GnuTLS/NSS interop in Exim 4.80 RC

Janne Snabb snabb at epipe.com
Tue May 22 10:38:00 CEST 2012


On 2012-05-22 14:47, Nikos Mavrogiannopoulos wrote:
>  I don't really understand what you mean here. Is there an issue in
> gnutls we can somehow improve?

The previously discussed interop problem between GnuTLS and NSS
manifests itself in such a way that the NSS client just closes the TCP
connection after it receives the "Server Hello" packet, which it does not
like. The GnuTLS library provides very misleading diagnostics in that case:

[..snip..]
4011 GnuTLS<4>: REC[0x1213b00]: Sending Packet[3] Handshake(22) with length: 4
4011 GnuTLS<4>: REC[0x1213b00]: Sent Packet[4] Handshake(22) with length: 9
4011 GnuTLS<2>: ASSERT: gnutls_buffers.c:640
4011 GnuTLS<2>: ASSERT: gnutls_record.c:969
4011 GnuTLS<2>: ASSERT: gnutls_handshake.c:3061
4011 LOG: MAIN
4011 TLS error on connection from localhost [127.0.0.1] (gnutls_handshake): A TLS packet with unexpected length was received.
4003 child 4011 ended: status=0x0
4003 normal exit, 0

Instead of seeing an indication of EOF, GnuTLS reports "TLS packet with
unexpected length was received". One must dive into gnutls_buffers.c to
realize that it was EOF that just happened:

  if (ret == 0)
    {                           /* EOF */
      gnutls_assert ();
      return 0;
    }

For a more complete log see:

http://www.gossamer-threads.com/lists/exim/users/94048#94048


I updated the NSS bug [1] with simple instructions on how to reproduce
the issue using GnuTLS command line tools and Firefox. Even if the hard
limit in NSS is fixed quickly, this will be a burden for TLS server side
developers for many years to come. Luckily, new versions of GnuTLS now
have ECDHE-RSA key exchange support, as it masks the DHE-RSA interop
problem. People can survive with recent NSS clients if they make sure
that ECDHE-RSA is enabled on their servers.

I think the only reason why we have not already seen wide-spread
breakage is that the developers who use GnuTLS are not yet using the new
gnutls_sec_param_to_pk_bits() API and are instead manually setting the
DHE key size to 1024 or 2048 which works with NSS.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=636802

-- 
Janne Snabb / EPIPE Communications
snabb at epipe.com - http://epipe.com/
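The misleading "unexpected length" diagnostic above is easy to mis-triage as a malformed record. The following script is an added example (not part of the mailing-list post, nor GnuTLS or Exim code) that reads a GnuTLS server-side debug log, reconstructs the record-layer trace, and labels the failure as a peer-initiated close when the error is paired with the gnutls_buffers.c assert that marks EOF. The log excerpt embedded in it is the one quoted in the post with the wrapped lines rejoined; the second, negative sample is constructed. The interpretation that a "Sent" length is the "Sending" length plus a 5-byte record header, and that a 4-byte Handshake message is ServerHelloDone, are assumptions based on the TLS record format rather than anything stated in the post.

```python
"""Triage GnuTLS server debug output for handshake failures caused by the
peer closing the TCP connection (added example; not from the post or from
the GnuTLS/Exim projects)."""
import re

# Quoted from the post, with the two line-wrapped entries rejoined.
SAMPLE_LOG = """\
4011 GnuTLS<4>: REC[0x1213b00]: Sending Packet[3] Handshake(22) with length: 4
4011 GnuTLS<4>: REC[0x1213b00]: Sent Packet[4] Handshake(22) with length: 9
4011 GnuTLS<2>: ASSERT: gnutls_buffers.c:640
4011 GnuTLS<2>: ASSERT: gnutls_record.c:969
4011 GnuTLS<2>: ASSERT: gnutls_handshake.c:3061
4011 LOG: MAIN
4011 TLS error on connection from localhost [127.0.0.1] (gnutls_handshake): A TLS packet with unexpected length was received.
"""

# Constructed negative sample: an error that is not an EOF at the record layer.
OTHER_LOG = """\
4012 GnuTLS<2>: ASSERT: gnutls_handshake.c:3061
4012 TLS error on connection from localhost [127.0.0.1] (gnutls_handshake): Some other handshake error.
"""

UNEXPECTED_LEN = "A TLS packet with unexpected length was received."
RECORD_HEADER_LEN = 5  # assumption: "Sent" length = "Sending" length + TLS record header

REC_RE = re.compile(r"(?P<state>Sending|Sent) Packet\[(?P<n>\d+)\] "
                    r"(?P<ctype>\w+)\((?P<cnum>\d+)\) with length: (?P<len>\d+)")
ASSERT_RE = re.compile(r"ASSERT: (?P<file>[\w.]+):(?P<line>\d+)")
ERROR_RE = re.compile(r"\((?P<func>gnutls_[a-z_]+)\): (?P<msg>.+)$")


def parse_lines(text):
    """Return (records, asserts, error) extracted from a GnuTLS debug excerpt."""
    records, asserts, error = [], [], None
    for line in text.splitlines():
        m = REC_RE.search(line)
        if m:
            records.append((m["state"], int(m["n"]), m["ctype"], int(m["len"])))
            continue
        m = ASSERT_RE.search(line)
        if m:
            asserts.append((m["file"], int(m["line"])))
            continue
        m = ERROR_RE.search(line)
        if m:
            error = (m["func"], m["msg"].strip())
    return records, asserts, error


def describe_last_handshake(records):
    """Name the last handshake message the server sent, if recognisable.
    A 4-byte Handshake message (header only, empty body) is ServerHelloDone."""
    for state, _n, ctype, length in reversed(records):
        if ctype != "Handshake":
            continue
        body = length if state == "Sending" else length - RECORD_HEADER_LEN
        if body == 4:
            return "ServerHelloDone"
        return "Handshake message of %d bytes" % body
    return None


def triage(text):
    """Classify the failure: 'no-error', 'peer-eof' or 'handshake-error'."""
    records, asserts, error = parse_lines(text)
    result = {
        "last_sent": next(((n, c, l) for s, n, c, l in reversed(records) if s == "Sent"), None),
        "last_handshake": describe_last_handshake(records),
        "asserts": asserts,
        "error": error[1] if error else None,
    }
    # gnutls_buffers.c asserts on ret == 0 from the transport, i.e. EOF.
    eof_assert = any(f == "gnutls_buffers.c" for f, _ in asserts)
    if error is None:
        result["verdict"] = "no-error"
        result["explanation"] = "No gnutls_handshake error in this excerpt."
    elif error[1] == UNEXPECTED_LEN and eof_assert:
        result["verdict"] = "peer-eof"
        result["explanation"] = (
            "Peer closed the TCP connection after the server's last flight "
            "(last message: %s). This is an EOF, not a malformed record; check "
            "whether the client rejects the offered DHE parameters and whether "
            "ECDHE-RSA is enabled." % result["last_handshake"])
    else:
        result["verdict"] = "handshake-error"
        result["explanation"] = "Handshake failed in %s: %s" % error
    return result


if __name__ == "__main__":
    for sample in (SAMPLE_LOG, OTHER_LOG):
        r = triage(sample)
        print(r["verdict"], "-", r["explanation"])
```

Run it against a full Exim `-d` debug capture rather than the excerpt to see which flight the peer dropped; the verdict `peer-eof` combined with `ServerHelloDone` as the last message is the signature of the NSS behaviour described in the post.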