[webkit-gtk] SSL Handshake error
Michael Catanzaro
mcatanzaro at igalia.com
Wed Nov 12 17:11:48 PST 2014
On Wed, 2014-11-12 at 11:44 -0800, Niranjan Rao wrote:
> Greetings,
>
> On Webkit 2.2.6/Ubuntu 12.04
>
> When visiting some sites, I get error SSL handshake error. For example
> site https://www.pge.com/eum/login gives SSL handshake error when using
> MiniBrowser. Usual browsers are doing ok when visiting the site.
>
> Is there any way to mitigate this problem?
Each such site requires individual investigation, unfortunately.
> I saw some documentation about TLS errors in webkitgtk web site. Not
> clear if this applies to me or not.
Well, that documentation describes how to handle "successful" TLS
connections with unverified TLS certificates, which is important for
developers because older versions of WebKitGTK+ handle this insecurely
by default. But it's not relevant here, since this connection has failed
completely. We use GnuTLS to handle TLS; here's what its command line
debug tool tells us:
$ gnutls-cli www.pge.com
Processed 153 CA certificate(s).
Resolving 'www.pge.com'...
Connecting to '131.89.128.67:443'...
*** Fatal error: The TLS connection was non-properly terminated.
*** Handshake has failed
GnuTLS error: The TLS connection was non-properly terminated.
That error message is misleading:
$ gnutls-cli-debug www.pge.com
Resolving 'www.pge.com'...
Connecting to '131.89.128.67:443'...
Checking for SSL 3.0 support... no
Connecting to '131.89.128.67:443'...
Checking whether %COMPAT is required... yes
Connecting to '131.89.128.67:443'...
Checking for TLS 1.0 support... no
Connecting to '131.89.128.67:443'...
Checking for TLS 1.1 support... no
Connecting to '131.89.128.67:443'...
Checking fallback from TLS 1.1 to... failed
Connecting to '131.89.128.67:443'...
Checking for TLS 1.2 support... no
Connecting to '131.89.128.67:443'...
Checking whether we need to disable TLS 1.2... yes
So GnuTLS thinks this server apparently does not support any TLS
protocol, and you get no connection. But for a second opinion I went to
https://www.ssllabs.com/ssltest/analyze.html?d=pge.com which was able to
connect via TLS 1.0. The server supports very few cipher suites (you can
see that the site is completely inaccessible with the latest Safari, for
example), but we share three in common so I'm not sure what's wrong. The
next step would be to ask on the gnutls-help mailing list [1] to find
out whether there is a GnuTLS bug (not really likely) or why it's
refusing to connect if not. Please do CC me; I'm curious!
Michael
[1] http://lists.gnutls.org/mailman/listinfo/gnutls-help
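The version-by-version and suite-by-suite checking that gnutls-cli-debug performs above can be reproduced in a few lines with Go's crypto/tls, which is useful when you want the same "second opinion" GnuTLS and SSL Labs gave here without depending on either tool. The program below is an added example written for this thread, not code from the thread or from WebKitGTK+; it runs entirely in-process over net.Pipe against a hypothetical server configured to accept only TLS 1.2 with a single ECDHE-ECDSA suite (a constructed stand-in for a server with a narrow protocol/cipher intersection, not the real site's configuration), using a self-signed certificate it generates at startup. The names LegacyServerConfig, SupportedVersions, ProbeCipherSuite, SharedSuite and DisjointSuite are this example's own; everything else is the Go standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Suites used by the probes below (both are real crypto/tls identifiers).
const (
	SharedSuite   = tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 // offered by the model server
	DisjointSuite = tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 // not offered by it
)

var probeVersions = []struct {
	name string
	id   uint16
}{{"TLS 1.0", tls.VersionTLS10}, {"TLS 1.1", tls.VersionTLS11},
	{"TLS 1.2", tls.VersionTLS12}, {"TLS 1.3", tls.VersionTLS13}}

// selfSignedCert builds an in-memory ECDSA certificate for "localhost"
// (a constructed fixture) so the whole probe runs offline.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		DNSNames:              []string{"localhost"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, roots, nil
}

// LegacyServerConfig is the hypothetical narrow server: TLS 1.2 only, one suite.
func LegacyServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             tls.VersionTLS12,
		MaxVersion:             tls.VersionTLS12,
		CipherSuites:           []uint16{SharedSuite},
		SessionTicketsDisabled: true, // no post-handshake writes over the pipe
	}
}

// handshake runs one client/server handshake over an in-memory pipe and
// returns the client-side error (nil when the handshake completed).
func handshake(serverCfg, clientCfg *tls.Config) error {
	cp, sp := net.Pipe()
	defer cp.Close()
	defer sp.Close()
	srvDone := make(chan error, 1)
	go func() { srvDone <- tls.Server(sp, serverCfg).Handshake() }()
	err := tls.Client(cp, clientCfg).Handshake()
	<-srvDone // the server side has finished (or failed) as well
	return err
}

// SupportedVersions does what gnutls-cli-debug does: one handshake per
// protocol version, client pinned to exactly that version; returns the
// names of the versions the server accepted, in probe order.
func SupportedVersions(serverCfg *tls.Config, roots *x509.CertPool) []string {
	var ok []string
	for _, v := range probeVersions {
		cfg := &tls.Config{RootCAs: roots, ServerName: "localhost", MinVersion: v.id, MaxVersion: v.id}
		if handshake(serverCfg, cfg) == nil {
			ok = append(ok, v.name)
		}
	}
	return ok
}

// ProbeCipherSuite checks whether the server accepts one specific TLS 1.2
// suite, making a "suites in common" comparison concrete one suite at a time.
func ProbeCipherSuite(serverCfg *tls.Config, roots *x509.CertPool, suite uint16) bool {
	cfg := &tls.Config{RootCAs: roots, ServerName: "localhost",
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12, CipherSuites: []uint16{suite}}
	return handshake(serverCfg, cfg) == nil
}

func main() {
	cert, roots, err := selfSignedCert()
	if err != nil {
		panic(err)
	}
	srv := LegacyServerConfig(cert)
	fmt.Println("versions accepted:", SupportedVersions(srv, roots))
	for _, s := range []uint16{SharedSuite, DisjointSuite} {
		fmt.Printf("%s accepted: %v\n", tls.CipherSuiteName(s), ProbeCipherSuite(srv, roots, s))
	}
}
```

Against the model server the version probe reports only TLS 1.2 and the suite probe accepts SharedSuite but rejects DisjointSuite, which is the shape of result that distinguishes "the server offers no version we speak" from "we agree on a version but share no suite". To point the same probes at a real host, replace net.Pipe with a tls.Dial per version and drop the constructed root pool in favour of the system roots; note that GnuTLS and Go pick different default suites and curves, so a discrepancy between the two is itself a clue about which side's defaults are the problem.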