[Bug 1111882] Re: GnuTLS recv error (-9): A TLS packet with unexpected length was received

TJ ubuntu at iam.tj
Fri Feb 1 00:02:57 UTC 2013


This is a gnutls issue; it could affect any application that makes use
of it.

I've already mentioned it on the git developers mailing list and it has
been seen once or twice before affecting git.

Additional research seems to indicate this is a known intentional gnutls
behaviour (that has been modified in very recent gnutls that makes use
of a recent libnettle - as mentioned above). The issue is, apparently,
the random size padding of packets to prevent communications compromise
for stream ciphers.

Unfortunately the changes required are far too invasive for an SRU so
we'll have to make do with a work-around.

I installed stunnel4 (which depends on openssl rather than gnutls) and
created a reverse-proxy (client in stunnel terminology):

$ cat /etc/stunnel/rp-codeplex.com.conf 
client = yes

[http]
accept = 8888
connect =  git01.codeplex.com:443
TIMEOUTclose = 0

$ sudo sed -i 's/\(ENABLED\).*/\1=1/' /etc/default/stunnel4
$ sudo service stunnel4 restart

$ GIT_CURL_VERBOSE=1 git clone -v http://localhost:8888/typescript

...
> POST http://localhost:8888/typescript/git-upload-pack HTTP/1.1
User-Agent: git/1.8.1.2.433.g9808ce0.dirty
Host: localhost:8888
Accept-Encoding: gzip
Proxy-Connection: Keep-Alive
Content-Type: application/x-git-upload-pack-request
Accept: application/x-git-upload-pack-result
Content-Length: 611

* upload completely sent off: 611out of 611 bytes
< HTTP/1.1 200 OK
< Cache-Control: no-cache, max-age=0, must-revalidate
< Pragma: no-cache
< Content-Type: application/x-git-upload-pack-result
< Expires: Fri, 01 Jan 1980 00:00:00 GMT
< Server: Microsoft-IIS/7.5
< X-Powered-By: ASP.NET
< Date: Thu, 31 Jan 2013 23:38:19 GMT
< Connection: close
< 
remote: Counting objects: 149798, done.
remote: Compressing objects: 100% (10612/10612), done.
remote: Total 149798 (delta 138221), reused 149558 (delta 138077)
* Closing connection #0
Receiving objects: 100% (149798/149798), 198.99 MiB | 640 KiB/s, done.
Resolving deltas: 100% (138221/138221), done.
Checking out files: 100% (2851/2851), done.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to curl in Ubuntu.
https://bugs.launchpad.net/bugs/1111882

Title:
  GnuTLS recv error (-9): A TLS packet with unexpected length was
  received

Status in “curl” package in Ubuntu:
  New
Status in “git” package in Ubuntu:
  Confirmed
Status in “gnutls26” package in Ubuntu:
  New

Bug description:
  On Precise 12.04 whilst attempting:

  GIT_CURL_VERBOSE=1 git clone -v https://git01.codeplex.com/typescript

  the operation fails after the final git pack-file has been received
  and the already-created repository is deleted from the file system.

  ...
  > POST /typescript/git-upload-pack HTTP/1.1
  User-Agent: git/1.8.1.2.433.g9808ce0.dirty
  Host: git01.codeplex.com
  Accept-Encoding: gzip
  Content-Type: application/x-git-upload-pack-request
  Accept: application/x-git-upload-pack-result
  Content-Length: 611

  * upload completely sent off: 611out of 611 bytes
  < HTTP/1.1 200 OK
  < Cache-Control: no-cache, max-age=0, must-revalidate
  < Pragma: no-cache
  < Content-Type: application/x-git-upload-pack-result
  < Expires: Fri, 01 Jan 1980 00:00:00 GMT
  < Server: Microsoft-IIS/7.5
  < X-Powered-By: ASP.NET
  < Date: Thu, 31 Jan 2013 21:43:55 GMT
  < Connection: close
  < 
  remote: Counting objects: 149766, done.
  remote: Compressing objects: 100% (10580/10580), done.
  * GnuTLS recv error (-9): A TLS packet with unexpected length was received.
  * Closing connection #0
  remote: Total 149766 (delta 138201), reused 149559 (delta 138077)
  Receiving objects: 100% (149766/149766), 198.98 MiB | 361 KiB/s, done.
  error: RPC failed; result=56, HTTP code = 200
  Resolving deltas: 100% (138201/138201), done.

  git exits at this point but it deletes the entire cloned ./typescript
  directory.

  I tried building the latest git binary and included an additional
  debug option in "http.c" that allowed me to set the protocol version
  using an environment option:

  CURLOPT_SSLVERSION=1 git clone ...

  where 1 = TLSv1, 2 = SSLv2, 3 = SSLv3.

  I tried each protocol but the result was the same.

  The knock-on bug here is that git ought not to delete what it has
  fetched - in this case more than 250MB of data.

  I did try to build the latest gnutls but it needs a very recent
  version of libnettle which has the "rsa_decrypt_tr" function. I
  stopped at that point since I don't want to get into dependency and
  library version issues.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/curl/+bug/1111882/+subscriptions
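
A variant of the stunnel work-around in the message above, added here as an example and not part of the original post: stunnel in client mode does not verify the server certificate unless configured to, and a bare `accept = 8888` listens on all interfaces, so this version binds to loopback and validates the certificate chain. Assumptions: the CA bundle path is the Debian/Ubuntu default, and the commented-out `checkHost` line needs a newer stunnel (5.x) than the stunnel4 package used above.

```ini
; /etc/stunnel/rp-codeplex.com.conf (hardened variant, added example)
client = yes

[http]
; Listen on loopback only, so other hosts on the network cannot use
; this proxy; plain "accept = 8888" binds every local address.
accept = 127.0.0.1:8888
connect = git01.codeplex.com:443

; Verify the server certificate chain against the system CA bundle.
; Without these two lines stunnel accepts any certificate, and git
; cannot do the check itself because it only sees http://localhost.
verify = 2
CAfile = /etc/ssl/certs/ca-certificates.crt

; verify = 2 validates the chain but not the host name. On stunnel
; versions that support it, also pin the expected name:
; checkHost = git01.codeplex.com

TIMEOUTclose = 0
```

With this configuration a failed certificate check shows up in the stunnel log as a rejected connection, and the `git clone http://localhost:8888/typescript` command fails instead of fetching over an unauthenticated tunnel.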