Bug#929907: libgnutls30: Connections to older GnUTLS servers break
Andreas Metzler
ametzler at bebt.de
Tue Jun 4 19:27:22 BST 2019
On 2019-06-03 Dominik George <natureshadow at debian.org> wrote:
> Hi,
>> Is this reproducible with gnutls-cli or is the respective server
>> publicly accessible?
> It is reproducible.
> 1. Create a buster chroot for the server, or something
> similar.
> 2. Install gnutls-bin 3.6.6-3 and ssl-cert.
> 3. Start something like:
> gnutls-serv --echo --x509keyfile /etc/ssl/private/ssl-cert-snakeoil.key --x509certfile /etc/ssl/certs/ssl-cert-snakeoil.pem
> 4. Create a buster chroot for the client.
> 5. Install gnutls-bin 3.6.7-2 and pwgen (I used that to generate
> random blobs of printable data).
> 6. Try:
> pwgen 16383 | gnutls-cli --no-ca-verification --port 5556 localhost
> From a size of 16383 bytes onwards, I get:
> |<1>| Received packet with illegal length: 16385
> |<1>| Discarded message[1] due to invalid decryption
> *** Fatal error: A TLS record packet with invalid length was received.
> *** Server has terminated the connection abnormally.
Hello,
with server at 3.6.6 (and .4 and .5), client version 3.6.7 breaks, while
both earlier versions and 3.6.8 connect successfully.
server 3.6.8/3.6.7 does not break with client 3.6.7.
Will try a bisect to check why .8 works, but might not have time before
weekend.
cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
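
The reproduction quoted above can be automated to pin down the smallest `pwgen` size at which a given client/server pair starts failing, which is useful when repeating the test across package versions. This is an added example, not part of the original message or of GnuTLS; the function names are hypothetical, the host, port and the "Fatal error" marker are taken from the quoted commands and output, and it assumes that once a size fails all larger sizes fail too.

```shell
#!/bin/sh
# Added example (not from the original thread). Function names are hypothetical.
# HOST/PORT defaults and the "Fatal error" marker come from the quoted report.
HOST="${HOST:-localhost}"
PORT="${PORT:-5556}"

# probe_gnutls SIZE: pipe `pwgen SIZE` into gnutls-cli as in step 6 of the
# report; succeed (0) only if the client output shows no fatal error.
probe_gnutls() {
    pg_out=$(pwgen "$1" |
        gnutls-cli --no-ca-verification --port "$PORT" "$HOST" 2>&1) || true
    ! printf '%s\n' "$pg_out" | grep -q 'Fatal error'
}

# first_failing_size LO HI [PROBE]: binary search for the smallest size at
# which PROBE fails. Requires PROBE to succeed at LO and fail at HI, and
# assumes (labelled assumption) that failure is monotonic in size.
# Prints the size on stdout; returns 2 or 3 if the bounds are unusable.
first_failing_size() {
    ffs_lo=$1 ffs_hi=$2 ffs_probe=${3:-probe_gnutls}
    "$ffs_probe" "$ffs_lo" || {
        echo "probe already fails at $ffs_lo" >&2
        return 2
    }
    if "$ffs_probe" "$ffs_hi"; then
        echo "probe still succeeds at $ffs_hi" >&2
        return 3
    fi
    # Invariant: PROBE succeeds at ffs_lo and fails at ffs_hi.
    while [ $((ffs_hi - ffs_lo)) -gt 1 ]; do
        ffs_mid=$(( (ffs_lo + ffs_hi) / 2 ))
        if "$ffs_probe" "$ffs_mid"; then
            ffs_lo=$ffs_mid
        else
            ffs_hi=$ffs_mid
        fi
    done
    echo "$ffs_hi"
}

# Usage, with gnutls-serv --echo already running as in step 3:
#   first_failing_size 1 32768
```

Run it once per client version inside the matching chroot and compare the reported sizes; a return code of 3 means that pairing did not fail anywhere in the tested range.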