Interoperability issues (Debian Bug #348046)
mh+gnutls-devel at zugschlus.de
Tue Feb 26 23:27:39 CET 2008
On Tue, Feb 26, 2008 at 05:59:22PM +0100, Simon Josefsson wrote:
> Marc Haber <mh+gnutls-devel at zugschlus.de> writes:
> >> > (G) Andrew McGlashan finding it impossible to connect to gnutls-serv
> >> > with incredimail (giving debug output in Message 224).
> > That one is Debian Bug #459323 and has been pinned down to incredimail
> > being unable to handle client certificate requests. This can be worked
> > around by exim configuration and is clearly brokenness on
> > incredimail's part. Additionally, this incredimail issue also happens
> > when exim (in Debian's default configuration which requests client
> > ceritificates, but does not act on them by default) is compiled
> > against OpenSSL and also explains why Postfix works.
> Interesting. Maybe some documentation on this issue is warranted,
> especially if it affects other implementations than incredimail as well.
I have documented this in Debian exim4's README.Debian.
> > For example, the incredimail issue would have been more easily pinned
> > down if the error message logged on the server would have been
> > something like "A TLS packet with an unexpected length was received in
> > response to our client certificate request", or the random MAC padding
> > by "Connection was dropped by the remote side after we announced that
> > we would like to do random MAC padding".
> One "problem" with TLS is that each packet contains many requests so it
> can be difficult to know what triggered the problem. The handshake is
> typically just two round trips.
Is it possible to stretch the handshake for debugging purposes to
obtain more accurate errors in a lab setup?
> However, to be able to improve the error messages here, I need to know
> where in gnutls the error code was generated. A debug log containing
> the gnutls_assert() outputs from where the error code is generated is
I have the lab setup still available. Do I need to recompile GnuTLS
(and libgcrypt?) in order to obtain the gnutls_assert() outputs? What
do I do to do this?
> Many thanks for your diligent work!
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 3221 2323190
More information about the Gnutls-devel