Interoperability issues (Debian Bug #348046)

Marc Haber mh+gnutls-devel at zugschlus.de
Tue Feb 26 23:27:39 CET 2008


On Tue, Feb 26, 2008 at 05:59:22PM +0100, Simon Josefsson wrote:
> Marc Haber <mh+gnutls-devel at zugschlus.de> writes:
> >> > (G) Andrew McGlashan finding it impossible to connect to gnutls-serv
> >> >     with incredimail (giving debug output in Message 224).
> >
> > That one is Debian Bug #459323 and has been pinned down to incredimail
> > being unable to handle client certificate requests. This can be worked
> > around by exim configuration and is clearly brokenness on
> > incredimail's part. Additionally, this incredimail issue also happens
> > when exim (in Debian's default configuration which requests client
> > certificates, but does not act on them by default) is compiled
> > against OpenSSL and also explains why Postfix works.
> 
> Interesting.  Maybe some documentation on this issue is warranted,
> especially if it affects other implementations than incredimail as well.

I have documented this in Debian exim4's README.Debian.

> > For example, the incredimail issue would have been more easily pinned
> > down if the error message logged on the server would have been
> > something like "A TLS packet with an unexpected length was received in
> > response to our client certificate request", or the random MAC padding
> > by "Connection was dropped by the remote side after we announced that
> > we would like to do random MAC padding".
> 
> One "problem" with TLS is that each packet contains many requests so it
> can be difficult to know what triggered the problem.  The handshake is
> typically just two round trips.

Is it possible to stretch the handshake for debugging purposes to
obtain more accurate errors in a lab setup?

> However, to be able to improve the error messages here, I need to know
> where in gnutls the error code was generated.  A debug log containing
> the gnutls_assert() outputs from where the error code is generated is
> needed.

I have the lab setup still available. Do I need to recompile GnuTLS
(and libgcrypt?) in order to obtain the gnutls_assert() outputs? What
do I do to do this?

> Many thanks for your diligent work!

You're welcome.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190
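
The thread notes that one TLS flight carries several handshake messages, which makes it hard to tell which one a client choked on. The following is an added example, not part of the original message or of GnuTLS: it splits a captured cleartext server flight (TLS 1.0 to 1.2) into its handshake messages and reports whether a client certificate request is among them. All function names and the sample bytes are constructed for illustration.

```python
import struct

HANDSHAKE = 22  # TLS record content type for handshake messages
MSG_NAMES = {
    1: "client_hello", 2: "server_hello", 11: "certificate",
    12: "server_key_exchange", 13: "certificate_request",
    14: "server_hello_done", 16: "client_key_exchange", 20: "finished",
}

def split_records(data):
    """Yield (content_type, payload) for each TLS record in a byte stream."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 5:
            raise ValueError("truncated record header at offset %d" % pos)
        ctype, _version, length = struct.unpack_from("!BHH", data, pos)
        payload = data[pos + 5:pos + 5 + length]
        if len(payload) != length:
            raise ValueError("record at offset %d is shorter than its length field" % pos)
        yield ctype, payload
        pos += 5 + length

def handshake_messages(data):
    """Return the names of the cleartext handshake messages in a flight."""
    # Messages may be packed several to a record or split across records,
    # so reassemble the handshake stream before walking it.
    stream = b"".join(p for t, p in split_records(data) if t == HANDSHAKE)
    names, pos = [], 0
    while pos < len(stream):
        if len(stream) - pos < 4:
            raise ValueError("truncated handshake header")
        mlen = int.from_bytes(stream[pos + 1:pos + 4], "big")
        if pos + 4 + mlen > len(stream):
            raise ValueError("handshake message longer than captured data")
        names.append(MSG_NAMES.get(stream[pos], "unknown(%d)" % stream[pos]))
        pos += 4 + mlen
    return names

def requests_client_cert(data):
    return "certificate_request" in handshake_messages(data)

def _msg(mtype, body=b""):
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

def _record(payload):
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(payload)) + payload

# Constructed sample: one record holding four messages with placeholder bodies.
SAMPLE_FLIGHT = _record(_msg(2, b"\x00" * 38) + _msg(11, b"\x00" * 3)
                        + _msg(13, b"\x00" * 4) + _msg(14))
```

Records sent after ChangeCipherSpec are encrypted, so this only applies to the cleartext part of the handshake.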




