[Webkit-unassigned] [Bug 202156] [GTK] Unable to load page due to TLS errors

bugzilla-daemon at webkit.org
Wed Sep 25 04:26:25 PDT 2019


https://bugs.webkit.org/show_bug.cgi?id=202156

--- Comment #3 from Carlos Alberto Lopez Perez <clopez at igalia.com> ---
Ok.

It seems that I came to conclusions too fast.

We do still support TLS-1.0 as you can check by opening the site: https://tls-v1-0.badssl.com:1010/

The issue is that this site uses 3DES, which gnutls decided to disable by default a long time ago:

Check: https://gitlab.com/gnutls/gnutls/issues/120


By enabling it back I get gnutls-cli to connect.


$ gnutls-cli --priority "NORMAL:+3DES-CBC"  -p 443 clientes.tautoradio.com
Processed 124 CA certificate(s).
Resolving 'clientes.tautoradio.com:443'...
Connecting to '91.117.124.94:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `C=ES,CN=*.tautoradio.com,O=TRANSPORTES AUTO-RADIO S.A.,OU=SISTEMAS,serialNumber=A15080773,L=CORUÑA (A)', issuer `CN=Camerfirma Corporate Server II - 2015,L=Madrid (see current address at https://www.camerfirma.com/address),serialNumber=A82743287,O=AC Camerfirma S.A.,OU=AC CAMERFIRMA,C=ES', serial 0x1caad33528197c7351, RSA key 2048 bits, signed using RSA-SHA256, activated `2018-12-27 13:55:18 UTC', expires `2019-12-27 13:55:18 UTC', pin-sha256="e2KHpkroiqqX4eM+6L8h+LWipNBpurEdmYYNY6RolNs="
        Public Key ID:
                sha1:47566945cd16d0e43840bf65a5eeb98a21164291
                sha256:7b6287a64ae88aaa97e1e33ee8bf21f8b5a2a4d069bab11d99860d63a46894db
        Public Key PIN:
                pin-sha256:e2KHpkroiqqX4eM+6L8h+LWipNBpurEdmYYNY6RolNs=

- Certificate[1] info:
 - subject `CN=Camerfirma Corporate Server II - 2015,L=Madrid (see current address at https://www.camerfirma.com/address),serialNumber=A82743287,O=AC Camerfirma S.A.,OU=AC CAMERFIRMA,C=ES', issuer `CN=Chambers of Commerce Root - 2008,O=AC Camerfirma S.A.,serialNumber=A82743287,L=Madrid (see current address at www.camerfirma.com/address),C=EU', serial 0x621ff31c489ba136, RSA key 4096 bits, signed using RSA-SHA256, activated `2015-01-15 09:21:16 UTC', expires `2037-12-15 09:21:16 UTC', pin-sha256="m6nepCtxe9G9HhpXqQbCc7VSQX41KwYqD6LqFDqntKk="
- Status: The certificate is trusted. 
- Description: (TLS1.0)-(RSA)-(3DES-CBC)-(SHA1)
- Session ID: 5E:22:00:00:5C:2D:07:33:9D:25:D4:0B:94:34:1D:69:1B:D5:26:8E:53:B8:D4:09:BD:24:08:74:49:76:1E:3D
- Options: safe renegotiation,
- Handshake was completed

- Simple Client Mode:



So, this is indeed something we can patch in WebKitGTK to override the gnutls default policy in this regard.

That website seems to be running Microsoft-IIS/6.0 as its web server, which I imagine is running on some very old version of Windows. I'm a bit horrified.

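Added example (not part of the original comment, and not WebKit or gnutls code): a small Python check that reads a gnutls-cli transcript and flags legacy parameters in its `- Description:` line, such as the TLS1.0 / 3DES-CBC session quoted in the comment. The `LEGACY` table and the second and third sample strings are assumptions constructed for illustration.

```python
import re

# gnutls token -> why a reviewer would flag it. This table is an assumption of
# the example, not gnutls's own policy list.
LEGACY = {
    "SSL3.0": "protocol deprecated (RFC 7568)",
    "TLS1.0": "protocol deprecated (RFC 8996)",
    "TLS1.1": "protocol deprecated (RFC 8996)",
    "3DES-CBC": "64-bit block cipher, off by default in gnutls",
    "ARCFOUR-128": "RC4 stream cipher, prohibited by RFC 7465",
    "RSA": "static RSA key exchange, no forward secrecy",
    "MD5": "MD5-based MAC",
    "SHA1": "SHA-1-based MAC",
}

DESC_RE = re.compile(r"^- Description: (.+)$", re.MULTILINE)


def audit_session(cli_output):
    """Return [(token, reason), ...] for legacy parameters found in a
    gnutls-cli transcript, or None when no session was negotiated."""
    m = DESC_RE.search(cli_output)
    if m is None:
        return None  # handshake failed, e.g. no shared cipher under NORMAL
    # Match tokens by name, not position: the field order in the Description
    # line differs between protocol versions.
    tokens = re.findall(r"\(([^)]+)\)", m.group(1))
    return [(t, LEGACY[t]) for t in tokens if t in LEGACY]


# Lines taken from the transcript in the comment.
PAGE_SAMPLE = """- Status: The certificate is trusted.
- Description: (TLS1.0)-(RSA)-(3DES-CBC)-(SHA1)
- Handshake was completed
"""
# Constructed samples: a modern session and a failed handshake.
MODERN_SAMPLE = (
    "- Description: (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)\n"
)
FAILED_SAMPLE = "*** Fatal error: A TLS fatal alert has been received.\n"

if __name__ == "__main__":
    for name, text in [("page", PAGE_SAMPLE), ("modern", MODERN_SAMPLE),
                       ("failed", FAILED_SAMPLE)]:
        print(name, audit_session(text))
```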