Failed Connection over Mobile (Cellular) Networks

On Sat, Jul 14, 2018 at 9:52 PM, Gareth Williams
<gareth at garethwilliams.me.uk> wrote:
> Hi Nikos
>
> On 14/07/2018 20:41, Nikos Mavrogiannopoulos wrote:
>>
>> What was the total size of the client hello? There was a particular
>> firewall which would terminate the TLS connection if the client hello
>> was between 256 and 512 bytes, and it was the reason for the rfc7685
>> extension. You can append %DUMBFW to see if that's the case, and it
>> will ensure that gnutls' hello is outside that range.
>
> Unfortunately, it's 242 bytes, therefore outside of the range.  I've just
> tried with %DUMBFW, just for the sake of it, and it still fails.
>>>
>>> Oddly enough, gnutls-cli still sends the following extensions when
>>> --disable-extensions is set:
>>
>> I think it is time to deprecate that option. It is not possible to
>> negotiate TLS1.2 or TLS1.3 without extensions.
>
>
> It seems that option only disables some but not all extensions, as it
> connected with that option.  It only fails with the %NO_EXTENSIONS option,
> which disables all extensions. Even though the --disable-extensions option
> works, it's a gnutls-cli option and there doesn't seem to be an equivalent
> for the openconnect client.

Unfortunately, it is only heuristics you can try here. It could be
that the middlebox doesn't understand a particular extension, or some
particular ciphersuite, or doesn't like the hello size. Try a smaller
ciphersuite list such as:
"NORMAL:-SHA256:-SHA384:-3DES-CBC:-DHE-DSS:-SIGN-DSA-SHA1:-SIGN-DSA-SHA256:-SIGN-DSA-SHA384:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC:-CAMELLIA-128-GCM:-CAMELLIA-256-GCM"

And/or combinations of that list (i.e., re-enabling DSS/DSA if you
need it). That's the list of algorithms which are already disabled in
3.6.2 (some also from the unreleased 3.6.3) versions of gnutls. Would
that improve the situation? If not, you can go further by trying
options for specific extensions such as %NO_ETM,
%DISABLE_SAFE_RENEGOTIATION, %NO_SESSION_HASH, %NO_TICKETS etc. If any
of these help improve the situation let me know.

regards,
Nikos
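As an added example (not code from this thread or from GnuTLS), the RFC 7685 padding rule that Nikos describes behind %DUMBFW, written in Python: a ClientHello whose record payload would fall in the 256-511 byte range gets a padding extension that takes it to 512 bytes or beyond, while a 242-byte hello like the one reported is left untouched. The cipher-suite codepoints and the private-use extension used to set the hello size are constructed filler.

```python
"""RFC 7685 padding check, modelled on the %DUMBFW heuristic from the thread.
Every ClientHello here is constructed filler, not a captured handshake."""
import struct

PADDING_EXT = 21             # ExtensionType "padding", assigned by RFC 7685
BAD_RANGE = range(256, 512)  # record payload sizes the broken middlebox drops

def build_client_hello(cipher_suites, extensions):
    """Serialise a TLS 1.2 ClientHello handshake message (4-byte handshake
    header + body). Random is zeroed, no session id, null compression only."""
    body = b"\x03\x03" + bytes(32) + b"\x00"
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += b"\x01\x00"
    ext_block = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext_block)) + ext_block
    return b"\x01" + struct.pack("!I", len(body))[1:] + body

def pad_client_hello(cipher_suites, extensions):
    """Append a padding extension only when the hello would otherwise land in
    [256, 511] bytes, sized so the result is at least 512. Edge case: a hello
    of 509-511 bytes cannot reach exactly 512 even with empty extension data,
    so the extension's 4-byte header alone pushes it past the range."""
    hello = build_client_hello(cipher_suites, extensions)
    if len(hello) not in BAD_RANGE:
        return hello                         # already safe, send unchanged
    pad_len = max(512 - len(hello) - 4, 0)   # zero bytes after the 4-byte header
    padded = build_client_hello(
        cipher_suites, extensions + [(PADDING_EXT, bytes(pad_len))])
    assert len(padded) not in BAD_RANGE
    return padded

# Constructed inputs: ten arbitrary suite codepoints plus one private-use
# extension (type 65280) whose zero-filled data sets the overall hello size.
SUITES = [0x1301, 0x1302, 0x1303, 0xC02B, 0xC02F, 0xC02C, 0xC030, 0x009E, 0x009F, 0x00FF]

def hello_of_size(target):
    """Return (suites, extensions) for an unpadded hello of exactly `target` bytes."""
    filler = target - len(build_client_hello(SUITES, [])) - 4
    return SUITES, [(65280, bytes(filler))]

if __name__ == "__main__":
    # 242 (the reported hello) and 255 stay put; 300 grows to 512; 509 to 513.
    for size in (242, 255, 300, 509):
        suites, exts = hello_of_size(size)
        print(size, "->", len(pad_client_hello(suites, exts)))
```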
