help-gnutls


Re: Big CA certificate bundle causes problems with GnuTLS 3.0.11


From: Nikos Mavrogiannopoulos
Subject: Re: Big CA certificate bundle causes problems with GnuTLS 3.0.11
Date: Tue, 29 May 2012 22:36:55 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.4) Gecko/20120510 Icedove/10.0.4

On 05/29/2012 04:46 PM, Janne Snabb wrote:

> I am experiencing a TLS handshake problem when GnuTLS 3.0.11 server has
> a big pile of CA certificates to verify against. I can not reproduce the
> problem with GnuTLS 2.12.14.
> 
> Steps to re-produce:
[...]
> Note that the file /etc/ssl/certs/ca-certificates.crt contains a big
> pile of certificates, as distributed by Debian and Ubuntu
> "ca-certificates" package. (I am happy to send it if needed.) If I
> specify just a single CA cert I do not see any problems.
> This means that when the problem happens the "certificate request" is
> bigger than 16k.


Thank you for reporting this. A quick solution to avoid this issue is to
restrict the CAs that you enable to the server to the minimum required
(a typical server needs to trust only the authorities that signed the
user's certificates).

regards,
Nikos
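
Added example, not part of the original thread and not GnuTLS code: a TLS CertificateRequest carries a `certificate_authorities` list holding the DER-encoded distinguished name of each advertised CA, each with a 2-byte length prefix. The sketch below estimates that list's size for a PEM bundle, assuming the server advertises the subject DN of every certificate in the bundle, and compares it with the 16k (2^14 byte) record payload limit mentioned in the report. All function names and the sample certificates are constructed for illustration.

```python
import base64, re

TLS_RECORD_MAX = 2 ** 14   # largest TLS record payload, the "16k" in the report

def read_tlv(buf, pos):
    """Parse one DER TLV header at pos; return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def subject_dn(cert):
    """Return the DER-encoded subject Name of an X.509 certificate."""
    _, pos, _ = read_tlv(cert, 0)           # Certificate ::= SEQUENCE
    _, pos, _ = read_tlv(cert, pos)         # tbsCertificate ::= SEQUENCE
    tag, _, end = read_tlv(cert, pos)
    if tag == 0xA0:                         # optional [0] version field
        pos = end
    for _ in range(4):                      # skip serialNumber, signature, issuer, validity
        pos = read_tlv(cert, pos)[2]
    return cert[pos:read_tlv(cert, pos)[2]]

def ca_list_size(bundle_pem):
    """Return (ca_count, bytes) of the certificate_authorities vector for a bundle."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                        bundle_pem, re.S)
    dns = [subject_dn(base64.b64decode(b)) for b in blocks]
    return len(dns), 2 + sum(2 + len(dn) for dn in dns)   # 2-byte length prefixes

# --- constructed sample input: structurally valid but unsigned certificates ---
def der(tag, content):
    return bytes([tag, len(content)]) + content   # short-form lengths suffice here

def sample_cert(cn):
    name = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
              + name + der(0x30, b"") + name)
    pem = base64.encodebytes(der(0x30, tbs)).decode()
    return "-----BEGIN CERTIFICATE-----\n" + pem + "-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    bundle = "".join(sample_cert("Constructed Test CA %04d" % i) for i in range(500))
    count, size = ca_list_size(bundle)
    print(count, "CAs ->", size, "bytes; exceeds one record:", size > TLS_RECORD_MAX)
```

The figure is a lower bound on the handshake message size, since the CertificateRequest also carries a few bytes of header and certificate-type fields. Running `ca_list_size` on a trimmed bundle shows how far the advice above reduces it.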



