"Interesting" problem

Simon Josefsson simon at josefsson.org
Sat Oct 11 21:06:16 CEST 2008


Colin Leroy <colin at colino.net> writes:

> On 11 October 2008 at 18h10, Simon Josefsson wrote:
>
> Hi, 
>
>> Hi!  Thanks for the report, I'm in a hurry now so I can't look into
>> this completely, but gnutls-cli from 2.6.0 seems to work fine against
>> that server (or has the server changed somehow?).  It may be a bug
>> that has been fixed.  I'll debug it more later, but thought I'd give
>> you a quick reply.
>
> Thanks; it looks like Gnutls 2.4.1 also works -- 2.0.4 is the version I
> and the reporter are using.

I tracked down the problem.

The reason the problem is triggered is that the server sends a huge list
of CAs it trusts, and older GnuTLS versions had a small limit to protect
against DoS attacks.  The limit has been increased in v2.4.0:

*** The default handshake size limit has been increased to 48kb.
It appears as if some valid handshakes are large due to sending many
CA certificates.  (The earlier limit was 16kb.)

Thus, the gnutls handshake failed against the server with your GnuTLS
version.  Arguably the server is somewhat strangely configured, but
there are many Debian machines out there that have a large CA trust list
(possibly a bug in the ca-certificates package).

The reason for the _crash_ is a bug in gnutls-cli: older versions didn't
behave correctly on handshake failures.  This was fixed for v2.4.0 as
well:

** gnutls-cli: Fix crash on TLS handshake failures.
Reported by "Marc F. Clemente" <marc at mclemente.net> in Debian BTS #466477.
This is similar to <http://bugs.debian.org/429183>.

See those bug reports for more information.

This explains why Claws Mail just returns an error, whereas gnutls-cli
crashes.  If the problem was in the library, you'd expect that Claws
Mail would have crashed as well.

Anyway, this has been fixed in modern releases.

/Simon
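As an added example (not part of this thread and not GnuTLS's own code), the following Python script builds and parses a TLS 1.0/1.1 CertificateRequest message, the handshake message that carries the server's CA list, and compares its size with the 16 KiB and 48 KiB limits quoted above. The placeholder DN contents are constructed, and both reading "kb" as 1024-byte units and treating the limit as applying to this single handshake message are assumptions.

```python
"""Size-check a TLS CertificateRequest against GnuTLS handshake limits.

Added example with constructed data; the DN bytes are placeholders,
not real CA names, and the KiB reading of the limits is an assumption.
"""
import struct

HANDSHAKE_CERTIFICATE_REQUEST = 13
OLD_LIMIT = 16 * 1024   # limit before GnuTLS 2.4.0 (assumed 1024-byte units)
NEW_LIMIT = 48 * 1024   # limit from GnuTLS 2.4.0 on

def build_certificate_request(ca_names):
    """Build a TLS 1.0/1.1 CertificateRequest (RFC 2246 7.4.4): a handshake
    header, one certificate type (rsa_sign) and the certificate_authorities
    vector of length-prefixed DER DistinguishedNames."""
    cert_types = bytes([1])
    cas = b"".join(struct.pack("!H", len(n)) + n for n in ca_names)
    body = bytes([len(cert_types)]) + cert_types + struct.pack("!H", len(cas)) + cas
    return bytes([HANDSHAKE_CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body

def parse_certificate_request(msg):
    """Return (total handshake message size, number of CA names), rejecting
    truncated or inconsistent length fields."""
    if len(msg) < 4 or msg[0] != HANDSHAKE_CERTIFICATE_REQUEST:
        raise ValueError("not a CertificateRequest handshake message")
    length = int.from_bytes(msg[1:4], "big")
    if len(msg) != 4 + length:
        raise ValueError("handshake length field does not match message size")
    pos = 4
    pos += 1 + msg[pos]                       # skip certificate_types vector
    cas_len, = struct.unpack_from("!H", msg, pos)
    pos += 2
    end = pos + cas_len
    if end != len(msg):
        raise ValueError("certificate_authorities length mismatch")
    count = 0
    while pos < end:
        dn_len, = struct.unpack_from("!H", msg, pos)
        pos += 2 + dn_len
        count += 1
    if pos != end:
        raise ValueError("DistinguishedName runs past certificate_authorities")
    return 4 + length, count

def check_against_limits(msg):
    """Report the message size and whether each GnuTLS generation accepts it."""
    size, count = parse_certificate_request(msg)
    return {"size": size, "ca_count": count,
            "fits_pre_2_4_0": size <= OLD_LIMIT, "fits_2_4_0": size <= NEW_LIMIT}

# Constructed sample: 150 placeholder DER SEQUENCEs (120 bytes each) standing
# in for a large Debian-style CA trust list.
SAMPLE_CA_NAMES = [b"\x30\x76" + bytes(118)] * 150
SAMPLE_MESSAGE = build_certificate_request(SAMPLE_CA_NAMES)

if __name__ == "__main__":
    print(check_against_limits(SAMPLE_MESSAGE))
```

The sample list lands between the two limits, which is exactly the case the thread describes: rejected by a pre-2.4.0 GnuTLS, accepted by 2.4.0 and later.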
