FS#23678 - [bitlbee] gnutls update breaks bitlbee connections to certain jabber servers

Attached to Project: Arch Linux
Opened by Michael Hellwig (the_eye) - Sunday, 10 April 2011, 14:18 GMT
Last edited by Gaetan Bisson (vesath) - Sunday, 18 September 2011, 13:23 GMT
Task Type: Bug Report
Category: Packages: Extra
Status: Closed
Assigned To: Jan de Groot (JGC), Andreas Radke (AndyRTR), Gaetan Bisson (vesath)
Architecture: All
Severity: Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

Description:
The update of gnutls that came through yesterday (i.e. to version 2.12.2-1) breaks functionality in bitlbee in that bitlbee then fails to complete its connections to at least one important jabber server (namely jabber.ccc.de).

downgrading gnutls (to the version available in A.R.M which is 2.10.5-1) makes it work again, so the problem is in gnutls, not bitlbee (which also saw an update yesterday that was, as far as i can see, pretty minor).

Since I don't control the server I'm not sure how I can further debug this ..

Additional info:
* package version(s) gnutls 2.12.2-1 breaks connections of bitlbee 3.0.2-2 to jabber.ccc.de (biggest german jabber server). using gnutls 2.10.5-1 fixes the problem
* config and/or log files etc. not sure what to put here? I didn't do any user-config of gnutls


Steps to reproduce:
update bitlbee and gnutls to the newest versions available in arch. Connect to jabber.ccc.de. Connection will hang indefinitely after the authentication part (and before the "logged in") part, until bitlbee runs into a timeout, disconnects and then tries to reconnect. repeat ad nauseam.
downgrade gnutls to an earlier version (and recompile bitlbee to be on the safe side) makes it work, so the culprit is gnutls.

Closed by Gaetan Bisson (vesath)
Sunday, 18 September 2011, 13:23 GMT
Reason for closing: Fixed
Additional comments about closing: bitlbee-3.0.3-4 in [extra]
Comment by Greg (dolby) - Sunday, 10 April 2011, 14:44 GMT
As you say it doesn't break connections with all servers, for example jabber.org works fine.
Comment by Andreas Radke (AndyRTR) - Sunday, 10 April 2011, 16:02 GMT
Does a bitlbee rebuild fix it?
Comment by Greg (dolby) - Sunday, 10 April 2011, 16:21 GMT
AFAICT bitlbee has been rebuilt since the gnutls upgrade
Comment by Axel Müller (the_CLA) - Sunday, 10 April 2011, 17:31 GMT
The update to 2.12.2-1 also broke my SSL connections to pop3 accounts in claws-mail - including today's new version of claws. Downgrading to gnutls-2.10.5-1 made connections work again.
Comment by Michael Hellwig (the_eye) - Sunday, 10 April 2011, 20:11 GMT
just to explicitly answer the question: no, a bitlbee rebuild doesn't solve the problem (also, bitlbee _was_ rebuilt by arch for this update, i.e. it went from 3.0.2-1 to 3.0.2-2 on the same day the gnutls update came in). Only a gnutls-downgrade solves it.
Comment by David Orman (ormandj) - Monday, 11 April 2011, 15:51 GMT
I am also experiencing this issue with a jabber server, downgrading to the 2.10 release of gnutls resolves the issue.
Comment by Andreas Radke (AndyRTR) - Monday, 11 April 2011, 19:14 GMT
http://bugs.bitlbee.org/bitlbee/ticket/779 this should be the upstream report.
Comment by Axel Müller (the_CLA) - Monday, 11 April 2011, 19:36 GMT
Is this really a bug in bitlbee when the new version of gnutls breaks other programs as well? As in my case claws-mail (see my previous comment). Should I open a separate report for claws-mail then?
Comment by Gaetan Bisson (vesath) - Monday, 11 April 2011, 19:46 GMT
For the record, the bitlbee upgrade was unrelated to gnutls: it meant to create /var/run/bitlbee at runtime rather than at install time, although it incidentally built against the new gnutls.

I will build bitlbee against openssl as a fix for the time being, (at least) until the underlying gnutls problem is solved.
Comment by Michael Hellwig (the_eye) - Monday, 11 April 2011, 20:05 GMT
while we're on that note that I've just filed another bug against Arch's bitlbee package (which you might of course disagree with) at https://bugs.archlinux.org/task/23709
Comment by Greg (dolby) - Monday, 11 April 2011, 20:32 GMT
Comment by Gaetan Bisson (vesath) - Tuesday, 12 April 2011, 06:23 GMT
Axel, could you create a new bug report specifically for gnutls? Be sure to include debugging information from your mail client.
I will then close this ticket since bitlbee now builds against openssl.
Comment by Michael Hellwig (the_eye) - Tuesday, 12 April 2011, 08:00 GMT
note that upstream recommends "gnutls or nss" over openssl when distributing a binary package (for licensing reasons). but with nss connecting to jabber.ccc.de fails as well. this whole ssl thing seems to be not that easy to get right ...
Comment by Jakob Matthes (jakobm) - Tuesday, 12 April 2011, 12:19 GMT
Seems to be fixed with 3.0.2-3, connection to jabber.ccc.de works.
Comment by Michael Hellwig (the_eye) - Tuesday, 12 April 2011, 12:26 GMT
so the openssl-linkage is now active?
anyway, have opened a bug at https://savannah.gnu.org/support/index.php?107660 the gnutls site ..
if anyone can add info to that bug it would probably be helpful ...

re linking against openssl: whoever is the package maintainer has presumably read the warning that bitlbee make spits out when compiling against openssl? something about it being legally dubious to distribute it as a binary then?
Comment by Michael Hellwig (the_eye) - Tuesday, 12 April 2011, 12:53 GMT
Comment by Gaetan Bisson (vesath) - Tuesday, 12 April 2011, 13:05 GMT
Yes, I did build bitlbee against openssl (as I wrote twice above).

I am aware of the incompatibility between the GNU General Public License and the Apache License 1.0, and I believe (like many others) that it does not concern the way Arch distributes software: dynamically linked, in separate packages.
Comment by Michael Hellwig (the_eye) - Tuesday, 12 April 2011, 13:42 GMT
see savannah bugtracker for gnutls for info on what breaks and how and where. It seems software should be rewritten to follow some change in gnutls, if I understand things correctly.
Comment by Michael Hellwig (the_eye) - Tuesday, 12 April 2011, 14:48 GMT
note additionally that this does not bode well for other software depending on gnutls.
Comment by Gaetan Bisson (vesath) - Tuesday, 12 April 2011, 15:31 GMT
Thanks for the feedback.

As BitlBee is now built against OpenSSL, I will close this bug report, but please create new ones for other programs affected by the GnuTLS update.
Comment by Evan Callicoat (Apsu) - Saturday, 16 April 2011, 11:04 GMT
Rebuilding against OpenSSL does not resolve the issue for all jabber servers. The GnuTLS downgrade build remains the only bitlbee version that connects correctly. Can provide straces or other information if necessary.
Comment by Gaetan Bisson (vesath) - Saturday, 16 April 2011, 11:26 GMT
Evan: That is very surprising. Can other people confirm this? Or can you reproduce this on another computer?

Could you patch bitlbee with https://savannah.gnu.org/support/download.php?file_id=23212 , compile it with --ssl=gnutls and then --ssl=openssl (and maybe --ssl=bogus) and report which work?
Comment by David Orman (ormandj) - Saturday, 16 April 2011, 13:30 GMT
Gaetan: I can confirm I still have trouble connecting to an SSL enabled jabber server, until I revert to using the older version of GnuTLS and Bitlbee built against that.
Comment by Guilherme de Sousa (guisacouto) - Sunday, 17 April 2011, 01:51 GMT
Same problem here... Claws-mail won't download my hotmail mails (pop3).. If I downgrade gnutls it works just fine..

best regards
Comment by Gaetan Bisson (vesath) - Sunday, 17 April 2011, 01:55 GMT
Very well. Now we just need to wait for people affected by this issue to try the patch above...
Comment by Evan Callicoat (Apsu) - Tuesday, 19 April 2011, 05:30 GMT
Gaetan: So, with the GnuTLS reversion patch you linked applied to the latest version of GnuTLS per their thread https://savannah.gnu.org/support/index.php?107660 , --ssl=gnutls works correctly, --ssl=openssl does not work (hangs identically to un-unpatched GnuTLS) and --ssl=bogus doesn't seem to even load up the account configs correctly, let alone connect. Definitely confirmed the patch reversion works exactly as 2.10 did.
Comment by Gaetan Bisson (vesath) - Tuesday, 19 April 2011, 20:06 GMT
Thanks, Evan.
When this is fixed in GnuTLS (Jan, Andreas?) I will rebuild bitlbee against it.
Comment by Gaetan Bisson (vesath) - Sunday, 24 April 2011, 17:39 GMT
Could somebody who is still experiencing the problem please try the bitlbee-3.0.2-4 package from http://arch.vesath.org/all/ and let me know if it solves the issue? It is built against gnutls-2.12.3-1. Thanks.
Comment by Greg (dolby) - Sunday, 24 April 2011, 20:49 GMT
FWIW i had problems with gnus which seem to have been automagically solved right after i upgraded to gnutls 2.12.3 just now. Maybe it solves problems with bitlbee as well.
Comment by David Orman (ormandj) - Monday, 25 April 2011, 13:22 GMT
08:19 <@root> jabber - Logging in: Connecting
08:19 <@root> jabber - Logging in: Connected to server, logging in
08:19 <@root> jabber - Logging in: Converting stream to TLS
08:19 <@root> jabber - Logging in: Connected to server, logging in
08:21 <@root> jabber - Login error: Connection timeout
08:21 <@root> jabber - Logging in: Signing off..

[root@desktop1 ~]# pacman -Qs bitlbee
local/bitlbee 3.0.2-4
Brings instant messaging (XMPP, MSN, Yahoo!, AIM, ICQ, Twitter) to IRC
[root@desktop1 ~]# pacman -Qs gnutls
local/gnutls 2.12.3-1
A library which provides a secure layer over a reliable transport layer

Unfortunately, this does not seem to have resolved the problem.
Comment by Verdickt Jeffrey (redostrike) - Monday, 23 May 2011, 08:01 GMT
I can confirm that this is still happening for claws-mail software and hotmail. I mostly receive one message from my hotmail inbox and then it just spits out an error.

Downgrading to lower version did help.
Comment by Andreas Radke (AndyRTR) - Monday, 22 August 2011, 05:23 GMT
Can you please try again with gnutls 3.0.1 ?
Comment by Michael Hellwig (the_eye) - Monday, 22 August 2011, 10:42 GMT
just compiled my bitlbee against the new gnutls and I now get a connection timeout upon trying to retrieve the buddy list.

Built against openssl, connections to jabber.ccc.de still work.

Note, will also communicate this on the bitlbee bugtracker.
Comment by Evan Callicoat (Apsu) - Tuesday, 23 August 2011, 05:41 GMT
Compiled against the new gnutls and observing identical behavior to previously, the same as David Orman listed on 4/25/11.
In addition, connecting to both Facebook and GoogleTalk Jabber works correctly with all versions of bitlbee/gnutls I've tried.

For reference the server being contacted that's not working is running OpenFire 3.6.4.

From the GNU bugtracker and looking at the code it seems the issue here is that with the 3.x branch gnutls changed how clients
check for remaining encrypted data on the socket, from a "low water mark" select()-based approach to something more asynchronous,
requiring the client to poll for new data. At this point, it probably requires a bitlbee patch to correctly handle these situations,
assuming it's not somehow a bug specific to OpenFire 3.6.4.
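
The failure mode described in the comment above, as an added illustration that is not part of the original thread and is not bitlbee or GnuTLS code: a toy record layer drains the socket into its own buffer, so an event loop that waits only on select() stalls with unread data still buffered, while a loop that first asks the layer for pending bytes delivers everything. The names `rec`, `rec_read`, `rec_pending`, `run_loop` and the `SAMPLE` payload are hypothetical and constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

/* Constructed sample payload; sent in one write so one read() drains it. */
static const char SAMPLE[] = "<iq type='result'><query xmlns='jabber:iq:roster'/></iq>";
/* Hypothetical toy record layer standing in for a TLS library: it drains the
   socket into its own buffer and hands the caller only what was asked for. */
struct rec { int fd; char buf[256]; size_t len, off; };
static size_t rec_pending(const struct rec *r) { return r->len - r->off; }
static ssize_t rec_read(struct rec *r, char *out, size_t n) {
    if (rec_pending(r) == 0) {               /* buffer empty: refill from socket */
        ssize_t got = read(r->fd, r->buf, sizeof r->buf);
        if (got <= 0) return got;
        r->len = (size_t)got; r->off = 0;
    }
    if (n > rec_pending(r)) n = rec_pending(r);
    memcpy(out, r->buf + r->off, n);
    r->off += n;
    return (ssize_t)n;
}

/* 1 if select() reports the descriptor readable within 100 ms. */
static int fd_readable(int fd) {
    fd_set s; struct timeval tv = {0, 100000};
    FD_ZERO(&s); FD_SET(fd, &s);
    return select(fd + 1, &s, NULL, NULL, &tv) > 0;
}

/* Event loop reading 8 bytes per wakeup; returns bytes delivered before it
   stalls. check_pending=0 waits on select() alone, 1 asks the layer first. */
static size_t run_loop(int check_pending) {
    int sv[2]; char out[8]; size_t total = 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return 0;
    struct rec r = { .fd = sv[0] };
    if (write(sv[1], SAMPLE, sizeof SAMPLE - 1) < 0) return 0;
    while ((check_pending && rec_pending(&r) > 0) || fd_readable(sv[0])) {
        ssize_t n = rec_read(&r, out, sizeof out);
        if (n <= 0) break;
        total += (size_t)n;
    }
    close(sv[0]); close(sv[1]);
    return total;
}

int main(void) {
    printf("select only: %zu, with pending check: %zu\n", run_loop(0), run_loop(1));
    return 0;
}
```

In GnuTLS the corresponding query for data already buffered inside the session is `gnutls_record_check_pending()`.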
Comment by Evan Callicoat (Apsu) - Tuesday, 23 August 2011, 07:14 GMT
Just to compare, I decided to install OpenFire 3.7.0 and try bitlbee with both old gnutls, new gnutls and new openssl. All three work perfectly fine, with TLS or SSL on ports 5222 and 5223 respectively.

Looks like this is an OpenFire 3.6.x bug that's already been resolved at this point.
Comment by Jakob Matthes (jakobm) - Tuesday, 23 August 2011, 18:02 GMT
gnutls 3.0.1-1, bitlbee build against gnutls

All my ssl connections still work.
Comment by Andreas Radke (AndyRTR) - Tuesday, 23 August 2011, 18:48 GMT
Gaetan, will you build the repo pkg against gnutls? Can we close this issue?
Comment by Gaetan Bisson (vesath) - Tuesday, 23 August 2011, 19:10 GMT
Sure. I'll rebuild and close this issue.
Comment by Michael Hellwig (the_eye) - Wednesday, 24 August 2011, 12:26 GMT
what, fixed? the issue is still there, same as before. It is NOT limited to OpenFire, jabber.ccc.de runs ejabberd. The issue is still the same, namely that something in the GNUtls API changed (sorry if I get the nomenclature wrong, not a programmer) and bitlbee needs to be changed to accommodate that.
fix is still the same as before, namely "build against openssl".
Comment by Jakob Matthes (jakobm) - Wednesday, 24 August 2011, 13:12 GMT
Michael, can you paste logs and/or account connection settings to reproduce this?

ldd =bitlbee | grep gnutls
libgnutls.so.28 => /usr/lib/libgnutls.so.28 (0x00007feb28b6a000)

jabber.ccc.de

ssl = `false'
tls = `true'

Logging in: Connected to server, logging in
Logging in: Converting stream to TLS
Logging in: Connected to server, logging in
Logging in: Authentication finished
Logging in: Authenticated, requesting buddy list
Logging in: Logged in
Comment by Michael Hellwig (the_eye) - Wednesday, 24 August 2011, 14:12 GMT
all right, I can do a check tonight.
Comment by Michael Hellwig (the_eye) - Wednesday, 24 August 2011, 17:27 GMT
'k logfiles. ldd looks the same as yours. with
ssl = true
tls = try (same behaviour with tls=false)

<@root> jabber(the_eye@jabber.ccc.de) - Logging in: Connecting
<@root> jabber(the_eye@jabber.ccc.de) - Logging in: Connected to server, logging in
<@root> jabber(the_eye@jabber.ccc.de) - Logging in: Authentication finished
<@root> jabber(the_eye@jabber.ccc.de) - Logging in: Authenticated, requesting buddy list
<timeout after quite 2-3 Minutes wait>
<@root> jabber(the_eye@jabber.ccc.de) - Login error: Connection timeout
<@root> jabber(the_eye@jabber.ccc.de) - Logging in: Signing off..

in contrast with:

ssl = false
tls = true

19:17 <@root> jabber(the_eye@jabber.ccc.de) - Logging in: Connecting
19:17 <@root> jabber(the_eye@jabber.ccc.de) - Logging in: Connected to server, logging in
19:17 <@root> jabber(the_eye@jabber.ccc.de) - Login error: Error while reading from server
19:17 <@root> jabber(the_eye@jabber.ccc.de) - Logging in: Signing off..
Comment by Gaetan Bisson (vesath) - Wednesday, 24 August 2011, 17:37 GMT
Is Michael the only one still affected?
Comment by Michael Hellwig (the_eye) - Wednesday, 24 August 2011, 17:37 GMT
note that with bitlbee compiled against openssl, also the only way it works is with ssl=true, tls=false. with ssl=false, tls=true I get the same immediate "error while reading from server".
Comment by Geert Hendrickx (ghen) - Thursday, 25 August 2011, 13:22 GMT
bitlbee 3.0.3-3 with libgnutls is broken for me also, connecting to jabber.org with ssl=false and tls=try, whereas 3.0.3-2 with libssl works fine with the same settings.
Comment by Guilherme de Sousa (guisacouto) - Friday, 16 September 2011, 21:38 GMT
I'm still affected by the same problem as Michael too.

regards
Comment by Gaetan Bisson (vesath) - Friday, 16 September 2011, 22:09 GMT
Okay. Unless somebody has helpful insight on these gnutls issues and/or makes a strong argument against switching, I'm going to switch back to using the openssl backend.
Comment by Gaetan Bisson (vesath) - Saturday, 17 September 2011, 19:46 GMT
Please confirm that bitlbee-3.0.3-4 from [testing] solves all your problems (built against openssl rather than gnutls).
Comment by Geert Hendrickx (ghen) - Saturday, 17 September 2011, 20:24 GMT
Works for me!
