On Sat, Sep 26, 2015 at 12:17:20AM +0000, Salz, Rich wrote:

> > On the other side of the coin handling very large ClientHello's is not
> > without
> > cost and risk.
>
> As long as it's a #define that can be changed in ssl.h (or a runtime global?
> Ick) we should be okay.
It would have to be more configurable than that to be worth the bother. All sorts of "appliance" products with OpenSSL inside would potentially some day pose a barrier to interoperability with clients that send large HELLO messages.

I should note that server side session state can also contain a client certificate, which is then embedded in the session ticket. So the outer limits of current practice are somewhat bigger.

We could perhaps increase the limit from 16K to 32K bytes, just in case that helps, and hope that the result does not expose servers to significantly higher risk of DoS. Or raise the issue on the TLS WG. Are servers really expected to support up to 128K or so of client HELLO?

--
Viktor.

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
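The trade-off the thread is about (a server bounding how large a ClientHello it will reassemble, and whether that bound is a compile-time constant or a runtime setting) comes down to one check on the handshake-layer header before any body bytes are buffered. The following is an added example written for this page, not OpenSSL's own code: the limit names `HELLO_LIMIT_16K`/`HELLO_LIMIT_32K`, the function names and the sample sizes are this example's assumptions, chosen to match the 16K, 32K and 128K figures mentioned above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Limits discussed in the thread: 16K today, 32K as a possible increase.
 * These names are this example's own, not OpenSSL's. */
#define HELLO_LIMIT_16K (16u * 1024u)
#define HELLO_LIMIT_32K (32u * 1024u)

/* TLS HandshakeType value for client_hello. */
#define HS_TYPE_CLIENT_HELLO 1u

enum hello_verdict {
    HELLO_OK = 0,           /* header sane and body fits the limit: safe to buffer */
    HELLO_TOO_SHORT,        /* fewer than 4 bytes: need more data before deciding */
    HELLO_NOT_CLIENT_HELLO, /* some other handshake message type */
    HELLO_TOO_LARGE         /* declared body exceeds the configured limit */
};

/* Inspect a TLS handshake-layer header (1-byte msg_type, 3-byte body length)
 * and decide whether to allocate and reassemble the body. The decision is
 * made before any body bytes are buffered, which is what bounds the memory an
 * unauthenticated peer can make the server hold; record-layer fragmentation
 * does not change the announced handshake length. max_hello is the
 * runtime-configurable cap (rather than a fixed #define) argued for above. */
enum hello_verdict check_client_hello_header(const uint8_t *hdr, size_t hdr_len,
                                             uint32_t max_hello, uint32_t *body_len)
{
    if (hdr_len < 4)
        return HELLO_TOO_SHORT;
    if (hdr[0] != HS_TYPE_CLIENT_HELLO)
        return HELLO_NOT_CLIENT_HELLO;
    uint32_t len = ((uint32_t)hdr[1] << 16) | ((uint32_t)hdr[2] << 8) | (uint32_t)hdr[3];
    if (body_len)
        *body_len = len;
    if (len > max_hello)
        return HELLO_TOO_LARGE;
    return HELLO_OK;
}

/* Build a constructed client_hello handshake header announcing body_len
 * bytes; used only to exercise the check above. */
void make_client_hello_header(uint8_t out[4], uint32_t body_len)
{
    out[0] = HS_TYPE_CLIENT_HELLO;
    out[1] = (uint8_t)((body_len >> 16) & 0xff);
    out[2] = (uint8_t)((body_len >> 8) & 0xff);
    out[3] = (uint8_t)(body_len & 0xff);
}

/* Convenience wrapper: build a header for body_len and check it against limit. */
enum hello_verdict verdict_for(uint32_t body_len, uint32_t limit)
{
    uint8_t hdr[4];
    make_client_hello_header(hdr, body_len);
    return check_client_hello_header(hdr, sizeof hdr, limit, NULL);
}

int main(void)
{
    /* Constructed sample sizes: a typical hello, a certificate-laden one
     * between the 16K and 32K limits, and the 128K case the thread asks about. */
    const uint32_t samples[] = { 512u, 20000u, 131072u };
    const uint32_t limits[] = { HELLO_LIMIT_16K, HELLO_LIMIT_32K };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        for (size_t j = 0; j < sizeof limits / sizeof limits[0]; j++) {
            enum hello_verdict v = verdict_for(samples[i], limits[j]);
            printf("body=%u limit=%u -> %s\n", samples[i], limits[j],
                   v == HELLO_OK ? "buffer" : "reject before buffering");
        }
    }
    return 0;
}
```

Raising the cap from 16K to 32K changes only the verdict for the middle sample; a 128K hello is rejected under either limit, which is the interoperability cost the message weighs against the memory a peer can pin per half-open handshake.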