Bug#679737: Handshake packets which span multiple records cause TLS handshake failure

Janne Snabb snabb at epipe.com
Sun Jul 1 08:27:18 UTC 2012

Package: gnutls28
Version: 3.0.19-2

GnuTLS 3.0.19 has a bug which causes a TLS handshake failure if a
handshake packet needs to be fragmented (if a packet is larger than 16
kB). This bug is fixed in 3.0.20 which is available in Debian "sid". I
am filing this bug report because I think this bug should be fixed in the
Debian "wheezy" release (it currently has 3.0.19).

The Debian package "ca-certificates" includes so many CA certificates
that if used together with GnuTLS 3.0.19 with all CAs enabled (the
default), it will always produce a failed TLS handshake.

The error message is: "Fatal error: A TLS packet with unexpected length
was received".

See the following for a discussion of the details, how to repeat, etc.
of this bug:


See the following for 3.0.20 release notes:


The specific commit which fixes this bug is here:


IMHO it would be good to get 3.0.20 in "wheezy" before the release.

Best Regards,
Janne Snabb / EPIPE Communications
snabb at epipe.com - http://epipe.com/
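
The failure mode described in the report, as an added example that is not part of the original message and is not GnuTLS code: a handshake message larger than one TLS record (2^14 bytes) is split across records, and a parser that expects each record to hold whole handshake messages rejects it, while one that buffers across records accepts it. The function names, the sample message type and the sizes are constructed for illustration.

```python
import struct

MAX_FRAGMENT = 2 ** 14          # TLS record plaintext limit (16384 bytes)
HANDSHAKE = 22                  # record content type for handshake data
VERSION = b"\x03\x03"           # record version bytes (constructed sample)

def to_records(handshake_msg):
    """Split one handshake message into records of at most MAX_FRAGMENT bytes."""
    records = []
    for off in range(0, len(handshake_msg), MAX_FRAGMENT):
        chunk = handshake_msg[off:off + MAX_FRAGMENT]
        records.append(bytes([HANDSHAKE]) + VERSION + struct.pack("!H", len(chunk)) + chunk)
    return records

def parse_record(record):
    """Validate the 5-byte record header and return the payload."""
    ctype, _ver, length = struct.unpack("!B2sH", record[:5])
    if ctype != HANDSHAKE or length > MAX_FRAGMENT or length != len(record) - 5:
        raise ValueError("bad record")
    return record[5:]

def naive_parse(records):
    """Assumes every record holds whole handshake messages; fails on a spanning one."""
    out = []
    for rec in records:
        body = parse_record(rec)
        while body:
            mlen = int.from_bytes(body[1:4], "big")   # 3-byte handshake length
            if len(body) < 4 + mlen:
                raise ValueError("unexpected length")
            out.append((body[0], body[4:4 + mlen]))
            body = body[4 + mlen:]
    return out

def reassembling_parse(records):
    """Buffers payloads across records until a full handshake message is present."""
    buf, out = b"", []
    for rec in records:
        buf += parse_record(rec)
        while len(buf) >= 4:
            mlen = int.from_bytes(buf[1:4], "big")
            if len(buf) < 4 + mlen: break             # wait for the next record
            out.append((buf[0], buf[4:4 + mlen]))
            buf = buf[4 + mlen:]
    if buf:
        raise ValueError("truncated handshake message")
    return out

SAMPLE = bytes([13]) + (20000).to_bytes(3, "big") + bytes(20000)  # constructed 20 kB message
```

Running `naive_parse(to_records(SAMPLE))` raises `ValueError`, while `reassembling_parse` returns the single 20000-byte message; for messages below the record limit both parsers agree.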
