Handshake fails with Internal error in memory allocation
Andreas Metzler
ametzler at downhill.at.eu.org
Thu May 1 15:02:32 CEST 2008
On 2008-04-29 Simon Josefsson <simon at josefsson.org> wrote:
> This error has come up lately, see:
> http://bugs.debian.org/466477
> http://bugs.debian.org/478191
> The cause seems clear, the server sends a huge list of CA certs and
> GnuTLS runs into some fixed size buffer or something. This reproduces
> it:
> gnutls-cli -p 25 -s mail3.mclemente.net
> ehlo foo
> starttls
> ^D
> Nikos, do you have any idea? I could look at it, but have little time
> right now.
Hello,
isn't it a bug that gnutls *sends* this huge list of certificates in
the first place? (Noted by Florian Weimer)?
I think this is rather strange:
Start with this setup:
- Server is using a self signed certificate and key.
- Client is not using any certificate at all.
This works ...
*server* gnutls-serv --port 666 --x509certfile /etc/exim4/exim.crt \
--x509keyfile /etc/exim4/exim.key
*client* gnutls-cli localhost -p 666
... but this suddenly doesn't (with
the old #define MAX_HANDSHAKE_PACKET_SIZE 16*1024):
*server* gnutls-serv --port 666 --x509certfile /etc/exim4/exim.crt \
--x509keyfile /etc/exim4/exim.key \
--x509cafile /etc/ssl/certs/ca-certificates.crt
*client* gnutls-cli localhost -p 666
I do not understand why specifying a list of irrelevant trusted CAs
changes the TLS dialogue at all. Afaict this is not the case for
openssl, this won't break gnutls:
openssl s_server -accept 666 -cert /etc/exim4/exim.crt
-key /etc/exim4/exim.key -CAfile /etc/ssl/certs/ca-certificates.crt
thanks, cu andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
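The mechanism behind the failure described in this thread is the TLS CertificateRequest message: once a server is given a CA file it asks the client for a certificate, and that request carries the distinguished name of every trusted CA. The following is an added example, not code from GnuTLS or from anyone on this thread; it builds the message in the TLS 1.0/1.1 layout of RFC 4346 section 7.4.4 (TLS 1.2 inserts a signature-algorithm list as well), parses it back, and shows how a bundle of constructed CA names blows past the old 16*1024-byte MAX_HANDSHAKE_PACKET_SIZE mentioned above. All CA names are synthetic and the 84-byte-per-name figure comes only from the constructed names.

```python
# Added example: size of a TLS CertificateRequest built from a CA bundle.
# The DNs and organization names below are constructed for illustration.

OID_CN = bytes.fromhex("550403")  # 2.5.4.3 commonName
OID_O = bytes.fromhex("55040a")   # 2.5.4.10 organizationName
HANDSHAKE_CERTIFICATE_REQUEST = 13
OLD_GNUTLS_LIMIT = 16 * 1024      # #define MAX_HANDSHAKE_PACKET_SIZE 16*1024


def der_length(n: int) -> bytes:
    """Definite-form DER length encoding."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def encode_dn(common_name: str, organization: str) -> bytes:
    """Minimal X.501 Name: SEQUENCE of SET { OID, UTF8String } pairs."""
    def attribute(oid: bytes, value: str) -> bytes:
        atv = der_tlv(0x30, der_tlv(0x06, oid) + der_tlv(0x0C, value.encode()))
        return der_tlv(0x31, atv)  # RelativeDistinguishedName is a SET
    return der_tlv(0x30, attribute(OID_O, organization) + attribute(OID_CN, common_name))


def certificate_request(ca_names: list, cert_types=(1, 2)) -> bytes:
    """CertificateRequest handshake message (RFC 4346 section 7.4.4).

    certificate_types <1..2^8-1>, then certificate_authorities <0..2^16-1>
    as a sequence of 2-byte-length-prefixed DER DistinguishedNames.
    """
    body = bytes([len(cert_types)]) + bytes(cert_types)
    cas = b"".join(len(dn).to_bytes(2, "big") + dn for dn in ca_names)
    if len(cas) > 0xFFFF:
        raise ValueError("certificate_authorities exceeds 2^16-1 bytes")
    body += len(cas).to_bytes(2, "big") + cas
    return bytes([HANDSHAKE_CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body


def parse_certificate_request(msg: bytes) -> list:
    """Inverse of certificate_request(); returns the list of DER DNs."""
    if msg[0] != HANDSHAKE_CERTIFICATE_REQUEST:
        raise ValueError("not a CertificateRequest")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated handshake message")
    pos = 1 + body[0]  # skip certificate_types
    cas_len = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    end = pos + cas_len
    names = []
    while pos < end:
        dn_len = int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        names.append(body[pos:pos + dn_len])
        pos += dn_len
    if pos != end:
        raise ValueError("malformed certificate_authorities")
    return names


def constructed_ca_names(count: int) -> list:
    """Constructed stand-in for a CA bundle: `count` DNs of 82 bytes each."""
    return [encode_dn(f"Constructed Root CA {i:03d}", "Constructed Certification Authority")
            for i in range(count)]


def fits_old_limit(ca_names: list, limit: int = OLD_GNUTLS_LIMIT) -> bool:
    """True if the CertificateRequest fits the fixed handshake buffer."""
    return len(certificate_request(ca_names)) <= limit


if __name__ == "__main__":
    for n in (20, 200):
        msg = certificate_request(constructed_ca_names(n))
        print(f"{n:3d} CAs -> {len(msg)} bytes, fits {OLD_GNUTLS_LIMIT}: {fits_old_limit(constructed_ca_names(n))}")
```

With the constructed names each DN costs 84 bytes on the wire (82 bytes of DER plus the 2-byte length), so a bundle of about 200 trusted CAs already exceeds a 16 KiB handshake buffer even though none of those CAs has anything to do with the server's own self-signed certificate; a 2^16-1 byte ceiling on certificate_authorities is a hard protocol limit on top of that.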