Opened 4 years ago

Closed 3 years ago

Last modified 3 years ago

#16172 closed defect (fixed)

Can't connect to yahoo: A TLS packet with unexpected length was received

Reported by: momo Owned by:
Milestone: 2.10.10 Component: libpurple
Version: 2.10.9 Keywords: yahoo gnutls tls
Cc: rwky, andrei.mihaila, robert74, djberriman, bertocci, sagi, bberberov

Description

The relevant debug log:

libpurple/gnutls: Serial: 25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fd                                                                                                                                                                                                  │
libpurple/gnutls: Cert DN: C=US,O=VeriSign\, Inc.,OU=VeriSign Trust Network,OU=(c) 2006 VeriSign\, Inc. - For authorized use only,CN=VeriSign Class 3 Public Primary Certification Authority - G5                                                                          │
libpurple/gnutls: Cert Issuer DN: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority                                                                                                                                                                 │
libpurple/certificate/x509/tls_cached: Starting verify for login.yahoo.com                                                                                                                                                                                                 │
libpurple/certificate/x509/tls_cached: Checking for cached cert...                                                                                                                                                                                                         │
libpurple/certificate/x509/tls_cached: ...Found cached cert                                                                                                                                                                                                                │
libpurple/gnutls: Attempting to load X.509 certificate from certificates/x509/tls_peers/login.yahoo.com                                                                                                                                             │
libpurple/certificate/x509/tls_cached: Peer cert matched cached                                                                                                                                                                                                            │
libpurple/util: Writing file certificates/x509/tls_peers/login.yahoo.com                                                                                                                                                                            │
libpurple/certificate: Successfully verified certificate for login.yahoo.com                                                                                                                                                                                               │
libpurple/util: request constructed                                                                                                                                                                                                                                        │
libpurple/util: Response headers: 'HTTP/1.1 200 OK␍                                                                                                                                                                                                                        │
Date: Sun, 23 Mar 2014 16:45:33 GMT␍                                                                                                                                                                                                                                       │
Set-Cookie: B=c2ngvmp9iu3td&b=3&s=kq; expires=Wed, 23-Mar-2016 16:45:33 GMT; path=/; domain=.yahoo.com␍                                                                                                                                                                    │
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"␍                                                    │
Cache-Control: private␍                                                                                                                                                                                                                                                    │
Pragma: no-cache␍                                                                                                                                                                                                                                                          │
Expires: Thu, 05 Jan 1995 22:00:00 GMT␍                                                                                                                                                                                                                                    │
Vary: Accept-Encoding␍                                                                                                                                                                                                                                                     │
Content-Type: text/html␍                                                                                                                                                                                                                                                   │
Age: 0␍                                                                                                                                                                                                                                                                    │
Connection: close␍                                                                                                                                                                                                                                                         │
Server: ATS␍                                                                                                                                                                                                                                                               │
␍                                                                                                                                                                                                                                                                          │
'                                                                                                                                                                                                                                                                          │
libpurple/gnutls: receive failed: A TLS packet with unexpected length was received.                                                                                                                                                                                        │
libpurple/yahoo: Authentication: In yahoo_auth16_stage1_cb                                                                                                                                                                                                                 │
libpurple/yahoo: Login Failed, unable to retrieve login url: Error reading from login.yahoo.com: Input/output error                                                                                                                                                        │
libpurple/connection: Connection error on 0x8cd49f8 (reason: 0 description: Error reading from login.yahoo.com: Input/output error) 

Attachments (1)

purple.txt (20.4 KB) - added by djberriman 4 years ago.
debug log of gnutls session

Download all attachments as: .zip

Change History (17)

comment:1 Changed 4 years ago by stelardactek

I have also been getting this error since the 28th of March.

Last edited 4 years ago by stelardactek (previous) (diff)

comment:2 Changed 4 years ago by bjh

I'm getting the same since yesterday (March 29) - verified for 3 Yahoo accounts - tried to play a bit with the server names, IPs with no success. No problems with AIM, ICQ or Google accounts. The Yahoo accounts are all right when I use them with Kopete.

comment:3 in reply to: ↑ description Changed 4 years ago by lucian80

Same error, same date, March 28th.

Very important error I think as nobody can use yahoo messenger any more on pidgin.

