Handshake fails with Internal error in memory allocation

Andreas Metzler ametzler at downhill.at.eu.org
Thu May 1 15:02:32 CEST 2008

On 2008-04-29 Simon Josefsson <simon at josefsson.org> wrote:
> This error has come up lately, see:

> http://bugs.debian.org/466477
> http://bugs.debian.org/478191

> The cause seems clear, the server sends a huge list of CA certs and
> GnuTLS runs into some fixed size buffer or something.  This reproduces
> it:

> gnutls-cli -p 25 -s mail3.mclemente.net
> ehlo foo
> starttls
> ^D

> Nikos, do you have any idea?  I could look at it, but have little time
> right now.


Isn't it a bug that gnutls *sends* this huge list of certificates in
the first place? (Noted by Florian Weimer.)

I think this is rather strange:

Start with this setup:
  - Server is using a self signed certificate and key.
  - Client is not using any certificate at all.

This works ...
*server* gnutls-serv --port 666 --x509certfile /etc/exim4/exim.crt \
    --x509keyfile /etc/exim4/exim.key
*client* gnutls-cli localhost -p 666

... but this suddenly doesn't (with
the old #define MAX_HANDSHAKE_PACKET_SIZE 16*1024):
*server*  gnutls-serv --port 666 --x509certfile /etc/exim4/exim.crt \
    --x509keyfile /etc/exim4/exim.key \
    --x509cafile /etc/ssl/certs/ca-certificates.crt
*client* gnutls-cli localhost -p 666

I do not understand why specifying a list of irrelevant trusted CAs
changes the TLS dialogue at all. Afaict this is not the case for
openssl, this won't break gnutls:
 openssl s_server -accept 666 -cert /etc/exim4/exim.crt \
   -key /etc/exim4/exim.key -CAfile /etc/ssl/certs/ca-certificates.crt

thanks, cu andreas
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
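As an added illustration (not code from this thread or from GnuTLS), the following builds the TLS 1.0/1.1 CertificateRequest a server emits when it has trusted CAs configured, whose certificate_authorities list of DER-encoded distinguished names grows with every entry in the CA file, parses it back with bounds checks, and compares the resulting handshake message against the 16*1024 byte limit quoted above. The CA names are synthetic, and the assumption that the whole message must fit one fixed buffer is taken from the mail, not from GnuTLS source.

```python
import struct

MAX_HANDSHAKE_PACKET_SIZE = 16 * 1024   # the fixed limit quoted in the mail
HANDSHAKE_CERTIFICATE_REQUEST = 13      # HandshakeType value (RFC 2246/4346)
CERT_TYPE_RSA_SIGN = 1

def _der(tag, content):
    """DER TLV; short-form or one-byte long-form length (enough for a CN)."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n])
    return bytes([tag]) + length + content

def der_name_cn(common_name):
    """Constructed X.501 Name with one CN attribute: SEQ{SET{SEQ{OID,PrintableString}}}."""
    oid_cn = _der(0x06, bytes([0x55, 0x04, 0x03]))        # OID 2.5.4.3 (commonName)
    value = _der(0x13, common_name.encode("ascii"))        # PrintableString
    return _der(0x30, _der(0x31, _der(0x30, oid_cn + value)))

def build_certificate_request(ca_names):
    """Full handshake message: type, 3-byte length, cert types, DN list."""
    cert_types = bytes([1, CERT_TYPE_RSA_SIGN])
    dn_list = b"".join(struct.pack(">H", len(n)) + n for n in ca_names)
    body = cert_types + struct.pack(">H", len(dn_list)) + dn_list
    return bytes([HANDSHAKE_CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body

def parse_certificate_request(msg):
    """Return the DNs a CertificateRequest carries, rejecting malformed lengths."""
    if len(msg) < 7 or msg[0] != HANDSHAKE_CERTIFICATE_REQUEST:
        raise ValueError("not a CertificateRequest")
    body = msg[4:]
    if len(body) != int.from_bytes(msg[1:4], "big"):
        raise ValueError("handshake length does not match message")
    pos = 1 + body[0]                               # skip certificate_types vector
    if pos + 2 > len(body):
        raise ValueError("truncated certificate_types")
    list_len = int.from_bytes(body[pos:pos + 2], "big")
    pos, end, names = pos + 2, pos + 2 + list_len, []
    if end != len(body):
        raise ValueError("DN list length does not match body")
    while pos < end:
        n = int.from_bytes(body[pos:pos + 2], "big")
        if pos + 2 + n > end:
            raise ValueError("DN runs past end of list")
        names.append(body[pos + 2:pos + 2 + n])
        pos += 2 + n
    return names

def exceeds_handshake_limit(msg, limit=MAX_HANDSHAKE_PACKET_SIZE):
    return len(msg) > limit
```

With the 31-byte synthetic names used here, 496 CAs still fit the 16 KiB buffer and the 497th pushes the message over it; real CA bundle DNs are several times longer, so the limit is reached far sooner.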
