Bugzilla – Bug 1134877
glib-networking combined with a recent gnutls update causes TLSv1.3 connections to fail
Last modified: 2019-05-24 14:53:12 UTC
Created attachment 804899
Milan Crha's imap-conn program; build with gcc `pkg-config --cflags --libs glib-2.0 gio-2.0` imap-conn.c -g -O0 -o imap-conn

Turning on TLSv1.3 in gnutls, which seems to have happened in gnutls-3.6.7-lp150.9.1.x86_64, caused TLS based network connections using glib-networking to fail. Specifically for me this was evolution connecting to my imap and SMTP servers. Milan Crha constructed a minimal connector program to demonstrate the issue which is attached. The demonstration can simply be done with imap.googlemail.com because that offers TLSv1.3.

Using Milan's connector going via glib-networking, I see:

jejb@jarvis> ./imap-conn imap.googlemail.com 993
Connected to imap.googlemail.com:993
Failed to read data from the server: Error reading data from TLS socket: The specified session has been invalidated for some reason.

But using gnutls-cli directly succeeds:

jejb@jarvis:~> gnutls-cli -p 993 imap.googlemail.com
[...]
- Description: (TLS1.3)-(ECDHE-X25519)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
- Options:
- Handshake was completed

Updating glib-networking from 2.54.1 to 2.55.2 causes both to succeed and fixes my evolution problem. I've tried to isolate the fix that went in between these two versions, but haven't been able to; it may be something to do with switching to the meson build system, so I'd recommend fixing this bug by doing the upgrade to 2.55.2.
duplicate *** This bug has been marked as a duplicate of bug 1134795 ***
(In reply to James Bottomley from comment #0)
> Updating glib-networking from 2.54.1 to 2.55.2 causes both to succeed and
> fixes my evolution problem. I've tried to isolate the fix that went in
> between these two versions, but haven't been able to; it may be something to
> do with switching to the meson build system, so I'd recommend fixing this
> bug by doing the upgrade to 2.55.2

This doesn't seem to be fixed in glib-networking 2.55.2.

The invalid session error can be reproduced with epiphany on the latest glib-networking 2.60.2. See bug 1134795.
(In reply to Vítězslav Čížek from comment #2)
> This doesn't seem to be fixed in glib-networking 2.55.2.

It definitely is for me with both the imap-conn test program and evolution itself using this build of glib-networking:

https://build.opensuse.org/package/show/home:jejb1:Tumbleweed:gnome-leap-15/glib-networking

> The invalid session error can be reproduced with epiphany on the latest
> glib-networking 2.60.2. See bug 1134795.

OK, then there's something not present in that bug report because the report is against Leap 15.0 packages are definitely Leap 15.0 and the version of glib-networking there is:

glib-networking-debugsource-2.54.1-lp150.1.3.x86_64

glib-networking actually gives the consuming client very little control over the TLS negotiation, so if it's broken for one client I would think it would be broken for all.

It could be another break was introduced between 2.55.2 and 2.60.2. However, I think this is unlikely because I first started trying to diagnose this on the evolution hackers list:

https://mail.gnome.org/archives/evolution-hackers/2019-May/msg00002.html

And Milan Crha is using Fedora 30 which, I believe is 2.60.2 based
(In reply to James Bottomley from comment #3)
> (In reply to Vítězslav Čížek from comment #2)
> > This doesn't seem to be fixed in glib-networking 2.55.2.
>
> It definitely is for me with both the imap-conn test program and evolution
> itself using this build of glib-networking:

Yes. The update does fix your problem with imap-conn. In fact, this is the commit that makes it work:

https://gitlab.gnome.org/GNOME/glib-networking/commit/0795cd14651c965659ccef33630872a53a7bc8ec

So this particular issue might be a different problem than the others.
*** Bug 1136138 has been marked as a duplicate of this bug. ***