Hi there,

I stumbled on a bug in ssl\s3_clnt.c, line 855,
in function ssl3_get_key_exchange(SSL *s):
the limit on the possible message size is hardcoded to 8K:

        n=ssl3_get_message(s,
                SSL3_ST_CR_KEY_EXCH_A,
                SSL3_ST_CR_KEY_EXCH_B,
                -1,
                1024*8, /* ?? */
                &ok);

While using the latest Apache and mod_ssl
(Apache 1.3.17, Mod_SSL 2.8.0, OpenSSL 0.9.6)
with SSLCipherSuite set to MEDIUM in the Apache config,
the result is a message size of 9865 bytes,
so the SSL handshake fails with SSL_R_EXCESSIVE_MESSAGE_SIZE.

The fix is trivial: just use 10K or more for the limit. I tested it, and it works
fine. The latest 0.9.6b build still has this problem;
I hope this fix will make it into the next release.


Thanks, Alex


P.S. here is my Apache SSL config just in case:

<IfModule mod_ssl.c>
SSLPassPhraseDialog  builtin
SSLSessionCache none
SSLSessionCacheTimeout  300
SSLMutex  file:/usr/local/apache/logs/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLLog      /usr/local/apache/logs/ssl_engine_log
SSLLogLevel warn
SSLEngine on
SSLCipherSuite MEDIUM
SSLCACertificatePath /usr/local/apache/conf/ssl.crt
SSLCertificateFile /usr/local/apache/keys/msgrouter01.dev.crt
SSLCertificateKeyFile /usr/local/apache/keys/msgrouter01.dev.key
SSLOptions +ExportCertData
SSLVerifyClient optional
</IfModule>
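As an added illustration (not code from the report or from OpenSSL), a C sketch of the length check that ssl3_get_message() applies: it parses the 4-byte handshake header (1-byte type, 3-byte big-endian length) and rejects a body longer than the caller's limit, so the 9865-byte ServerKeyExchange described above fails at 8K and passes at 10K. The function names, result codes and the constructed header are assumptions for the example.

```c
#include <stdint.h>
#include <stddef.h>

/* ServerKeyExchange handshake type (SSL3/TLS value 12). */
#define HS_SERVER_KEY_EXCHANGE 12

/* Result codes, constructed for this example (not OpenSSL's reason codes). */
enum hs_result {
    HS_OK = 0,
    HS_ERR_SHORT_HEADER = 1,
    HS_ERR_WRONG_TYPE = 2,
    HS_ERR_EXCESSIVE_SIZE = 3   /* analogue of SSL_R_EXCESSIVE_MESSAGE_SIZE */
};

/* Parse a handshake header (1-byte type + 3-byte big-endian length) and
 * reject bodies longer than max_len, as ssl3_get_message() does with its
 * "max" argument. On success *body_len receives the declared length. */
int check_handshake_header(const uint8_t *hdr, size_t hdr_len,
                           int expected_type, size_t max_len,
                           size_t *body_len)
{
    if (hdr_len < 4)
        return HS_ERR_SHORT_HEADER;
    if (hdr[0] != expected_type)
        return HS_ERR_WRONG_TYPE;
    size_t n = ((size_t)hdr[1] << 16) | ((size_t)hdr[2] << 8) | hdr[3];
    if (n > max_len)
        return HS_ERR_EXCESSIVE_SIZE;
    *body_len = n;
    return HS_OK;
}

/* Build the 4-byte header for a message of the given type and length. */
void make_handshake_header(uint8_t hdr[4], int type, size_t len)
{
    hdr[0] = (uint8_t)type;
    hdr[1] = (uint8_t)((len >> 16) & 0xff);
    hdr[2] = (uint8_t)((len >> 8) & 0xff);
    hdr[3] = (uint8_t)(len & 0xff);
}

/* Result of checking the report's 9865-byte ServerKeyExchange against max_len. */
int result_for_limit(size_t max_len)
{
    uint8_t hdr[4];
    size_t n = 0;
    make_handshake_header(hdr, HS_SERVER_KEY_EXCHANGE, 9865); /* constructed */
    return check_handshake_header(hdr, 4, HS_SERVER_KEY_EXCHANGE, max_len, &n);
}
```

With the 8K limit from the quoted call result_for_limit() returns HS_ERR_EXCESSIVE_SIZE; with 10K it returns HS_OK.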
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List