Bug#679737: Handshake packets which span multiple records cause TLS handshake failure
Janne Snabb
snabb at epipe.com
Sun Jul 1 08:27:18 UTC 2012
Package: gnutls28
Version: 3.0.19-2
GnuTLS 3.0.19 has a bug which causes a TLS handshake failure if a
handshake packet needs to be fragmented (if a packet is larger than 16
kB). This bug is fixed in 3.0.20 which is available in Debian "sid". I
am filing this bug report because I think this bug should be fixed in
debian "wheezy" release (it has currently 3.0.19).
The Debian package "ca-certificates" includes so many CA certificates
that if used together with GnuTLS 3.0.19 with all CA's enabled (the
default), it will always produce a failed TLS handshake.
The error message is: "Fatal error: A TLS packet with unexpected length
was received".
See the following for a discussion of the details, how to repeat, etc.
of this bug:
http://comments.gmane.org/gmane.network.gnutls.general/2789
See the following for 3.0.20 release notes:
http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/6162
The specific commit which fixes this bug is here:
http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=6299e8a8c7371da1e674419c36cbcbe1630aef0a
IMHO it would be good to get 3.0.20 in "wheezy" before the release.
Best Regards,
--
Janne Snabb / EPIPE Communications
snabb at epipe.com - http://epipe.com/
More information about the Pkg-gnutls-maint
mailing list