[webkit-gtk] SSL Handshake error
Niranjan Rao
nhrdls at gmail.com
Wed Nov 12 18:18:00 PST 2014
Michael,
Thank you for detailed explanation. Though I am not expert I suspected
something on similar lines and hence raised the question about using
webkit TLS functionality.
I'll follow up with gnu tls lists.
Regards,
Niranjan
On 11/12/2014 05:11 PM, Michael Catanzaro wrote:
> On Wed, 2014-11-12 at 11:44 -0800, Niranjan Rao wrote:
>> Greetings,
>>
>> On Webkit 2.2.6/Ubuntu 12.04
>>
>> When visiting some sites, I get error SLS handshake error. For example
>> site https://www.pge.com/eum/login gives SSL handshake error when using
>> MiniBrowser. Usual browsers are doing ok when visiting the site.
>>
>> Is there any way to mitigate this problem?
> Each such site requires individual investigation, unfortunately.
>
>> I saw some documentation about TLS errors in webkitgtk web site. Not
>> clear if this applies to me or not.
> Well, that documentation describes how to handle "successful" TLS
> connections with unverified TLS certificates, which is important for
> developers because older versions of WebKitGTK+ handle this insecurely
> by default. But it's not relevant here, since this connection has failed
> completely. We use GnuTLS to handle TLS; here's what its command line
> debug tool tells us:
>
> $ gnutls-cli www.pge.com
> Processed 153 CA certificate(s).
> Resolving 'www.pge.com'...
> Connecting to '131.89.128.67:443'...
> *** Fatal error: The TLS connection was non-properly terminated.
> *** Handshake has failed
> GnuTLS error: The TLS connection was non-properly terminated.
>
> That error message is misleading:
>
> $ gnutls-cli-debug www.pge.com
> Resolving 'www.pge.com'...
> Connecting to '131.89.128.67:443'...
> Checking for SSL 3.0 support... no
> Connecting to '131.89.128.67:443'...
> Checking whether %COMPAT is required... yes
> Connecting to '131.89.128.67:443'...
> Checking for TLS 1.0 support... no
> Connecting to '131.89.128.67:443'...
> Checking for TLS 1.1 support... no
> Connecting to '131.89.128.67:443'...
> Checking fallback from TLS 1.1 to... failed
> Connecting to '131.89.128.67:443'...
> Checking for TLS 1.2 support... no
> Connecting to '131.89.128.67:443'...
> Checking whether we need to disable TLS 1.2... yes
>
> So GnuTLS thinks this server apparently does not support any TLS
> protocol, and you get no connection. But for a second opinion I went to
> https://www.ssllabs.com/ssltest/analyze.html?d=pge.com which was able to
> connect via TLS 1.0. The server supports very few cipher suites (you can
> see that the site is completely inaccessible with the latest Safari, for
> example), but we share three in common so I'm not sure what's wrong. The
> next step would be to ask on the gnutls-help mailing list [1] to find
> out whether there is a GnuTLS bug (not really likely) or why it's
> refusing to connect if not. Please do CC me; I'm curious!
>
> Michael
>
> [1] http://lists.gnutls.org/mailman/listinfo/gnutls-help
>
More information about the webkit-gtk
mailing list