If the CA list from the server is longer than 8 KB, then there are some combinations of ciphers and methods where the client aborts with the message:
86005:error:1408E098:SSL routines:SSL3_GET_MESSAGE:excessive message size:ssl/s3_both.c:418:
The problem is in ssl3_get_key_exchange(): the key exchange message is read with the length 8 KB, but if ssl3_send_server_key_exchange() doesn't occur, the server goes to the SSL3_ST_SW_CERT_REQ_A state and at this point sends the CA list, which is processed in ssl3_get_certificate_request(), and if this CA list is longer than 8 KB, it's rejected. Short patch:
*** ssl/s3_clnt.c.old Tue Jun 19 20:52:44 2001
--- ssl/s3_clnt.c Tue Jun 19 20:53:19 2001
***************
*** 883,889 ****
SSL3_ST_CR_KEY_EXCH_A,
SSL3_ST_CR_KEY_EXCH_B,
-1,
! 1024*8, /* ?? */
&ok);
if (!ok) return((int)n);
--- 883,893 ----
SSL3_ST_CR_KEY_EXCH_A,
SSL3_ST_CR_KEY_EXCH_B,
-1,
! #if defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN32)
! 1024*30, /* 30k max cert list :-) */
! #else
! 1024*100, /* 100k max cert list :-) */
! #endif
&ok);
if (!ok) return((int)n);
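Review bot: the replacement comments "30k max cert list :-)" / "100k max cert list :-)" still do not say why a cert-list limit is being applied in the key-exchange read at all; since this single max is checked against whichever of ServerKeyExchange, CertificateRequest or ServerHelloDone arrives next (the point the report makes), the comment should say so, e.g. "/* CertificateRequest with a long CA list can arrive here instead of ServerKeyExchange */", so the next reader does not lower it again. The new `#if defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN32)` split also gives no reason for the 30k DOS figure; either justify it in the comment or drop the split and use one value.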
I've checked the latest snap, the bug is still there.
Petr Lampa
--
Department of Computer Science and Engineering E-mail: [EMAIL PROTECTED]
Faculty of El. Engineering and Comp. Science Phone: (+420 5) 4114-1225
Brno University of Technology Fax: (+420 5) 4114-1270
Bozetechova 2, 612 66 Brno, Czech Republic Web: http://www.fee.vutbr.cz/
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
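An added illustration (not code from the report or from OpenSSL) of the check the report describes: the cap handed to the generic message reader is applied to whatever handshake message arrives next, so a CertificateRequest carrying a long CA list is judged against the cap chosen for ServerKeyExchange. The 4-byte handshake header layout is the SSL 3.0/TLS 1.0 one; the set of message types accepted in this state, the helper names and the constructed 12 KB sample are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Handshake message types (SSL 3.0 / TLS 1.0). */
enum { HS_SERVER_KEY_EXCHANGE = 12, HS_CERTIFICATE_REQUEST = 13, HS_SERVER_HELLO_DONE = 14 };

/* The 8 KB cap from the report and the 100 KB cap from the patch. */
#define CAP_OLD     (1024 * 8)
#define CAP_PATCHED (1024 * 100)

/* Parse the 4-byte handshake header: 1 byte type, 3-byte big-endian body length.
 * Returns 0 on success, -1 if fewer than 4 bytes are available. */
static int parse_hs_header(const uint8_t *buf, size_t buflen, uint8_t *type, uint32_t *len) {
    if (buflen < 4) return -1;
    *type = buf[0];
    *len = ((uint32_t)buf[1] << 16) | ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];
    return 0;
}

/* Models the client side after receiving the server Certificate: any of the three
 * message types below is legal here, and one size cap is applied to all of them.
 * Returns 1 if accepted, 0 if rejected (wrong type, or body larger than cap),
 * -1 on a truncated header. (Assumed model, not OpenSSL's code.) */
int client_accepts_after_cert(const uint8_t *buf, size_t buflen, uint32_t cap) {
    uint8_t type;
    uint32_t len;
    if (parse_hs_header(buf, buflen, &type, &len) < 0) return -1;
    if (type != HS_SERVER_KEY_EXCHANGE && type != HS_CERTIFICATE_REQUEST &&
        type != HS_SERVER_HELLO_DONE)
        return 0;
    return len <= cap; /* the same comparison regardless of which message it is */
}

/* Build a constructed header for a message of the given type and body length. */
void make_hs_header(uint8_t out[4], uint8_t type, uint32_t len) {
    out[0] = type;
    out[1] = (uint8_t)(len >> 16);
    out[2] = (uint8_t)(len >> 8);
    out[3] = (uint8_t)len;
}

int main(void) {
    uint8_t hdr[4];
    make_hs_header(hdr, HS_CERTIFICATE_REQUEST, 12 * 1024); /* constructed 12 KB CA list */
    printf("12 KB CertificateRequest vs 8 KB cap:   %s\n",
           client_accepts_after_cert(hdr, sizeof hdr, CAP_OLD) ? "accepted" : "rejected");
    printf("12 KB CertificateRequest vs 100 KB cap: %s\n",
           client_accepts_after_cert(hdr, sizeof hdr, CAP_PATCHED) ? "accepted" : "rejected");
    return 0;
}
```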