Bug#929907: libgnutls30: Connections to older GnUTLS servers break

Dominik George natureshadow at debian.org
Mon Jun 3 22:52:09 BST 2019


Hi,

> Is this reproducible with gnutls-cli or is the respective server
> publicly accessible?

It is reproducible.

1. Create a buster chroot for the server, or something
   similar.
2. Install gnutls-bin 3.6.6-3 and ssl-cert.
3. Start something like:
   gnutls-serv --echo --x509keyfile /etc/ssl/private/ssl-cert-snakeoil.key --x509certfile /etc/ssl/certs/ssl-cert-snakeoil.pem
4. Create a buster chroot for the client.
5. Install gnutls-bin 3.6.7-2 and pwgen (I used that to generate
   random blobs of printable data).
6. Try:
   pwgen 16383 | gnutls-cli --no-ca-verification --port 5556 localhost

From a size of 16383 bytes onwards, I get:

|<1>| Received packet with illegal length: 16385
|<1>| Discarded message[1] due to invalid decryption
*** Fatal error: A TLS record packet with invalid length was received.
*** Server has terminated the connection abnormally.


After upgrading the server to 3.6.7-2, the problem goes away.

Actually, this might as well be an issue in 3.6.6, that was masked
while clients were also 3.6.6… I don't know ;)!

-nik
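
The reproduction steps in the message above, wrapped in a bisect script as an added example (not part of the original message and not GnuTLS project code): it searches for the smallest payload size at which gnutls-cli prints the record-length error. The probe command and the error string are taken from the message; the function names, the 1..20000 search bounds and the RUN_BISECT switch are assumptions.

```sh
#!/bin/sh
# Added example, not from the original message.
# Error string exactly as quoted in the message.
ERR='A TLS record packet with invalid length was received'

# probe_gnutls SIZE: send SIZE printable characters to the gnutls-serv instance
# from step 3. Returns 1 if the error string shows up, 0 otherwise.
probe_gnutls() {
    out=$(pwgen "$1" | gnutls-cli --no-ca-verification --port 5556 localhost 2>&1) || true
    case $out in
        *"$ERR"*) return 1 ;;
        *)        return 0 ;;
    esac
}

# find_threshold PROBE LO HI: print the smallest size in (LO, HI] at which PROBE
# fails. Relies on the behaviour reported in the message: once a size fails,
# every larger size fails too.
find_threshold() {
    probe=$1 lo=$2 hi=$3
    "$probe" "$lo" || { echo "probe already fails at $lo" >&2; return 2; }
    if "$probe" "$hi"; then
        echo "probe still succeeds at $hi" >&2
        return 3
    fi
    # Invariant: PROBE succeeds at lo and fails at hi.
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$mid"; then lo=$mid; else hi=$mid; fi
    done
    echo "$hi"
}

# Run from the client chroot while the server is listening:
#   RUN_BISECT=1 sh bisect.sh
if [ "${RUN_BISECT:-0}" = 1 ]; then
    find_threshold probe_gnutls 1 20000   # bounds are assumed, adjust as needed
fi
```

A result of "probe still succeeds at 20000" can also mean the server was not reachable, since the probe only looks for the one error string.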