From: Scott McGillivray
Subject: gnuTLS 3.0.20 - 'Fatal error: The TLS connection was non-properly terminated' against Cisco load balancers
Date: Sun, 17 Jun 2012 10:58:01 +0100
Hi,
On my older Debian server running gnutls-cli (GnuTLS) 2.8.5, if I test various websites located behind a Cisco CSS load balancer that does the SSL offload with the command "gnutls-cli accounts.codemasters.com", it works OK, but with a newer install of Debian server running gnutls-cli 3.0.20, if I issue the same command then I get the error below.
Processed 153 CA certificate(s).
Resolving 'accounts.codemasters.com'...
Connecting to '94.75.196.190:443'...
|<1>| Note that the security level of the Diffie-Hellman key exchange has been lowered to 512 bits and this may allow decryption of the session data
*** Fatal error: The TLS connection was non-properly terminated.
No certificates found!
*** Handshake has failed
GnuTLS error: The TLS connection was non-properly terminated.
If I try to connect to https://accounts.codemasters.com using Firefox, Chrome or openssl s_client then it works fine. So it seems that GnuTLS 3.0.x has a bug maybe? On the server running GnuTLS 3.0.20 I am able to run gnutls-cli against other sites such as google.com, hotmail.com etc. and it works fine, so I know that it works, just not against the sites where the SSL offload is performed by these Cisco CSS load balancers.
On the GnuTLS 2.8.5 install I noticed that the client/server hello is processed OK, as seen in the debug output below
|<3>| HSK[0x9342d78]: CLIENT HELLO was send [136 bytes]
|<2>| ASSERT: gnutls_cipher.c:204
|<2>| ASSERT: gnutls_cipher.c:204
|<3>| HSK[0x9342d78]: SERVER HELLO was received [74 bytes]
|<3>| HSK[0x9342d78]: Server's version: 3.1
|<3>| HSK[0x9342d78]: SessionID length: 32
|<3>| HSK[0x9342d78]: SessionID: a32ec5fb0f2fef86bbc660747ee3cd49f0d68483ced53f116f451a96a2ad97d0
|<3>| HSK[0x9342d78]: Selected cipher suite: RSA_ARCFOUR_MD5
|<2>| ASSERT: gnutls_extensions.c:124
|<2>| ASSERT: gnutls_cipher.c:204
|<3>| HSK[0x9342d78]: CERTIFICATE was received [3602 bytes]
but on the 3.2.20 install I get
|<3>| HSK[0x1b5c550]: CLIENT HELLO was queued [217 bytes]
|<7>| HWRITE: enqueued [CLIENT HELLO] 217. Total 217 bytes.
|<7>| HWRITE FLUSH: 217 bytes in buffer.
|<4>| REC[0x1b5c550]: Preparing Packet Handshake(22) with length: 217
|<9>| ENC[0x1b5c550]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
|<7>| WRITE: enqueued 222 bytes for 0x4. Total 222 bytes.
|<4>| REC[0x1b5c550]: Sent Packet[1] Handshake(22) in epoch 0 and length: 222
|<7>| HWRITE: wrote 1 bytes, 0 bytes left.
|<7>| WRITE FLUSH: 222 bytes in buffer.
|<7>| WRITE: wrote 222 bytes, 0 bytes left.
|<2>| ASSERT: gnutls_buffers.c:974
|<7>| READ: Got 0 bytes from 0x4
|<7>| READ: read 0 bytes from 0x4
|<2>| ASSERT: gnutls_buffers.c:482
|<2>| ASSERT: gnutls_record.c:876
|<2>| ASSERT: gnutls_record.c:986
|<2>| ASSERT: gnutls_buffers.c:1175
|<2>| ASSERT: gnutls_handshake.c:1269
|<2>| ASSERT: gnutls_handshake.c:2484
*** Fatal error: The TLS connection was non-properly terminated.
|<2>| ASSERT: gnutls_ui.c:544
No certificates found!
|<4>| REC: Sending Alert[2|10] - Unexpected message
|<4>| REC[0x1b5c550]: Preparing Packet Alert(21) with length: 2
|<9>| ENC[0x1b5c550]: cipher: NULL, MAC: MAC-NULL, Epoch: 0
|<7>| WRITE: enqueued 7 bytes for 0x4. Total 7 bytes.
|<7>| WRITE FLUSH: 7 bytes in buffer.
|<2>| errno: 32
|<2>| ASSERT: gnutls_buffers.c:374
|<7>| WRITE error: code -53, 7 bytes left.
|<2>| ASSERT: gnutls_buffers.c:599
|<2>| ASSERT: gnutls_record.c:456
*** Handshake has failed
GnuTLS error: The TLS connection was non-properly terminated.
Can anyone suggest how I can fix this? I'm trying to use a program that needs GnuTLS 3.x libs, so I can't just use GnuTLS 2.x, which works. Also the Cisco devices are running the latest and greatest firmware from Cisco circa Dec 2011.
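The two debug traces above differ in one decisive detail: on 2.8.5 a SERVER HELLO comes back, while on 3.0.20 the very next event after the 222-byte ClientHello record is written is "READ: Got 0 bytes", i.e. the peer closed the TCP socket without sending any TLS record (no close_notify alert, hence GnuTLS's "non-properly terminated"). The following script is an added example, not part of the original post or of GnuTLS; it reduces a gnutls-cli debug trace to those triage facts, using constructed sample traces copied from the output quoted above (one debug entry per line).

```python
import re

# Constructed sample traces, one entry per line, taken from the two runs quoted in the report.
TRACE_OLD = """\
|<3>| HSK[0x9342d78]: CLIENT HELLO was send [136 bytes]
|<2>| ASSERT: gnutls_cipher.c:204
|<3>| HSK[0x9342d78]: SERVER HELLO was received [74 bytes]
|<3>| HSK[0x9342d78]: Server's version: 3.1
|<3>| HSK[0x9342d78]: Selected cipher suite: RSA_ARCFOUR_MD5
|<3>| HSK[0x9342d78]: CERTIFICATE was received [3602 bytes]
"""
TRACE_NEW = """\
|<3>| HSK[0x1b5c550]: CLIENT HELLO was queued [217 bytes]
|<7>| WRITE: wrote 222 bytes, 0 bytes left.
|<7>| READ: Got 0 bytes from 0x4
|<2>| ASSERT: gnutls_handshake.c:2484
*** Fatal error: The TLS connection was non-properly terminated.
"""

CLIENT_HELLO_RE = re.compile(r"CLIENT HELLO was (?:send|sent|queued) \[(\d+) bytes\]")
SERVER_HELLO_RE = re.compile(r"SERVER HELLO was received \[(\d+) bytes\]")
CIPHER_RE = re.compile(r"Selected cipher suite: (\S+)")
VERSION_RE = re.compile(r"Server's version: (\d+\.\d+)")  # 3.1 is the wire number for TLS 1.0
EOF_RE = re.compile(r"READ: (?:Got|read) 0 bytes")        # read() returned 0: peer closed socket

def analyze(trace):
    """Reduce a gnutls-cli debug trace to the facts that matter for triage."""
    facts = {"client_hello_bytes": None, "server_hello_bytes": None,
             "cipher": None, "version": None, "eof_before_server_hello": False}
    for line in trace.splitlines():
        if m := CLIENT_HELLO_RE.search(line):
            facts["client_hello_bytes"] = int(m.group(1))
        elif m := SERVER_HELLO_RE.search(line):
            facts["server_hello_bytes"] = int(m.group(1))
        elif m := CIPHER_RE.search(line):
            facts["cipher"] = m.group(1)
        elif m := VERSION_RE.search(line):
            facts["version"] = m.group(1)
        elif EOF_RE.search(line) and facts["server_hello_bytes"] is None:
            # EOF with no ServerHello yet: the server dropped us rather than negotiating.
            facts["eof_before_server_hello"] = True
    return facts

def verdict(facts):
    """One-line classification of where the handshake stopped."""
    if facts["eof_before_server_hello"]:
        return (f"server closed the TCP connection after a {facts['client_hello_bytes']}-byte "
                "ClientHello, before sending any ServerHello")
    if facts["server_hello_bytes"] is not None:
        return f"ServerHello received (version {facts['version']}, cipher suite {facts['cipher']})"
    return "handshake outcome not determinable from trace"
```

Comparing the ClientHello sizes the script reports (136 bytes on 2.8.5 versus 217 bytes on 3.0.20) is the natural next step when a middlebox accepts one client and drops the other, since the larger hello is the only thing the server ever sees before it disconnects.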