Page MenuHome GnuPG
Create Task
Maniphest T2833

gpg-wks-client TLS access to server with wrong SNI name aborts
Closed, ResolvedPublic
Actions

Description

Andre tried to access our demo WKS with:
gpg-wks-client --supported aheinecke1@testkolab.intevation.de
(using 2.1.16-beta328, git master)

It aborted with an error:
TLS handshake failed: The server name sent was not recognized (alert 112)

This happened due to a missing ServerName on the web server, but as
"SSLStrictSNIVHostCheck off" was set (Default in Apache 2.4), this should not
have caused an abort.

"gnutls-cli testkolab.intevation.de" conntected fine, but reported a warning:

  • Non fatal error: A TLS warning alert has been received.
  • Received alert [112]: The server name sent was not recognized"

curl had the same problem in the past, see e.g.:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786512

Adding a ServerName configuration to the web server helped working around this
problem (and is the right thing to do anyway), but gpg-wks-client (and maybe
other parts of gnupg that access TLS servers) should not abort here.

Details

Version
2.1.20-beta10

Related Objects

Event Timeline

thomas added projects: gnupg, Bug Report.Nov 9 2016, 11:48 AM
thomas set Version to 2.1.16-beta328.
thomas added subscribers: aheinecke, thomas, werner.

Andre said, category dirmngr is better

thomas removed a project: gnupg.Nov 9 2016, 11:49 AM
thomas added a project: dirmngr.
werner added a project: gnupg.Nov 10 2016, 10:10 AM
werner closed this task as Resolved.Mar 2 2017, 7:49 PM

Tried with ntbtls and gnutls - both work fine now. Given the work we did with
recent release I will close this bug now.

aheinecke added a comment.Mar 2 2017, 8:50 PM

From T2833 (wk on Mar 02 2017, 07:49 PM / Roundup) I don't think the problem is resolved. Yes it works now with
gnutls and ntbtls because we fixed / changed it on our side. There were no
changes to the GnuTLS code regarding alerts afaik.

Thomas: I've assigned this now to "no-selection" if possible I would have
assigned it to you. Can you come up with a test / demo that shows that this
problem still exists. Something werner could test against?

aheinecke reopened this task as Open.Mar 2 2017, 8:50 PM
aheinecke removed werner as the assignee of this task.
aheinecke added a project: Restricted Project.
aheinecke changed Version from 2.1.16-beta328 to 2.1.20-beta10.Mar 3 2017, 10:28 AM

Thomas confirmed this, with our workaround for the SNI problem removed the
problem still occurs. We have activated our workaround again to keep wks working
on testkolab.

I think gniibe may have posted a related patch to gnupg-devel some time ago not
to abort on non fatal GNUTLS alerts but I don't think it was applied.

This issue does not have high priority for me so I downgraded to minor bug but
it's still an issue.

aheinecke lowered the priority of this task from Normal to Low.Mar 3 2017, 10:28 AM
aheinecke removed a project: Restricted Project.
werner added a comment.Mar 16 2017, 2:37 PM

Thomas: Is there any way how I can reproduce this now that you changed the
configuration of testkolab?

thomas added a comment.Mar 16 2017, 4:12 PM
  • Werner Koch via BTS <gnupg@bugs.g10code.com> [20170316 14:37]:

Thomas: Is there any way how I can reproduce this now that you changed the
configuration of testkolab?

If you have a WKD server that does not require name-based virtual
hosting, remove the "ServerName" configuration in the Apache
configuration.

Alternatively I can remove this on testkolab.intevation.de for as
long as you need it, assuming Andre or other members of the project
have no problem with that.

werner added a comment.Mar 16 2017, 9:12 PM

What is this Apache thing ;-). Frankly, I don't have one running and it would
be easier if you can remove it from testkolab. The current Windows versions
should not have the problem anyway because warning alerts are skipped in ntbtls.
For gnutls I have a fix ready.

thomas added a comment.Mar 17 2017, 8:17 AM
  • Werner Koch via BTS <gnupg@bugs.g10code.com> [20170316 21:12]:

What is this Apache thing ;-). Frankly, I don't have one running and it would
be easier if you can remove it from testkolab.

Done, good hunting! :)

werner added a comment.Mar 17 2017, 12:57 PM

Fixed with commit 69c521d.
You can reconfigure your server. Thanks.

werner closed this task as Resolved.Mar 17 2017, 12:57 PM
werner claimed this task.
werner added a project: Unreleased.
thomas added a comment.Mar 20 2017, 9:31 AM
  • Werner Koch via BTS <gnupg@bugs.g10code.com> [20170317 12:57]:

Fixed with commit 69c521d.
You can reconfigure your server. Thanks.

Done.

Just ping me if you need it again.