Marc Haber <[EMAIL PROTECTED]> writes:

>> Could you run gnutls-cli with -d 4711 or something and post the
>> output too?
>
> attached.
Thanks. It confirms my theory:

|<7>| RB: Have 5 bytes into buffer. Adding 16384 bytes.
...
|<2>| ASSERT: gnutls_buffers.c:1187

16kb is the current max handshake size limit, for DoS reasons. It seems that is too low. This patch increases the default limit to 32kb. The error message is quite bad, and on the development trunk I'll be adding a new error code for this situation.

diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h index e37237d..71a9b89 100644 --- a/lib/gnutls_int.h +++ b/lib/gnutls_int.h @@ -47,7 +47,7 @@ /* The size of a handshake message should not * be larger than this value. */ -#define MAX_HANDSHAKE_PACKET_SIZE 16*1024 +#define MAX_HANDSHAKE_PACKET_SIZE 32*1024 #define TLS_RANDOM_SIZE 32 #define TLS_MAX_SESSION_ID_SIZE 32

>> Does the server by any chance have a very large set of known CAs?
>
> Not that I am aware of.

It does, and it may be useful to investigate why this happens. Could it be a change in the ca-certificate package? It is quite wasteful to send a list of this many trusted CA certificates. Perhaps it reflects the ca-certificate trust setting: if you click in that you trust all CAs in the entire world, exim/gnutls may use that. But I'm not that familiar with how trusted CA handling works in debian.

/Simon
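Review bot: the new value is still an unparenthesised macro body (`32*1024`), so a use such as `x / MAX_HANDSHAKE_PACKET_SIZE` evaluates as `(x / 32) * 1024`; while touching the line, define it as `(32*1024)`. The comment above the define ("should not be larger than this value") should also record the reason the ceiling exists, which the message gives as a DoS bound on what a peer can make the receiver buffer, because doubling it only moves the threshold: a CertificateRequest listing a trust store about twice this size will trip the same generic `ASSERT: gnutls_buffers.c:1187` until the new error code mentioned for trunk lands.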
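As an added illustration (not gnutls code, and not taken from Simon's message or his patch): a handshake-header length check that refuses an oversized message with a distinct error code instead of a bare assertion, plus a size estimate for a TLS 1.2 CertificateRequest showing how many CA names fit under the 16 KiB and 32 KiB ceilings. The function names, the error codes, the 100-byte distinguished-name size and the use of the RFC 5246 message layout are assumptions of this example, not a description of how gnutls implements its limit.

```c
/* Added example, not gnutls code: bound handshake message size and
 * report the overflow with a specific error, then estimate how a large
 * trust store pushes a CertificateRequest over that bound. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Same ceiling as the thread's patch, parenthesised so it is safe inside
 * any larger expression (e.g. MAX_HANDSHAKE_PACKET_SIZE / 2). */
#define MAX_HANDSHAKE_PACKET_SIZE (32 * 1024)

enum hs_status {
    HS_OK = 0,
    HS_ERR_SHORT_HEADER = -1,   /* fewer than 4 header bytes available   */
    HS_ERR_TOO_LARGE = -2       /* body length exceeds the DoS ceiling    */
};

/* Parse a TLS Handshake header (msg_type: 1 byte, length: uint24, RFC 5246
 * section 7.4) and refuse to buffer a body larger than `limit`.
 * Checking before allocating is what keeps a peer from forcing the
 * receiver to reserve arbitrary memory. Hypothetical helper name. */
int check_handshake_length(const uint8_t *hdr, size_t hdr_len, size_t limit,
                           size_t *body_len)
{
    if (hdr_len < 4)
        return HS_ERR_SHORT_HEADER;
    size_t len = ((size_t)hdr[1] << 16) | ((size_t)hdr[2] << 8) | hdr[3];
    if (len > limit)
        return HS_ERR_TOO_LARGE;
    *body_len = len;
    return HS_OK;
}

/* Encoded size of a TLS 1.2 CertificateRequest body (RFC 5246 section 7.4.4)
 * that lists `n_cas` distinguished names of `dn_len` bytes each. The server
 * sends one DN per CA it trusts for client certificates, which is why a
 * whole-system trust store inflates this message. TLS 1.0/1.1 lack the
 * signature-algorithms field, which only shrinks the total slightly. */
size_t certificate_request_size(size_t n_cert_types, size_t n_sig_algs,
                                size_t n_cas, size_t dn_len)
{
    size_t sz = 1 + n_cert_types;       /* certificate_types<1..2^8-1>        */
    sz += 2 + 2 * n_sig_algs;           /* supported_signature_algorithms      */
    sz += 2 + n_cas * (2 + dn_len);     /* certificate_authorities<0..2^16-1>  */
    return sz;
}

/* Smallest number of CAs (DNs of `dn_len` bytes, 2 certificate types,
 * 4 signature algorithms) whose CertificateRequest no longer fits under
 * `limit`. 100-byte DNs are a constructed, typical-looking size. */
size_t cas_to_exceed(size_t limit, size_t dn_len)
{
    size_t n = 0;
    while (certificate_request_size(2, 4, n, dn_len) <= limit)
        n++;
    return n;
}

int main(void)
{
    /* Constructed header: type 13 (certificate_request), length 0x004E20 = 20000. */
    const uint8_t hdr[4] = { 13, 0x00, 0x4E, 0x20 };
    size_t body = 0;
    int rc16 = check_handshake_length(hdr, sizeof hdr, 16 * 1024, &body);
    int rc32 = check_handshake_length(hdr, sizeof hdr, MAX_HANDSHAKE_PACKET_SIZE, &body);
    printf("20000-byte handshake: 16 KiB limit -> %d, 32 KiB limit -> %d (body %zu)\n",
           rc16, rc32, body);
    printf("CAs with 100-byte DNs needed to exceed 16 KiB: %zu, 32 KiB: %zu\n",
           cas_to_exceed(16 * 1024, 100),
           cas_to_exceed(MAX_HANDSHAKE_PACKET_SIZE, 100));
    return 0;
}
```

The estimate makes the thread's point concrete: with 100-byte names, a trust store of a few hundred CAs already produces a CertificateRequest that no fixed 16 KiB or 32 KiB ceiling comfortably holds, so the durable fix is to send only the CAs actually acceptable for client authentication and to report the overflow with a size-limit error rather than a generic assertion.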