FS#36212 - [gnutls] update to 3.2.2-1 breaks TLS handling in webkitgtk2

Attached to Project: Arch Linux
Opened by Zulu (smoon) - Saturday, 20 July 2013, 19:06 GMT
Last edited by Laurent Carlier (lordheavy) - Wednesday, 31 July 2013, 07:26 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Andreas Radke (AndyRTR)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 23
Private No
After the latest update of gnutls, loading of (some) resources via https fails in webkitgtk2 based browsers (e.g. surf). The error message is "Error reading data from TLS socket: Decryption has failed."

Additional info:

* [PACMAN] upgraded gnutls (3.2.1-1 -> 3.2.2-1)

Steps to reproduce:

* Refresh your package list and do a sysupgrade: `pacman -Suy`
* Install surf: `pacman -S surf`
* Open Trello in surf: `surf https://trello.com/`
* Instead of seeing the Trello homepage, you'll get an error message.
* Open the Webkit-Inspector `Ctrl-Shift-o`, click the "Network" tab and refresh the page `Ctrl-r`
* You'll notice how some resources fail to load with the message "Error reading data from TLS socket: Decryption has failed."
* The same error occurs at other sites like outlook.com.
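A triage helper, added here by the editor and not part of the bug report or of gnutls, that turns the steps above into something scriptable: it maps the error strings quoted in this thread to a coarse cause, flags the package versions reported broken here, and probes a host with gnutls-cli (the library's own client) so that the browser or mail client is taken out of the loop. The function names (`classify_tls_error`, `is_broken_gnutls`, `probe_host`) are the editor's; the numeric code -24 is GNUTLS_E_DECRYPTION_FAILED, matching the weechat output quoted later in the thread; the script assumes `pacman` and `gnutls-cli` are on the PATH and that port 443 is the default. The "not a TLS endpoint" class for "An unexpected TLS packet was received" is the editor's interpretation: that message is what a TLS client produces when the peer answers in plaintext, which is consistent with the later weechat report of a TLS connect to port 6667.

```shell
#!/bin/sh
# Editor-added triage script (constructed for this page, not project code).
# Goal: decide whether a "Decryption has failed" error comes from the gnutls
# record layer itself or from the application / endpoint.

# Map one application or gnutls-cli error line to a coarse class.
# The strings are the ones quoted in FS#36212; -24 is GNUTLS_E_DECRYPTION_FAILED.
classify_tls_error() {
    case "$1" in
        *"Decryption has failed"*|*"error -24"*) echo "record-decryption" ;;
        *"unexpected TLS packet"*|*"Unexpected TLS packet"*) echo "not-tls-endpoint" ;;
        *"handshake failed"*|*"Handshake failed"*) echo "handshake" ;;
        *) echo "other" ;;
    esac
}

# Return 0 when the given pacman version string is one reported broken in this thread.
is_broken_gnutls() {
    case "$1" in
        3.2.2-1|3.2.2-2) return 0 ;;
        *) return 1 ;;
    esac
}

# Installed gnutls version as printed by `pacman -Q gnutls` (second field).
installed_gnutls_version() {
    pacman -Q gnutls 2>/dev/null | awk '{print $2}'
}

# Probe host:port with gnutls-cli and send a minimal HTTP request, so that any
# failure is reproduced with nothing but the library in the path.
# Prints the classification of the first error line and returns gnutls-cli's status.
probe_host() {
    host=$1
    port=${2:-443}
    if ! command -v gnutls-cli >/dev/null 2>&1; then
        echo "gnutls-cli not installed" >&2
        return 2
    fi
    rc=0
    out=$(printf 'GET / HTTP/1.0\r\nHost: %s\r\n\r\n' "$host" \
          | gnutls-cli --port "$port" "$host" 2>&1) || rc=$?
    errline=$(printf '%s\n' "$out" | grep -m1 -i -e 'error' -e 'failed')
    classify_tls_error "$errline"
    return $rc
}

# Usage: sh triage.sh <host> [port]; with no host only the helpers are defined.
if [ -n "$1" ]; then
    ver=$(installed_gnutls_version)
    if is_broken_gnutls "$ver"; then
        echo "installed gnutls $ver is a version reported broken in FS#36212" >&2
    fi
    probe_host "$1" "${2:-443}"
fi
```

If `probe_host` reproduces the "record-decryption" class against a site that a browser also fails on, the application is not at fault and the library (or its downgrade to 3.2.1-1) is the thing to test next; a "not-tls-endpoint" result instead points at the port or server configuration, as in the weechat case below.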
Closed by  Laurent Carlier (lordheavy)
Wednesday, 31 July 2013, 07:26 GMT
Reason for closing:  Fixed
Additional comments about closing:  gnutls-3.2.3-1
Comment by Zulu (smoon) - Saturday, 20 July 2013, 20:12 GMT
Probably related to #36207
Comment by Andreas Radke (AndyRTR) - Saturday, 20 July 2013, 20:28 GMT
Please report it upstream!
Comment by Skottish (skottish) - Sunday, 21 July 2013, 16:00 GMT
I reported this to the gnutls developer list. It's a major bug with their software.
Comment by Christian Richter (chri) - Sunday, 21 July 2013, 16:17 GMT
I also have the browser related problems, but I also had strange problems with certificates not being accepted for ownCloud calendars synced in Evolution 3.8.3! Just thought it might have something to do with it. I installed Arch from scratch today and did not have any problems with certificates two days ago when using the old system (which I had not updated for a week or so), and the certificates I'm using seem to be valid for some months.

That is what Evolution tells me:

Detailed error message: Unable to connect to 'default': Cannot open book: Error reading data from TLS socket: Decryption has failed.

Sorry if that's wrong here, I'm new…
Comment by Tomasz Kowalski (Apentulla) - Monday, 22 July 2013, 03:24 GMT
Viewing emails from an MS-Exchange account also fails in Evolution 3.8.3. Error message is the same: "Error reading data from TLS socket: Decryption has failed." Downgrading gnutls to 3.2.1-1 works.
Comment by Peter Weber (hoschi) - Monday, 22 July 2013, 10:56 GMT
I have to confirm this for Evolution (ews -> MS-Exchange) and WebKit based browsers like Epiphany.

// update
I've written a short email to bugs@gnutls.org
Seems like they didn't provide a bug tracker!?
Comment by qh doe (qh) - Wednesday, 24 July 2013, 07:23 GMT
Comment by Peter Weber (hoschi) - Wednesday, 24 July 2013, 08:05 GMT
While taking a look at the mailing list, I'm afraid Nikos Mavrogiannopoulos is talking with every one of us, but doesn't see that it is all the same issue!
We should use clearer communication :-)

Thanks for the link to Savannah! Their website doesn't mention it, only the bug mail. Does anyone have a Savannah account?

By the way, I remembered an old issue:
Two years ago WebKit based browsers failed to load the CSS for the wiki, after it started to use HTTPS and to load the CSS from another server.
Same as this time? Maybe we should take a look at what caused the problem in the past?
https://bugs.archlinux.org/task/23678 (fixed in bitlbee, not gnutls)

I see there are several upgrades to webkitgtk and evolution-ews available now, I will install and test them. If they don't fix the issue I will downgrade gnutls.

// the bitlbee fix, from 2013-04-12:
Don't know if there is a relation to our problem. Looks like some system-specific thing.
Comment by Peter Weber (hoschi) - Wednesday, 24 July 2013, 08:18 GMT
webkitgtk 2.0.4-1
evolution-ews 3.8.4-1

Don't fix this issue.
Comment by Marco Scannadinari (zheoffec) - Wednesday, 24 July 2013, 08:30 GMT
Also can't access some files from epiphany - sometimes css, html, etc.

`pacman -Q epiphany`
epiphany 3.8.2-1
`pacman -Q gnutls`
gnutls 3.2.2-1
`pacman -Q webkitgtk`
webkitgtk 2.0.4-1
Comment by Peter Weber (hoschi) - Wednesday, 24 July 2013, 09:09 GMT
I've downgraded to gnutls-3.2.1-1 and everything works again. I can't imagine that all other programs use the API of gnutls in a wrong way.

@qh doe: Thanks for your bugreport :-)
Comment by Benpro (benpro) - Thursday, 25 July 2013, 21:17 GMT
It also breaks FTPS with clients like lftp or FileZilla:

> **** gnutls_record_recv: Decryption has failed.

Downgrade to gnutls-3.2.1-1 works.
Comment by Peter Weber (hoschi) - Friday, 26 July 2013, 09:47 GMT
Please recompile gnutls-3.2.2-1 with the following change:
- #make -k check
- make -j1 check
+ make -k check
+ #make -j1 check
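Review bot: swapping which of the two `make check` lines is commented out only changes how the test suite is run (`-k` keeps going past a failing test, `-j1` serialises the run), not what gets compiled, so it cannot change the built library's run-time behaviour and cannot fix or cause the "Decryption has failed" error; the follow-up in this same comment confirms that. If the intent is to learn what the 3.2.2 test suite says, keep failures fatal and read the test log rather than letting the build continue past them.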

I'm hoping that this fixes the issue.

// update
Arrrgh. Nope. Looks like Ctrl+Shift+R isn't as trustworthy as it was...
   PKGBUILD (1.2 KiB)
Comment by Peter Weber (hoschi) - Friday, 26 July 2013, 10:47 GMT
Comment by Mark E. Lee (bluerider) - Friday, 26 July 2013, 15:20 GMT
I did (for my outlook.com issue). So did this fellow: <http://lists.gnutls.org/pipermail/gnutls-devel/2013-July/006381.html>

A patch was offered by Nikos: <http://lists.gnutls.org/pipermail/gnutls-devel/2013-July/006385.html>

I can confirm it works.
Comment by qh doe (qh) - Sunday, 28 July 2013, 08:52 GMT
  • Field changed: Percent Complete (100% → 0%)
This is still broken in gnutls-3.2.2-2, I just pulled the update from pacman. weechat is still failing to establish a secure connection:

> irc: reading data on socket: error -24 Decryption has failed.

Comment by Andreas Radke (AndyRTR) - Sunday, 28 July 2013, 09:00 GMT
Check for further upstream fixes that you may need: https://gitorious.org/gnutls/gnutls/commits/master

Or ask Nikos, the upstream dev.
Comment by Mark E. Lee (bluerider) - Monday, 29 July 2013, 01:37 GMT
Nikos has released a beta version of 3.2.3; please download it at: <ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/>
See post: <http://lists.gnutls.org/pipermail/gnutls-devel/2013-July/006393.html>
Comment by Mark E. Lee (bluerider) - Monday, 29 July 2013, 04:16 GMT
I just tried weechat with both gnutls-3.2.{2,3pre0} and I don't experience any issues with TLS connections.
Comment by Peter Weber (hoschi) - Monday, 29 July 2013, 07:59 GMT
Maybe a different bug?
Comment by qh doe (qh) - Monday, 29 July 2013, 09:04 GMT
Maybe a different bug, but also caused by gnutls; people on #weechat are reporting that a downgrade to gnutls-3.2.1 makes weechat work again.

I have no idea how to debug this.
Comment by Mark E. Lee (bluerider) - Monday, 29 July 2013, 17:05 GMT
Can you give me a server that weechat is definitely broken on (commands like /connect <server>; /join <group>) ?
Comment by Mark E. Lee (bluerider) - Monday, 29 July 2013, 17:22 GMT
I've tried to connect to ircs://irc.freenode.net and encountered the error:

13:19:53 irc.feenode.net -- | irc: connecting to server irc.feenode.net/6667 (SSL)...
13:19:53 irc.feenode.net =!= | irc: TLS handshake failed
13:19:53 irc.feenode.net =!= | irc: error: An unexpected TLS packet was received.

A recompilation of weechat 0.4.1-2 didn't fix the error.

I believe that this should be reported as a different bug though, I do not think it's affecting webkit anymore.
Comment by Mark E. Lee (bluerider) - Monday, 29 July 2013, 17:29 GMT
I just followed the instructions (section 6.3) from this url: <http://www.weechat.org/files/doc/weechat_faq.en.html>. I have managed to connect to the Arch Linux on <irc.freenode.net> via these instructions.
Comment by David J. Haines (dhaines) - Tuesday, 30 July 2013, 01:26 GMT
3.2.2 also breaks nzbget for SSL connections to the astraweb.com NNTP servers.
Comment by Mark E. Lee (bluerider) - Tuesday, 30 July 2013, 01:35 GMT
Does the error still occur with gnutls-3.2.3pre0? I've attached my modified PKGBUILD and the install file (provided by GNUTLS-3.2.2-2) if you haven't tried testing it.
Comment by Frederik (ball) - Tuesday, 30 July 2013, 11:30 GMT
The release announcement for 3.2.3 indicates that the problem should be fixed now:
Comment by qh doe (qh) - Wednesday, 31 July 2013, 07:11 GMT
confirming that gnutls-3.2.3-1 is now working as expected with weechat. fixed \o/