On Thu, 2014-03-06 at 09:34 +0000, David Woodhouse wrote:
> On Thu, 2014-03-06 at 10:02 +0100, Nikos Mavrogiannopoulos wrote:
> >
> > I believe you can get away with it by doing a:
> > #if GNUTLS_VERSION_NUMBER < 0x030000
> > #define GNUTLS_E_PREMATURE_TERMINATION GNUTLS_E_UNEXPECTED_PACKET_LENGTH
> > #endif
>
> I pondered that. However, it would require satisfying myself that in
> *all* cases that it occurs, treating GNUTLS_E_UNEXPECTED_PACKET_LENGTH
> as a non-error is acceptable and secure.

There is not much difference for an attacker. One requires him to send an
RST, and the other an incomplete message. That's why older versions didn't
distinguish between them. I mostly added the premature termination because
many web servers were not terminating the SSL sessions properly.

So if you keep premature termination, and want to have gnutls 2.12.x
compatibility, there is no point in not having the unexpected packet
length definition. It is of course better to just drop the premature
termination though.

regards,
Nikos
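Added example, not code from the thread or from the GnuTLS or OpenConnect projects: the version shim quoted above applied in a classifier for gnutls_record_recv() results, which makes visible the point Nikos raises, namely that on 2.12.x any policy that tolerates a premature close necessarily also tolerates GNUTLS_E_UNEXPECTED_PACKET_LENGTH. The fallback constants and the assumed 2.12.x version number exist only so the file compiles without GnuTLS installed; real code includes <gnutls/gnutls.h> instead.

```c
#include <stdio.h>
#include <sys/types.h>

/* Stand-alone fallback: real code includes <gnutls/gnutls.h> instead.
 * These mirror the library's values and assume a 2.12.x build. */
#ifndef GNUTLS_VERSION_NUMBER
# define GNUTLS_VERSION_NUMBER 0x020c00
# define GNUTLS_E_UNEXPECTED_PACKET_LENGTH (-9)
# define GNUTLS_E_AGAIN (-28)
# define GNUTLS_E_INTERRUPTED (-52)
#endif

/* The shim from the thread: before 3.0 there is no separate code for a
 * peer closing without close_notify, so alias the name onto the code that
 * 2.12.x actually returns. Consequence: on 2.12.x a genuinely malformed
 * record length is indistinguishable from a "premature close". */
#if GNUTLS_VERSION_NUMBER < 0x030000
# define GNUTLS_E_PREMATURE_TERMINATION GNUTLS_E_UNEXPECTED_PACKET_LENGTH
#endif

enum recv_outcome { RECV_DATA, RECV_CLOSED, RECV_RETRY, RECV_TRUNCATED, RECV_ERROR };

/* Classify a gnutls_record_recv() return value. tolerate_truncation is the
 * opt-in for servers that drop the connection instead of sending
 * close_notify; leaving it 0 keeps a truncated stream visible as an error. */
enum recv_outcome classify_recv(ssize_t rc, int tolerate_truncation)
{
    if (rc > 0)
        return RECV_DATA;
    if (rc == 0)
        return RECV_CLOSED;                 /* clean close_notify from peer */
    if (rc == GNUTLS_E_AGAIN || rc == GNUTLS_E_INTERRUPTED)
        return RECV_RETRY;                  /* non-blocking or signal: call again */
    if (rc == GNUTLS_E_PREMATURE_TERMINATION)
        return tolerate_truncation ? RECV_CLOSED : RECV_TRUNCATED;
    return RECV_ERROR;
}

int main(void)
{
    /* Constructed return value standing in for a real recv result. */
    ssize_t rc = GNUTLS_E_PREMATURE_TERMINATION;
    printf("strict treats it as truncation: %d, tolerant as close: %d\n",
           classify_recv(rc, 0) == RECV_TRUNCATED,
           classify_recv(rc, 1) == RECV_CLOSED);
    return 0;
}
```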