It looks like the BoringSSL-backed server does not like the ClientHello generated by GnuTLS. It is hard for me to debug this because it is TLS internal stuff.
Similar to #6864 but this only happens with GnuTLS builds now.
Originally posted by @tatsuhiro-t in #6864 (comment)
It looks like GnuTLS sends a legacy session ID, which must be prohibited in QUIC: https://tools.ietf.org/html/draft-ietf-quic-tls-34#section-8.4
Now I have to find how to make GnuTLS stop sending this.
Meanwhile it seems that OpenSSL does not check this thing out, which smells like a bug.
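Added example, not part of the thread and not code from curl, ngtcp2, GnuTLS or BoringSSL: a bounds-checked reader for the `legacy_session_id` field of a ClientHello, the field discussed in the comment above. The function names and the stripped-down sample message are constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offset of the legacy_session_id length byte in the handshake message:
 * msg_type(1) + length(3) + legacy_version(2) + random(32). */
#define SID_LEN_OFF (1 + 3 + 2 + 32)

/* legacy_session_id length (0..32) of a ClientHello as carried in QUIC
 * CRYPTO frames (no TLS record header), or -1 if it does not parse. */
static int legacy_session_id_len(const uint8_t *msg, size_t len)
{
  size_t body, n;
  if (!msg || len < SID_LEN_OFF + 1 || msg[0] != 0x01 /* client_hello */)
    return -1;
  body = ((size_t)msg[1] << 16) | ((size_t)msg[2] << 8) | msg[3];
  if (body > len - 4 || body < SID_LEN_OFF - 4 + 1)
    return -1;                         /* declared length does not fit */
  n = msg[SID_LEN_OFF];
  if (n > 32 || n > body - (SID_LEN_OFF - 4 + 1))
    return -1;                         /* opaque legacy_session_id<0..32> */
  return (int)n;
}

/* Build a constructed, stripped-down ClientHello with an n-byte session ID
 * (n <= 32, buf at least 80 bytes). Returns the message length. */
static size_t build_sample_hello(uint8_t *buf, size_t n)
{
  static const uint8_t tail[] = { 0x00, 0x02, 0x13, 0x01,   /* one cipher suite */
                                  0x01, 0x00, 0x00, 0x00 }; /* null compression, no extensions */
  size_t body = 2 + 32 + 1 + n + sizeof(tail);
  memset(buf, 0, 4 + body);            /* all-zero random: placeholder */
  buf[0] = 0x01;                       /* msg_type client_hello */
  buf[3] = (uint8_t)body;              /* body < 256 here */
  buf[4] = buf[5] = 0x03;              /* legacy_version 0x0303 */
  buf[SID_LEN_OFF] = (uint8_t)n;
  memset(buf + SID_LEN_OFF + 1, 0xAB, n);
  memcpy(buf + SID_LEN_OFF + 1 + n, tail, sizeof(tail));
  return 4 + body;
}

int main(void)
{
  uint8_t buf[80];
  /* Non-zero means compatibility mode is on, which QUIC prohibits. */
  printf("compat mode on:  %d\n", legacy_session_id_len(buf, build_sample_hello(buf, 32)));
  printf("compat mode off: %d\n", legacy_session_id_len(buf, build_sample_hello(buf, 0)));
  return 0;
}
```

A server-side check along these lines would reject the first sample and accept the second; a result of -1 means the buffer could not be parsed as far as the session ID.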
@ueno Is there any way to tell GnuTLS to disable TLSv1.3 compatibility mode?
It looks like #undef TLS13_APPENDIX_D4 disables it, but it is a compile-time option.
Not currently, but it should be easy to add. I've filed an issue at:
I'm going to close this issue here since this has been determined to be a GnuTLS bug and it isn't very useful for us to keep it open here as well. This should work with curl once GnuTLS is fixed to do right.
ngtcp2: disable TLSv1.3 compatible mode when using GnuTLS
The latest GnuTLS-3.7.2 implements disable switch for TLSv1.3 compatible
mode for middle box but it is enabled by default, which is unnecessary