Bug 455800

Summary:	net-im/pidgin-2.10.6 with net-libs/gnutls-3.1.7 - cannot connect to Google Talk account: connection: Connection error on 0x1887a00 (reason: 5 description: SSL-handshake failed)
Product:	Gentoo Linux	Reporter:	Viktor Yu. Kovalskii <vityokster>
Component:	Current packages	Assignee:	Gentoo Net-im project <net-im>
Status:	RESOLVED FIXED
Severity:	normal	CC:	brainkiller_01, crypto+disabled, faenon, marduk, patrakov
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
See Also:	https://bugs.gentoo.org/show_bug.cgi?id=456250
Whiteboard:
Package list:		Runtime testing required:	---

Description Viktor Yu. Kovalskii 2013-02-06 07:30:14 UTC

After upgrading gnutls to 3.1.7 version pidgin can't connect to GTalk account with error: SSL-handshake failed.

Reproducible: Always

Steps to Reproduce:
1.Upgrade gnutls to 3.1.7 version
2.Restart pidgin
3.Try to connect to GTalk account.
Actual Results:  
Pidgin can't connect with error: SSL-handshake failed.


At Debug Window with gnutls-3.1.7:
(14:16:12) account: Connecting to account accountname@gmail.com/.
(14:16:12) connection: Connecting. gc = 0x1887a00
(14:16:12) dnsquery: Performing DNS lookup for talk.google.com
(14:16:12) dns: Successfully sent DNS request to child 18195
(14:16:12) dns: Got response for 'talk.google.com'
(14:16:12) dnsquery: IP resolved for talk.google.com
(14:16:12) proxy: Attempting connection to 173.194.70.125
(14:16:12) proxy: Connecting to talk.google.com:443 with no proxy
(14:16:12) proxy: Connection in progress
(14:16:12) proxy: Connecting to talk.google.com:443.
(14:16:12) proxy: Connected to talk.google.com:443.
(14:16:12) gnutls: Starting handshake with talk.google.com
(14:16:12) gnutls: Handshake failed. Error The Diffie-Hellman prime sent by the server is not acceptable (not long enough).
(14:16:12) connection: Connection error on 0x1887a00 (reason: 5 description: SSL-handshake failed)
(14:16:12) account: Disconnecting account vityokster@gmail.com/ (0x7a6ad0)
(14:16:12) connection: Disconnecting connection 0x1887a00
(14:16:12) jabber: jabber_actions: have pep: NO
(14:16:12) connection: Destroying connection 0x1887a00

