --- Certificate chain 0 s:/C=US/postalCode=MyZip/ST=MyState/L=MyTown/street=MyStreetAddress/O=MyOrg/CN=192.168.125.187 i:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA 1 s:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root --- Server certificate -----BEGIN CERTIFICATE----- MIIHIDCCBgigAwIBAgIQeJi0ZL9m+H676krkb1nDDDANBgkqhkiG9w0BAQsFADB2 MQswCQYDVQQGEwJVUzELMAkGA1UECBMCTUkxEjAQBgNVBAcTCUFubiBBcmJvcjES MBAGA1UEChMJSW50ZXJuZXQyMREwDwYDVQQLEwhJbkNvbW1vbjEfMB0GA1UEAxMW SW5Db21tb24gUlNBIFNlcnZlciBDQTAeFw0xNTAyMDMwMDAwMDBaFw0xODAyMDIy MzU5NTlaMIGaMQswCQYDVQQGEwJVUzEOMAwGA1UEERMFMzAzMjIxCzAJBgNVBAgT AkdBMRAwDgYDVQQHEwdBdGxhbnRhMR0wGwYDVQQJExQxNzg0IE4gRGVjYXR1ciBS ZCBORTEZMBcGA1UEChMQRW1vcnkgVW5pdmVyc2l0eTEiMCAGA1UEAxMZbGRzYXV0 aC5zZXJ2aWNlLmVtb3J5LmVkdTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC ggEBAM1fBQTBn8MuVC07NkkR5nvQppHUOk7l8KOu0MFCnyTaQFE0lOC7k4cGcsHS 0LmKFPwDaMUsGs23ER5+TfBa9JRLfKVbgvF7Uqt3X9CwGnTJvLjest59mWd4oGZm vKBPcV3WwkAGgC2UJKUcYrQXLp5yTAjlBhgmoz5ZKa2fIRS1jPWDI5Pn9yzssw5j OIwuoHo68jocpz8sSIN3gQ6gIM+5rIs1rgJ/SVS40sRrtBAneP3Qnr6MF3DQrSYP 8TbkCAEjf4xYqVa5f3Oy8NdC2v4Jk7VVTDoiNDpEzFbLzoCI0NpYvZKWPx3l3xr/ jZoYM+Mi+rviCqW8M88KpxBoTf0CAwEAAaOCA4MwggN/MB8GA1UdIwQYMBaAFB4F o3ePbJbiW4dLprSGrHEADOc4MB0GA1UdDgQWBBSJE3N+JO9Yhb3bxPnUC90OhJy0 xjAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEF BQcDAQYIKwYBBQUHAwIwZwYDVR0gBGAwXjBSBgwrBgEEAa4jAQQDAQEwQjBABggr BgEFBQcCARY0aHR0cHM6Ly93d3cuaW5jb21tb24ub3JnL2NlcnQvcmVwb3NpdG9y eS9jcHNfc3NsLnBkZjAIBgZngQwBAgIwRAYDVR0fBD0wOzA5oDegNYYzaHR0cDov L2NybC5pbmNvbW1vbi1yc2Eub3JnL0luQ29tbW9uUlNBU2VydmVyQ0EuY3JsMHUG CCsGAQUFBwEBBGkwZzA+BggrBgEFBQcwAoYyaHR0cDovL2NydC51c2VydHJ1c3Qu Y29tL0luQ29tbW9uUlNBU2VydmVyQ0FfMi5jcnQwJQYIKwYBBQUHMAGGGWh0dHA6 Ly9vY3NwLnVzZXJ0cnVzdC5jb20wggHYBgNVHREEggHPMIIBy4IZbGRzYXV0aC5z ZXJ2aWNlLmVtb3J5LmVkdYIZbGRzYXV0aHByb2QxLmNjLmVtb3J5LmVkdYIZbGRz YXV0aHByb2QxLmV1LmVtb3J5LmVkdYIZbGRzYXV0aHByb2QyLmNjLmVtb3J5LmVk dYIZbGRzYXV0aHByb2QyLmV1LmVtb3J5LmVkdYIZbGRzYXV0aHByb2QzLmNjLmVt b3J5LmVkdYIZbGRzYXV0aHByb2QzLmV1LmVtb3J5LmVkdYIZbGRzYXV0aHByb2Q0 LmNjLmVtb3J5LmVkdYIZbGRzYXV0aHByb2Q0LmV1LmVtb3J5LmVkdYIZbGRzYXV0 aHByb2Q1LmNjLmVtb3J5LmVkdYIZbGRzYXV0aHByb2Q1LmV1LmVtb3J5LmVkdYIZ bGRzYXV0aHByb2Q2LmNjLmVtb3J5LmVkdYIZbGRzYXV0aHByb2Q2LmV1LmVtb3J5 LmVkdYIZbGRzYXV0aHByb2Q3LmNjLmVtb3J5LmVkdYIZbGRzYXV0aHByb2Q3LmV1 LmVtb3J5LmVkdYIZbGRzYXV0aHByb2Q4LmNjLmVtb3J5LmVkdYIZbGRzYXV0aHBy b2Q4LmV1LmVtb3J5LmVkdTANBgkqhkiG9w0BAQsFAAOCAQEAYP3rmVUa7lz+aT1Z qYNw+08WiM6zLJDTlDAH6bfMOifqOg42rNL4QiiAaldCSkvCjqS5nUwOyLjy3Mr1 