search

jedisct1 / libsodium

A modern, portable, easy to use crypto library.
https://libsodium.org
Other
12.15k stars 1.73k forks source link

gnutls_handshake() failed: Error in protocol version on https://download.libsodium.org #1015

Closed antenore closed 3 years ago

antenore commented 3 years ago

On flathub, each application using libsodium, fails to download the source code from libsodium.org with this error:

Failed to download sources: module libsodium: gnutls_handshake() failed: Error in protocol version

This can be reproduced using gnutls-cli

$ gnutls-cli -V -p 443 download.libsodium.org
Processed 149 CA certificate(s).
Resolving 'download.libsodium.org:443'...
Connecting to '37.59.238.213:443'...
*** Fatal error: A TLS fatal alert has been received.
*** Received alert [70]: Error in protocol version

It works properly with openssl, so I think it's an issue with gnutls, and not in libsodium.org.

Did you change anything recently? I'd like to pass some information to the flathub project to help fix this ASAP.

Thanks in advance!!!

mumbleskates commented 3 years ago

what version of gnu-tls are you using? this is probably the single most important detail and i'm slightly confused that it's not included.

jedisct1 commented 3 years ago

Hi!

No changes to the configuration was recently made. The website is running OpenBSD, so this is using the stock LibreSSL library from the base system.

No similar issues were ever reported with various web browsers or other libraries, so this is probably a GnuTLS bug or limitation.

GnuTLS completes the handshake if the protocol is forced to TLS 1.2. Maybe its TLS 1.3 implementation is still a little bit young. The library is not simple to compile from source, so I didn't test the most recent code, only whatever precompiled release Homebrew installs.

antenore commented 3 years ago

what version of gnu-tls are you using? this is probably the single most important detail and i'm slightly confused that it's not included.

I don't know what version the fluthub build system is using. My test have been done with whatever version fedora 31 have.

A comment I've got from them ,if it males sense:

Two things come to mind. First, GnuPG recently released a new version.
 GnuTLS is usually built against GnuPG. The GnuPG 2.2.25 version bump
 occurred on November 23, 2020.

 Second, GNU organization's X.509 certificate was updated recently.
 GNU's certificate covers gnu.org, www.gnu.org, ftp.gnu.org, etc. I
 experienced some download errors a few days ago because I was pinning
 trust on the wrong CA. Previous GNU certificates were issued by "Let's
 Encrypt Authority X3". New GNU certificates are issued by "Let's
 Encrypt Authority R3".

 Neither of those explain a TLS alert, but I know those two things
 changed. And I know the second change - the CA change - caused me to
 experience download failuress with `wget
 --ca-certificate=$lets_encrypt_x3 ...`.