Big CA certificate bundle causes problems with GnuTLS 3.0.11
n.mavrogiannopoulos at gmail.com
Tue May 29 22:48:50 CEST 2012
On 05/29/2012 10:37 PM, Michal Suchanek wrote:
>> hsk->start_offset is always 0.
>> hsk->end_offset is always (hsk->length - 1) [because this isn't DTLS].
>> So the check added in 67f4dba6 is going to always reject a fragmented
>> handshake packet.
> Now what I do not get is how a pile of CA certificates is fragmenting
> the packets.
In the TLS protocol the server advertises its CA certificates so that a
client knows which certificate to present. If a server trusts all
the certificates in the system, the server would advertise all of them
(their DNs actually).
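To make the size effect concrete, here is an added example (my own code, not GnuTLS code and not from the thread) that builds a TLS 1.2 CertificateRequest with a constructed list of CA Distinguished Names and counts how many TLS records the handshake message would span. The message layout follows RFC 5246 section 7.4.4 (certificate_types, supported_signature_algorithms, then certificate_authorities as a vector of DER-encoded Names); the DNs are generated locally, the `constructed_bundle` helper and the chosen cipher/signature lists are assumptions for the example, and the 2^14-byte record limit is the TLS plaintext maximum.

```python
"""Size of the certificate_authorities list in a TLS 1.2 CertificateRequest.

Added example, not GnuTLS code. The CA names are constructed locally; no
real CA bundle is read. Layout per RFC 5246 section 7.4.4:
    CertificateRequest {
        ClientCertificateType certificate_types<1..2^8-1>;
        SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;
        DistinguishedName certificate_authorities<0..2^16-1>;  # each DN opaque<1..2^16-1>
    }
"""
import math

TLS_MAX_PLAINTEXT = 2 ** 14          # RFC 5246 section 6.2.1
HS_CERTIFICATE_REQUEST = 13          # HandshakeType certificate_request


# --- minimal DER encoding for an X.501 Name (only what this example needs) ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


OID_CN = bytes.fromhex("550403")   # id-at-commonName
OID_O = bytes.fromhex("55040a")    # id-at-organizationName
OID_C = bytes.fromhex("550406")    # id-at-countryName


def rdn(oid, value, string_tag=0x0C):
    """RelativeDistinguishedName: SET { SEQUENCE { OID, string } }."""
    return der(0x31, der(0x30, der(0x06, oid) + der(string_tag, value.encode())))


def der_name(cn, org, country):
    """Name ::= SEQUENCE OF RelativeDistinguishedName, in C, O, CN order."""
    return der(0x30, rdn(OID_C, country, 0x13) + rdn(OID_O, org) + rdn(OID_CN, cn))


# --- TLS 1.2 CertificateRequest ---
def certificate_authorities(names):
    """Vector of <2-byte length, DER Name>, itself prefixed by a 2-byte length."""
    body = b"".join(len(n).to_bytes(2, "big") + n for n in names)
    if len(body) > 0xFFFF:
        raise ValueError("certificate_authorities exceeds 2^16-1 bytes; list must be trimmed")
    return len(body).to_bytes(2, "big") + body


def build_certificate_request(names):
    cert_types = b"\x02\x01\x40"                   # rsa_sign, ecdsa_sign (assumed choice)
    sig_algs = b"\x00\x04" + b"\x04\x01\x04\x03"   # sha256/rsa, sha256/ecdsa (assumed choice)
    body = cert_types + sig_algs + certificate_authorities(names)
    return bytes([HS_CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body


def parse_certificate_authorities(msg):
    """Walk a CertificateRequest back to its DN list; returns the DER names."""
    assert msg[0] == HS_CERTIFICATE_REQUEST
    hs_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + hs_len]
    pos = 1 + body[0]                                     # skip certificate_types
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")   # skip signature algorithms
    ca_len = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    end = pos + ca_len
    names = []
    while pos < end:
        n = int.from_bytes(body[pos:pos + 2], "big")
        names.append(body[pos + 2:pos + 2 + n])
        pos += 2 + n
    return names


def records_needed(msg, max_plaintext=TLS_MAX_PLAINTEXT):
    """A handshake message longer than one record is fragmented across records."""
    return math.ceil(len(msg) / max_plaintext)


def constructed_bundle(n):
    """Constructed stand-in for 'every CA in the system trust store'."""
    return [der_name(f"Constructed Root CA {i:03d}", f"Test Authority {i:03d}", "XX")
            for i in range(n)]


if __name__ == "__main__":
    for count in (5, 250):
        msg = build_certificate_request(constructed_bundle(count))
        print(f"{count:4d} trusted CAs -> CertificateRequest {len(msg):6d} bytes, "
              f"{records_needed(msg)} TLS record(s)")
```

With these short constructed names each entry costs about 80 bytes, so a few hundred trusted CAs already push the CertificateRequest past one 16 KiB record and the handshake message arrives fragmented; real system bundles have longer DNs, so the threshold is lower. The 2^16-1 byte cap on the vector means a sufficiently large trust store cannot be advertised in full at all, which is the other reason a server should send only the CAs it actually wants client certificates from. Whether GnuTLS trims the list is not something this example shows.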