OpenConnect 5.99 release

Nikos Mavrogiannopoulos nmav at gnutls.org
Fri Mar 7 01:47:03 EST 2014


On Thu, 2014-03-06 at 09:34 +0000, David Woodhouse wrote:
> On Thu, 2014-03-06 at 10:02 +0100, Nikos Mavrogiannopoulos wrote:
> > 
> > I believe you can get away with it by doing a:
> > #if GNUTLS_VERSION_NUMBER < 0x030000
> > #define GNUTLS_E_PREMATURE_TERMINATION GNUTLS_E_UNEXPECTED_PACKET_LENGTH
> > #endif
> 
> I pondered that. However, it would require satisfying myself that in
> *all* cases that it occurs, treating GNUTLS_E_UNEXPECTED_PACKET_LENGTH
> as a non-error is acceptable and secure.

There is not much difference for an attacker. One requires him to send an
RST, and the other an incomplete message. That's why older versions
didn't distinguish between them. I mostly added the premature
termination because many web servers were not terminating the SSL
sessions properly. So if you keep premature termination, and want to
have gnutls 2.12.x compatibility, there is no point in not having the
unexpected packet length definition.

It is of course better to just drop the premature termination though.

regards,
Nikos
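As an added illustration of the trade-off discussed in this thread (not OpenConnect or GnuTLS code), the following C fragment combines the version shim quoted above with the check a client would need before treating an abrupt end of the TLS stream as harmless: the transport-level signal alone (an RST or a truncated record, which both surface as GNUTLS_E_PREMATURE_TERMINATION, or as GNUTLS_E_UNEXPECTED_PACKET_LENGTH on 2.12.x) cannot distinguish a sloppy server from an attacker cutting the response short, so the decision has to come from the application layer. The HAVE_GNUTLS guard, the fallback numeric values (copied from gnutls.h), the pretend 2.12 version number and the classify_close() helper are all assumptions made for this example.

```c
/* Added example, not code from the openconnect-devel thread. */
#include <stddef.h>
#include <stdio.h>

/* Assumption: build with -DHAVE_GNUTLS to use the real header; otherwise mirror
   the numeric values from GnuTLS's gnutls.h so the example compiles stand-alone
   while pretending to build against GnuTLS 2.12.x (which lacks the
   premature-termination code entirely). */
#ifdef HAVE_GNUTLS
#include <gnutls/gnutls.h>
#else
#define GNUTLS_VERSION_NUMBER 0x020c00
#define GNUTLS_E_SUCCESS 0
#define GNUTLS_E_UNEXPECTED_PACKET_LENGTH (-9)
#endif

/* The shim from the thread: before GnuTLS 3.0 a connection that died without
   close_notify was reported as an unexpected packet length, so map the newer
   name onto that code when building against the older library. */
#if GNUTLS_VERSION_NUMBER < 0x030000
#ifndef GNUTLS_E_PREMATURE_TERMINATION
#define GNUTLS_E_PREMATURE_TERMINATION GNUTLS_E_UNEXPECTED_PACKET_LENGTH
#endif
#endif

enum close_verdict {
    CLOSE_CLEAN,            /* peer sent close_notify: trust the data */
    CLOSE_TRUNCATED_OK,     /* no close_notify, but the message is provably complete */
    CLOSE_TRUNCATED_ERROR,  /* no close_notify and completeness cannot be shown */
    CLOSE_OTHER_ERROR       /* any other GnuTLS failure */
};

/* Classify how a TLS read ended. `err` is the value gnutls_record_recv() returned
   (0 means the peer closed cleanly); `received`/`expected` describe the
   application-layer message, with expected == 0 meaning "length unknown"
   (for example, an HTTP response without Content-Length). Only a complete
   application message makes a missing close_notify acceptable. */
enum close_verdict classify_close(int err, size_t received, size_t expected)
{
    if (err == GNUTLS_E_SUCCESS)
        return CLOSE_CLEAN;

    if (err == GNUTLS_E_PREMATURE_TERMINATION) {
        /* Same verdict whether the transport saw an RST or a cut-off record:
           on 2.12.x the two codes coincide anyway, which is the point of the shim. */
        if (expected != 0 && received == expected)
            return CLOSE_TRUNCATED_OK;
        return CLOSE_TRUNCATED_ERROR;
    }

    return CLOSE_OTHER_ERROR;
}

int main(void)
{
    /* Constructed scenarios: a clean close, a premature close after a complete
       body, and a premature close mid-body. */
    printf("clean close           -> %d\n", classify_close(GNUTLS_E_SUCCESS, 512, 512));
    printf("premature, complete   -> %d\n", classify_close(GNUTLS_E_PREMATURE_TERMINATION, 512, 512));
    printf("premature, incomplete -> %d\n", classify_close(GNUTLS_E_PREMATURE_TERMINATION, 200, 512));
    printf("premature, unknown    -> %d\n", classify_close(GNUTLS_E_PREMATURE_TERMINATION, 200, 0));
    return 0;
}
```

With a 2.12-era build the shim makes the two error codes identical, so the only way to keep the "lenient" behaviour safe is the completeness check inside classify_close(); on a 3.x build GNUTLS_E_UNEXPECTED_PACKET_LENGTH stays a distinct code and falls through to CLOSE_OTHER_ERROR.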
