[gnutls-devel] DTLS max_fragment_length extension supported?

Peter Dettman peter.dettman at bouncycastle.org
Tue Dec 22 06:23:36 CET 2015

I am testing a development build of the BouncyCastle DTLS client against
the MacPorts build of GnuTLS (gnutls-serv 3.3.19).

At first it was not connecting, the client dropping packets after the
ServerHello for some reason. I eventually noticed that the client was
requesting max_fragment_length extension, and the server was accepting
it, agreeing on MaxFragmentLength.2^9(1). The client then appears to
ignore the Certificate message as it is too large. (Without that
extension, connections work fine.)

See attached capture of the handshake start, noting the ServerHello with
max_fragment_length=1, and the Certificate message with Fragment Length 932.

I have no particular need for this functionality, but I figured I'd
report it, if only to get a second opinion on whether it's a bug in
gnutls-serv specifically, in GnuTLS generally, or some error in code or
understanding at my end.

Pete Dettman
Attachment (scrubbed by the list archive): gnutls_maxfrag.pcapng, application/octet-stream, 1920 bytes, </pipermail/attachments/20151222/8554adb1/attachment.obj>
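The mismatch the report describes (a negotiated max_fragment_length code of 1, i.e. 2^9 = 512 bytes, followed by a Certificate message with fragment length 932) can be checked mechanically on the wire bytes. The following Python is an added example, not code from the post, from GnuTLS or from BouncyCastle: it maps the RFC 6066 codes to their record-size limits, parses a DTLS record header and the 12-byte DTLS handshake header behind it, and reports a record that exceeds the negotiated limit, which RFC 6066 says the receiver is to treat as a fatal record_overflow. All function names are hypothetical, and the sample record (a Certificate message whose body is placeholder zeros) is constructed for this example rather than taken from the capture.

```python
import struct

# RFC 6066 section 4: max_fragment_length codes -> maximum TLSPlaintext.length.
# Code 1 is the 2^9 = 512-byte limit the report saw negotiated.
MAX_FRAGMENT_LENGTH = {1: 2 ** 9, 2: 2 ** 10, 3: 2 ** 11, 4: 2 ** 12}
DEFAULT_MAX_FRAGMENT = 2 ** 14  # limit when the extension is not negotiated

HANDSHAKE = 22            # ContentType.handshake
CERTIFICATE = 11          # HandshakeType.certificate
DTLS12_VERSION = (0xFE, 0xFD)


def negotiated_limit(code):
    """Record plaintext limit for a negotiated code (None = extension not used)."""
    if code is None:
        return DEFAULT_MAX_FRAGMENT
    if code not in MAX_FRAGMENT_LENGTH:
        # RFC 6066: any value other than 1..4 is rejected with illegal_parameter
        raise ValueError("illegal_parameter: unknown max_fragment_length code %r" % (code,))
    return MAX_FRAGMENT_LENGTH[code]


def parse_dtls_record(data):
    """Parse one DTLS record: type(1) version(2) epoch(2) sequence(6) length(2) body."""
    if len(data) < 13:
        raise ValueError("truncated DTLS record header")
    ctype, major, minor, epoch = struct.unpack("!BBBH", data[:5])
    seq = int.from_bytes(data[5:11], "big")
    (length,) = struct.unpack("!H", data[11:13])
    body = data[13:13 + length]
    if len(body) != length:
        raise ValueError("record body shorter than declared length")
    return {"type": ctype, "version": (major, minor), "epoch": epoch,
            "seq": seq, "length": length, "body": body}


def parse_handshake_fragment(body):
    """Parse the 12-byte DTLS handshake header in front of a (possibly partial) message."""
    if len(body) < 12:
        raise ValueError("truncated DTLS handshake header")
    return {
        "msg_type": body[0],
        "length": int.from_bytes(body[1:4], "big"),           # whole message length
        "message_seq": int.from_bytes(body[4:6], "big"),
        "fragment_offset": int.from_bytes(body[6:9], "big"),
        "fragment_length": int.from_bytes(body[9:12], "big"),
        "fragment": body[12:],
    }


def check_record(data, code):
    """Return a list of findings; an empty list means the record respects the limit."""
    limit = negotiated_limit(code)
    rec = parse_dtls_record(data)
    findings = []
    if rec["length"] > limit:
        # RFC 6066 s4: a record longer than the negotiated length is a fatal record_overflow
        findings.append("record_overflow: record length %d exceeds negotiated limit %d"
                        % (rec["length"], limit))
    if rec["type"] == HANDSHAKE:
        hs = parse_handshake_fragment(rec["body"])
        if hs["fragment_length"] != len(hs["fragment"]):
            findings.append("handshake fragment_length %d does not match %d payload bytes"
                            % (hs["fragment_length"], len(hs["fragment"])))
    return findings


def build_handshake_record(msg_type, message_seq, fragment, total_len=None, offset=0):
    """Build a DTLS 1.2 epoch-0 handshake record carrying one fragment (constructed data)."""
    total_len = len(fragment) if total_len is None else total_len
    hs = (bytes([msg_type]) + total_len.to_bytes(3, "big") + message_seq.to_bytes(2, "big")
          + offset.to_bytes(3, "big") + len(fragment).to_bytes(3, "big") + fragment)
    return (bytes([HANDSHAKE, *DTLS12_VERSION]) + struct.pack("!H", 0)
            + (2).to_bytes(6, "big") + struct.pack("!H", len(hs)) + hs)


# Constructed sample modelled on the report: an unfragmented Certificate message with
# fragment_length 932; the certificate bytes themselves are placeholder zeros.
SAMPLE_RECORD = build_handshake_record(CERTIFICATE, 2, bytes(932))

if __name__ == "__main__":
    for code in (1, 2, None):
        print("max_fragment_length code", code, "->", check_record(SAMPLE_RECORD, code) or "ok")
```

To apply this to a real capture, feed it the UDP payload of each DTLS record after the ServerHello. The check encodes the receiver-side rule only: it says what a conforming client is entitled to reject (and therefore why the client in the report stops at the Certificate), not why the server chose to send a record of that size.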
