138794 2014-11-17 05:56:04 -0800 [SOUP] [GnuTLS] Don't use a SSL3.0 record version in client hello. 2014-11-18 01:32:20 -0800 1 1 1 Unclassified WebKit WebKitGTK 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED P2 Normal --- 1 clopez clopez cgarcia commit-queue gustavo mcatanzaro oldest_to_newest 1049172 0 clopez 2014-11-17 05:56:04 -0800 Reported here: https://lists.webkit.org/pipermail/webkit-gtk/2014-November/002134.html and followed with the gnutls developers here: http://lists.gnutls.org/pipermail/gnutls-help/2014-November/003673.html Some sites ( for example: https://www.pge.com/eum/login ) are banning SSL 3.0 record packet versions, and GnuTLS uses by default a a SSL 3.0 version record in client hello to advertise TLS (even when SSL 3.0 is disabled). Doc: http://gnutls.org/manual/html_node/Priority-Strings.html#tab_003aprio_002dspecial1 1049173 1 241705 clopez 2014-11-17 06:00:42 -0800 Created attachment 241705 Patch 1049175 2 clopez 2014-11-17 06:04:08 -0800 Checked on https://cc.dcsec.uni-hannover.de/ Before this patch it says: Preferred SSL/TLS version: SSLv3 Version: 3.0 After the patch it says: Preferred SSL/TLS version: TLSv1.2 Version: 3.3 Also the test page https://www.pge.com/eum/login loads fine after this patch. 1049191 3 mcatanzaro 2014-11-17 07:19:36 -0800 We should do this, but going forward: is Nikos going to add %LATEST_RECORD_VERSION to %COMPAT? 1049193 4 clopez 2014-11-17 07:24:03 -0800 (In reply to comment #3) > We should do this, but going forward: is Nikos going to add > %LATEST_RECORD_VERSION to %COMPAT? In his reply he shows intention to change the default from %SSL3_RECORD_VERSION to %LATEST_RECORD_VERSION: http://lists.gnutls.org/pipermail/gnutls-help/2014-November/003673.html > That seems like a good opportunity to make that the default. 1049416 5 241705 svillar 2014-11-18 00:55:42 -0800 Comment on attachment 241705 Patch Thanks for the patch! 1049420 6 241705 commit-queue 2014-11-18 01:32:16 -0800 Comment on attachment 241705 Patch Clearing flags on attachment: 241705 Committed r176252: <http://trac.webkit.org/changeset/176252> 1049421 7 commit-queue 2014-11-18 01:32:20 -0800 All reviewed patches have been landed. Closing bug. 241705 2014-11-17 06:00:42 -0800 2014-11-18 01:32:16 -0800 Patch bug-138794-20141117150052.patch text/plain 2944 clopez U3VidmVyc2lvbiBSZXZpc2lvbjogMTc2MTk4CmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViS2l0Mi9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViS2l0Mi9DaGFuZ2VMb2cKaW5kZXggNGM2ZmFiZmNlNjVmOTBi NTYyZjQxMDU3YjBkMWY4ODJlZTE2Njc0ZS4uNDY2MGQ2NjlhYzk3YTZlNjlhNzJmNzVjOWU3ZWQw OWE5N2M5ZDYzMSAxMDA2NDQKLS0tIGEvU291cmNlL1dlYktpdDIvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJLaXQyL0NoYW5nZUxvZwpAQCAtMSwzICsxLDI0IEBACisyMDE0LTExLTE3ICBDYXJs b3MgQWxiZXJ0byBMb3BleiBQZXJleiAgPGNsb3BlekBpZ2FsaWEuY29tPgorCisgICAgICAgIFtT T1VQXSBbR251VExTXSBEb24ndCB1c2UgYSBTU0wzLjAgcmVjb3JkIHZlcnNpb24gaW4gY2xpZW50 IGhlbGxvLgorICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9 MTM4Nzk0CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAg SXQgc2VlbXMgdGhhdCBmb2xsb3dpbmcgUE9PRExFIG1hbnkgc2l0ZXMgaW5jb3JyZWN0bHkgYmFu bmVkIFNTTCAzLjAKKyAgICAgICAgcmVjb3JkIHBhY2tldCB2ZXJzaW9ucy4gU2luY2UgR251VExT