If I remember correctly, something similar demonstrated by someone(a bounty hunter) a few months back, and was featured on HN front page as well.

I remember it was maybe related to Facebook, and not to TLS/SSL specifically. Very similar.. sending excessively long session id values.

I wonder if excessively long session id values can break something else as well?

Excessively long data is a cornerstone of security vulnerabilities.

> I wonder if excessively long session id values can break something else as well?

Yes, with p~=1.

Indeed it is, but what I was curious to know more about the particular case of session IDs.

PoC (not weaponized and ugly code due to lack of time): https://github.com/azet/CVE-2014-3466_PoC

hf.

At least it's a client only vulnerability. Hope your servers don't make outbound connections! :)

Because clients don't get re-routed through malicious redirects to unexpected servers. The consolation is that GnuTLS isn't used for popular web browsers.