[gnutls-help] help needed with: Alert(21)
Daiki Ueno
ueno at gnu.org
Fri Sep 30 10:32:32 CEST 2022
Hello Michael,
Michael Wohlwend <micha-1 at fantasymail.de> writes:
> I got a problem with a gnutls client-server connection which breaks after
> sending 64GB of data. Most often less data is sent, so the problem was not
> recognized. I'm using the gnutls version in debian bullseye. One computer is
> still running debian stretch, where it doesn't break, but just happily handles
> more than 64 GB, so I think the client side is responsible for closing the
> connection.
I need a bit more information to answer properly:
Are both client and server programs using GnuTLS? If yes, could you
provide the exact package versions, for both client and server?
> I don't have that much knowledge of the gnutls lib and just turned on debug
> output.
>
> The last lines in the log I'm seeing before the connection breaks are:
>
[...]
> gnutls[5]: REC: Sending Alert[1|0] - Close notify (notify close)
> gnutls[5]: REC[0x564834690fd0]: Preparing Packet Alert(21) with length: 2 and
> min pad: 0
> gnutls[9]: ENC[0x564834690fd0]: cipher: AES-256-GCM, MAC: AEAD, Epoch: 2
[...]
> Has something changed between versions 3.5 and 3.7 which explains that 64G
> border?
64 GB is above the limit of AES-GCM being safely used without rekeying.
If TLS 1.3 is negotiated GnuTLS initiates automatic rekeying, though TLS
1.3 is a feature supported by GnuTLS 3.6 or later.
Perhaps you could try other ciphers that don't have such a limitation,
e.g., CHACHA20-POLY1305?
Regards,
--
Daiki Ueno
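The reply above rests on two facts: AES-GCM has a per-key record budget, and TLS 1.3 can spend a fresh key without tearing the connection down, because it has a KeyUpdate message (TLS 1.2 does not; its only option is renegotiation or a new connection). The following is an added example, not GnuTLS code and not from either poster: a pure-Python model of one write direction of a TLS 1.3 connection that implements the traffic-secret update of RFC 8446 section 7.2 and the key/IV and per-record nonce derivations of sections 7.3 and 5.3, then rolls the key once a configurable record budget is used up. The `record_limit` parameter, the `RekeyingSender` class and `simulate_records` are the example's own constructions; the default budget is the RFC 8446 section 5.5 figure for AES-GCM, not necessarily the threshold GnuTLS applies. The HKDF-Expand-Label implementation is checked against the no-PSK early secret and the "derived" secret of RFC 8448.

```python
"""TLS 1.3 traffic-secret update (RFC 8446 sections 5.3, 7.1-7.3), pure stdlib.

Added example for the gnutls-help thread; this is not GnuTLS code.
"""
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size          # 32 for the SHA-256 cipher suites
EMPTY_HASH = HASH(b"").digest()        # Transcript-Hash("") used for "derived"

# RFC 8446 section 5.5: roughly 2^24.5 full-size records per AES-GCM key keep
# the AE safety margin; ChaCha20-Poly1305's bound is beyond the 64-bit
# sequence number. Whether a library rekeys at exactly this point is the
# library's choice; here it is just a parameter.
AES_GCM_RECORD_LIMIT = int(2 ** 24.5)


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) | info | i)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label (RFC 8446 section 7.1); info is the HkdfLabel struct."""
    full_label = b"tls13 " + label.encode("ascii")
    hkdf_label = (length.to_bytes(2, "big")
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)


def early_secret() -> bytes:
    """Early Secret with no PSK: HKDF-Extract(salt=0..0, IKM=0..0)."""
    return hkdf_extract(bytes(HASH_LEN), bytes(HASH_LEN))


def derived_secret(secret: bytes) -> bytes:
    """Derive-Secret(secret, "derived", "") from the key schedule."""
    return hkdf_expand_label(secret, "derived", EMPTY_HASH, HASH_LEN)


def next_traffic_secret(secret: bytes) -> bytes:
    """application_traffic_secret_N+1 (section 7.2): this is what KeyUpdate triggers."""
    return hkdf_expand_label(secret, "traffic upd", b"", HASH_LEN)


def traffic_keys(secret: bytes, key_len: int = 32, iv_len: int = 12):
    """[sender]_write_key and [sender]_write_iv (section 7.3).
    Defaults are the AES-256-GCM sizes (ChaCha20-Poly1305 uses the same)."""
    return (hkdf_expand_label(secret, "key", b"", key_len),
            hkdf_expand_label(secret, "iv", b"", iv_len))


class RekeyingSender:
    """One write direction of a TLS 1.3 connection (example construction):
    counts records, and rolls the traffic secret before the budget is spent."""

    def __init__(self, secret: bytes, record_limit: int = AES_GCM_RECORD_LIMIT):
        self.secret = secret
        self.record_limit = record_limit
        self.key, self.iv = traffic_keys(secret)
        self.seq = 0          # 64-bit record sequence number; reset on update
        self.generation = 0   # number of KeyUpdates sent so far

    def record_nonce(self) -> bytes:
        """Section 5.3: seq left-padded to IV length, XORed with the write IV."""
        padded = self.seq.to_bytes(len(self.iv), "big")
        return bytes(a ^ b for a, b in zip(self.iv, padded))

    def key_update(self) -> None:
        """What sending KeyUpdate does to the sender's own state."""
        self.secret = next_traffic_secret(self.secret)
        self.key, self.iv = traffic_keys(self.secret)
        self.seq = 0
        self.generation += 1

    def protect(self) -> tuple:
        """Return (generation, key, nonce) the next record is protected with,
        then advance; rekeys first if the current key's budget is exhausted."""
        if self.seq >= self.record_limit:
            self.key_update()
        params = (self.generation, self.key, self.record_nonce())
        self.seq += 1
        return params


def simulate_records(initial_secret: bytes, n_records: int, record_limit: int) -> list:
    """Protect n_records with a small budget so the rollover is visible."""
    sender = RekeyingSender(initial_secret, record_limit)
    return [sender.protect() for _ in range(n_records)]


if __name__ == "__main__":
    params = simulate_records(bytes(HASH_LEN), 2500, record_limit=1000)
    print("key generations used:", sorted({p[0] for p in params}))
    print("distinct keys:", len({p[1] for p in params}))
```

Every key in the simulation is used for at most `record_limit` records, and the (generation, nonce) pairs never repeat, which is the property the per-key budget exists to protect; the initial secret and the 1000-record budget are constructed inputs chosen to make the rollover visible, not values from the thread.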