On 2019-06-03 Dominik George <naturesha...@debian.org> wrote:
> Hi,
>
>> Is this reproducible with gnutls-cli or is the respective server
>> publicly accessible?
>
> It is reproducible.
>
> 1. Create a buster chroot for the server, or something
>    similar.
> 2. Install gnutls-bin 3.6.6-3 and ssl-cert.
> 3. Start something like:
>    gnutls-serv --echo --x509keyfile /etc/ssl/private/ssl-cert-snakeoil.key \
>      --x509certfile /etc/ssl/certs/ssl-cert-snakeoil.pem
> 4. Create a buster chroot for the client.
> 5. Install gnutls-bin 3.6.7-2 and pwgen (I used that to generate
>    random blobs of printable data).
> 6. Try:
>    pwgen 16383 | gnutls-cli --no-ca-verification --port 5556 localhost
>
> From a size of 16383 bytes onwards, I get:
>
> |<1>| Received packet with illegal length: 16385
> |<1>| Discarded message[1] due to invalid decryption
> *** Fatal error: A TLS record packet with invalid length was received.
> *** Server has terminated the connection abnormally.

Hello,

with server at 3.6.6 (and .4 and .5), client version 3.6.7 breaks, while
both earlier versions and 3.6.8 connect successfully. Server 3.6.8/3.6.7
does not break with client 3.6.7.

Will try a bisect to check why .8 works, but might not have time before
weekend.

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'