makew0rld / amfora

A fancy terminal browser for the Gemini protocol.
GNU General Public License v3.0

tls: unexpected message #316

Open nervuri opened 2 years ago

nervuri commented 2 years ago

amfora gemini://gemini.ucant.org/ -> URL Fetch Error: Failed to connect to the server: local error: tls: unexpected message.

The capsule works in other clients.

I'm using:

Amfora 1.9.2
Commit: 61d864540140f463a183e187e4211c258bd518bf
Built by: goreleaser

makew0rld commented 2 years ago

Thanks for finding this. Can confirm the bug with version:

Amfora v1.9.2-32-g3917402
Commit: 3917402e2d44b6a302bf4a4d39570896a989d29c
Built by: Makefile

This seems to be an upstream bug with Go's TLS library. Or perhaps not a bug at all, but an issue with the server, and other non-Go clients are more forgiving of it.

Related Go issues:

This capsule uses the bespoke blizanci server. Maybe the issue is there, maybe not. Would require some testing and reading into its code.

mk270 commented 2 years ago

Working theory is that we're hitting the following missing feature / bug of the underlying server-side TLS implementation: https://github.com/erlang/otp/issues/5950

Is the amfora TLS client trying to use a TLS version earlier than TLS v1.3?

nervuri commented 2 years ago

TLS 1.3 is used. Amfora supports both 1.3 and 1.2.

mk270 commented 2 years ago

Aha! I shall have to check this out by installing Amfora. The Erlang/OTP people will be interested to hear what on earth is going on here.

makew0rld commented 2 years ago

@mk270 thanks for looking into this! Let me know how things go. Once this is confirmed to be a server-side problem I'll close this issue, but you can still put updates here.

> TLS 1.3 is used. Amfora supports both 1.3 and 1.2.

Can confirm.

mk270 commented 2 years ago

Thanks. Does Amfora default to TLS v1.2 though?

mk270 commented 2 years ago

I've checked this with gemget, which seems to use the same client TLS library (but maybe not in the same way), and the problem doesn't recur. I'll have to try with Amfora directly.

makew0rld commented 2 years ago

The problem is recurring for me with gemget, I'd be surprised if it didn't. Maybe you're using an older version, and something in Go's TLS lib changed somewhat recently that is causing this bug? Strange...

~
➤ gemget -o- gemini://gemini.ucant.org/ 
Info: Started gemini://gemini.ucant.org/
Error: failed to connect to the server: local error: tls: unexpected message

~
➤ gemget -v
gemget v1.8.0-3-g257682e
Commit: 257682ea01077b5c75a2214f2feab96f27dceb90
Built by: Makefile

> Does Amfora default to TLS v1.2 though?

This is handled by the Go TLS lib. The only setting I've made related to versions is that TLS 1.2 is the minimum supported version, so TLS 1.0 will never be used. I would assume that the client uses the highest version that the server supports. Can't find an RFC or code snippet to support this right now, but it would be weird for it to do anything else.

So the answer is that Amfora will use TLS 1.3 if the server supports it, and otherwise use TLS 1.2.
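
Added example, not part of the thread and not Amfora's or gemget's code: a way to check the version-selection behaviour described in the comment above with Go's crypto/tls, using a client that sets only a TLS 1.2 minimum against an in-memory server capped at different versions. The `Negotiate` helper, the `localhost` name and the throwaway certificate are constructed for this sketch; it does not reproduce the "unexpected message" error itself.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Negotiate (hypothetical helper) handshakes a client with a TLS 1.2 floor against an
// in-memory server capped at serverMax and returns the version both sides agreed on.
func Negotiate(serverMax uint16) (uint16, error) {
	// Constructed throwaway self-signed certificate for the test server.
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return 0, err
	}
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	cEnd, sEnd := net.Pipe()
	defer cEnd.Close()
	cEnd.SetDeadline(time.Now().Add(5 * time.Second))
	// Tickets are off so the server writes nothing after its Finished message;
	// net.Pipe is unbuffered and this client would never read them.
	srv := tls.Server(sEnd, &tls.Config{MinVersion: tls.VersionTLS10, MaxVersion: serverMax, SessionTicketsDisabled: true,
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}})
	go srv.Handshake()
	// Client: only a minimum is set, so the highest mutually supported version wins.
	cli := tls.Client(cEnd, &tls.Config{RootCAs: pool, ServerName: "localhost", MinVersion: tls.VersionTLS12})
	if err := cli.Handshake(); err != nil {
		return 0, err // no common version, or another handshake failure
	}
	return cli.ConnectionState().Version, nil
}

func main() {
	for _, m := range []uint16{tls.VersionTLS13, tls.VersionTLS12, tls.VersionTLS11} {
		v, err := Negotiate(m)
		fmt.Printf("server max %#04x -> negotiated %#04x, err=%v\n", m, v, err)
	}
}
```

The values are the TLS wire version numbers: 0x0304 is TLS 1.3, 0x0303 is TLS 1.2 and 0x0302 is TLS 1.1, which the client's minimum rejects.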

mk270 commented 2 years ago

It looks like upstream has just put a lot of work into fixing this. Let's re-test in due course.

https://github.com/erlang/otp/pull/6041