SSL compatibility mode

Tomasz Wasilczyk tomkiewicz.groups at gmail.com
Wed Apr 17 20:10:25 EDT 2013


2013/4/14 Mark Doliner <mark at kingant.net>:
> On Sat, Nov 24, 2012 at 10:08 AM, Tomasz Wasilczyk
> <tomkiewicz.groups at gmail.com> wrote:
>> I have just double-checked it, and it seems that this problem is only
>> related to gnutls. Mozilla NSS seems not to be that picky and just
>> returns EOF in that case.
>>
>> Anyway, I'm convinced that we shouldn't just ignore that error when
>> using gnutls, so the suggested configuration for ssl is still appropriate,
>> even if it doesn't do anything with NSS (because it seems to be
>> already in "compatibility mode").
>
> If NSS treats this situation as EOF and we're not experiencing
> problems from it, then I think we should change our gnutls ssl plugin
> to always treat GNUTLS_E_PREMATURE_TERMINATION as EOF.  Our SSL
> plugins should behave as similarly as possible.
>
> I'd prefer to avoid adding
> purple_ssl_set_compatibility_level/purple_ssl_get_compatibility_level
> unless we're sure there is a use case for it.

For protocols that double-check data length there is no problem,
because they figure out anyway that the stream ends before the expected
length. On the other hand, some protocols (like HTTP) may rely on EOF,
and we could theoretically pass broken data (shorter than the original)
further. So, in theory, ignoring this means accepting such data as
properly signed. On the other hand, most protocols and HTTP servers
are not affected, and we still have to verify data we got from servers
[1]. That's why I'm uncertain what should be done - treating
premature termination as EOF shouldn't do any harm, but on the other
hand being strict is always better.

[1] http://pidgin.im/pipermail/devel/2013-April/011260.html

>> Should I change anything in proposed patch [1]?
>> [1] http://pastebin.com/qFYTSWS5
>
> Hmm, what does gnutls_session_enable_compatibility_mode() actually do?
>  The man page is very vague.  Is that call needed in order to detect
> GNUTLS_E_PREMATURE_TERMINATION?

No, it's not needed. Actually, I don't see a real use case for it,
except for debugging.

Tomek
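The trade-off argued above (premature TLS termination mapped to EOF is harmless when the protocol knows the expected length, but an EOF-delimited HTTP body cannot tell truncation from completion), as an added illustration that is not part of the thread or of libpurple; the TLS layer is a constructed stand-in, and `PrematureTermination` only mimics gnutls' GNUTLS_E_PREMATURE_TERMINATION:

```python
class PrematureTermination(Exception):
    """Stand-in for GNUTLS_E_PREMATURE_TERMINATION (constructed, not gnutls)."""

class FakeTlsStream:
    """Delivers `data` in chunks; at the end either signals a clean EOF
    (peer sent close_notify) or raises PrematureTermination."""
    def __init__(self, data, clean_close):
        self.buf = data
        self.clean_close = clean_close

    def read(self, n):
        if self.buf:
            chunk, self.buf = self.buf[:n], self.buf[n:]
            return chunk
        if self.clean_close:
            return b""  # clean EOF: peer closed the TLS session properly
        raise PrematureTermination()  # TCP closed without close_notify

def read_all(stream, lenient):
    """Drain the stream. lenient=True mimics treating premature
    termination as EOF (the NSS behaviour / the proposed gnutls change)."""
    out = b""
    while True:
        try:
            chunk = stream.read(16)
        except PrematureTermination:
            if lenient:
                return out, "eof"
            raise
        if not chunk:
            return out, "eof"
        out += chunk

def receive_http_body(stream, content_length, lenient):
    """Return (body, verdict). With Content-Length the receiver detects
    truncation itself; without it, only the TLS layer can report it."""
    try:
        body, _ = read_all(stream, lenient)
    except PrematureTermination:
        return b"", "truncated"
    if content_length is not None and len(body) != content_length:
        return body, "truncated"
    return body, "complete"
```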
