[gnutls-help] Many "Hello Request" messages

Rick van Rein rick at openfortress.nl
Thu Nov 5 20:46:27 CET 2015 

Hello,

I'm trying to get handshake renegotiation working with GnuTLS 3.2.21,
and I wonder if I may have run into a GnuTLS bug.

Using tcpdump, I found an astounding number of Hello Request messages,
even when I didn't trigger renogotiation.  More seriously, I also see
these messages from client to server, which is not explicitly permitted
in Section 7.4.1.1 of RFC 5246, unlike the server-sent message.  Here
are the patterns I am seeing:

c->s Client Hello (TLS 1.2)
c<-s Server Hello, Certificate, Server Key Exchange, Certificate
Request, Server Hello Done
c->s Certificate, Client Key Exchange, Certificate Verify, Change Cipher
Spec, HELLO REQUEST, HELLO REQUEST
c<-s Change Cipher Spec, HELLO REQUEST, HELLO REQUEST
...
c->s Application Data [me typing rubbish]
...
      Then I ask GnuTLS to renegotiate from the client:
c->s HELLO REQUEST, HELLO REQUEST
c<-s HELLO REQUEST, HELLO REQUEST, HELLO REQUEST, HELLO REQUEST, HELLO
REQUEST, HELLO REQUEST
c->s HELLO REQUEST, HELLO REQUEST, Change Cipher Spec, Encrypted
Handshake Message
c<-s Change Cipher Spec, Encrypted Handshake Message
...
c->s Application Data [me typing rubbish again]
...
     Then I ask GnuTLS to renegotiate from the server.  This is bound to
fail, since I commented-out gnutls_rehandshake()
     After a while I start typing again on the client:
c->s Application Data [rubbish]
     The server closes the connection when it sees that it gets data,
not the expected Client Hello.


What can be the explanation of the multitude of Hello Request messages? 
They seem to be grouped in pairs in one record level message, multiple
of which may occur in one TCP-level message.  Within a pair, the first
seems to always be empty and the second I've seen with 0, 1 and 2 bytes
of contents.


I'm starting to believe that something is wrong with the handshake
renegotiation code, or am I doing something funny?

I'm using GnuTLS 3.2.21 at the moment, but didn't find remarks about
handshaking in the news since that version, so I've assumed that there's
no value in upgrading to the latest version.


Any ideas?


Thanks,
 -Rick

More information about the Gnutls-help mailing list