Re: Handshake fails with Internal error in memory allocation

From: Andreas Metzler
Subject: Re: Handshake fails with Internal error in memory allocation
Date: Thu, 1 May 2008 15:02:32 +0200
User-agent: Mutt/1.5.13 (2006-08-11)

On 2008-04-29 Simon Josefsson <address@hidden> wrote:
> This error has come up lately, see:


> The cause seems clear, the server sends a huge list of CA certs and
> GnuTLS runs into some fixed size buffer or something.  This reproduces
> it:

> gnutls-cli -p 25 -s
> ehlo foo
> starttls
> ^D

> Nikos, do you have any idea?  I could look at it, but have little time
> right now.


Isn't it a bug that gnutls *sends* this huge list of certificates in
the first place? (Noted by Florian Weimer.)

I think this is rather strange:

Start with this setup:
  - Server is using a self signed certificate and key.
  - Client is not using any certificate at all.

This works ...
*server* gnutls-serv --port 666 --x509certfile /etc/exim4/exim.crt \
    --x509keyfile /etc/exim4/exim.key
*client* gnutls-cli localhost -p 666

... but this suddenly doesn't (with
the old #define MAX_HANDSHAKE_PACKET_SIZE 16*1024):
*server*  gnutls-serv --port 666 --x509certfile /etc/exim4/exim.crt \
    --x509keyfile /etc/exim4/exim.key \
    --x509cafile /etc/ssl/certs/ca-certificates.crt
*client* gnutls-cli localhost -p 666

I do not understand why specifying a list of irrelevant trusted CAs
changes the TLS dialogue at all. Afaict this is not the case for
openssl, this won't break gnutls:
 openssl s_server -accept 666 -cert /etc/exim4/exim.crt \
   -key /etc/exim4/exim.key -CAfile /etc/ssl/certs/ca-certificates.crt

thanks, cu andreas
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
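
Added example, not from this thread and not GnuTLS or OpenSSL code: a small Python script that encodes a TLS 1.2 CertificateRequest (RFC 5246, section 7.4.4) for a list of DER-encoded distinguished names, parses it back with an explicit size check instead of a silent fixed-size buffer, and shows how a server whose --x509cafile points at a system bundle of a couple of hundred CAs pushes the message past the old 16*1024-byte MAX_HANDSHAKE_PACKET_SIZE quoted above. Only that constant comes from the thread; the DER helpers, the CN-only names, the signature-algorithm bytes and the 200-entry stand-in "bundle" are constructed for the example, and the function names are the example's own.

```python
import struct

# Limit quoted in the thread (old GnuTLS value); everything else here is constructed.
MAX_HANDSHAKE_PACKET_SIZE = 16 * 1024
CERTIFICATE_REQUEST = 13          # HandshakeType certificate_request, RFC 5246


def der_len(n):
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


OID_COMMON_NAME = bytes.fromhex("550403")  # id-at-commonName, 2.5.4.3


def der_name(common_name):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue; a single CN attribute only."""
    atv = der(0x30, der(0x06, OID_COMMON_NAME) + der(0x0C, common_name.encode("utf-8")))
    return der(0x30, der(0x31, atv))


def build_certificate_request(ca_names):
    """Encode a TLS 1.2 CertificateRequest handshake message for the given DER names."""
    cert_types = b"\x01"                # rsa_sign
    sig_algs = b"\x04\x01\x05\x01"      # sha256/rsa, sha384/rsa (constructed choice)
    # certificate_authorities<0..2^16-1>: each DistinguishedName carries a 2-byte length
    authorities = b"".join(struct.pack("!H", len(n)) + n for n in ca_names)
    if len(authorities) > 0xFFFF:
        raise ValueError("certificate_authorities exceeds the 2^16-1 byte protocol limit")
    body = (bytes([len(cert_types)]) + cert_types
            + struct.pack("!H", len(sig_algs)) + sig_algs
            + struct.pack("!H", len(authorities)) + authorities)
    return bytes([CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body


def parse_certificate_request(msg, buffer_limit=MAX_HANDSHAKE_PACKET_SIZE):
    """Decode the message and return the list of DER names.

    The total length is checked against buffer_limit up front, so an oversized
    message is rejected with a clear error rather than being truncated or
    overrunning a fixed-size buffer."""
    if len(msg) > buffer_limit:
        raise ValueError(f"{len(msg)}-byte handshake message exceeds {buffer_limit}-byte buffer")
    if len(msg) < 4 or msg[0] != CERTIFICATE_REQUEST:
        raise ValueError("not a CertificateRequest")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated handshake message")
    pos = 0
    n = body[pos]; pos += 1 + n                                   # certificate_types
    n = int.from_bytes(body[pos:pos + 2], "big"); pos += 2 + n    # supported_signature_algorithms
    if pos + 2 > len(body):
        raise ValueError("truncated body")
    total = int.from_bytes(body[pos:pos + 2], "big"); pos += 2    # certificate_authorities
    end = pos + total
    if end != len(body):
        raise ValueError("certificate_authorities length does not match body")
    names = []
    while pos < end:
        n = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
        if n == 0 or pos + n > end:
            raise ValueError("DistinguishedName overruns certificate_authorities")
        names.append(body[pos:pos + n]); pos += n
    return names


def ca_list_fits(ca_names, buffer_limit=MAX_HANDSHAKE_PACKET_SIZE):
    """True when the CertificateRequest for these names fits a client buffer of buffer_limit bytes."""
    return len(build_certificate_request(ca_names)) <= buffer_limit


def constructed_ca_names(count):
    """Stand-in for a system CA bundle: `count` placeholder names of realistic DN length."""
    return [der_name(f"Constructed Root Certification Authority number {i:03d} "
                     f"(placeholder, not a real CA)") for i in range(count)]


if __name__ == "__main__":
    # Self-signed server cert, no --x509cafile: one name, a message of about 100 bytes.
    print("one CA:", len(build_certificate_request(constructed_ca_names(1))), "bytes")
    # --x509cafile pointing at a bundle of a couple of hundred CAs: well past 16 KiB.
    bundle = build_certificate_request(constructed_ca_names(200))
    print("200 CAs:", len(bundle), "bytes, fits 16 KiB buffer:", ca_list_fits(constructed_ca_names(200)))
    try:
        parse_certificate_request(bundle)
    except ValueError as exc:
        print("client rejects:", exc)
```

The protocol itself allows the CA list to reach 65535 bytes, so a client that parses handshake messages into a buffer sized for the common case has to either grow the buffer or, as above, reject the message cleanly; and a server operator who only wants to present a self-signed certificate has no reason to hand the client the names of every CA in the system bundle, which is the point Andreas makes above.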
