From: Ludovic Courtès <ludo@HIDDEN>
To: Marius Bakke <mbakke@HIDDEN>
Cc: 34102 <at> debbugs.gnu.org
Subject: Re: bug#34102: [staging] Guix fails to download from TLSv1.3-enabled servers
Date: Fri, 25 Jan 2019 14:43:41 +0100
Message-ID: <87sgxgq2cy.fsf@HIDDEN>
In-Reply-To: <875zuoiv6s.fsf@HIDDEN> (Marius Bakke's message of "Wed, 16 Jan 2019 14:33:15 +0100")

Hi Marius,

Marius Bakke <mbakke@HIDDEN> skribis:

> On the staging branch (with GnuTLS 3.6), `guix download` will negotiate
> TLSv1.3 with servers that support it, and fail shortly after the initial
> handshake:
>
> $ ./pre-inst-env guix download https://data.iana.org
> Starting download of /tmp/guix-file.vJ4v7h
> From https://data.iana.org...
> Throw to key `gnutls-error' with args `(#<gnutls-error-enum Resource temporarily unavailable, try again.> read_from_session_record_port)'.
> failed to download "/tmp/guix-file.vJ4v7h" from "https://data.iana.org"
> guix download: error: https://data.iana.org: download failed

Ouch, thanks for the heads-up!

> The GnuTLS maintainer has written a blog post about TLS 1.3 porting[0],
> and I suspect the problem is that Guix (or the GnuTLS Guile bindings)
> does not handle the "GNUTLS_E_REAUTH_REQUEST" error code; however my
> attempts at catching it (or any error code) have been unfruitful.

I think we need to update the Guile bindings to wrap
GNUTLS_E_REAUTH_REQUEST, GNUTLS_POST_HANDSHAKE_AUTH, and ‘gnutls_reauth’,
which are currently missing.  Would you like to give it a try?

What’s unclear to me from the blog post is exactly when
GNUTLS_E_REAUTH_REQUEST is delivered to the application.  Is it the next
time the application calls some (possibly unrelated) GnuTLS function?

> This is an obvious merge blocker, help wanted!  Disabling TLS1.3 in the
> priority string works as a last-resort workaround.

Yes, that’s a stop-gap measure we should probably apply for now:

diff --git a/guix/build/download.scm b/guix/build/download.scm
index c08221b3b2..23c9a4d466 100644
--- a/guix/build/download.scm
+++ b/guix/build/download.scm
@@ -268,7 +268,10 @@ host name without trailing dot."
     ;; "(gnutls) Priority Strings"); see <http://bugs.gnu.org/23311>.
     ;; Explicitly disable SSLv3, which is insecure:
     ;; <https://tools.ietf.org/html/rfc7568>.
-    (set-session-priorities! session "NORMAL:%COMPAT:-VERS-SSL3.0")
+    ;;
+    ;; FIXME: Since we currently fail to handle TLS 1.3, remove it; see
+    ;; <https://bugs.gnu.org/34102>.
+    (set-session-priorities! session "NORMAL:%COMPAT:-VERS-SSL3.0:-VERS-TLS1.3")
     (set-session-credentials! session
                               (if (and verify-certificate? ca-certs)

Any objections?

Thanks,
Ludo’.
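Review bot: the FIXME added before the new `(set-session-priorities! ...)` line says what is being removed but not when the removal can be undone. Since the thread already names the missing pieces (GNUTLS_E_REAUTH_REQUEST, GNUTLS_POST_HANDSHAKE_AUTH and gnutls_reauth in the Guile bindings), spelling them out next to `;; FIXME: Since we currently fail to handle TLS 1.3, remove it; see` would let whoever updates the bindings drop `:-VERS-TLS1.3` with confidence instead of rediscovering the condition from the bug. It is also worth stating in the commit message that this is a protocol downgrade for every connection made through tls-wrap in guix/build/download.scm, not only `guix download` against data.iana.org, so it stays tracked as a temporary measure rather than being mistaken for a hardening choice.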
From: Marius Bakke <mbakke@HIDDEN>
To: bug-guix@HIDDEN
Subject: [staging] Guix fails to download from TLSv1.3-enabled servers
Date: Wed, 16 Jan 2019 14:33:15 +0100
Message-ID: <875zuoiv6s.fsf@HIDDEN>

Hello!

On the staging branch (with GnuTLS 3.6), `guix download` will negotiate
TLSv1.3 with servers that support it, and fail shortly after the initial
handshake:

$ ./pre-inst-env guix download https://data.iana.org
Starting download of /tmp/guix-file.vJ4v7h
From https://data.iana.org...
Throw to key `gnutls-error' with args `(#<gnutls-error-enum Resource temporarily unavailable, try again.> read_from_session_record_port)'.
failed to download "/tmp/guix-file.vJ4v7h" from "https://data.iana.org"
guix download: error: https://data.iana.org: download failed

The GnuTLS maintainer has written a blog post about TLS 1.3 porting[0],
and I suspect the problem is that Guix (or the GnuTLS Guile bindings)
does not handle the "GNUTLS_E_REAUTH_REQUEST" error code; however my
attempts at catching it (or any error code) have been unfruitful.

This is an obvious merge blocker, help wanted!  Disabling TLS1.3 in the
priority string works as a last-resort workaround.

[0] https://nikmav.blogspot.com/2018/05/gnutls-and-tls-13.html
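As an added example, written in the Guile that the code under discussion uses and not taken from Guix or the Guile-GnuTLS bindings, the snippet below wraps an already-connected socket port in a TLS session the way the `guix download` path does, with the two mitigations this thread discusses: the priority string from the proposed patch (TLS 1.3 disabled by default, switchable), and a handshake wrapper that repeats the call only on GnuTLS's non-fatal codes (the "Resource temporarily unavailable, try again." in the report is GNUTLS_E_AGAIN, `error/again` in the bindings) and re-throws everything else so a real failure is not swallowed. The names `download-priority-string`, `call-with-gnutls-retry` and `tls-wrap/retry`, the retry cap, and the credentials object without a trust store are assumptions of this example.

```scheme
;; Added example, not code from the Guix tree or the Guile-GnuTLS bindings.
(use-modules (gnutls))

;; The priority string used by guix/build/download.scm, optionally extended
;; with the "-VERS-TLS1.3" stop-gap from the proposed patch.  Disabling
;; TLS 1.3 is a downgrade; the flag exists so it can be turned off again.
(define* (download-priority-string #:key (disable-tls1.3? #t))
  (string-append "NORMAL:%COMPAT:-VERS-SSL3.0"
                 (if disable-tls1.3? ":-VERS-TLS1.3" "")))

;; Call THUNK, repeating it while GnuTLS reports one of its non-fatal codes
;; (GNUTLS_E_AGAIN / GNUTLS_E_INTERRUPTED, exposed by the bindings as
;; 'error/again' and 'error/interrupted').  Any other 'gnutls-error is
;; fatal and is re-thrown unchanged so the caller sees the real cause.
;; MAX-RETRIES (an assumed cap) keeps a session that only ever says "try
;; again" from spinning forever.
(define* (call-with-gnutls-retry thunk #:key (max-retries 100))
  (let loop ((attempt 0))
    (catch 'gnutls-error
      thunk
      (lambda (key err proc . rest)
        (if (and (or (eq? err error/again)
                     (eq? err error/interrupted))
                 (< attempt max-retries))
            (loop (+ attempt 1))
            (apply throw key err proc rest))))))

;; Wrap PORT, a connected socket port, in a client TLS session to SERVER and
;; return the session's record port.  Hypothetical helper that mirrors the
;; shape of 'tls-wrap' in (guix build download) without being that code.
;; The credentials carry no trust store here; a real client loads its CA
;; certificates into them before the handshake.
(define* (tls-wrap/retry port server #:key (disable-tls1.3? #t))
  (let ((session (make-session connection-end/client)))
    (set-session-priorities! session
                             (download-priority-string
                              #:disable-tls1.3? disable-tls1.3?))
    (set-session-credentials! session (make-certificate-credentials))
    (set-session-server-name! session server-name-type/dns server)
    (set-session-transport-fd! session (fileno port))
    ;; Only the handshake is retried; a fatal code propagates to the caller.
    (call-with-gnutls-retry (lambda () (handshake session)))
    (session-record-port session)))
```

The retry wrapper only covers calls the application makes itself. The failure in the report is raised from read_from_session_record_port, that is, from inside the bindings' own record-port implementation rather than from a procedure the application invokes, which is why catching the error from Guix code is not enough and the thread falls back to dropping TLS 1.3 from the priority string until the bindings expose GNUTLS_E_REAUTH_REQUEST and gnutls_reauth.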