GnuTLS 3.6.3 connection failure: Error performing TLS handshake: The operation was cancelled due to user error
Since Fedora Rawhide and Fedora testing updated GnuTLS to 3.6.3, our Cockpit unit tests for TLS connections fail during handshake:
$ ./test-httpstream
./test-httpstream terminated with SIGABRT
FAIL: test-httpstream 7 /http-stream/tls/basic
FAIL: test-httpstream 12 /http-stream/tls/authority-good
cockpit-bridge-Message: 14:08:31.926: https://localhost:42005/test: couldn't read: Error performing TLS handshake: The operation was cancelled due to user error
**
cockpit-bridge:ERROR:src/bridge/test-httpstream.c:815:test_tls_authority_bad: Got unexpected message: https://localhost:42005/test: couldn't read: Error performing TLS handshake: The operation was cancelled due to user error instead of cockpit-bridge-Message: *Unacceptable TLS certificate:*untrusted-issuer*
FAIL: test-httpstream 13 /http-stream/tls/authority-bad
ERROR: test-httpstream process failed: 250
This can be reproduced without Cockpit, just a simple standalone reproducer using glib-networking:
curl -O https://raw.githubusercontent.com/cockpit-project/cockpit/master/src/bridge/mock-server.crt
curl -O https://raw.githubusercontent.com/cockpit-project/cockpit/master/src/bridge/mock-server.key
curl -O https://piware.de/tmp/glib-networking-tls-9723.c
gnutls-serv --x509keyfile ./mock-server.key --x509certfile ./mock-server.crt --port 9999
# in another terminal:
gcc -g -O0 `pkg-config --cflags --libs gio-2.0` glib-networking-tls-9723.c
./a.out
This works with GnuTLS 3.6.2, as currently in Fedora 28:
** Message: 09:19:51.913: successfully connected
HTTP/1.0 200 OK
Content-type: text/html
<HTML>[...]
But it fails with GnuTLS 3.6.3 (on the client side -- didn't test the server side). I extracted libgnutls.so.30 from a rawhide mock chroot and put it into /tmp/. Then LD_LIBRARY_PATH=/tmp ./a.out
reproduces the bug:
** Message: 09:21:00.794: successfully connected
**
ERROR:glib-networking-tls-9723.c:36:main: assertion failed (error == NULL): Error performing TLS handshake: The operation was cancelled due to user error (g-tls-error-quark, 1)
Aborted (core dumped)
The server says:
* Accepted connection from IPv4 127.0.0.1 port 59050 on Wed Jul 25 09:21:21 2018
Error in handshake: Error in the pull function.
Notes:
-
This works against an OpenSSL server:
openssl s_server -cert ./mock-server.crt -key ./mock-server.key -port
(You need to type something onto the server side to see it on the client - but if you are there, you are past the connection)
-
This doesn't depend on the actual certificates. I tried a different one, and it fails in the same way. The above ones are the ones from Cockpit's tests, and are convenient to use.