Bug 1108450 - weechat gnutls fails in handshake
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: Security
Version: Current
Hardware: Other Other
Priority: P5 - None
Severity: Normal
Assigned To: Vítězslav Čížek
Reported: 2018-09-14 10:31 UTC by Luis Henriques
Modified: 2021-07-27 12:35 UTC

Description Luis Henriques 2018-09-14 10:31:27 UTC
After last TW upgrade, where libgnutls got updated, I'm seeing my weechat failing to connect to my local znc instance with:

gnutls: certificate fingerprint matches
irc: TLS handshake failed
irc: error: The operation was cancelled due to user error

I found this issue https://github.com/weechat/weechat/issues/1231 that seems to point the finger at gnutls and presents a backport of a fix from Fedora.
Comment 1 Andreas Stieger 2018-09-14 11:07:02 UTC
(In reply to Luis Henriques from comment #0)
> After last TW upgrade

Which one?

> where libgnutls got updated

To which version?
Comment 2 Luis Henriques 2018-09-14 11:15:56 UTC
(In reply to Andreas Stieger from comment #1)
> (In reply to Luis Henriques from comment #0)
> > After last TW upgrade
> 
> Which one?

20180911

> 
> > where libgnutls got updated
> 
> To which version?

3.6.3
Comment 3 Vítězslav Čížek 2018-09-14 11:34:09 UTC
The problem seems to be introduced in 3.6.3.

Upstream issue:
https://gitlab.com/gnutls/gnutls/issues/528

Fix:
https://gitlab.com/gnutls/gnutls/commit/42945a7aab6d4e18da13a9c6f1d05fd1487e13c7
Comment 4 Luis Henriques 2018-09-14 11:36:57 UTC
(In reply to Vítězslav Čížek from comment #3)
> The problem seems to be introduced in 3.6.3.
> 
> Upstream issue:
> https://gitlab.com/gnutls/gnutls/issues/528
> 
> Fix:
> https://gitlab.com/gnutls/gnutls/commit/42945a7aab6d4e18da13a9c6f1d05fd1487e13c7

Right, which is quite different from the Fedora backport (although I haven't taken a close look at any of these patches).

I can however confirm that the Fedora patch (referred to in the link above) actually fixes the issue.  I've a gnutls build with that patch applied here:

https://build.opensuse.org/project/show/home:henrix:branches:security:tls
Comment 5 Vítězslav Čížek 2018-09-14 12:36:22 UTC
(In reply to Luis Henriques from comment #4)
> Right, which is quite different from the Fedora backport (although I haven't
> taken a close look at any of these patches).

That's because they collected several fixes and squashed them together, omitting all the test files.

> I can however confirm that the Fedora patch (referred to in the link above)
> actually fixes the issue.  I've a gnutls build with that patch applied here:
> 
> https://build.opensuse.org/project/show/home:henrix:branches:security:tls

Would you submit your package to security:tls?
Comment 6 Luis Henriques 2018-09-14 13:27:17 UTC
(In reply to Vítězslav Čížek from comment #5)
> (In reply to Luis Henriques from comment #4)
> > Right, which is quite different from the Fedora backport (although I haven't
> > taken a close look at any of these patches).
> 
> That's because they collected several fixes and squashed them together,
> omitting all the test files.

Yep:

3df5b7bc8a64 ("cert-cred: fix possible segfault when resetting cert retrieval function")
42945a7aab6d ("allow no certificates to be reported by the gnutls_certificate_retrieve_function callbacks")
10f83e36ed92 ("hello_ext_parse: apply the test for pre-shared key ext being last on client hello")

> 
> > I can however confirm that the Fedora patch (referred to in the link above)
> > actually fixes the issue.  I've a gnutls build with that patch applied here:
> > 
> > https://build.opensuse.org/project/show/home:henrix:branches:security:tls
> 
> Would you submit your package to security:tls?

Done!  Thanks for your help.
Comment 7 Vítězslav Čížek 2018-09-14 13:42:35 UTC
On its way to Factory.
Comment 8 Swamp Workflow Management 2018-09-14 14:10:05 UTC
This is an autogenerated message for OBS integration:
This bug (1108450) was mentioned in
https://build.opensuse.org/request/show/635770 Factory / gnutls
Comment 9 Swamp Workflow Management 2019-02-03 09:50:33 UTC
This is an autogenerated message for OBS integration:
This bug (1108450) was mentioned in
https://build.opensuse.org/request/show/670846 15.1 / gnutls