[gnutls-devel] handshake packet re-ordering issue during encrypted handshake

Peter Williams home_pw at msn.com
Fri Jun 3 22:46:39 CEST 2016

Is a masked connection less handshake really supported ?

(Recall lots of American ietfers are nsa agents. Lots of uk academics in ietfers crypto and phone telco are beholden to police forensics funding too.)

Think about its original design intent  (enable export control regime).

Sent from my iPhone

> On Jun 3, 2016, at 13:19, Guillaume Roguez <guillaume.roguez at savoirfairelinux.com> wrote:
> Hi,
> Using gnutls 3.4.12, I'm trying to implement an encrypted and authenticated UDP channel using DTLS.
> To not send the certificate in clear during the handshake, I'm doing a double hanshake, starting
> with an anonymous credential session, then forcing a re-handshake using a certified credential session.
> My in-production code was worked well... until some users complain about the certified handshake not working.
> After investigation I've found that the packet containing (completely or partially) the client certificate is
> shift in time at server side.
> This packet is encryted as it's inside anonymous session, quite big (all allowed bytes used = MTU size)
> and re-ordered by the network.
> It seems that gnutls handshake doesn't like this situation: the server drops all following packets.
> To not enter into a complex code (our product is https://ring.cx), I've written a simple client/server working on GNU/Linux
> based from samples found in gnutls documentation, added a bit of code to do the double handshake
> and simulate the packet re-ordering by swapping the first big packet with the next one (only in server code).
> Questions: What am I doing wrong? In this case, what's the good way to implement my anonymous certificate exchange?
> The code (there is a bit of C++11 code, just easier for me to write few things):
> client: http://gpl.savoirfairelinux.net/ring-download/tests/gnutls_reordering_client.cpp
> build with command (GCC5.x): g++ -std=c++11 -g -Wall gnutls_reordering_client.cpp -o gnutls_reordering_client -pthread -lgnutls -lnettle
> server: http://gpl.savoirfairelinux.net/ring-download/tests/gnutls_reordering_server.cpp
> build with command (GCC5.x): g++ -std=c++11 -g -Wall gnutls_reordering_server.cpp -o gnutls_reordering_server -pthread -lgnutls -lnettle
> each binary must be run with 3 arguments: cafile certfile keyfile
> (to establish the certified session)
> Thanks for any help,
> Guillaume R.
> _______________________________________________
> Gnutls-devel mailing list
> Gnutls-devel at lists.gnutls.org
> http://lists.gnupg.org/mailman/listinfo/gnutls-devel

More information about the Gnutls-devel mailing list