SSLv3 clients call ssl3_get_key_exchange regardless of whether this message is required for the chosen cipher.
As a result, ssl3_get_message called from ssl3_get_key_exchange ends up reading the certificate request message (when doing client auth and the key exchange message is absent):

    n=ssl3_get_message(s,
            SSL3_ST_CR_KEY_EXCH_A,
            SSL3_ST_CR_KEY_EXCH_B,
            -1,
            1024*8, /* ?? */
            &ok);

This results in a limit of 8K for the certificate request list, whereas the limit should be 100K.

This bug manifests itself when using s_client to connect to apache-modssl. Apache sends all the CAs listed in ca-bundle.crt, which exceeds the 8K limit and causes the client to barf:

    28537:error:1408E098:SSL routines:SSL3_GET_MESSAGE:excessive message size:s3_both.c:418:

Nagendra Modadugu
[EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
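
The size check described in the report above, as an added example that is not part of the original message and is not OpenSSL code. The function names (model_get_message, read_next_reported, read_next_tolerant) are hypothetical, the header bytes are constructed, and the "tolerant" reader is one possible correction rather than the project's fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Handshake message types from the SSLv3/TLS specification. */
enum { HS_SERVER_KEY_EXCHANGE = 12, HS_CERTIFICATE_REQUEST = 13 };

/* Limits quoted in the report: 8K passed by the key exchange reader,
 * 100K intended for the certificate request list. */
#define KEY_EXCH_MAX (1024L * 8)
#define CERT_REQ_MAX (1024L * 100)

/* Simplified model (an assumption, not OpenSSL code) of the length check
 * made once the 4-byte handshake header is read: 1 byte type, 3 bytes
 * big-endian length. Returns the body length, or -1 for
 * "excessive message size". */
static long model_get_message(const uint8_t hdr[4], long max, int *type)
{
    long len = ((long)hdr[1] << 16) | ((long)hdr[2] << 8) | (long)hdr[3];
    *type = hdr[0];
    return len > max ? -1 : len;
}

/* Behaviour described in the report: the reader for the optional key
 * exchange message applies its own 8K cap to whatever arrives next. */
static long read_next_reported(const uint8_t hdr[4], int *type)
{
    return model_get_message(hdr, KEY_EXCH_MAX, type);
}

/* One possible correction: when the message may be skipped, accept up to
 * the largest limit of any message that can legally take its place. */
static long read_next_tolerant(const uint8_t hdr[4], int *type)
{
    long max = KEY_EXCH_MAX > CERT_REQ_MAX ? KEY_EXCH_MAX : CERT_REQ_MAX;
    return model_get_message(hdr, max, type);
}

int main(void)
{
    /* Constructed header: CertificateRequest with a 20000-byte body. */
    const uint8_t hdr[4] = { HS_CERTIFICATE_REQUEST, 0x00, 0x4E, 0x20 };
    int type = 0;
    printf("reported: %ld\n", read_next_reported(hdr, &type));
    printf("tolerant: %ld (type %d)\n", read_next_tolerant(hdr, &type), type);
    return 0;
}
```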