Handshake fails with Internal error in memory allocation
simon at josefsson.org
Tue Apr 29 10:34:05 CEST 2008
Nikos Mavrogiannopoulos <nmav at gnutls.org> writes:
> Simon Josefsson wrote:
>> This error has come up lately, see:
>> The cause seems clear, the server sends a huge list of CA certs and
>> GnuTLS runs into some fixed size buffer or something. This reproduces
>> gnutls-cli -p 25 -s mail3.mclemente.net
>> ehlo foo
>> Nikos, do you have any idea? I could look at it, but have little time
>> right now.
> There is this function that can be used to increase the default
> handshake packet size. The current is 16kb and is used to protect from
> denial of service.
> * gnutls_handshake_set_max_packet_length - set the maximum length of a
> handshake message
> * @session: is a #gnutls_session_t structure.
> * @max: is the maximum number.
> * This function will set the maximum size of a handshake message.
> * Handshake messages over this size are rejected. The default value
> * is 16kb which is large enough. Set this to 0 if you do not want to
> * set an upper limit.
Ah, thanks for the pointer. It seems this is also used for the _total_
handshake packet size, in gnutls_buffers.c:
/* Buffer for handshake packets. Keeps the packets in order
 * for finished messages to use them. Used in HMAC calculation
 * and finished messages.
 */
int
_gnutls_handshake_buffer_put (gnutls_session_t session, opaque * data,
                              size_t length)
{
  if (length == 0)
    return 0;

  if ((session->internals.max_handshake_data_buffer_size > 0) &&
      ((length + session->internals.handshake_hash_buffer.length) >
       session->internals.max_handshake_data_buffer_size))
    {
      /* ... message rejected; the rest of the function is not quoted here ... */
    }
  ...
I've increased the default limit to 48kb. One of the servers in these
two bug reports needed 25kb to do the handshake.
I've also updated the documentation for that function slightly.
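The limit discussed above is applied to the running total of all buffered handshake data, not to a single message, which is why a server presenting a long CA list can trip it even though no individual record is oversized. The following self-contained C program is an added illustration written for this page; it is not GnuTLS code. It models a transcript buffer whose cap is checked against the cumulative length (0 meaning no limit, as the quoted documentation describes), then feeds a constructed 25 KiB Certificate message through it in 4 KiB fragments under the old 16 KiB and the new 48 KiB defaults. The names hsk_buffer_put, simulate_handshake and the HSK_* error codes are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Error codes for this example (constructed; not GnuTLS's values). */
#define HSK_OK           0
#define HSK_E_TOO_LARGE -1
#define HSK_E_MEMORY    -2

/* Growable buffer holding every handshake message received so far, so the
 * Finished verify_data can later be computed over the full transcript.
 * max_size == 0 means "no upper limit", mirroring the documented API. */
typedef struct {
    unsigned char *data;
    size_t length;    /* bytes currently buffered */
    size_t capacity;  /* bytes allocated */
    size_t max_size;  /* cap on length, 0 = unlimited */
} hsk_buffer_t;

void hsk_buffer_init(hsk_buffer_t *b, size_t max_size) {
    b->data = NULL;
    b->length = 0;
    b->capacity = 0;
    b->max_size = max_size;
}

void hsk_buffer_free(hsk_buffer_t *b) {
    free(b->data);
    b->data = NULL;
    b->length = b->capacity = 0;
}

/* Append one handshake fragment. The cap is enforced on the running total,
 * so a peer cannot bypass it by splitting data into many small fragments.
 * Invariant: when max_size > 0, length <= max_size always holds, which makes
 * the subtraction below safe and avoids size_t wrap-around in (length + n). */
int hsk_buffer_put(hsk_buffer_t *b, const unsigned char *data, size_t n) {
    if (n == 0)
        return HSK_OK;
    if (b->max_size > 0 && n > b->max_size - b->length)
        return HSK_E_TOO_LARGE;            /* equivalent to b->length + n > max_size */
    if (b->length + n > b->capacity) {
        size_t new_cap = b->capacity ? b->capacity : 4096;
        while (new_cap < b->length + n)
            new_cap *= 2;
        unsigned char *p = realloc(b->data, new_cap);
        if (p == NULL)
            return HSK_E_MEMORY;
        b->data = p;
        b->capacity = new_cap;
    }
    memcpy(b->data + b->length, data, n);
    b->length += n;
    return HSK_OK;
}

/* Simulate receiving a Certificate message of total_bytes, delivered in
 * fragment-sized pieces, under the given cap. Returns the first error seen,
 * or HSK_OK when the whole message was buffered. The payload is constructed
 * filler; its contents are irrelevant to the size accounting. */
int simulate_handshake(size_t total_bytes, size_t fragment, size_t max_size) {
    unsigned char chunk[4096];
    memset(chunk, 0x0b, sizeof chunk);   /* constructed filler bytes */
    hsk_buffer_t b;
    hsk_buffer_init(&b, max_size);
    int rc = HSK_OK;
    size_t sent = 0;
    while (sent < total_bytes && rc == HSK_OK) {
        size_t n = total_bytes - sent;
        if (n > fragment)
            n = fragment;
        if (n > sizeof chunk)
            n = sizeof chunk;
        rc = hsk_buffer_put(&b, chunk, n);
        sent += n;
    }
    hsk_buffer_free(&b);
    return rc;
}

int main(void) {
    printf("25 KiB handshake, 16 KiB cap: %d\n",
           simulate_handshake(25 * 1024, 4096, 16 * 1024));
    printf("25 KiB handshake, 48 KiB cap: %d\n",
           simulate_handshake(25 * 1024, 4096, 48 * 1024));
    printf("25 KiB handshake, no cap:     %d\n",
           simulate_handshake(25 * 1024, 4096, 0));
    return 0;
}
```

The first run fails with HSK_E_TOO_LARGE on the fifth fragment, the second and third succeed. Note that a message exactly at the cap is accepted, since the quoted check rejects only when the total strictly exceeds the limit; and that raising the default trades a larger per-connection memory bound for compatibility with servers that send long certificate chains or CA lists.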