Does not work for Fedora 34: missing ciphers.

[andyholmes]

Should be noted that this does not work for Fedora 34 on a fresh installation due to an issue with missing ciphers.

Originally posted by @xeu100 in #1069 (comment)

[andyholmes]

This is probably an issue with gnutls >= 3.7, although it's unclear if it only affects Fedora. Error looks something like:

JS ERROR: Gio.TlsError: Error performing TLS handshake: No supported cipher suites have been found.
_handshake/</<@/var/home/andrew/.local/share/gnome-shell/extensions/gsconnect@andyholmes.github.io/service/backends/lan.js:595:44
@./daemon.js:728:17

[jnsh]

This is probably an issue with gnutls >= 3.7, although it's unclear if it only affects Fedora.

FWIW, I'm not experiencing this issue on Arch, with gnutls 3.7.1. Looks like F34 has gnutls 3.7.0 out the box, and 3.7.1 package is in testing (source). May be worth checking if update to 3.7.1 fixes this, or there could be some differences in how the package is build between the two distributions.

[andyholmes]

It could just as easily be an error caused by an older Android device, but I really don't know at this point :) GSConnect isn't really a priority for me anymore, I just happened to be working with gnutls when I got the e-mail :)

[FarisZR]

This is probably an issue with gnutls >= 3.7, although it's unclear if it only affects Fedora.

FWIW, I'm not experiencing this issue on Arch, with gnutls 3.7.1. Looks like F34 has gnutls 3.7.0 out the box, and 3.7.1 package is in testing (source). May be worth checking if update to 3.7.1 fixes this, or there could be some differences in how the package is build between the two distributions.

after updating gnutls to 3.7.1-2 it still doesn't work
devices don't show up
running on latest fedora 34 beta.

on a modern android phone

[andyholmes]

Seems likely that Fedora changed its system priority file to exclude the ciphers supported by the Android app, since this is only seems to be affecting Fedora 34 users.

EDIT: looks like I'm wrong and the system priority file for GnuTLS is unchanged. I'm not sure what's going on here or why it only affects Fedora 34.

[FarisZR]

Seems likely that Fedora changed its system priority file to exclude the ciphers supported by the Android app, since this is only seems to be affecting Fedora 34 users.

EDIT: looks like I'm wrong and the system priority file for GnuTLS is unchanged. I'm not sure what's going on here or why it only affects Fedora 34.

here is the full list of changes in fedora 34
https://fedoraproject.org/wiki/Releases/34/ChangeSet

so far i haven't seen anything about ciphers

[FarisZR]

looks like the issue also effects upstream?
kde connect desktop app cant see devices either

[vojta-horanek]

I can confirm this issues is also affects Arch Linux with gnutls 3.7.1-1

[vojta-horanek]

Alright so I think I have an observation:
I think this started happening when I upgraded my (samsung) phone to a new security patch. After that KDE Connect never connected again.
I also asked my brother who also has a samsung phone with the newest security patch and guess what, his kde connect also doesn't work. Before that he had a different phone which connected successfully everytime.

I don't have any conclusion but I think this would be caused by gnutls actually not supporting some protocol that has is now required by Android?

[imreallyliam]

Alright so I think I have an observation:
I think this started happening when I upgraded my (samsung) phone to a new security patch. After that KDE Connect never connected again.
I also asked my brother who also has a samsung phone with the newest security patch and guess what, his kde connect also doesn't work. Before that he had a different phone which connected successfully everytime.

I don't have any conclusion but I think this would be caused by gnutls actually not supporting some protocol that has is now required by Android?

Possible as I too am running a Samsung phone with the latest March patch. Could explain why some haven't had issues.

[daniellandau]

This is what Wireshark tells that Android side offers

Extract from gnutls-cli -l

TLS_ECDHE_ECDSA_AES_128_GCM_SHA256                      0xc0, 0x2b      TLS1.2                
TLS_ECDHE_ECDSA_AES_256_GCM_SHA384                      0xc0, 0x2c      TLS1.2 

Not a huge TLS expert, but to my eyes it seems that not having a cipher in common shouldn't be it. Couldn't find yet what is, though.

[daniellandau]

This has nothing to do with gnutls and everything with #1073. Once I removed CONSTRUCT_ONLY from https://github.com/GSConnect/gnome-shell-extension-gsconnect/blob/master/src/service/backends/lan.js#L82 it started working.

The client cipher suites were being passed without issues and _gnutls_figure_common_ciphersuite in algorithms/ciphersuites.c of gnutls was finding them compatible, but then failing on ret = _gnutls_select_server_cert(session, peer_clist->entry[i]);. Apparently because of https://gitlab.gnome.org/GNOME/gjs/-/merge_requests/591/ (huge thanks @Noobsai for pointing me at that direction in the other issue you opened) the server certificate wasn't being passed to gnutls.

[lverissimo]

I have installed the latest code on git and applyed this fix, but still not working on F34.

[daniellandau]

@lverissimo did you try rebooting? The daemon might not restart unless you at least log out and back in.

[lverissimo]

@daniellandau you were right!! rebooted and it worked! Thank you so much. Great and usefull extension.

[FarisZR]

awesome! thanks for the hard work!
that was the last thing keeping me from switching to gnome 40/fedora 34 beta