Handshake fails with Internal error in memory allocation

Simon Josefsson simon at josefsson.org
Thu May 1 22:32:29 CEST 2008


Andreas Metzler <ametzler at downhill.at.eu.org> writes:

> ... but this suddenly doesn't (with
> the old #define MAX_HANDSHAKE_PACKET_SIZE 16*1024):
> *server*  gnutls-serv --port 666 --x509certfile /etc/exim4/exim.crt \
>     --x509keyfile /etc/exim4/exim.key \
>     --x509cafile /etc/ssl/certs/ca-certificates.crt
> *client* gnutls-cli localhost -p 666
>
> I do not understand why specifying a list of irrelevant trusted CAs
> changes the TLS dialogue at all.

It does change the TLS dialogue.

The problem may be that /etc/ssl/certs/ca-certificates.crt contains a
lot of CA certificates.  A setting of trusting all CAs shipped with
Debian seems rather weird to me, I'd expect the default to be to not
trust any CA and that administrators can selectively add CAs.

> Afaict this is not the case for openssl, this won't break gnutls:
> openssl s_server -accept 666 -cert /etc/exim4/exim.crt -key
> /etc/exim4/exim.key -CAfile /etc/ssl/certs/ca-certificates.crt

But does openssl request a client certificate?  The list of CAs isn't
sent otherwise.

/Simon
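The point Simon makes above is that the trusted-CA list only goes on the wire inside the CertificateRequest message, which a server sends only when it asks for a client certificate, and that message carries the DER subject name of every CA the server trusts. The following is an added example, not GnuTLS or OpenSSL code, that serialises a CertificateRequest from a list of DER names and checks it against the 16*1024 limit quoted in the thread. It assumes the server advertises all trusted CAs (RFC 4346 section 7.4.4 for TLS 1.0/1.1, RFC 5246 section 7.4.4 for TLS 1.2); the names it uses are constructed stand-ins of roughly root-CA size, not subjects from any real bundle.

```python
# Added example (not GnuTLS or OpenSSL code): how big does a TLS
# CertificateRequest get when every trusted CA's name is advertised in it?
# Assumptions: the server lists all trusted CAs in certificate_authorities
# (RFC 4346 s7.4.4 for TLS 1.0/1.1, RFC 5246 s7.4.4 for TLS 1.2), and the
# DNs below are synthetic stand-ins for real root-CA subject names.
import struct

MAX_HANDSHAKE_PACKET_SIZE = 16 * 1024   # the #define quoted in the thread
CERTIFICATE_REQUEST = 13                # HandshakeType certificate_request


def der_tlv(tag, content):
    """Encode one DER tag/length/value triple (definite, minimal length)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content


OID_C = b"\x55\x04\x06"    # id-at-countryName      2.5.4.6
OID_O = b"\x55\x04\x0a"    # id-at-organizationName 2.5.4.10
OID_CN = b"\x55\x04\x03"   # id-at-commonName       2.5.4.3


def rdn(oid, value):
    """RelativeDistinguishedName: SET { SEQUENCE { OID, PrintableString } }."""
    atv = der_tlv(0x30, der_tlv(0x06, oid) + der_tlv(0x13, value.encode("ascii")))
    return der_tlv(0x31, atv)


def synthetic_dn(country, org, cn):
    """An X.501 Name (SEQUENCE OF RDN), the same encoding as a cert's subject."""
    return der_tlv(0x30, rdn(OID_C, country) + rdn(OID_O, org) + rdn(OID_CN, cn))


def bundle_like(n):
    """n constructed CA subjects, sized like typical root-CA names (110 bytes each)."""
    return [synthetic_dn("US", "Example Trust Services Organization %03d" % i,
                         "Example Trust Services Root CA %03d" % i)
            for i in range(n)]


def certificate_authorities(dns):
    """certificate_authorities<0..2^16-1>: each DistinguishedName<1..2^16-1>
    gets its own 2-byte length, then the whole list gets a 2-byte length."""
    cas = b"".join(struct.pack("!H", len(dn)) + dn for dn in dns)
    if len(cas) > 0xFFFF:
        raise ValueError("CA list does not fit the 16-bit vector length")
    return struct.pack("!H", len(cas)) + cas


def certificate_request(dns, tls12=False):
    """Full handshake message: type(1) + length(3) + CertificateRequest body."""
    body = bytes([2, 1, 2])                         # certificate_types: rsa_sign, dss_sign
    if tls12:                                       # TLS 1.2 adds supported_signature_algorithms
        sig_algs = bytes([0x04, 0x01, 0x02, 0x01])  # sha256/rsa, sha1/rsa
        body += struct.pack("!H", len(sig_algs)) + sig_algs
    body += certificate_authorities(dns)
    return bytes([CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body


def fits_in_packet(msg, limit=MAX_HANDSHAKE_PACKET_SIZE):
    """Does the whole handshake message fit a fixed buffer of `limit` bytes?"""
    return len(msg) <= limit


if __name__ == "__main__":
    for n in (10, 100, 146, 147, 200):
        msg = certificate_request(bundle_like(n))
        print("%3d CAs -> %5d-byte CertificateRequest, fits=%s"
              % (n, len(msg), fits_in_packet(msg)))
```

With these 110-byte names the message crosses 16 KiB at 147 CAs, so a bundle of a few hundred trusted roots cannot fit a fixed 16*1024 buffer regardless of which CAs are "relevant" to the client. To measure a real bundle, replace `bundle_like()` with the DER-encoded subject of each certificate in the file; the size of the list, not the validity of any CA in it, is what the receiver has to buffer.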
