GNUTLS_E_UNEXPECTED_PACKET_LENGTH
Simon Josefsson
simon at josefsson.org
Mon Mar 31 12:46:10 CEST 2008
Maiku <cmaiku at gmail.com> writes:
> I discovered that if you try to connect to login.live.com with GNU TLS (I
> used gnutls-cli) and send any data to it, after a successful connection,
> when it gets to the end of receiving a response to that data, it throws a
> GNUTLS_E_UNEXPECTED_PACKET_LENGTH error. I tried the same test on another
> SSL server (addons.mozilla.org) and it worked fine, so I imagine it's
> something that login.live.com is doing specifically. I tested it with the
> version of GNU TLS that comes with Ubuntu 7.10, 8.04 beta, and the
> 2.3.4source package from the GNU TLS site, and all of them had the
> same results.
Thanks for the report. I believe the server is buggy, it disconnects
instead of sending a CLOSE alert after the HTTP command has completed.
GnuTLS expects a TLS header at that point, but gets no data at all,
hence the unexpected length error.
I'm not sure what the proper behaviour should be. I don't think
ignoring this error condition is a good idea, it makes the
implementation vulnerable to the same problem that SSLv2 were vulnerable
to. (I.e., faking TCP FIN makes recipient believe the TLS channel is
terminated successfully.)
The error message isn't particularly helpful. We could add another
error code, such as GNUTLS_E_PREMATURE_CLOSE or similar instead. What
do you think?
> I went digging through the code and found that the problem seems to be in
> gnutls_record.c in the function _gnutls_recv_int on line 899 (at least
> that's the line in version 2.3.4). The line reads:
>
> if (ret < 0 && gnutls_error_is_fatal (ret) == 0)
>
> I believe this should be changed to:
>
> if (gnutls_error_is_fatal (ret) == 0)
>
> because the a return value of zero is not fatal, but as the code currently
> reads it doesn't return (as I think it should).
I believe this patch would ignore the error condition, which is a bad
idea.
> I tried it and the change seemed to remedy my problem. I'm happy to
> formalize a patch for it. Although I'm not not sure which format it should
> be in, where to send it to, or if this post is sufficient.
Posting to this list is the best way to do it.
/Simon
More information about the Gnutls-devel
mailing list