[Pkg-gnutls-maint] Bug#466477: Bug#466477: Bug#466477: Bug#466477: libgnutls26: Failure to talk with IBM ldap/http servers
Simon Josefsson
simon at josefsson.org
Mon Apr 28 22:01:55 UTC 2008
"Marc F. Clemente" <marc at mclemente.net> writes:
> Simon Josefsson wrote:
>> Thanks for reporting this, I've solved it with patch:
>> http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=08fe3bfac8e12e6154dce6a834cdf838eeac3b05
>
> I tried to install the patch, but I had problems. I found socket_bye at
> lines 655 and 719. I commented both instances out, and recompiled. It
> still crashes, but it does not give the backtrace.
Try this patch (against the v2.2 branch) instead:
diff --git a/src/cli.c b/src/cli.c
index 1136d9d..640b3f0 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -652,7 +652,6 @@ after_handshake:
if (ret < 0)
{
fprintf (stderr, "*** Handshake has failed\n");
- socket_bye (&hd);
user_term = 1;
break;
}
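Review bot: With socket_bye (&hd) removed from the ret < 0 branch at line 652, nothing visible in this hunk releases hd on the failed-handshake path, which now only sets user_term = 1 and breaks. Please confirm that the code reached after the break still closes the session and socket exactly once, and add a short comment in this branch saying why socket_bye must not be called after a failed handshake, so the call is not reintroduced later.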
@@ -716,7 +715,6 @@ after_handshake:
if (ret < 0)
{
fprintf (stderr, "*** Handshake has failed\n");
- socket_bye (&hd);
user_term = 1;
break;
}
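Review bot: The ret < 0 branch at line 716 is a verbatim copy of the one at line 652 (same "*** Handshake has failed" message, same user_term = 1 and break), so the same fix had to be made in two places. Consider moving the failure handling into one helper called from both sites, so the two paths cannot drift apart. Since ret is already in scope, the helper could also include the error for ret in the message rather than the fixed string alone.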
> So maybe my problem is different. As far as I can tell, the bug is in
> the library (or a dependency). EXP-RC4-MD5 is a no-go, but other ciphers
> are ok.
I think something with the CA certificates changed. I recall a
ca-certificate update recently. Could you try downgrading that? Possibly
the ca certificates aren't marked as configuration files, so you may
have to --purge remove it and then install the old version.
> Where do I go from here? You (or anybody else) are welcome to use my
> server (mail3.mclemente.net) for testing. Let me know what I have to do
> to help resolve my issue. In my spare time, I will try and downgrade
> some packages to see what happens.
I could reproduce the problem: it is the same as we have seen in a few
other recent cases: the server sends a huge list of known CA's, and
GnuTLS can't handle the packet sizes.
We are investigating that problem.
/Simon