Comment 1 Viktor Yu. Kovalskii 2013-02-06 07:32:19 UTC

emerge --info =net-libs/gnutls-3.1.6 net-im/pidgin
Portage 2.2.0_alpha161 (default/linux/amd64/10.0/desktop/kde, gcc-4.7.2, glibc-2.16.0, 3.7.4-gentoo x86_64)
=================================================================
                        System Settings
=================================================================
System uname: Linux-3.7.4-gentoo-x86_64-Intel-R-_Core-TM-2_Duo_CPU_E7500_@_2.93GHz-with-gentoo-2.2
KiB Mem:     1923328 total,    209656 free
KiB Swap:    3156768 total,   2987420 free
Timestamp of tree: Wed, 06 Feb 2013 05:00:01 +0000
ld GNU ld (GNU Binutils) 2.23.1
ccache version 3.1.9 [enabled]
app-shells/bash:          4.2_p42
dev-java/java-config:     2.1.12-r1
dev-lang/python:          2.7.3-r3
dev-util/ccache:          3.1.9
dev-util/cmake:           2.8.10.2-r1
dev-util/pkgconfig:       0.28
sys-apps/baselayout:      2.2
sys-apps/openrc:          0.11.8
sys-apps/sandbox:         2.6
sys-devel/autoconf:       2.13, 2.69
sys-devel/automake:       1.9.6-r3, 1.11.6, 1.12.6
sys-devel/binutils:       2.23.1
sys-devel/gcc:            4.7.2
sys-devel/gcc-config:     1.8
sys-devel/libtool:        2.4.2
sys-devel/make:           3.82-r4
sys-kernel/linux-headers: 3.7 (virtual/os-headers)
sys-libs/glibc:           2.16.0
Repositories: gentoo dmol overlays-oschtan flying
Installed sets: @kde-installed, @toolchain
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="* -@EULA PUEL googleearth AdobeFlash-10.3 skype-4.0.0.7-copyright"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=core2 -msse4.1 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt /usr/share/polkit-1/actions /var/lib/hsqldb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/splash /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-march=core2 -msse4.1 -O2 -pipe"
DISTDIR="/mnt/slag/distfiles"
EMERGE_DEFAULT_OPTS="--autounmask=n"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs buildpkg ccache collision-protect distlocks ebuild-locks fixlafiles merge-sync metadata-transfer news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://ash.catalysis.ru/gentoo/ http://linux.nsu.ru/gentoo-distfiles http://mirror.yandex.ru/gentoo-distfiles/ http://trumpetti.atm.tut.fi/gentoo http://oschtan.academ.org/"
LANG="ru_RU.UTF-8"
LC_ALL=""
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j3"
PKGDIR="/mnt/slag/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/mnt/slag"
PORTDIR="/mnt/slag/gentoo-tree"
PORTDIR_OVERLAY="/mnt/slag/layman/dmol /mnt/slag/layman/oschtan /mnt/slag/layman/flying"
SYNC="rsync://rsync.gentoo.org/gentoo-portage/"
USE="7zip X a52 aac aalib acl acpi additions alsa amd64 amr amrnb amrwb ao apm apng applet audiofile bash-completion bazaar bdf berkdb branding bs2b bzip2 cairo cdda cdparanoia cdr chm cjk cleartype cli color-console consolekit cracklib crypt cups cvs cxx dbus declarative dirac divx djvu dri drm dts dvd dvdr dvdread egl emboss emf enca encode eselect exceptions exif extensions faac faad fam fbcondecor ffmpeg fftw firefox flac fontconfig fortran ftp fuse gallium gcj gd gif gimp git glitz gmedia gmp gpg gphoto2 gpm graphviz gstreamer hddtemp hdri htmlhandbook icons iconv icq icu imagemagick imlib jabber java jbig jingle jpeg jpeg2k kde kipi lame latex lcms libass libffi libnotify libsamplerate lm_sensors lzma mad mdnsresponder-compat mercurial midi mikmod mime mms mmx mmxext mng modplug modules motif mp2 mp3 mp4 mpeg mplayer mudflap multilib multitarget musepack musicbrainz natspec ncurses network nls nova npp nptl nptlonly nsplugin oav objc objc++ objc-gc ogg openexr opengl openmp orc oscar osmesa pam pango pcre pdf perl pertty phonon plasma plotutils png policykit postscript povray ppds projectm python qt3support qt4 quicktime rar raw rcc readline realmedia reflection rtc samba scanner schroedinger scrobbler sdl sensord session sndfile sound spell spl sqlite srt sse sse2 sse3 sse4_1 ssl ssse3 startup-notification subversion suid svg symlink syslog system-sqlite szip taglib tcpd templates theora threads thumbnail tidy tiff truetype udev udisks unicode unsupported upower usb userlocales utempter vaapi vcd visualization vorbis vpx wavpack webp wma wmf wmp wxwidgets x264 x264-svn-encoder xattr xcb xcomposite xml xorg xpm xv xvid zip zlib" ABI_X86="64" ALSA_CARDS="intel-hda" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump" CAMERAS="adc65 agfa_cl20 aox barbie canon casio_qv clicksmart310 digigr8 digita dimagev dimera3500 directory enigma13 fuji gsmart300 hp215 iclick jamcam jd11 kodak_dc120 kodak_dc210 kodak_dc240 kodak_dc3200 kodak_ez200 konica konica_qm150 largan lg_gsm mars mustek panasonic_coolshot panasonic_dc1000 panasonic_dc1580 panasonic_l859 pccam300 pccam600 polaroid_pdc320 polaroid_pdc640 polaroid_pdc700 ptp2 ricoh ricoh_g3 samsung sierra sipix_blink sipix_blink2 sipix_web2 smal sonix sony_dscf1 sony_dscf55 soundvision spca50x sq905 stv0674 stv0680 sx330z template toshiba_pdrm11 jl2005a topfield ax203 st2205 jl2005c tp6801" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CURL_SSL="gnutls" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer nlpsolver pdfimport" LINGUAS="ru ru_RU" PHP_TARGETS="php5-3" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7" RUBY_TARGETS="ruby19" SANE_BACKENDS="abaton agfafocus apple artec artec_eplus48u as6e avision bh canon canon630u canon_dr canon_pp cardscan coolscan coolscan2 coolscan3 dc210 dc240 dc25 dell1600n_net dmc epjitsu epson epson2 fujitsu genesys gt68xx hp hp3500 hp3900 hp4200 hp5400 hp5590 hpljm1005 hpsj5s hs2p ibm kodak kvs1025 leo lexmark ma1509 matsushita microtek microtek2 mustek mustek_pp mustek_usb nec net niash p5 pie pixma plustek plustek_pp qcam ricoh rts8891 s9036 sceptre sharp sm3600 sm3840 snapscan sp15c st400 stv680 tamarack teco1 teco2 teco3 test u12 umax umax1220u umax_pp xerox_mfp kvs20xx magicolor pnm kodakaio kvs40xx mustek_usb2" USERLAND="GNU" VIDEO_CARDS="i965 intel" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, INSTALL_MASK, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON

