[Pkg-gnutls-maint] Bug#478191: Bug#478191: Is this really the real fix, or only a workaround?

Simon Josefsson simon at josefsson.org
Thu May 22 15:20:21 UTC 2008


Marc Haber <mh+debian-bugs at zugschlus.de> writes:

> On Thu, May 22, 2008 at 12:24:29PM +0000, Debian Bug Tracking System wrote:
>>      + Increase default handshake packet size limit to 48kb. Closes: #478191
>
> I am wondering whether this is a real fix as it only postpones the
> issue, and sending 50 KB of trusted CA list to any connecting client
> is probably excessive as well.
>
> Is this really really necessary or wouldn't it be better to be able to
> configure a list of ca-certificates sent in this situation?

I think increasing the limit is necessary since there appeared to be
some configurations which ran into the earlier limit.  Possibly 48 KB is
excessive, and it could be made smaller.  I think the largest handshake
we saw in reality was 25 KB.  That was rather close to 32 KB, so I picked
a larger value at random.  Maybe 32 KB is better.

Configuring the list of ca-certificates is possible, as far as I know.
GnuTLS doesn't do any of this, it is in the application.  I suspect exim
is using the ca-certificates debian infrastructure.  It seems some
people click to trust every CA in the entire world (or close to that)
which causes really large handshakes.  I'm not sure gnutls can do
anything about that?

Btw, we have fixed the warning message you get when this happens, so it
should be more clear that you are running into an intentional limit:

  ERROR_ENTRY (N_("The handshake data size is too large (DoS?), "
                  "check gnutls_handshake_set_max_packet_length()."),
               GNUTLS_E_HANDSHAKE_TOO_LARGE, 1),

Possibly we could even revert back to the earlier 16 KB limit, if the
configurations with a lot of CAs are considered excessive and buggy by
themselves.

/Simon
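The size arithmetic behind this thread, as an added example that is not part of the original messages and is not GnuTLS or exim code: a server that requests a client certificate sends the DER-encoded names of every CA it trusts in the TLS CertificateRequest message, so the handshake grows by roughly the size of one distinguished name per trusted CA. The script below builds that message for a constructed list of synthetic CA names (TLS 1.0/1.1 layout per RFC 2246/4346 section 7.4.4, without the TLS 1.2 signature_algorithms field, which only makes the message larger) and checks it against the 16, 32 and 48 KB limits discussed above. The names, the 82-byte name size that results from them, and the assumption that the limit is compared against the whole handshake message including its 4-byte header are all mine, not something the thread states.

```python
"""Estimate a TLS CertificateRequest handshake message for a trusted-CA list
and check it against a handshake-size limit.

Added example; not GnuTLS or exim code.  Assumptions (mine): TLS 1.0/1.1
message layout (certificate_types + certificate_authorities, no
signature_algorithms), and the limit applies to the whole handshake
message including its 4-byte header.
"""
import struct
from typing import List, Sequence

KB = 1024


def der_tlv(tag: int, body: bytes) -> bytes:
    """DER encode tag + definite length + body (bodies shorter than 65536)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + struct.pack(">H", n)
    return bytes([tag]) + length + body


OID_CN = b"\x55\x04\x03"  # id-at-commonName        2.5.4.3
OID_O = b"\x55\x04\x0a"   # id-at-organizationName  2.5.4.10
OID_C = b"\x55\x04\x06"   # id-at-countryName       2.5.4.6


def rdn(oid: bytes, value: str) -> bytes:
    """One RelativeDistinguishedName: SET { SEQUENCE { OID, PrintableString } }."""
    atv = der_tlv(0x30, der_tlv(0x06, oid) + der_tlv(0x13, value.encode("ascii")))
    return der_tlv(0x31, atv)


def distinguished_name(country: str, org: str, cn: str) -> bytes:
    """DER X.501 Name: SEQUENCE OF RelativeDistinguishedName (C, O, CN)."""
    return der_tlv(0x30, rdn(OID_C, country) + rdn(OID_O, org) + rdn(OID_CN, cn))


def certificate_request(ca_names: Sequence[bytes], cert_types=(1,)) -> bytes:
    """TLS 1.0/1.1 CertificateRequest (handshake type 13) as sent on the wire.

    certificate_types<1..2^8-1>, then certificate_authorities<0..2^16-1>,
    each DistinguishedName carrying its own 2-byte length prefix.
    """
    body = bytes([len(cert_types)]) + bytes(cert_types)
    cas = b"".join(struct.pack(">H", len(dn)) + dn for dn in ca_names)
    if len(cas) > 0xFFFF:
        # The protocol itself caps the CA list at 64 KB; GnuTLS's handshake
        # limit discussed in the thread is hit well before that.
        raise ValueError("certificate_authorities exceeds 2^16-1 bytes")
    body += struct.pack(">H", len(cas)) + cas
    # Handshake header: msg_type (1 byte) + 24-bit body length.
    return bytes([13]) + len(body).to_bytes(3, "big") + body


def check_limit(msg: bytes, limit: int) -> bool:
    """True if the handshake message fits within limit bytes."""
    return len(msg) <= limit


def example_bundle(n: int) -> List[bytes]:
    """Constructed stand-in for a large trusted-CA list: n synthetic CA names."""
    return [
        distinguished_name("XX", "Example Trust Services %03d" % i,
                           "Example Root CA %03d" % i)
        for i in range(n)
    ]


if __name__ == "__main__":
    for n_cas in (100, 200, 400, 600):
        msg = certificate_request(example_bundle(n_cas))
        verdicts = ", ".join(
            "%d KB: %s" % (lim // KB, "ok" if check_limit(msg, lim) else "TOO LARGE")
            for lim in (16 * KB, 32 * KB, 48 * KB)
        )
        print("%3d CAs -> %5d-byte CertificateRequest (%s)" % (n_cas, len(msg), verdicts))
```

With these 82-byte synthetic names the message is 8 + 84 bytes per CA, so the 16 KB limit is crossed at 195 CAs and the 32 KB limit at 391; real CA names vary in length, so feed your own bundle's names through the same function rather than relying on those exact counts.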
