Egregoros · Phoenix Framework

Replying to @feld@friedcheese.us

The Doctor

@drwho@masto.hackers.town remote

2w

@feld I don't think I've met anyone who's gotten GnuTLS to work.

Replying to @drwho@masto.hackers.town

feld

@feld@friedcheese.us remote

2w

@drwho every time I had software that used GnuTLS by default, it was broken somehow. And just rebuilding it against OpenSSL fixed it.

Replying to @feld@friedcheese.us

Haelwenn /элвэн/

@lanodan@queer.hacktivis.me remote

2w

@feld Reminds me that the few times I looked at WolfSSL it just gave me the same impression as GrSecurity, technically free software license wise but otherwise acts like proprietary software, so effectively goes in the same box as BoringSSL and AWS-LC.

Replying to @feld@friedcheese.us

Andrew (LinuxJedi) Hutchings

@LinuxJedi@fosstodon.org remote

2w

@feld owned by ARM? Can I ask where that quote came from? It would be easier for me if we were, my nearest office would be an hour away rather than another continent.

Replying to @LinuxJedi@fosstodon.org

feld

@feld@friedcheese.us remote

2w

@LinuxJedi I have mentally swapped PolarSSL for WolfSSL there, whoops

Replying to @feld@friedcheese.us

Andrew (LinuxJedi) Hutchings

@LinuxJedi@fosstodon.org remote

2w

@feld ah! Makes sense, thanks! 🙂

As for the core issue, there is a patch to fix that. I can get it into the codebase sooner rather than later if you still need it.

feld

@feld@friedcheese.us remote

2w

@mirabilos typos are a bitch heh

I've thought about automating the Lasted Updated timestamp to be based on the file last modified timestamp, but I can see so many ways that would go wrong

Replying to @LinuxJedi@fosstodon.org

feld

@feld@friedcheese.us remote

2w

@LinuxJedi I think what's most important is that a fix is pushed out ASAP before people start sticking WolfSSL in more places and now an unknown number of servers exist that are unable to handshake with RFC-compliant TLS 1.3 clients.

How many people are sticking WolfSSL in devices where they'll never update for years? That's what's incredibly concerning.

I'm also completely at a loss for why when even compiling with the middlebox compat mode it *still* couldn't complete the handshake. Something just seems extra broken about it.

Replying to @feld@friedcheese.us

Andrew (LinuxJedi) Hutchings

@LinuxJedi@fosstodon.org remote

2w

@feld I can speculate as to why things are how they are now, but we are a large engineering team and I don't have all the history of that feature to hand. I don't typically work on the TLS side of things myself.

It is past my end of day today, but it is on my list to get that pushed forward tomorrow.

Replying to @LinuxJedi@fosstodon.org

feld

@feld@friedcheese.us remote

2w

@LinuxJedi I didn't want to mention this in the Github issue because it's just rage bait for passerbys, but I had the packet dump parsed by Claude which picked it apart for me with tshark and correctly analyzed the handshake frame by frame identifying the missing change_cipher_spec response from the server and how that was the root cause. Saved me so many hours of trying to figure it out myself.

(Claude did lead me down a wrong rabbithole first, but I caught that mistake pretty quick)

I was honestly expecting to be wrong and that the root cause was a broken client implementation on the Erlang side, but something in my gut said "it worked with OpenSSL, and we know OpenSSL is a trash fire, but Occam's Razor says the drop-in replacement of WolfSSL was the only variable that changed..." and I guess it was right.