On Thu, Aug 23, 2001 at 02:21:27PM -0500, Douglas E. Engert wrote:
> A fix was introduced in OpenSSL-0.9.5 or so. This added the
> ssl3_check_client_hello routine to ssl/s3_srvr.c to check for a
> new client hello message when a certificate chain was expected.
>
> This introduced a bug, in that it limited the certificate chain
> to SSL3_RT_MAX_PLAIN_LENGTH rather than the original arbitrary 100K
> limit used in the ssl3_get_client_certificate routine.
> Here is a fix to OpenSSL-0.9.6 to have it use the 100K limit.
>
>
> *** ,s3_srvr.c Mon Sep 11 07:42:59 2000
> --- s3_srvr.c Thu Aug 23 13:32:37 2001
> ***************
> *** 537,543 ****
> SSL3_ST_SR_CERT_A,
> SSL3_ST_SR_CERT_B,
> -1,
> ! SSL3_RT_MAX_PLAIN_LENGTH,
> &ok);
> if (!ok) return((int)n);
> s->s3->tmp.reuse_message = 1;
> --- 537,547 ----
> SSL3_ST_SR_CERT_A,
> SSL3_ST_SR_CERT_B,
> -1,
> ! #if defined(MSDOS) && !defined(WIN32)
> ! 1024*30, /* 30k max cert list :-) */
> ! #else
> ! 1024*100, /* 100k max cert list :-) */
> ! #endif
> &ok);
> if (!ok) return((int)n);
> s->s3->tmp.reuse_message = 1;
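Review bot: the replacement lines hard-code `1024*30` and `1024*100` at this call site, duplicating the same magic numbers the description says ssl3_get_client_certificate already uses, so the two limits can drift apart again (exactly how SSL3_RT_MAX_PLAIN_LENGTH crept in here). Suggest a single named constant (or a field read from the SSL/SSL_CTX) used by both callers; that also gives the natural hook for the run-time setting requested below. The MSDOS-only 30k branch deserves a comment saying why that platform needs a smaller cap.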
Hmm. Seems reasonable to me. ssl3_check_client_hello() was realized
by Steve Henson. Steve: do you see any problem?
> As the 100K is an arbitrary limit, I would also like to see this changed
> so it is a parameter which could be set by the application. Although we don't
> currently have certificate chains over 100K with Globus, we could in the future.
Sounds horrible. With certificates typically having a size of 1-2kB this
would mean a chain length of ...
And it also means that 100kB are on the wire even before any payload is
handled...
> The SSLv3 specs don't set this limit, but rather allows 2^24 certificates.
> I understand the need to have some practical limit, but it should be
> settable by the application at run time.
To be considered.
Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
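An added example, not code from the thread or from OpenSSL, showing the check under discussion: a Certificate handshake body is walked using its 24-bit length fields and rejected when the list exceeds a caller-supplied cap, the run-time setting Douglas asks for. It assumes SSL3_RT_MAX_PLAIN_LENGTH is 16384, and check_chain_of builds a constructed chain of placeholder certificates to show that 12 certs of 1.5 kB pass the 100K cap but not the record-size cap.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Illustrative constants (assumed values, not OpenSSL's own definitions). */
#define RECORD_PLAIN_MAX 16384u          /* assumed value of SSL3_RT_MAX_PLAIN_LENGTH, the buggy cap */
#define CERT_LIST_100K   (1024u * 100)   /* the 100K limit the patch restores */
/* SSLv3/TLS handshake lengths are 24-bit big-endian, hence the 2^24 ceiling. */
static uint32_t get_u24(const unsigned char *p) {
    return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | p[2];
}
static void put_u24(unsigned char *p, uint32_t v) {
    p[0] = (unsigned char)(v >> 16); p[1] = (unsigned char)(v >> 8); p[2] = (unsigned char)v;
}
/* Validate a Certificate message body (certificate_list of ASN.1Cert items)
 * against an application-chosen cap instead of a hard-coded constant.
 * Returns the number of certificates, or -1 if the list is over the cap or malformed. */
int check_cert_list(const unsigned char *body, size_t body_len, uint32_t max_list_len) {
    if (body_len < 3) return -1;
    uint32_t list_len = get_u24(body);
    if (list_len > max_list_len) return -1;     /* the cap the thread is about */
    if (list_len != body_len - 3) return -1;    /* truncated or trailing bytes */
    const unsigned char *p = body + 3, *end = body + body_len;
    int count = 0;
    while (p < end) {
        if ((size_t)(end - p) < 3) return -1;
        uint32_t cert_len = get_u24(p);
        p += 3;
        if (cert_len == 0 || cert_len > (size_t)(end - p)) return -1;
        p += cert_len;
        count++;
    }
    return count;
}
/* Constructed input: a chain of n placeholder certs of cert_len bytes each. */
static unsigned char chain_buf[CERT_LIST_100K + 3];
int check_chain_of(int n, uint32_t cert_len, uint32_t max_list_len) {
    size_t need = 3 + (size_t)n * (3 + cert_len);
    if (need > sizeof chain_buf) return -1;
    put_u24(chain_buf, (uint32_t)(need - 3));
    unsigned char *p = chain_buf + 3;
    for (int i = 0; i < n; i++) {
        put_u24(p, cert_len);
        memset(p + 3, 0x30, cert_len);  /* filler bytes, not real DER */
        p += 3 + cert_len;
    }
    return check_cert_list(chain_buf, need, max_list_len);
}
```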
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]