GnuTLS recv error (-9): A TLS packet with unexpected length was received. - with Paypal Website Payment Pro

Joe Orton joe at manyfish.co.uk
Wed Feb 2 23:33:50 CET 2011


On Wed, Feb 02, 2011 at 08:09:38AM +0100, Nikos Mavrogiannopoulos wrote:
> On 02/01/2011 06:12 PM, Zachary Krebs wrote:
> > I sent this to the libcurl community and they asked me to ping gnutls
> > to see where the issue resides:
> > 
> > Thanks for considering my support request, and I hope I do not
> > agitate/irritate anyone by posting in the wrong place.
> > I looked here first: http://curl.haxx.se/mail/lib-2010-06/0169.html
> > and did not find a resolution.
> > I am attempting to use the Website Payment Pro Paypal module with Drupal CMS.
> [...]
> > When I attempt to complete a payment, I get an error in my log:
> > "GnuTLS recv error (-9): A TLS packet with unexpected length was received"
> 
> Several sites terminate the TLS connection without following the TLS
> protocol (i.e. sending closure alerts), but rather terminate the TCP
> connection directly. This is a relic of SSLv2 and it seems other
> implementations ignore this error. GnuTLS doesn't and thus prints
> this error. You could ignore it, but then you could not distinguish
> between a premature connection termination (i.e. by someone injecting
> a stray TCP termination packet) and normal termination.

The problem is that GnuTLS does not distinguish the TCP closure case 
from this rather generic "unexpected length" error, as has been 
discussed on this list before.  The OpenSSL API does expose this 
distinction.

It is not uncommon for SSL servers to perform unclean TCP closure in 
some cases and HTTP clients can safely work around it if the connection 
is in the right state.

Zachary, if you disable keepalive support in libcurl, does it work?

Regards, Joe
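
Added example, not part of the original message and not libcurl or GnuTLS code: the check an HTTP/1.1 client can make when TCP EOF arrives with no closure alert, assuming "the right state" means the response's own framing (Content-Length or chunked encoding) already marks its end. The names `classify_unclean_eof`, `header_value` and `enum verdict` are hypothetical, and the sample responses in use are constructed.

```c
#include <stdlib.h>
#include <string.h>
#include <strings.h>

enum verdict { RESPONSE_COMPLETE, RESPONSE_MAYBE_TRUNCATED };

/* Value of header `name` in the header block h[0..n), or NULL (case-insensitive). */
static const char *header_value(const char *h, size_t n, const char *name)
{
    size_t k = strlen(name);
    for (size_t i = 0; i + k <= n; i++)
        if ((i == 0 || h[i - 1] == '\n') && !strncasecmp(h + i, name, k))
            return h + i + k + strspn(h + i + k, " \t");
    return NULL;
}

/* buf[0..len) is everything received before TCP EOF arrived without a
 * close_notify alert; buf[len] must be '\0'. Chunk trailers are not handled. */
enum verdict classify_unclean_eof(const char *buf, size_t len)
{
    size_t hend = 0, p, sz;
    const char *v, *nl;
    char *e;

    for (size_t i = 0; i + 4 <= len && !hend; i++)
        if (!memcmp(buf + i, "\r\n\r\n", 4)) hend = i + 4;
    if (!hend) return RESPONSE_MAYBE_TRUNCATED;    /* cut inside the headers */

    v = header_value(buf, hend, "Transfer-Encoding:");
    if (v && !strncasecmp(v, "chunked", 7)) {
        for (p = hend; p < len; p += sz + 2) {     /* skip chunk data + CRLF */
            sz = strtoul(buf + p, &e, 16);
            nl = memchr(e, '\n', len - (size_t)(e - buf));
            if (e == buf + p || !nl || sz > len) return RESPONSE_MAYBE_TRUNCATED;
            p = (size_t)(nl - buf) + 1;            /* start of chunk data */
            if (sz == 0)                           /* last-chunk: need final CRLF */
                return p + 2 <= len ? RESPONSE_COMPLETE : RESPONSE_MAYBE_TRUNCATED;
        }
        return RESPONSE_MAYBE_TRUNCATED;           /* EOF before the last-chunk */
    }
    v = header_value(buf, hend, "Content-Length:");
    if (v) {
        unsigned long want = strtoul(v, &e, 10);
        return e != v && len - hend >= want ? RESPONSE_COMPLETE : RESPONSE_MAYBE_TRUNCATED;
    }
    /* Body delimited by connection close: EOF is the only end marker, so an
     * injected TCP termination cannot be told apart from a normal one. */
    return RESPONSE_MAYBE_TRUNCATED;
}
```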



