[gnutls-devel] gnutls 3.2.6+: connection to api.dreamhost.com hangs

Nikos Mavrogiannopoulos nmav at gnutls.org
Sun Jan 19 14:56:26 CET 2014


On 01/19/2014 02:23 PM, Nikos Mavrogiannopoulos wrote:
> On 01/19/2014 01:34 PM, Andreas Metzler wrote:
>> Hello,
>>
>> this is http://bugs.debian.org/733039 reported by Neil Roeth.
>>
>> Recent versions of gnutls fail at connecting to api.dreamhost.com,
>> they just hang. Git bisect shows that breakage started with this commit:
> 
> Hello,
>  It looks like that this site is behind the problematic firewall the
> %DUMBFW priority string option was added. Does adding the %DUMBFW option
> fix the connection? This firewall drops TLS client hello messages that
> are between 256 and 512 bytes.

And indeed that's the case. When removing DHE-DSS the client hello size
drops to 247 bytes. If it is a widespread issue maybe we can enable
the %DUMBFW extension in clients by default.

There is even an internet draft for this extension:
http://tools.ietf.org/html/draft-agl-tls-padding-03

regards,
Nikos
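Added illustration of the workaround the thread is about (not GnuTLS code and not from the post above): build a minimal TLS 1.2 ClientHello record, check whether its length lands in the 256..511 byte window the firewall drops, and if so append a padding extension as in draft-agl-tls-padding so the record is at least 512 bytes. Assumptions: extension type 21 (the value IANA assigned to the padding extension in RFC 7685), a null-only compression list, and placeholder cipher-suite identifiers that are constructed for the example rather than real suites. The parser at the end is only there to check the result.

```python
"""Padding-extension workaround for the ClientHello-dropping firewall discussed above.

Added example, not GnuTLS code. Assumes padding extension type 21 (RFC 7685);
cipher-suite ids used below are placeholders, not real suites.
"""
import struct

PADDING_EXT_TYPE = 21
DROPPED = range(256, 512)   # record lengths the firewall drops (256..511 inclusive)
TARGET = 512                # smallest length known to get through


def build_client_hello(cipher_suites, extensions=b"", version=b"\x03\x03",
                       client_random=b"\x00" * 32):
    """Return a full TLS record: record header + handshake header + ClientHello body."""
    body = version + client_random + b"\x00"                # empty session id
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += b"\x01\x00"                                     # compression: null only
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type client_hello(1)
    return b"\x16" + version + struct.pack("!H", len(handshake)) + handshake


def padding_extension(n):
    """Padding extension: type, length, then n zero bytes."""
    return struct.pack("!HH", PADDING_EXT_TYPE, n) + b"\x00" * n


def pad_client_hello(cipher_suites, extensions=b""):
    """Build the hello; only if the firewall would drop it, pad it to >= TARGET bytes."""
    record = build_client_hello(cipher_suites, extensions)
    if len(record) not in DROPPED:
        return record
    # The extension itself costs 4 header bytes, plus the 2-byte extensions-length
    # field when it is the first extension in the hello.
    overhead = 4 + (0 if extensions else 2)
    n = max(0, TARGET - len(record) - overhead)
    padded = build_client_hello(cipher_suites, extensions + padding_extension(n))
    assert len(padded) >= TARGET
    return padded


def firewall_drops(record):
    """Model of the middlebox from the thread: decision on record length alone."""
    return len(record) in DROPPED


def parse_extensions(record):
    """Return {ext_type: data} from a ClientHello record built as above."""
    assert record[0] == 0x16
    handshake = record[5:]
    assert handshake[0] == 0x01
    body = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]
    pos = 2 + 32                                            # version + random
    pos += 1 + body[pos]                                    # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher suites
    pos += 1 + body[pos]                                    # compression methods
    exts = {}
    if pos < len(body):
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos < end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            exts[ext_type] = body[pos:pos + ext_len]
            pos += ext_len
    return exts


def placeholder_suites(n):
    """n distinct placeholder cipher-suite ids (constructed; not real suite values)."""
    return [0x4A00 + i for i in range(n)]


if __name__ == "__main__":
    for n in (100, 110, 231, 232):
        before = build_client_hello(placeholder_suites(n))
        after = pad_client_hello(placeholder_suites(n))
        print(f"{n} suites: {len(before)} bytes (dropped={firewall_drops(before)})"
              f" -> {len(after)} bytes (dropped={firewall_drops(after)})")
```

Note the corner case: a hello of 506..511 bytes cannot be padded to exactly 512 once the extension framing is counted, so a zero-length padding extension is added and the record simply ends up a few bytes past 512, which is still outside the dropped window.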

