Bug#390712: Nokia/Ericsson MAC padding problem

Simon Josefsson simon at josefsson.org
Mon Feb 4 11:09:17 UTC 2008


I believe we have identified that the problem in this bug is the MAC
padding.  We brought this up on the IETF TLS list:

http://thread.gmane.org/gmane.ietf.tls/3079

Pasi forwarded this to the Symbian TLS team, and my understanding is
that it is a known bug with the Symbian TLS implementation.

GnuTLS won't change the default to cater with broken implementations, at
least not without more justification that it is a widespread problem.  I
think this bug can be resolved as 'wontfix'.

Further, GnuTLS 2.2+ provides a mechanism to work around bugs in
implementations.  You should be able to connect the Nokia E90 to
gnutls-serv if you start it as:

$ gnutls-serv --priority "NORMAL:%COMPAT"

Applications can use the following functions to implement similar
behaviour:

  int gnutls_priority_init( gnutls_priority_t*, const char *priority, const char** err_pos);
  void gnutls_priority_deinit( gnutls_priority_t);
  
  int gnutls_priority_set(gnutls_session_t session, gnutls_priority_t);
  int gnutls_priority_set_direct(gnutls_session_t session, const char *priority, const char** err_pos);

I recommend that applications offer a way to set the GnuTLS priority
string in a configuration file, and to default it to 'NORMAL'.  It is
extra good if the application allows users to set the GnuTLS priority on
a per-IP basis, so that administrators doesn't have to decrease security
to cater for a few broken devices.

Given this, I think gnutls has done what it can about this bug, and it
might be appropriate to even close it, rather than leaving it in
wontfix.

Is there anything more we can do about this bug?  Suggestions are most
welcome.

/Simon





More information about the Pkg-exim4-maintainers mailing list