gpg-wks-client TLS access to server with wrong SNI name aborts
Closed, ResolvedPublic

Description

Andre tried to access our demo WKS with:
gpg-wks-client --supported aheinecke1@testkolab.intevation.de
(using 2.1.16-beta328, git master)

It aborted with an error:
TLS handshake failed: The server name sent was not recognized (alert 112)

This happened due to a missing ServerName on the web server, but as
"SSLStrictSNIVHostCheck off" was set (Default in Apache 2.4), this should not
have caused an abort.

"gnutls-cli testkolab.intevation.de" conntected fine, but reported a warning:

  • Non fatal error: A TLS warning alert has been received.
  • Received alert [112]: The server name sent was not recognized"

curl had the same problem in the past, see e.g.:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786512

Adding a ServerName configuration to the web server helped working around this
problem (and is the right thing to do anyway), but gpg-wks-client (and maybe
other parts of gnupg that access TLS servers) should not abort here.

Details

Version
2.1.20-beta10
thomas set Version to 2.1.16-beta328.
thomas added subscribers: aheinecke, thomas, werner.

Andre said, category dirmngr is better

thomas removed a project: gnupg.Nov 9 2016, 11:49 AM
thomas added a project: dirmngr.
werner closed this task as Resolved.Mar 2 2017, 7:49 PM

Tried with ntbtls and gnutls - both work fine now. Given the work we did with
recent release I will close this bug now.

From T2833 (wk on Mar 02 2017, 07:49 PM / Roundup) I don't think the problem is resolved. Yes it works now with
gnutls and ntbtls because we fixed / changed it on our side. There were no
changes to the GnuTLS code regarding alerts afaik.

Thomas: I've assigned this now to "no-selection" if possible I would have
assigned it to you. Can you come up with a test / demo that shows that this
problem still exists. Something werner could test against?

aheinecke reopened this task as Open.Mar 2 2017, 8:50 PM
aheinecke removed werner as the assignee of this task.
aheinecke added a project: Testing.
aheinecke changed Version from 2.1.16-beta328 to 2.1.20-beta10.Mar 3 2017, 10:28 AM

Thomas confirmed this, with our workaround for the SNI problem removed the
problem still occurs. We have activated our workaround again to keep wks working
on testkolab.

I think gniibe may have posted a related patch to gnupg-devel some time ago not
to abort on non fatal GNUTLS alerts but I don't think it was applied.

This issue does not have high priority for me so I downgraded to minor bug but
it's still an issue.

aheinecke lowered the priority of this task from Normal to Low.Mar 3 2017, 10:28 AM
aheinecke removed a project: Testing.

Thomas: Is there any way how I can reproduce this now that you changed the
configuration of testkolab?

  • Werner Koch via BTS <gnupg@bugs.g10code.com> [20170316 14:37]:

Thomas: Is there any way how I can reproduce this now that you changed the
configuration of testkolab?

If you have a WKD server that does not require name-based virtual
hosting, remove the "ServerName" configuration in the Apache
configuration.

Alternatively I can remove this on testkolab.intevation.de for as
long as you need it, assuming Andre or other members of the project
have no problem with that.

What is this Apache thing ;-). Frankly, I don't have one running and it would
be easier if you can remove it from testkolab. The current Windows versions
should not have the problem anyway because warning alerts are skipped in ntbtls.
For gnutls I have a fix ready.

  • Werner Koch via BTS <gnupg@bugs.g10code.com> [20170316 21:12]:

What is this Apache thing ;-). Frankly, I don't have one running and it would
be easier if you can remove it from testkolab.

Done, good hunting! :)

Fixed with commit 69c521d.
You can reconfigure your server. Thanks.

werner closed this task as Resolved.
werner claimed this task.
  • Werner Koch via BTS <gnupg@bugs.g10code.com> [20170317 12:57]:

Fixed with commit 69c521d.
You can reconfigure your server. Thanks.

Done.

Just ping me if you need it again.