Handshake fails with Internal error in memory allocation

Simon Josefsson simon at josefsson.org
Thu May 1 22:32:29 CEST 2008

Andreas Metzler <ametzler at downhill.at.eu.org> writes:

> ... but this suddenly doesn't (with
> the old #define MAX_HANDSHAKE_PACKET_SIZE 16*1024):
> *server*  gnutls-serv --port 666 --x509certfile /etc/exim4/exim.crt \
>     --x509keyfile /etc/exim4/exim.key \
>     --x509cafile /etc/ssl/certs/ca-certificates.crt
> *client* gnutls-cli localhost -p 666
> I do not understand why specifying a list of irrelevant trusted CAs
> changes the the TLS dialogue at all.

It does change the TLS dialogue.

The problem may be that /etc/ssl/certs/ca-certificates.crt contains a
lot of CA certificates.  A setting of trusting all CAs shipped with
debian seems rather weird to me, I'd expect the default to be to not
trust any CA and that administrators can selectively add CAs.

> Afaict this is not the case for openssl, this won't break gnutls:
> openssl s_server -accept 666 -cert /etc/exim4/exim.crt -key
> /etc/exim4/exim.key -CAfile /etc/ssl/certs/ca-certificates.crt

But does openssl request a client certificate?  The list of CAs isn't
sent otherwise.


More information about the Gnutls-devel mailing list