Bug 138794

Summary: [SOUP] [GnuTLS] Don't use a SSL3.0 record version in client hello.
Product: WebKit Reporter: Carlos Alberto Lopez Perez <clopez>
Component: WebKitGTKAssignee: Carlos Alberto Lopez Perez <clopez>
Status: RESOLVED FIXED    
Severity: Normal CC: cgarcia, commit-queue, gustavo, mcatanzaro
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch none

Carlos Alberto Lopez Perez
Reported 2014-11-17 05:56:04 PST
Reported here: https://lists.webkit.org/pipermail/webkit-gtk/2014-November/002134.html and followed with the gnutls developers here: http://lists.gnutls.org/pipermail/gnutls-help/2014-November/003673.html Some sites ( for example: https://www.pge.com/eum/login ) are banning SSL 3.0 record packet versions, and GnuTLS uses by default a a SSL 3.0 version record in client hello to advertise TLS (even when SSL 3.0 is disabled). Doc: http://gnutls.org/manual/html_node/Priority-Strings.html#tab_003aprio_002dspecial1
Attachments
Patch (2.88 KB, patch)
2014-11-17 06:00 PST, Carlos Alberto Lopez Perez 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Carlos Alberto Lopez Perez
Comment 1 2014-11-17 06:00:42 PST
Created attachment 241705 [details] Patch
Carlos Alberto Lopez Perez
Comment 2 2014-11-17 06:04:08 PST
Checked on https://cc.dcsec.uni-hannover.de/ Before this patch it says: Preferred SSL/TLS version: SSLv3 Version: 3.0 After the patch it says: Preferred SSL/TLS version: TLSv1.2 Version: 3.3 Also the test page https://www.pge.com/eum/login loads fine after this patch.
Michael Catanzaro
Comment 3 2014-11-17 07:19:36 PST
We should do this, but going forward: is Nikos going to add %LATEST_RECORD_VERSION to %COMPAT?
Carlos Alberto Lopez Perez
Comment 4 2014-11-17 07:24:03 PST
(In reply to comment #3) > We should do this, but going forward: is Nikos going to add > %LATEST_RECORD_VERSION to %COMPAT? In his reply he shows intention to change the default from %SSL3_RECORD_VERSION to %LATEST_RECORD_VERSION: http://lists.gnutls.org/pipermail/gnutls-help/2014-November/003673.html > That seems like a good opportunity to make that the default.
Sergio Villar Senin
Comment 5 2014-11-18 00:55:42 PST
Comment on attachment 241705 [details] Patch Thanks for the patch!
WebKit Commit Bot
Comment 6 2014-11-18 01:32:16 PST
Comment on attachment 241705 [details] Patch Clearing flags on attachment: 241705 Committed r176252: <http://trac.webkit.org/changeset/176252>
WebKit Commit Bot
Comment 7 2014-11-18 01:32:20 PST
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.