[Bug 2019094] Re: [SRU] Focal: TLS 1.3 doesn't work on strict firewall/middlebox

Mauricio Faria de Oliveira 2019094 at bugs.launchpad.net
Thu May 11 13:56:45 UTC 2023


** Summary changed:

- [SRU] Focal: TLS 1.3 doesn't work in private network
+ [SRU] Focal: TLS 1.3 doesn't work on strict firewall/middlebox

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gnutls28 in Ubuntu.
https://bugs.launchpad.net/bugs/2019094

Title:
  [SRU] Focal: TLS 1.3 doesn't work on strict firewall/middlebox

Status in gnutls28 package in Ubuntu:
  In Progress
Status in gnutls28 source package in Focal:
  In Progress

Bug description:
  [ Impact ]

  When registering a focal VM to landscape server in a private network
  by landscape-config, it fails to register and shows:

  We were unable to contact the server.
  Your internet connection may be down. The landscape client will continue to try and contact the server periodically.

  But registration works on bionic and jammy in the same network

  Use gnutls-cli to check, it shows:
  ...
  - Description: (TLS1.3-X.509)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
  - Options:
  - Handshake was completed

  - Simple Client Mode:

  *** Fatal error: Error in the pull function.
  *** Server has terminated the connection abnormally.

  gnutls version:
  bionic 3.5.18
  focal 3.6.13
  jammy 3.7.3

  gnutls 3.5 doesn't support TLS1.3 so it's using TLS1.2
  and both 3.6.x and 3.7.x are using TLS1.3, but only 3.7.x works

  We built gnutls from upstream and found the same issue:
  3.16.3 isn't working and 3.7.3 is working
  so we did a bisect and found this commit fixes the issue for TLS1.3 on 3.6.x:

  commit e0bb98e1f71f94691f600839ff748d3a9f469d3e
  Author: Norbert Pocs <npocs at redhat.com>
  Date: Fri Oct 30 17:18:30 2020 +0100

  Fix non-empty session id (TLS13_APPENDIX_D4)

  When TLS1.3 is used with middlebox compatible mode, the session id should be filled with random session id,
  but remained empty.

  Signed-off-by: Norbert Pocs <npocs at redhat.com>

  Closes #1074

  We need to SRU this commit to libgnutls28 on focal

  [ Test Plan ]

  I built a test package with the above commit on focal in this PPA:
  https://launchpad.net/~gerald-yang-tw/+archive/ubuntu/359157

  and confirmed it fixes the issue, TLS1.3 works on focal in the same
  network

  [ Where problems could occur ]

  With this commit, both public network and private network work fine
  and it fixes TLS1.3 used in middlebox compatible mode
  I couldn't see any potential issue here

  [ Other Info ]

  https://gitlab.com/gnutls/gnutls/-/merge_requests/1350
  https://gitlab.com/gnutls/gnutls/-/issues/1074

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/2019094/+subscriptions
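
The condition the commit restores can be checked on a captured ClientHello: when TLS 1.3 is offered in middlebox compatibility mode (RFC 8446, Appendix D.4), legacy_session_id must be non-empty. The following is an added diagnostic example, not code from gnutls or from this bug report; the function names and the sample ClientHello bytes are constructed for illustration, and it assumes the ClientHello fits in a single TLS record.

```python
import struct

TLS13 = b"\x03\x04"
EXT_SUPPORTED_VERSIONS = 43

def build_client_hello(session_id: bytes) -> bytes:
    """Build a minimal TLS 1.3 ClientHello record (constructed sample, not a capture)."""
    ext = struct.pack("!HHB", EXT_SUPPORTED_VERSIONS, 3, 2) + TLS13
    body = (b"\x03\x03" + bytes(32)                 # legacy_version + zeroed random
            + bytes([len(session_id)]) + session_id  # legacy_session_id
            + b"\x00\x02\x13\x02"                    # one suite: TLS_AES_256_GCM_SHA384
            + b"\x01\x00"                            # null compression only
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def check_client_hello(record: bytes) -> dict:
    """Report the session id length and whether it is non-empty when TLS 1.3 is offered."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    if len(record) < 9 + hs_len:
        raise ValueError("truncated or fragmented ClientHello")
    body = record[9:9 + hs_len]
    try:
        pos = 2 + 32                                  # skip legacy_version + random
        sid_len = body[pos]
        pos += 1 + sid_len
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
        pos += 1 + body[pos]                                    # skip compression methods
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        offers_tls13 = False
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            if etype == EXT_SUPPORTED_VERSIONS and data:
                versions = data[1:1 + data[0]]
                offers_tls13 = any(versions[i:i + 2] == TLS13
                                   for i in range(0, len(versions), 2))
            pos += 4 + elen
    except (IndexError, struct.error):
        raise ValueError("malformed ClientHello") from None
    # A hello without TLS 1.3 is outside the D.4 rule, so it is not flagged.
    return {"session_id_len": sid_len, "offers_tls13": offers_tls13,
            "middlebox_compatible": (not offers_tls13) or sid_len > 0}
```

An empty session id alongside a TLS 1.3 offer is the pattern the commit message describes; a 32-byte session id is what the fixed client is expected to send.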