1/77dJsuDxtUE7brhLyCRrktsQ4aytTrbTowPhJzOFKZaYZ0Bq/Im31N2IluGVRu C1sqHsSCsYhv/qcxJkwXDA4/luH21Uc55RJvr2AcZ09qddo1UOMVpSfAM6fBooB+ 0T0bOFoYXXpc7dGS6Ffwos2T9+LkFlPCBHWD7vPoLzywSbDK2mJVCWjELowVwX50 pKsD/8qFB22FZe3arjFRb17hkJERDyFrcrbUv84WAeM9gisskoloMORNWMc6BOFZ +DSClw== -----END CERTIFICATE----- subject=/C=US/postalCode=MyZip/ST=MyState/L=MyTown/street=MyStreetAddress/O=MyOrg/CN=192.168.125.187 issuer=/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA --- No client certificate CA names sent --- SSL handshake has read 5340 bytes and written 489 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-SHA384 Session-ID: 9D3700003CBC5A44A8B0869C88E432ABD6DFAAEF4EC8268126E4DC6E8398E93B Session-ID-ctx: Master-Key: 34CD7A397FB10369831C94F74B048DF1CDE325B4207F15D0354F2487E2E7B697E477ACCA7D0214F98207820A1A4E5D30 Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1457420252 Timeout : 300 (sec) Verify return code: 0 (ok) --- -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to gnutls26 in Ubuntu. https://bugs.launchpad.net/bugs/1444656 Title: GnuTLS TLS 1.2 handshake failure Status in gnutls26 package in Ubuntu: Invalid Status in gnutls26 source package in Trusty: Triaged Bug description: I'm experiencing the same issue as here: http://comments.gmane.org/gmane.network.gnutls.general/3713 I came across a SSL handshake problem with gnutls-cli when connecting to some websites, see below. It is somehow specific to gnutls as openssl/Chrome/Firefox can connect fine. Is this is a bug in gnutls or do you have any ideas how to troubleshoot it? $ gnutls-cli --version gnutls-cli (GnuTLS) 2.12.23 Packaged by Debian (2.12.23-12ubuntu2.1) $ gnutls-cli www.openlearning.com Resolving 'www.openlearning.com'... Connecting to '119.9.9.205:443'... *** Fatal error: A TLS fatal alert has been received. *** Received alert [40]: Handshake failed *** Handshake has failed GnuTLS error: A TLS fatal alert has been received. $ gnutls-cli sequencewiz.com Resolving 'sequencewiz.com'... Connecting to '50.112.144.117:443'... *** Fatal error: A TLS packet with unexpected length was received. *** Handshake has failed GnuTLS error: A TLS packet with unexpected length was received. Thank you, Please back port the latest GnuTLS to Trusty as it is an LTS release and clearly GnuTLS 2.12 is an old branch. I've also attached packet captures of this. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1444656/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp