TLS1.2 Failure - Handshake not supported #392
Comments
We use SECURE128 priority settings for gnutls, and it seems that it disables RSA-SHA1 signature algorithm support. I think you can reproduce this with gnutls-cli with
The following patch would fix this:
diff --git a/src/LibgnutlsTLSSession.cc b/src/LibgnutlsTLSSession.cc
index ab3daf2..81f3720 100644
--- a/src/LibgnutlsTLSSession.cc
+++ b/src/LibgnutlsTLSSession.cc
@@ -127,7 +127,7 @@ int GnuTLSSession::init(sock_t sockfd)
// It seems err is not error message, but the argument string
// which causes syntax error.
const char* err;
- std::string pri = "SECURE128";
+ std::string pri = "SECURE128:+SIGN-RSA-SHA1";
switch(tlsContext_->getMinTLSVersion()) {
case TLS_PROTO_TLS12:
pri += ":-VERS-TLS1.1"; |
For the site I visit (ftp.f3l.de), the signature algorithm is, in fact, SHA512. After digging around some more with your diff in mind, I stumbled upon this neat little bug within GnuTLS on Debian/Wheezy:
Thank you. From my attempt to connect to that site, I see signature algorithm RSA-SHA1. Even your first post proves it:
Anyway, the latest gnutls includes SIGN-RSA-SHA512 support, so it might help here.
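As an added example (not aria2's or GnuTLS's own code), the following script shows how to check, offline, which signature algorithms a GnuTLS priority string actually enables, so the effect of `SECURE128` versus `SECURE128:+SIGN-RSA-SHA1` from the first comment can be verified before touching the code, and how to probe a host with a given priority string the way gnutls-cli would. `build_priority` mirrors the visible part of the aria2 snippet; the remainder of its `switch` is not on this page, so the assumption that the TLS 1.2 case also drops TLS 1.0 is mine. `gnutls-cli` must be installed; the `--list --priority` combination prints only the algorithms the string enables.

```shell
#!/bin/sh
# Added example, not aria2's or GnuTLS's own code. Requires gnutls-cli.

# Print the PK-signature list gnutls-cli reports as enabled for a priority
# string. Uses "gnutls-cli --list --priority", which needs no network.
sigs_for_priority() {
    gnutls-cli --list --priority "$1" 2>/dev/null \
        | sed -n 's/^PK-signatures: *//p'
}

# Exit 0 if the priority string enables the named signature algorithm,
# e.g. priority_enables_sig SECURE128 SIGN-RSA-SHA1
priority_enables_sig() {
    _prio=$1; _sig=$2
    sigs_for_priority "$_prio" | tr ',' '\n' | tr -d ' ' | grep -qx "$_sig"
}

# Build the priority string the way the aria2 snippet in this thread does:
# start from SECURE128, then remove TLS versions below the requested minimum.
# With allow_sha1=1 the patch's "+SIGN-RSA-SHA1" is appended as an explicit
# opt-in instead of being on for everyone. The TLS 1.2 case also dropping
# TLS 1.0 is an assumption; that part of the switch is not shown on the page.
build_priority() {
    _min=$1; _allow_sha1=$2
    _p="SECURE128"
    [ "$_allow_sha1" = 1 ] && _p="$_p:+SIGN-RSA-SHA1"
    case "$_min" in
        1.2) _p="$_p:-VERS-TLS1.1:-VERS-TLS1.0" ;;
        1.1) _p="$_p:-VERS-TLS1.0" ;;
    esac
    printf '%s\n' "$_p"
}

# Attempt a TLS handshake against HOST with the given priority string and
# report the outcome. gnutls-cli exits non-zero when the handshake fails.
probe_host() {
    _host=$1; _prio=$2
    if gnutls-cli --priority "$_prio" "$_host" </dev/null >/dev/null 2>&1; then
        echo "$_host: handshake OK with '$_prio'"
    else
        echo "$_host: handshake FAILED with '$_prio'"
    fi
}

# Usage when run directly: compare the two priority strings, then probe
# the host named in this thread with each of them.
if [ "${1:-}" = "run" ]; then
    for p in "$(build_priority 1.2 0)" "$(build_priority 1.2 1)"; do
        echo "$p -> $(sigs_for_priority "$p")"
        probe_host ftp.f3l.de "$p"
    done
fi
```

Run it with `sh script.sh run`. The first loop iteration shows the signature list without SHA-1 and, against a server that only signs with RSA-SHA1, a failed handshake; the second shows SIGN-RSA-SHA1 at the end of the list, which is why the patched string connects.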
All servers with older aria2 versions never had this problem, so it looks like a security-driven regression, which is very hard to handle. We can't ask the world to upgrade their gnuTLS; is there a compromise the aria2 team would make to have most HTTPS servers downloadable again?
We fixed this in master branch. Next release will have this fix.
Thank you ever so much, waiting patiently for the next release :) I use ArchLinux, so will get it really early :)
Filed for Ubuntu downstream at https://bugs.launchpad.net/ubuntu/+source/aria2/+bug/1553778
@antbryan This is maybe a problem with certificates. You can try disabling it with the following command:
Also, you can use my ca-certificates (ca-certificates.crt):
Same problem for me, I'm under:
aria2 was installed from the repository.
Problem still exists in Debian Jessie. "check-certificate=false" is ignored as a parameter and in the config file.
When downloading a file via HTTPS, I get the error
The host has a CAcert certificate that is trusted globally by my PC.
My aria2c is built against libgnutls.so.30.
When connecting directly with gnutls, I get the following error (shortened to the relevant part):
So, the handshake failure does not lie on the gnutls side.