=================================================================
                        Package Settings
=================================================================

net-libs/gnutls-3.1.6 was built with the following:
USE="(consolekit) cxx (multilib) nls (policykit) zlib -dane -doc -examples -guile -pkcs11 -static-libs -test" ABI_X86="64" LINGUAS="-cs -de -en -fi -fr -it -ms -nl -pl -sv -uk -vi -zh_CN"


net-im/pidgin-2.10.6 was built with the following:
USE="(consolekit) dbus gnutls gtk (multilib) nls perl (policykit) python spell (-aqua) -debug -doc -eds -gadu -groupwise -gstreamer -idn -meanwhile -ncurses -networkmanager -prediction -sasl -silc -tcl -tk -xscreensaver -zephyr -zeroconf"
CFLAGS="-march=core2 -O2 -pipe"
CXXFLAGS="-march=core2 -O2 -pipe"

Comment 2 Eugene Shalygin 2013-02-06 17:10:11 UTC

Same problem with net-voip/telepathy-gabble-0.16.4

Comment 3 Albert W. Hopkins 2013-02-07 16:30:40 UTC

Between this and OpenSSL (bug #420261) it's been a bumpy ride wrt to recent updates and connecting to secure services.

The relevant info I have is (empathy connecting to Google Talk):

tp-glibproxy-DEBUG: 02/07/2013 16:19:01.748158: tp_proxy_invalidate: 0x688dc60: WOCKY_CONNECTOR_ERROR_TLS_SESSION_FAILED (#7): TLS handshake error: -63: GNUTLS_E_DH_PRIME_UNACCEPTABLE
tp-glibproxy-DEBUG: 02/07/2013 16:19:01.748208: tp_proxy_signal_connection_proxy_invalidated: 0x7f7b28003440: TpProxy 0x688dc60 invalidated (I have 0x688dc60): WOCKY_CONNECTOR_ERROR_TLS_SESSION_FAILED (#7): TLS handshake error: -63: GNUTLS_E_DH_PRIME_UNACCEPTABLE
tp-glibproxy-DEBUG: 02/07/2013 16:19:01.748264: tp_proxy_signal_connection_proxy_invalidated: 0x875ef30: TpProxy 0x688dc60 invalidated (I have 0x688dc60): WOCKY_CONNECTOR_ERROR_TLS_SESSION_FAILED (#7): TLS handshake error: -63: GNUTLS_E_DH_PRIME_UNACCEPTABLE
tp-glibproxy-DEBUG: 02/07/2013 16:19:01.748318: tp_proxy_signal_connection_proxy_invalidated: 0x8b60180: TpProxy 0x688dc60 invalidated (I have 0x688dc60): WOCKY_CONNECTOR_ERROR_TLS_SESSION_FAILED (#7): TLS handshake error: -63: GNUTLS_E_DH_PRIME_UNACCEPTABLE
tp-glibproxy-DEBUG: 02/07/2013 16:19:01.748485: tp_proxy_signal_connection_proxy_invalidated: 0x875eec0: TpProxy 0x688dc60 invalidated (I have 0x688dc60): WOCKY_CONNECTOR_ERROR_TLS_SESSION_FAILED (#7): TLS handshake error: -63: GNUTLS_E_DH_PRIME_UNACCEPTABLE

Comment 4 Jan Psota 2013-02-07 20:52:39 UTC

I confirm: it's net-libs/gnutls-3.1.7 fault.
On 3.1.6 both pidgin and empathy works fine.
(and recompiling pidgin on gnutls 3.1.7 doesn't
change anything - does not work)

Comment 5 Diego Elio Pettenò (RETIRED) gentoo-dev

2013-02-09 12:50:43 UTC

I've reported this upstream; the same problem happens with any other client using gnutls.

Comment 6 Diego Elio Pettenò (RETIRED) gentoo-dev

2013-02-10 14:35:06 UTC

Fixed with GnuTLS 3.1.8.