Bug 138794

Summary: [SOUP] [GnuTLS] Don't use a SSL3.0 record version in client hello.
Product: WebKit Reporter: Carlos Alberto Lopez Perez <clopez>
Component: WebKitGTKAssignee: Carlos Alberto Lopez Perez <clopez>
Status: RESOLVED FIXED    
Severity: Normal CC: cgarcia, commit-queue, gns, mcatanzaro
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch none

Description Carlos Alberto Lopez Perez 2014-11-17 05:56:04 PST
Reported here: https://lists.webkit.org/pipermail/webkit-gtk/2014-November/002134.html and followed with the gnutls developers here: http://lists.gnutls.org/pipermail/gnutls-help/2014-November/003673.html

Some sites ( for example: https://www.pge.com/eum/login ) are banning SSL 3.0 record packet versions, and GnuTLS uses by default a a SSL 3.0 version record in client hello to advertise TLS (even when SSL 3.0 is disabled). Doc: http://gnutls.org/manual/html_node/Priority-Strings.html#tab_003aprio_002dspecial1
Comment 1 Carlos Alberto Lopez Perez 2014-11-17 06:00:42 PST
Created attachment 241705 [details]
Patch
Comment 2 Carlos Alberto Lopez Perez 2014-11-17 06:04:08 PST
Checked on https://cc.dcsec.uni-hannover.de/

Before this patch it says:

  Preferred SSL/TLS version: SSLv3
  Version: 3.0

After the patch it says:

  Preferred SSL/TLS version: TLSv1.2
  Version: 3.3




Also the test page https://www.pge.com/eum/login loads fine after this patch.
Comment 3 Michael Catanzaro 2014-11-17 07:19:36 PST
We should do this, but going forward: is Nikos going to add %LATEST_RECORD_VERSION to %COMPAT?
Comment 4 Carlos Alberto Lopez Perez 2014-11-17 07:24:03 PST
(In reply to comment #3)
> We should do this, but going forward: is Nikos going to add
> %LATEST_RECORD_VERSION to %COMPAT?

In his reply he shows intention to change the default from %SSL3_RECORD_VERSION to %LATEST_RECORD_VERSION:

http://lists.gnutls.org/pipermail/gnutls-help/2014-November/003673.html
> That seems like a good opportunity to make that the default.
Comment 5 Sergio Villar Senin 2014-11-18 00:55:42 PST
Comment on attachment 241705 [details]
Patch

Thanks for the patch!
Comment 6 WebKit Commit Bot 2014-11-18 01:32:16 PST
Comment on attachment 241705 [details]
Patch

Clearing flags on attachment: 241705

Committed r176252: <http://trac.webkit.org/changeset/176252>
Comment 7 WebKit Commit Bot 2014-11-18 01:32:20 PST
All reviewed patches have been landed.  Closing bug.