GNU bug report logs - #34102
[staging] Guix fails to download from TLSv1.3-enabled servers

Please note: This is a static page, with minimal formatting, updated once a day.

Package: guix; Severity: serious; Reported by: Marius Bakke <mbakke@HIDDEN>; dated Wed, 16 Jan 2019 13:34:01 UTC; Maintainer for guix is bug-guix@HIDDEN.

Message received at 34102 <at> debbugs.gnu.org:


From: Ludovic Courtès <ludo@HIDDEN>
To: Marius Bakke <mbakke@HIDDEN>
Subject: Re: bug#34102: [staging] Guix fails to download from TLSv1.3-enabled servers
References: <875zuoiv6s.fsf@HIDDEN>
Date: Fri, 25 Jan 2019 14:43:41 +0100
In-Reply-To: <875zuoiv6s.fsf@HIDDEN> (Marius Bakke's message of "Wed, 16 Jan 2019 14:33:15 +0100")
Message-ID: <87sgxgq2cy.fsf@HIDDEN>
Cc: 34102 <at> debbugs.gnu.org

Hi Marius,

Marius Bakke <mbakke@HIDDEN> skribis:

> On the staging branch (with GnuTLS 3.6), `guix download` will negotiate
> TLSv1.3 with servers that support it, and fail shortly after the initial
> handshake:
>
> $ ./pre-inst-env guix download https://data.iana.org
> Starting download of /tmp/guix-file.vJ4v7h
> From https://data.iana.org...
> Throw to key `gnutls-error' with args `(#<gnutls-error-enum Resource temporarily unavailable, try again.> read_from_session_record_port)'.
> failed to download "/tmp/guix-file.vJ4v7h" from "https://data.iana.org"
> guix download: error: https://data.iana.org: download failed

Ouch, thanks for the heads-up!

> The GnuTLS maintainer has written a blog post about TLS 1.3 porting[0],
> and I suspect the problem is that Guix (or the GnuTLS Guile bindings)
> does not handle the "GNUTLS_E_REAUTH_REQUEST" error code; however my
> attempts at catching it (or any error code) have been unfruitful.

I think we need to update the Guile bindings to wrap
GNUTLS_E_REAUTH_REQUEST, GNUTLS_POST_HANDSHAKE_AUTH, and
‘gnutls_reauth’, which are currently missing.  Would you like to give it
a try?

What’s unclear to me from the blog post is exactly when
GNUTLS_E_REAUTH_REQUEST is delivered to the application.  Is it the next
time the application calls some (possibly unrelated) GnuTLS function?

> This is an obvious merge blocker, help wanted!  Disabling TLS1.3 in the
> priority string works as a last-resort workaround.

Yes, that’s a stop-gap measure we should probably apply for now:


diff --git a/guix/build/download.scm b/guix/build/download.scm
index c08221b3b2..23c9a4d466 100644
--- a/guix/build/download.scm
+++ b/guix/build/download.scm
@@ -268,7 +268,10 @@ host name without trailing dot."
     ;; "(gnutls) Priority Strings"); see <http://bugs.gnu.org/23311>.
     ;; Explicitly disable SSLv3, which is insecure:
     ;; <https://tools.ietf.org/html/rfc7568>.
-    (set-session-priorities! session "NORMAL:%COMPAT:-VERS-SSL3.0")
+    ;;
+    ;; FIXME: Since we currently fail to handle TLS 1.3, remove it; see
+    ;; <https://bugs.gnu.org/34102>.
+    (set-session-priorities! session "NORMAL:%COMPAT:-VERS-SSL3.0:-VERS-TLS1.3")
 
     (set-session-credentials! session
                               (if (and verify-certificate? ca-certs)
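Review bot: the FIXME added above `set-session-priorities!` is too vague to act on; since the thread traces the failure to the Guile bindings not yet wrapping GNUTLS_E_REAUTH_REQUEST, GNUTLS_POST_HANDSHAKE_AUTH and gnutls_reauth, name that in the comment so whoever removes `-VERS-TLS1.3` later knows what has to land first. It is also worth saying in the comment that this session-wide priority string drops TLS 1.3 for every download, not only for hosts that request post-handshake authentication, so the workaround should be reverted as soon as the bindings are updated.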


Any objections?

Thanks,
Ludo’.





Information forwarded to bug-guix@HIDDEN:
bug#34102; Package guix. Full text available.
Severity set to 'serious' from 'normal' Request was from Ludovic Courtès <ludo@HIDDEN> to control <at> debbugs.gnu.org. Full text available.

Message received at submit <at> debbugs.gnu.org:


From: Marius Bakke <mbakke@HIDDEN>
To: bug-guix@HIDDEN
Subject: [staging] Guix fails to download from TLSv1.3-enabled servers
Date: Wed, 16 Jan 2019 14:33:15 +0100
Message-ID: <875zuoiv6s.fsf@HIDDEN>

Hello!

On the staging branch (with GnuTLS 3.6), `guix download` will negotiate
TLSv1.3 with servers that support it, and fail shortly after the initial
handshake:

$ ./pre-inst-env guix download https://data.iana.org
Starting download of /tmp/guix-file.vJ4v7h
From https://data.iana.org...
Throw to key `gnutls-error' with args `(#<gnutls-error-enum Resource temporarily unavailable, try again.> read_from_session_record_port)'.
failed to download "/tmp/guix-file.vJ4v7h" from "https://data.iana.org"
guix download: error: https://data.iana.org: download failed

The GnuTLS maintainer has written a blog post about TLS 1.3 porting[0],
and I suspect the problem is that Guix (or the GnuTLS Guile bindings)
does not handle the "GNUTLS_E_REAUTH_REQUEST" error code; however my
attempts at catching it (or any error code) have been unfruitful.

This is an obvious merge blocker, help wanted!  Disabling TLS1.3 in the
priority string works as a last-resort workaround.

[0] https://nikmav.blogspot.com/2018/05/gnutls-and-tls-13.html





Acknowledgement sent to Marius Bakke <mbakke@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-guix@HIDDEN. Full text available.
Report forwarded to bug-guix@HIDDEN:
bug#34102; Package guix. Full text available.
Last modified: Fri, 25 Jan 2019 13:45:01 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.