Big CA certificate bundle causes problems with GnuTLS 3.0.11

Nikos Mavrogiannopoulos n.mavrogiannopoulos at
Tue May 29 22:36:55 CEST 2012

On 05/29/2012 04:46 PM, Janne Snabb wrote:

> I am experiencing a TLS handshake problem when GnuTLS 3.0.11 server has
> a big pile of CA certificates to verify against. I can not reproduce the
> problem with GnuTLS 2.12.14.
> Steps to re-produce:
> Note that the file /etc/ssl/certs/ca-certificates.crt contains a big
> pile of certificates, as distributed by Debian and Ubuntu
> "ca-certificates" package. (I am happy to send it if needed.) If I
> specify just a sigle CA cert I do not see any problems.
> This means that when the problem happens the "certificate request" is
> bigger than 16k.

Thank you for reporting this. A quick solution to avoid this issue is to
restrict the CAs that you enable to the server to the minimum required
(a typical server needs to trust only the authorities that signed the
user's certificates).


More information about the Gnutls-help mailing list