Bug 138794 - [SOUP] [GnuTLS] Don't use a SSL3.0 record version in client hello.
Summary: [SOUP] [GnuTLS] Don't use a SSL3.0 record version in client hello.
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKitGTK
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Carlos Alberto Lopez Perez
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-11-17 05:56 PST by Carlos Alberto Lopez Perez
Modified: 2014-11-18 01:32 PST (History)

See Also:


Attachments
Patch (2.88 KB, patch)
2014-11-17 06:00 PST, Carlos Alberto Lopez Perez

Description Carlos Alberto Lopez Perez 2014-11-17 05:56:04 PST
Reported here: https://lists.webkit.org/pipermail/webkit-gtk/2014-November/002134.html and followed with the gnutls developers here: http://lists.gnutls.org/pipermail/gnutls-help/2014-November/003673.html

Some sites (for example: https://www.pge.com/eum/login) are banning SSL 3.0 record packet versions, and GnuTLS uses by default a SSL 3.0 version record in client hello to advertise TLS (even when SSL 3.0 is disabled). Doc: http://gnutls.org/manual/html_node/Priority-Strings.html#tab_003aprio_002dspecial1
Comment 1 Carlos Alberto Lopez Perez 2014-11-17 06:00:42 PST
Created attachment 241705 [details]
Patch
Comment 2 Carlos Alberto Lopez Perez 2014-11-17 06:04:08 PST
Checked on https://cc.dcsec.uni-hannover.de/

Before this patch it says:

  Preferred SSL/TLS version: SSLv3
  Version: 3.0

After the patch it says:

  Preferred SSL/TLS version: TLSv1.2
  Version: 3.3

Also the test page https://www.pge.com/eum/login loads fine after this patch.
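The distinction the description and comment 2 turn on is that a TLS ClientHello carries two version fields: the one in the 5-byte record-layer header (what GnuTLS's %SSL3_RECORD_VERSION / %LATEST_RECORD_VERSION priority keywords select) and the client_version inside the handshake body (the highest protocol version actually offered). A server that filters on the record-layer field sees "3.0" even though the handshake offers TLS 1.2. The following is an added example, not code from this bug, WebKit or GnuTLS: it builds two constructed ClientHello records (the "before" shape with a 3.0 record version and the "after" shape with 3.3), parses both fields out of the wire bytes, and applies the kind of record-version policy check the description attributes to those sites. The helper names and the sample bytes are assumptions for illustration; a real GnuTLS hello would carry more cipher suites and extensions.

```python
# Added example: inspect the two version fields of a TLS ClientHello record.
# Constructed test data; not a capture from the bug's test sites.

# Cipher suite value used in the constructed hello: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f).
SAMPLE_SUITE = b"\x00\x2f"

VERSION_NAMES = {
    (3, 0): "SSLv3",
    (3, 1): "TLSv1.0",
    (3, 2): "TLSv1.1",
    (3, 3): "TLSv1.2",
}


def build_client_hello(record_version: tuple, client_version: tuple) -> bytes:
    """Build a minimal, syntactically valid ClientHello record (constructed data).

    record_version: pair written into the record-layer header, e.g. (3, 0) for the
        SSL 3.0 record version GnuTLS used by default, (3, 3) for %LATEST_RECORD_VERSION.
    client_version: pair written into the ClientHello body (highest version offered).
    """
    body = bytes(client_version)            # ProtocolVersion client_version
    body += b"\x00" * 32                    # Random (zeros; constructed sample)
    body += b"\x00"                         # SessionID length = 0
    body += b"\x00\x02" + SAMPLE_SUITE      # cipher_suites: one 2-byte suite
    body += b"\x01\x00"                     # compression_methods: null only
    # Handshake header: HandshakeType client_hello(1) + 3-byte body length.
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    # Record header: ContentType handshake(22) + record version + 2-byte length.
    return b"\x16" + bytes(record_version) + len(handshake).to_bytes(2, "big") + handshake


def parse_versions(record: bytes) -> dict:
    """Return the record-layer version and the ClientHello client_version."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version = (record[1], record[2])
    rec_len = int.from_bytes(record[3:5], "big")
    handshake = record[5:5 + rec_len]
    if len(handshake) < 6 or handshake[0] != 0x01:
        raise ValueError("record does not contain a ClientHello")
    # Bytes 0..3 are the handshake type and length; client_version follows.
    client_version = (handshake[4], handshake[5])
    return {"record_version": record_version, "client_version": client_version}


def rejected_by_ssl3_record_filter(record: bytes) -> bool:
    """The policy the bug describes: refuse any hello whose *record layer* says 3.0,
    regardless of the version offered inside the handshake."""
    return parse_versions(record)["record_version"] == (3, 0)


def describe(record: bytes) -> str:
    """Human-readable summary in the style of the scanner output quoted in comment 2."""
    v = parse_versions(record)
    rec = VERSION_NAMES.get(v["record_version"], str(v["record_version"]))
    off = VERSION_NAMES.get(v["client_version"], str(v["client_version"]))
    return "record layer %s, offers %s" % (rec, off)


if __name__ == "__main__":
    before = build_client_hello((3, 0), (3, 3))   # GnuTLS default at the time
    after = build_client_hello((3, 3), (3, 3))    # with %LATEST_RECORD_VERSION
    for label, rec in (("before", before), ("after", after)):
        verdict = "rejected" if rejected_by_ssl3_record_filter(rec) else "accepted"
        print(label, ":", describe(rec), "->", verdict)
```

Both constructed hellos offer TLS 1.2 in the handshake body; only the record-layer byte pair differs, which is exactly why a record-version filter drops the first and accepts the second while the client's actual protocol offer is unchanged.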
Comment 3 Michael Catanzaro 2014-11-17 07:19:36 PST
We should do this, but going forward: is Nikos going to add %LATEST_RECORD_VERSION to %COMPAT?
Comment 4 Carlos Alberto Lopez Perez 2014-11-17 07:24:03 PST
(In reply to comment #3)
> We should do this, but going forward: is Nikos going to add
> %LATEST_RECORD_VERSION to %COMPAT?

In his reply he shows intention to change the default from %SSL3_RECORD_VERSION to %LATEST_RECORD_VERSION:

http://lists.gnutls.org/pipermail/gnutls-help/2014-November/003673.html
> That seems like a good opportunity to make that the default.
Comment 5 Sergio Villar Senin 2014-11-18 00:55:42 PST
Comment on attachment 241705 [details]
Patch

Thanks for the patch!
Comment 6 WebKit Commit Bot 2014-11-18 01:32:16 PST
Comment on attachment 241705 [details]
Patch

Clearing flags on attachment: 241705

Committed r176252: <http://trac.webkit.org/changeset/176252>
Comment 7 WebKit Commit Bot 2014-11-18 01:32:20 PST
All reviewed patches have been landed.  Closing bug.