(00:51:11) gnutls: receive failed: A TLS packet with unexpected length was received.
(00:51:11) yahoo: Authentication: In yahoo_auth16_stage1_cb
(00:51:11) yahoo: Login Failed, unable to retrieve login url: Error reading from login.yahoo.com: Input/output error
Last edited 4 years ago by Robby (previous) (diff)

comment:4 Changed 4 years ago by andrei.mihaila

Getting the same error ("Error reading from login.yahoo.com: Input/output error") starting from about the same date with a very similar cause:

(11:05:47) gnutls: receive failed: The TLS connection was non-properly terminated.
(11:05:47) yahoo: Authentication: In yahoo_auth16_stage1_cb
(11:05:47) yahoo: Login Failed, unable to retrieve login url: Error reading from login.yahoo.com: Input/output error

comment:5 Changed 4 years ago by robert74

I am also getting the error "Error reading from login.yahoo.com: Input/output error" for the last couple of days.

comment:6 Changed 4 years ago by datallah

  • Status changed from new to pending

Please follow the instructions to get a debug log and attach it to this ticket.
This has been confirmed to be an issue when using the gnutls ssl implementation - it appears to work fine when the NSS implementation is used - a full debug log may be useful, along with the output of gnutls-cli-debug -V -p 443 login.yahoo.com

comment:7 Changed 4 years ago by datallah

Also, set the PURPLE_GNUTLS_DEBUG environment variable to 9 to get more debug output (quit pidgin and then start it from a terminal):

export PURPLE_GNUTLS_DEBUG=9
pidgin -d > /tmp/debug.log

comment:8 Changed 4 years ago by djberriman

Workaround for this issue.

Ensure you have nspr-devel and nss-devel installed (on fedora at least).

Configure pidgin without gnutls (--enable-gnutls=no), check the output of the configure command to confirm the SSL library is just Mozilla NSS

Make and install pigdin

Finally ensure you remove the gnutls libraries otherwise they will still be used by pidgin/libpurple

rm /usr/lib/purple-2/ssl-gnu*

Everything should now work as long as your account isn't locked out from login failures.

Changed 4 years ago by djberriman

debug log of gnutls session

comment:9 Changed 4 years ago by djberriman

gnutls-cli-debug -V -p 443 login.yahoo.com Resolving 'login.yahoo.com'... Connecting to '217.146.186.54:443'... Error in %INITIAL_SAFE_RENEGOTIATION Checking for Safe renegotiation support...

comment:10 Changed 4 years ago by djberriman

debug log attached to ticket from my libpurple based client.

comment:11 Changed 4 years ago by trac-robot

  • Status changed from pending to closed

This ticket was closed automatically by the system. It was previously set to a Pending status and hasn't been updated within 14 days.

comment:12 Changed 3 years ago by spradnyesh

Not fixed; i am still facing this issue

comment:13 Changed 3 years ago by xnyhps

Taking the discussion from #a16678 here:

Both GnuTLS and CDSA (Adium's SSL plugin) check whether a TLS connection has been closed properly by checking if the server sent a close_notify alert first. NSS doesn't. If that alert wasn't sent, GnuTLS and CDSA consider it a fatal error, which for the HTTPS handler means the response is completely discarded. That's what's happening here with Yahoo: their HTTPS server closes the connection without sending close_notify first.

The danger of not checking for that alert is that any MitM may cause a response to be truncated, yet we'd be unable to tell that it is.

Is it really an error condition libpurple should consider fatal? I'm not entirely sure.

XMPP: Shouldn't do anything with a stanza that is an incomplete XML node. IRC: Probably also doesn't handle packets until a newline is received. HTTPS: Occasionally resources need to be loaded over HTTPS. Some servers don't add a Content-Length header (Yahoo here doesn't), which means we'd be unable to tell when a HTTP response was maliciously truncated. However, as this ticket shows, and what seems to be indicated by this comment, it is relatively common for HTTPS servers not to close_notify properly. Other: I have no idea what other connections happen over TLS in libpurple.

So in general, I'd expect not too many security implications of ignoring this error condition, but I'm not fully convinced of this. Maybe libpurple should add a new error code for an uncleanly closed socket, so the HTTPS code can deal with it, somehow?

comment:14 Changed 3 years ago by Robby

  • Status changed from closed to new

comment:15 Changed 3 years ago by MarkDoliner

  • Milestone set to 2.10.10
  • Resolution set to fixed
  • Status changed from new to closed

Just submitted 42ba908c25c7 which fixes this.

comment:16 Changed 3 years ago by MarkDoliner

Also, thanks xnyhps for typing all that info! Super useful. I think it's fine to not require close_notify, and that's the change I made.

Coincidentally we talked about this problem briefly on devel@… when Tomasz implemented his new http code. Email subject was "SSL compatibility mode," from Oct and Nov 2012 and March 2013. You can also find the email by searching for GNUTLS_E_PREMATURE_TERMINATION.

Note: See TracTickets for help on using tickets.
All information, including names and email addresses, entered onto this website or sent to mailing lists affiliated with this website will be public. Do not post confidential information, especially passwords!