~rwv/dezhemini#1: 
handling TLS 1.3 resumption on Linux

diohsc gets into trouble on the second hit to a capsule hosted by dezhmsrv and reports:

! HandshakeFailed (Error_Protocol ("expecting server hello, got alert
  : [(AlertLevel_Fatal,InternalError)]",True,HandshakeFailure))

The problem goes away when the server is forced to use TLS 1.2 instead of the negotiated TLS 1.3. The culprit is probably TLS resumption, because TLS 1.2 doesn't support it. This problem is reproducible on a server running Linux (with openssl 1.1.1f/j).

On OpenBSD this problem does not occur. Here Racket probably uses LibreSSL, which seems to handle the resumption properly.

Possible solutions:

  • consider openssl crippled on Linux and fall back to TLS 1.2

  • command line option to force dezhmsrv into TLS 1.2 mode

  • command line option to drop TLS and allow this work to be done by relayd or nginx (like vger)
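A way to reproduce the "second hit" failure from the command line, added here as an example and not part of dezhemini or the issue: connect once with TLS 1.3 pinned and save the session ticket, then connect again resuming from it, and classify each handshake from the openssl s_client output. It assumes the openssl CLI (1.1.1 or newer) is installed and that the capsule listens on port 1965 (the Gemini default); the function names probe_resumption and classify_handshake are this example's own. The third sample output in the test is a constructed fatal-alert transcript, not one captured from dezhmsrv.

```shell
#!/bin/sh
# Added example, not part of dezhemini: probe whether a TLS 1.3 server
# survives a resumed second connection. Requires the openssl CLI.

# classify_handshake: reads openssl s_client output on stdin and prints
# one of: resumed, new, alert, unknown. The alert check comes first
# because a failed handshake still prints a (NONE) session block.
classify_handshake() {
    out=$(cat)
    case "$out" in
        *"alert internal error"*|*"alert handshake failure"*) echo alert ;;
        *"Reused, TLSv1.3"*) echo resumed ;;
        *"New, TLSv1.3"*)    echo new ;;
        *)                   echo unknown ;;
    esac
}

# gemini_hit: one Gemini request over TLS 1.3. Extra arguments are passed
# to s_client (-sess_out / -sess_in). -ign_eof keeps the connection open
# after the request line is sent, so the server's response and the
# post-handshake NewSessionTicket (TLS 1.3 issues tickets after the
# handshake) are actually read before the server closes.
gemini_hit() {
    host=$1; port=$2; shift 2
    printf 'gemini://%s/\r\n' "$host" |
        openssl s_client -connect "$host:$port" -servername "$host" \
            -tls1_3 -ign_eof "$@" 2>&1 |
        classify_handshake
}

# probe_resumption HOST [PORT]: first hit saves the session, second hit
# resumes it. Prints both classifications; succeeds only if the second
# handshake was actually resumed (the case the issue says breaks on
# Linux with OpenSSL 1.1.1).
probe_resumption() {
    host=$1; port=${2:-1965}
    sess=$(mktemp)
    first=$(gemini_hit "$host" "$port" -sess_out "$sess")
    second=$(gemini_hit "$host" "$port" -sess_in "$sess")
    rm -f "$sess"
    echo "first=$first second=$second"
    [ "$second" = resumed ]
}

# Usage: ./probe.sh capsule.example 1965
if [ $# -gt 0 ]; then
    probe_resumption "$@"
fi
```

If the second line reports alert, the server is failing the resumed handshake, which is the symptom diohsc shows; if it reports new, the ticket was not accepted but the connection still works, and the client-side HandshakeFailed has another cause. Run the same probe with -tls1_2 in place of -tls1_3 to confirm the TLS 1.2 fallback from the issue.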

Status
RESOLVED FIXED
Submitter
~rwv
Assigned to
No-one
Submitted
1 year, 2 months ago
Updated
11 months ago
Labels
No labels applied.

~rwv 1 year, 2 months ago

On hold for now.

~rwv REPORTED FIXED 1 year, 2 months ago
