Cannot connect to any SSL servers besides "EFNet", with gnutls 3.6.3 #1231

Closed
Jigoku opened this issue Aug 4, 2018 · 3 comments
Labels
bug Unexpected problem or unintended behavior invalid Invalid issue

Comments


Jigoku commented Aug 4, 2018

Bug summary

Weechat 2.1 and 2.2 have issues connecting to any SSL server on Slackware -current with gnutls 3.6.3.

Current behavior

I cannot connect to any SSL servers; the exception is that EFNet works fine for some reason. Of the 15-20 IRC servers I have in my irc.conf which use SSL, I can literally only connect to EFNet. All other servers give this obscure error:

irc: TLS handshake failed
irc: error: The operation was cancelled due to user error

Steps to reproduce

1. run weechat
2. connect to SSL server (other than EFNet)
3. client will never connect, producing error as mentioned above

Desired behavior

Should connect the first time.

Suggested solutions

There seems to be no solution

Additional information

I use Slackware -current, which had upgraded the gnutls package on July 17th to version 3.6.3.
I believe it was a day after this upgrade that I started to experience this problem.

Rebuilding weechat against this version of gnutls doesn't resolve anything.

I have tried a fresh config, deleting ~/.weechat/ etc, and no solution from that. I have also recently installed Slackware -current to a virtual machine to test this, and get the same problems.

I have been told that several people came into the #weechat channel on FreeNode asking about this problem in relation to Slackware -current, but there still seems to be no solution.

There seems to be no problem with other applications that use gnutls 3.6.3, so I believe this is solely related to weechat. There's also the odd thing about EFNet being able to connect over SSL perfectly fine, yet no other network will ever connect and just gives the error message mentioned above.

  • WeeChat version: 2.1 and 2.2
  • OS, distribution and version: Slackware -current x86_64

flashcode added the bug label Aug 5, 2018
orbea (Contributor) commented Aug 23, 2018

Seems Fedora backported some gnutls upstream fixes which solved this for me (I'm on Slackware current too).

diff --git a/lib/cert-cred.c b/lib/cert-cred.c
index d3777e51f..2150e903f 100644
--- a/lib/cert-cred.c
+++ b/lib/cert-cred.c
@@ -387,6 +387,13 @@ static int call_legacy_cert_cb1(gnutls_session_t session,
 	if (ret < 0)
 		return gnutls_assert_val(ret);
 
+	if (st2.ncerts == 0) {
+		*pcert_length = 0;
+		*ocsp_length = 0;
+		*privkey = NULL;
+		return 0;
+	}
+
 	if (st2.cert_type != GNUTLS_CRT_X509) {
 		gnutls_assert();
 		ret = GNUTLS_E_INVALID_REQUEST;
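Review bot: the new early return when st2.ncerts == 0 zeroes *pcert_length and *ocsp_length and clears *privkey, but the output pointers those lengths describe are left untouched; either set those pointers to NULL in the same block or confirm that every caller tests the length before touching the array, otherwise a zero-length result still points at whatever the caller passed in. The early exit also skips the GNUTLS_CRT_X509 type check directly below it, which is fine for an empty response but deserves a one-line comment stating that "no certificate" is a valid answer from the legacy callback.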
@@ -503,7 +510,10 @@ void gnutls_certificate_set_retrieve_function
      gnutls_certificate_retrieve_function * func)
 {
 	cred->legacy_cert_cb1 = func;
-	cred->get_cert_callback3 = call_legacy_cert_cb1;
+	if (!func)
+		cred->get_cert_callback3 = NULL;
+	else
+		cred->get_cert_callback3 = call_legacy_cert_cb1;
 }
 
 static int call_legacy_cert_cb2(gnutls_session_t session,
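Review bot: the NULL handling in gnutls_certificate_set_retrieve_function changes what passing func == NULL means, from "install a dispatcher that will call a NULL legacy callback" to "no callback registered"; the function's documentation (not in this hunk) should state that NULL unregisters the callback, and a short unit test for the NULL case would keep this from regressing. The if/else could also be collapsed to `cred->get_cert_callback3 = func ? call_legacy_cert_cb1 : NULL;`, which shows the intent on one line.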
@@ -578,7 +588,10 @@ void gnutls_certificate_set_retrieve_function2
      gnutls_certificate_retrieve_function2 * func) 
 {
 	cred->legacy_cert_cb2 = func;
-	cred->get_cert_callback3 = call_legacy_cert_cb2;
+	if (!func)
+		cred->get_cert_callback3 = NULL;
+	else
+		cred->get_cert_callback3 = call_legacy_cert_cb2;
 }
 
 /**
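Review bot: this is the same NULL check as in gnutls_certificate_set_retrieve_function, and both setters write the single shared slot cred->get_cert_callback3, so calling gnutls_certificate_set_retrieve_function(cred, NULL) after gnutls_certificate_set_retrieve_function2(cred, func) clears the cb2 dispatcher as well; if that cross-effect is intended it needs a comment, and if not, each setter should only reset get_cert_callback3 when it currently points at its own dispatcher (call_legacy_cert_cb1 or call_legacy_cert_cb2). Consider pulling the repeated if/else into one helper so the two setters cannot drift apart.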
diff --git a/lib/hello_ext.c b/lib/hello_ext.c
index a3027130a..f72afe77f 100644
--- a/lib/hello_ext.c
+++ b/lib/hello_ext.c
@@ -208,7 +208,7 @@ int hello_ext_parse(void *_ctx, unsigned tls_id, const uint8_t *data, unsigned d
 
 	if (tls_id == PRE_SHARED_KEY_TLS_ID) {
 		ctx->seen_pre_shared_key = 1;
-	} else if (ctx->seen_pre_shared_key) {
+	} else if (ctx->seen_pre_shared_key && session->security_parameters.entity == GNUTLS_SERVER) {
 		/* the pre-shared key extension must always be the last one,
 		 * draft-ietf-tls-tls13-28: 4.2.11 */
 		return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
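Review bot: the pre_shared_key-must-be-last check is now enforced only when session->security_parameters.entity == GNUTLS_SERVER, but the comment above it still cites the rule without saying why it became server-only; update the comment to note that the draft-28 section 4.2.11 ordering constraint applies to the ClientHello, so a client must not reject a server message that carries other extensions after pre_shared_key. Of the four hunks this is the only one that changes client-side handshake parsing, so it is the one most directly related to the "TLS handshake failed" error reported in this issue and the one that merits a regression test against a server that resumes with a PSK. The new condition also pushes that line well past the width of its neighbours; wrap it.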

https://src.fedoraproject.org/cgit/rpms/gnutls.git/tree/gnutls-3.6.3-backport-upstream-fixes.patch

Jigoku (Author) commented Aug 23, 2018

@orbea Just saw your reply on the LinuxQuestions forum thread, and yeah, the above patch fixes all of these connection problems for me. Cheers.

Not sure if I should close this issue myself, so I'll just leave it open I guess.

flashcode (Member) commented

Closing the issue, since the problem was in gnutls and not WeeChat.

flashcode added the invalid label Aug 23, 2018