> From: Jeffrey Altman <[EMAIL PROTECTED]>
>
> jaltman> In ssl\s3_srvr.c ssl3_get_client_key_exchange() there is a call to
> jaltman>
> jaltman>     n=ssl3_get_message(s,
> jaltman>                        SSL3_ST_SR_KEY_EXCH_A,
> jaltman>                        SSL3_ST_SR_KEY_EXCH_B,
> jaltman>                        SSL3_MT_CLIENT_KEY_EXCHANGE,
> jaltman>                        400, /* ???? */
> jaltman>                        &ok);
> jaltman>
> jaltman> The problem is that the max message size of 400 is too small to
> jaltman> contain a Kerberos 5 AP_REQ message. These messages can exceed 1K
> jaltman> depending on the number of keys (and even authorization data) included
> jaltman> in the message. Does anyone know why the number 400 was selected?
> jaltman>
> jaltman> What should this be?
>
> Judging (sp?) from the code in s3_both.c, the number can be anything
> from a programming point of view, so I'd say that any number you think
> you can feel safe with should work. I have no real problem with
> increasing that number to something like, say, 2048...
>
That number should be fine. The only thing that might be larger than
that would be if Microsoft ever supported the combination of KRB5 and
TLS. But given their architecture, Paul Leach has told me that it
would be impossible for them.

Jeffrey Altman * Sr.Software Designer
The Kermit Project * Columbia University
612 West 115th St * New York, NY * 10025 * USA
http://www.kermit-project.org/ * [EMAIL PROTECTED]
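The "max" argument to ssl3_get_message discussed in the thread is a receiver-side cap on how large a single handshake message may claim to be, so a value that is too small rejects legitimate Kerberos ClientKeyExchange messages while a generous one still bounds what a peer can make the server buffer. The following C code is an added example, not OpenSSL's code and not part of the thread: it parses the 4-byte TLS handshake header (1-byte type, 3-byte big-endian length; the type value 16 is the standard ClientKeyExchange HandshakeType) and enforces such a cap. The function names and the constructed filler message bodies are the example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Handshake message type for ClientKeyExchange (TLS HandshakeType value 16). */
#define HS_CLIENT_KEY_EXCHANGE 16
/* Size of the handshake header: 1 byte type, 3 bytes body length. */
#define HS_HEADER_LEN 4

enum hs_check_result {
    HS_OK = 0,
    HS_ERR_SHORT_HEADER = 1,   /* fewer than 4 bytes available */
    HS_ERR_WRONG_TYPE = 2,     /* not the message type we were waiting for */
    HS_ERR_TOO_LARGE = 3,      /* declared length exceeds the caller's cap */
    HS_ERR_TRUNCATED = 4       /* declared length exceeds the bytes available */
};

/* Read the handshake header and validate the declared body length against a
 * caller-supplied maximum, the way a "max" argument bounds how much a
 * receiver is willing to buffer for one message. */
enum hs_check_result hs_check_message(const uint8_t *buf, size_t buf_len,
                                      uint8_t expected_type, size_t max_body,
                                      size_t *body_len_out)
{
    if (buf_len < HS_HEADER_LEN)
        return HS_ERR_SHORT_HEADER;
    if (buf[0] != expected_type)
        return HS_ERR_WRONG_TYPE;
    /* 24-bit big-endian length of the message body. */
    size_t body_len = ((size_t)buf[1] << 16) | ((size_t)buf[2] << 8) | buf[3];
    /* Test the cap before the available-bytes test: a message the cap rejects
     * is refused without waiting for, or allocating room for, the rest of it. */
    if (body_len > max_body)
        return HS_ERR_TOO_LARGE;
    if (body_len > buf_len - HS_HEADER_LEN)
        return HS_ERR_TRUNCATED;
    if (body_len_out)
        *body_len_out = body_len;
    return HS_OK;
}

/* Build a constructed handshake message of the given type whose body is
 * body_len filler bytes. Returns total bytes written, or 0 if it does not fit. */
size_t hs_build_message(uint8_t *out, size_t out_len, uint8_t type, size_t body_len)
{
    if (body_len > 0xFFFFFF || out_len < HS_HEADER_LEN + body_len)
        return 0;
    out[0] = type;
    out[1] = (uint8_t)(body_len >> 16);
    out[2] = (uint8_t)(body_len >> 8);
    out[3] = (uint8_t)body_len;
    memset(out + HS_HEADER_LEN, 0xAB, body_len); /* opaque filler, not real key material */
    return HS_HEADER_LEN + body_len;
}

/* Build a ClientKeyExchange with a body of body_len constructed bytes and run
 * it through the check with the given cap; returns the hs_check_result code. */
int hs_demo_cap(size_t body_len, size_t max_body)
{
    uint8_t msg[4096];
    size_t n = hs_build_message(msg, sizeof msg, HS_CLIENT_KEY_EXCHANGE, body_len);
    if (n == 0)
        return -1;
    return (int)hs_check_message(msg, n, HS_CLIENT_KEY_EXCHANGE, max_body, NULL);
}

int main(void)
{
    /* A 1200-byte body stands in for a Kerberos AP_REQ-sized ClientKeyExchange. */
    printf("300-byte body,  max 400:  %d\n", hs_demo_cap(300, 400));
    printf("1200-byte body, max 400:  %d\n", hs_demo_cap(1200, 400));
    printf("1200-byte body, max 2048: %d\n", hs_demo_cap(1200, 2048));
    return 0;
}
```

The ordering of the two length tests is the point worth keeping: checking the declared length against the cap first means an oversized claim is refused from the header alone, before any buffer is grown to hold the body, which is the property the cap exists to give the server.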
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]