wip.pkgsrc.org broken TLS? (GnuTLS Fatal error: The TLS connection was non-properly terminated.)

["Dr. Thomas Orgis" <thomas.orgis%uni-hamburg.de@localhost>]

Hi,

I regularily have trouble downloading wip snapshots using wget on
Debian, where it is linked to gnutls. It does work with openssl. So I
am not really sure who is to blame … but this is a long-standing issue
that pops up from time to time and I only finde the remark that the
server is just not behaving properly. But then, openssl is not offended.

Downloading anything from gitweb.cgi looks like this:

$ wget https://wip.pkgsrc.org/cgi-bin/gitweb.cgi
--2020-08-15 12:17:32--  https://wip.pkgsrc.org/cgi-bin/gitweb.cgi
Resolving wip.pkgsrc.org (wip.pkgsrc.org)... 2a00:19e0:3004:219:2a92:4aff:fe33:3b71, 195.22.142.117
Connecting to wip.pkgsrc.org (wip.pkgsrc.org)|2a00:19e0:3004:219:2a92:4aff:fe33:3b71|:443... failed: Connection refused.
Connecting to wip.pkgsrc.org (wip.pkgsrc.org)|195.22.142.117|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘gitweb.cgi.1’

gitweb.cgi.1                      [ <=>                                              ]   3,03K  --.-KB/s    in 0,01s   

2020-08-15 12:17:32 (207 KB/s) - Read error at byte 3100 (The TLS connection was non-properly terminated.).Retrying.

--2020-08-15 12:17:33--  (try: 2)  https://wip.pkgsrc.org/cgi-bin/gitweb.cgi
Connecting to wip.pkgsrc.org (wip.pkgsrc.org)|195.22.142.117|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘gitweb.cgi.1’

gitweb.cgi.1                      [ <=>                                              ]   3,03K  --.-KB/s    in 0,01s   

2020-08-15 12:17:34 (223 KB/s) - Read error at byte 3100 (The TLS connection was non-properly terminated.).Retrying.

--2020-08-15 12:17:36--  (try: 3)  https://wip.pkgsrc.org/cgi-bin/gitweb.cgi

… and it repeats to retry and download the same content again and again.

A smaller test:

$ gnutls-cli -p 443 -- wip.pkgsrc.org
Processed 126 CA certificate(s).
Resolving 'wip.pkgsrc.org:443'...
Connecting to '2a00:19e0:3004:219:2a92:4aff:fe33:3b71:443'...
Connecting to '195.22.142.117:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
[…]
- Simple Client Mode:

GET /
HTTP/0.9 200 OK
<html>
<head>
<title>pkgsrc-wip git repository</title>
<meta http-equiv="refresh" content="0; URL=https://wip.pkgsrc.org/cgi-bin/gitweb.cgi";>
</head>
<body>
The pkgsrc-wip git repository is <a href="https://wip.pkgsrc.org/cgi-bin/gitweb.cgi";>here</a>.
</body>
</html>
*** Fatal error: The TLS connection was non-properly terminated.
*** Server has terminated the connection abnormally.

While openssl is rather silent on this:

$ openssl s_client -connect wip.pkgsrc.org:443
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = wip.pkgsrc.org
verify return:1
---
Certificate chain
 0 s:CN = wip.pkgsrc.org
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
[…]
---
GET /
HTTP/0.9 200 OK
<html>
<head>
<title>pkgsrc-wip git repository</title>
<meta http-equiv="refresh" content="0; URL=https://wip.pkgsrc.org/cgi-bin/gitweb.cgi";>
</head>
<body>
The pkgsrc-wip git repository is <a href="https://wip.pkgsrc.org/cgi-bin/gitweb.cgi";>here</a>.
</body>
</html>
read:errno=0


So, should this be a bug report to GnuTLS? Or to the server code and
openssl for not choking on it? I figure that, even if the TLS standard
now doesn't require closing a connection explicitly anymore, it is
kindof hard for a client to decide if a download is complete if (for
obvious reasons in case of CGI) the content length is not known and the
connection just drops.


Alrighty then,

Thomas

-- 
Dr. Thomas Orgis
HPC @ Universität Hamburg