IHVzZXMgYSBTU0wgMy4wIHJlY29yZCB0bworICAgICAgICBhZHZlcnRpc2UgVExTIDEuMiwgdGhl eSBhcmUgZWZmZWN0aXZlbHkgYmFubmluZyBpdCBldmVuIGlmIGl0IGRvZXNuJ3QKKyAgICAgICAg YWR2ZXJ0aXNlIFNTTCAzLjAuIFRoYXQgaXMgYSBzZXJ2ZXIgaXNzdWUsIGJ1dCBpdCBjYW4gYmUg d29ya2VkIGFyb3VuZAorICAgICAgICBieSB1c2luZyB0aGUgbW9kaWZpZXIgJUxBVEVTVF9SRUNP UkRfVkVSU0lPTi4KKworICAgICAgICBXaXRoIHRoaXMgbW9kaWZpZXIsIEdudVRMUyB3aWxsIHVz ZSB0aGUgbGF0ZXN0IFRMUyB2ZXJzaW9uIHJlY29yZAorICAgICAgICBpbiBjbGllbnQgaGVsbG8g aW5zdGVhZCBvZiB1c2luZyB0aGUgZGVmYXVsdCBTU0wgMy4wLgorCisgICAgICAgICogTmV0d29y a1Byb2Nlc3MvRW50cnlQb2ludC91bml4L05ldHdvcmtQcm9jZXNzTWFpbi5jcHA6CisgICAgICAg IChtYWluKToKKyAgICAgICAgKiBXZWJQcm9jZXNzL0VudHJ5UG9pbnQvdW5peC9XZWJQcm9jZXNz TWFpbi5jcHA6CisgICAgICAgIChtYWluKToKKwogMjAxNC0xMS0xNiAgQmVuamFtaW4gUG91bGFp biAgPGJwb3VsYWluQGFwcGxlLmNvbT4KIAogICAgICAgICBTdGFydCBjbGVhbmluZyB1cCBtaW5p bWFsIFVJIGZyb20gV0tXZWJWaWV3CmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViS2l0Mi9OZXR3b3Jr UHJvY2Vzcy9FbnRyeVBvaW50L3VuaXgvTmV0d29ya1Byb2Nlc3NNYWluLmNwcCBiL1NvdXJjZS9X ZWJLaXQyL05ldHdvcmtQcm9jZXNzL0VudHJ5UG9pbnQvdW5peC9OZXR3b3JrUHJvY2Vzc01haW4u Y3BwCmluZGV4IGM0MmJhYThlOTRlMTZkOGU4ZTk3YWUyNTZkOWEyNDk2ZjE0NGY5NTguLjFhY2Qx MzNjN2QxOGRlZTQ2OGZlNGE5MDc5OTdjYWFhOThkYjk2OTYgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9X ZWJLaXQyL05ldHdvcmtQcm9jZXNzL0VudHJ5UG9pbnQvdW5peC9OZXR3b3JrUHJvY2Vzc01haW4u Y3BwCisrKyBiL1NvdXJjZS9XZWJLaXQyL05ldHdvcmtQcm9jZXNzL0VudHJ5UG9pbnQvdW5peC9O ZXR3b3JrUHJvY2Vzc01haW4uY3BwCkBAIC0zOSw3ICszOSw3IEBAIGludCBtYWluKGludCBhcmdj LCBjaGFyKiogYXJndikKICAgICAvLyBvdmVyd3JpdGUgdGhpcyBwcmlvcml0eSBzdHJpbmcgaWYg aXQncyBhbHJlYWR5IHNldCBieSB0aGUgdXNlci4KICAgICAvLyBLZWVwIHRoaXMgaW4gc3luYyB3 aXRoIFdlYlByb2Nlc3NNYWluLmNwcC4KICAgICAvLyBodHRwczovL2J1Z3ppbGxhLmdub21lLm9y Zy9zaG93X2J1Zy5jZ2k/aWQ9NzM4NjMzCi0gICAgc2V0ZW52KCJHX1RMU19HTlVUTFNfUFJJT1JJ VFkiLCAiTk9STUFMOiVDT01QQVQ6IVZFUlMtU1NMMy4wIiwgMCk7CisgICAgc2V0ZW52KCJHX1RM U19HTlVUTFNfUFJJT1JJVFkiLCAiTk9STUFMOiVDT01QQVQ6JUxBVEVTVF9SRUNPUkRfVkVSU0lP TjohVkVSUy1TU0wzLjAiLCAwKTsKIAogICAgIHJldHVybiBOZXR3b3JrUHJvY2Vzc01haW5Vbml4 KGFyZ2MsIGFyZ3YpOwogfQpkaWZmIC0tZ2l0IGEvU291cmNlL1dlYktpdDIvV2ViUHJvY2Vzcy9F bnRyeVBvaW50L3VuaXgvV2ViUHJvY2Vzc01haW4uY3BwIGIvU291cmNlL1dlYktpdDIvV2ViUHJv Y2Vzcy9FbnRyeVBvaW50L3VuaXgvV2ViUHJvY2Vzc01haW4uY3BwCmluZGV4IDI2MDYyMGE3NjY5 MTFhODE2MmNiYjEwNzE3YWExMzdjYmEzYTkyNzEuLjg3YjQ1YjNjNWMwZDMzNmVmODY5Y2FjNzYx ZDYyZTFmZDU4ZWFlNTkgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJLaXQyL1dlYlByb2Nlc3MvRW50 cnlQb2ludC91bml4L1dlYlByb2Nlc3NNYWluLmNwcAorKysgYi9Tb3VyY2UvV2ViS2l0Mi9XZWJQ cm9jZXNzL0VudHJ5UG9pbnQvdW5peC9XZWJQcm9jZXNzTWFpbi5jcHAKQEAgLTM5LDcgKzM5LDcg QEAgaW50IG1haW4oaW50IGFyZ2MsIGNoYXIqKiBhcmd2KQogICAgIC8vIG92ZXJ3cml0ZSB0aGlz IHByaW9yaXR5IHN0cmluZyBpZiBpdCdzIGFscmVhZHkgc2V0IGJ5IHRoZSB1c2VyLgogICAgIC8v IEtlZXAgdGhpcyBpbiBzeW5jIHdpdGggTmV0d29ya1Byb2Nlc3NNYWluLmNwcC4KICAgICAvLyBo dHRwczovL2J1Z3ppbGxhLmdub21lLm9yZy9zaG93X2J1Zy5jZ2k/aWQ9NzM4NjMzCi0gICAgc2V0 ZW52KCJHX1RMU19HTlVUTFNfUFJJT1JJVFkiLCAiTk9STUFMOiVDT01QQVQ6IVZFUlMtU1NMMy4w IiwgMCk7CisgICAgc2V0ZW52KCJHX1RMU19HTlVUTFNfUFJJT1JJVFkiLCAiTk9STUFMOiVDT01Q QVQ6JUxBVEVTVF9SRUNPUkRfVkVSU0lPTjohVkVSUy1TU0wzLjAiLCAwKTsKIAogICAgIHJldHVy biBXZWJQcm9jZXNzTWFpblVuaXgoYXJnYywgYXJndik7CiB9Cg==