
libgnutls30 3.6.7.4-deb10u9 May cause unexpected SSL connection problem


gooparm


I'm not sure this is the right place to submit libgnutls30 armbian package issues.

If anyone upgrades libgnutls30 to 3.6.7.4-deb10u9, you may have trouble connecting to some SSL destinations.

I reverted it back to 10u7, and then the problem was gone.

 

20220817.05:18:10 root@armbianr2s:~/lkm# echo -e "GET / HTTP/1.1\n\n\n" | openssl s_client -connect web.telegram.org:443 -tlsextdebug
CONNECTED(00000003)
^C
20220817.05:18:47 root@armbianr2s:~/lkm# #SSL_CONNECTION_PROBLEM_SOME_SITES_AFTER_UPGRADE_libgnutls30_THEN_REBOOT;
20220817.05:19:03 root@armbianr2s:~/lkm# #PROBLEM_ALSO_HAPPENED_WHILE_tcptraceroute_THEREFORE_I_WAS_REALLY_CONFUSED_AND_WASTED_TIME. BECAUSE, tcptrace and python NOTE TO ME Connection Timeout(I_WAS_MISTAKEN_PROBLEM_BETWEEN_NETWORK_PATH_OR_DESTINATION_SERVICE_BLOCKS_MY_IP)
20220817.05:19:45 root@armbianr2s:~/lkm# #BUT,THIS CONNECTION PROBLEM HAPPENDED BY libgnutls30!!!
20220817.05:54:50 root@armbianr2s:~/lkm# apt-get -s install libgnutls30=3.6.7-4+deb10u7
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  gnutls-bin
The following packages will be DOWNGRADED:
  libgnutls30
0 upgraded, 0 newly installed, 1 downgraded, 0 to remove and 0 not upgraded.
Inst libgnutls30 [3.6.7-4+deb10u9] (3.6.7-4+deb10u7 Debian:10.12/oldstable [arm64])
Conf libgnutls30 (3.6.7-4+deb10u7 Debian:10.12/oldstable [arm64])
20220817.05:55:11 root@armbianr2s:~/lkm# echo -e "GET / HTTP/1.1\n\n\n" | openssl s_client -connect web.telegram.org:443 -tlsextdebug
CONNECTED(00000003)
TLS server extension "supported versions" (id=43), len=2
0000 - 03 04                                             ..
TLS server extension "key share" (id=51), len=36
0000 - 00 1d 00 20 cc c3 07 cd-ca 4c 1a ae db 51 b9 e3   ... .....L...Q..
0010 - 86 02 18 3e fa b5 b7 bd-0d f2 27 20 fb e8 c9 a5   ...>......' ....
0020 - 16 45 ff 08                                       .E..
TLS server extension "server name" (id=0), len=0
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
verify return:1
depth=0 OU = Domain Control Validated, CN = *.web.telegram.org
verify return:1
---
Certificate chain
 0 s:OU = Domain Control Validated, CN = *.web.telegram.org
   i:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
 1 s:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
   i:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
 2 s:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
   i:C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
 3 s:C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
   i:C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGvDCCBaSgAwIBAgIJAJjKNDH6CCbXMA0GCSqGSIb3DQEBCwUAMIG0MQswCQYD
..SNIP.. ..SNIP.. ..SNIP..
xFtIy/Z3OffAcOWV/l+xh7s/8E/cqSNLOvnDPCgCW1s98JWw7xwL+EwGYxS4N2pY
-----END CERTIFICATE-----
subject=OU = Domain Control Validated, CN = *.web.telegram.org

issuer=C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5720 bytes and written 388 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE
20220817.05:55:28 root@armbianr2s:~/lkm# 

 

Edited by gooparm
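
The transcript above shows two states: a session that stops after CONNECTED until it is interrupted, and one that completes a TLSv1.3 handshake. As an added example (not part of the original post), this shell sketch runs the same s_client probe under a timeout and labels the stage that was reached, so a stalled handshake is not mistaken for a network-path timeout. The function names are hypothetical, and openssl, awk, dpkg-query and coreutils `timeout` are assumed to be installed.

```shell
#!/bin/sh
# Added example: function names are hypothetical; assumes openssl, awk,
# dpkg-query and coreutils `timeout` are available on the host.

# classify_handshake: read `openssl s_client` output on stdin and print how
# far the connection got:
#   tcp-failed   no CONNECTED(...) line, TCP never came up
#   tls-stalled  TCP connected, but s_client printed no session summary
#   tls-failed   summary printed with protocol (NONE), handshake aborted
#   tls-ok ...   handshake finished; protocol and verify code follow
classify_handshake() {
    awk '
        /^CONNECTED\(/          { tcp = 1 }
        /^New, /                { proto = $2; sub(/,$/, "", proto) }
        /^Verify return code: / { verify = $4 }
        END {
            if (!tcp)                   print "tcp-failed"
            else if (proto == "")       print "tls-stalled"
            else if (proto == "(NONE)") print "tls-failed"
            else                        print "tls-ok " proto " verify=" verify
        }'
}

# probe_tls HOST [PORT] [SECONDS]: run s_client under a timeout so a stalled
# handshake ends on its own instead of waiting for ^C, then classify it.
probe_tls() {
    host=$1; port=${2:-443}; secs=${3:-10}
    timeout "$secs" openssl s_client -connect "$host:$port" \
        -servername "$host" </dev/null 2>&1 | classify_handshake
}

# gnutls_version: installed libgnutls30 package version, to record next to
# each probe result when comparing before and after a package change.
gnutls_version() {
    dpkg-query -W -f='${Version}' libgnutls30 2>/dev/null
}
```

Running `probe_tls web.telegram.org` before and after a package change, together with `gnutls_version`, gives a one-line record of each state to attach to a bug report.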