GnuTLS recv error (-9): A TLS packet with unexpected length was received. - with Paypal Website Payment Pro

Joe Orton joe at manyfish.co.uk
Thu Feb 3 13:14:17 CET 2011


On Thu, Feb 03, 2011 at 11:03:10AM +0100, Nikos Mavrogiannopoulos wrote:
> On Wed, Feb 2, 2011 at 11:33 PM, Joe Orton <joe at manyfish.co.uk> wrote:
> >> Several sites terminate the TLS connection without following the TLS
> >> protocol (i.e. sending closure alerts), but rather terminate the TCP
> >> connection directly. This is a relic of SSLv2 and it seems other
> >> implementations ignore this error. GnuTLS doesn't and thus prints
> >> this error. You could ignore it, but then you could not distinguish
> >> between a premature connection termination (i.e. by someone injecting
> >> a stray TCP termination packet) and normal termination.
> > The problem is that GnuTLS does not distinguish the TCP closure case
> > from this rather generic "unexpected length" error, as has been
> > discussed on this list before.  The OpenSSL API does expose this
> > distinction.
> 
> How does openssl expose this distinction? Does it have a separate error for
> unclean termination?

Via the SSL_get_error() interface, see part on SSL_ERROR_SYSCALL.

Regards, Joe
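
The distinction discussed in this message, as an added example that is not part of the original post or of either library: a pure C sketch of how a caller might classify the end of a connection from the values OpenSSL reports after `SSL_read()`, and when a truncated close can still be accepted. The names `classify_close`, `body_is_trustworthy` and `close_kind` are hypothetical, and the three `E_*` constants are assumed to mirror `SSL_ERROR_SSL`, `SSL_ERROR_SYSCALL` and `SSL_ERROR_ZERO_RETURN` from `<openssl/ssl.h>` so the block compiles without the library.

```c
#include <stdio.h>

/* Assumed to mirror SSL_ERROR_SSL / _SYSCALL / _ZERO_RETURN; real code includes <openssl/ssl.h>. */
enum { E_SSL = 1, E_SYSCALL = 5, E_ZERO_RETURN = 6 };

typedef enum { CLOSE_CLEAN, CLOSE_TRUNCATED, CLOSE_IO_ERROR, CLOSE_OTHER } close_kind;

/*
 * ret         : return value of SSL_read()
 * ssl_err     : SSL_get_error(ssl, ret)
 * queue_empty : ERR_peek_error() == 0
 * eof_reason  : queued reason is SSL_R_UNEXPECTED_EOF_WHILE_READING (OpenSSL 3.x)
 */
close_kind classify_close(int ret, int ssl_err, int queue_empty, int eof_reason)
{
    if (ssl_err == E_ZERO_RETURN)
        return CLOSE_CLEAN;               /* peer sent a close_notify alert */
    if (ssl_err == E_SYSCALL && queue_empty)
        return ret == 0 ? CLOSE_TRUNCATED /* TCP EOF with no close_notify */
                        : CLOSE_IO_ERROR; /* ret == -1: inspect errno */
    if (ssl_err == E_SSL && eof_reason)
        return CLOSE_TRUNCATED;           /* same event as reported by OpenSSL 3.x */
    return CLOSE_OTHER;
}

/*
 * Policy: data that ended in a truncated close is only acceptable when the
 * application protocol delimits it itself (declared_len >= 0, for example an
 * HTTP Content-Length) and every declared byte arrived. A body delimited by
 * connection close (declared_len < 0) needs the close_notify.
 */
int body_is_trustworthy(close_kind k, long declared_len, long received)
{
    if (k == CLOSE_CLEAN)
        return declared_len < 0 || received == declared_len;
    if (k == CLOSE_TRUNCATED)
        return declared_len >= 0 && received == declared_len;
    return 0;
}

int main(void)
{
    close_kind k = classify_close(0, E_SYSCALL, 1, 0);
    printf("truncated=%d accept_unframed=%d accept_framed=%d\n",
           k == CLOSE_TRUNCATED,
           body_is_trustworthy(k, -1, 500),
           body_is_trustworthy(k, 500, 500));
    return 0;
}
```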



