On Wed Dec 23 15:42:54 2015, d...@inky.com wrote:
> Using the current master (head) code, this reproduces it:
>
> openssl s_client -connect mail.baggett.org:465
>
> This is my own personal mail server, so feel free to poke and prod it.
Great, thanks. I can reproduce this now.

The problem is that the server has been configured to allow client auth. The CertificateRequest message coming from the server seems very long (nearly 20k). This is primarily made up of a long list of acceptable CA names. The master code has the max size limit for this message as being SSL3_RT_MAX_PLAIN_LENGTH (16384 bytes). This is the maximum that can be put into a single TLS record. Previous versions had it set to s->max_cert_list, which is a configurable value that by default is 100k.

The attached patch should resolve this issue (it just reverts the size limit to what it was before).

Matt
>From 14202312b361b5b5c1ad719b96c02daeb1e2b0c0 Mon Sep 17 00:00:00 2001 From: Matt Caswell <m...@openssl.org> Date: Wed, 23 Dec 2015 16:36:59 +0000 Subject: [PATCH] Increase the max size limit for a CertificateRequest message Previous versions of OpenSSL had the max size limit for a CertificateRequest message as |s->max_cert_list|. Previously master had it to be SSL3_RT_MAX_PLAIN_LENGTH. However these messages can get quite long if a server is configured with a long list of acceptable CA names. Therefore the size limit has been increased to be consistent with previous versions. --- ssl/statem/statem_clnt.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index e7c9413..5f9d182 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -695,7 +695,11 @@ unsigned long ossl_statem_client_max_message_size(SSL *s) return SERVER_KEY_EXCH_MAX_LENGTH; case TLS_ST_CR_CERT_REQ: - return SSL3_RT_MAX_PLAIN_LENGTH; + /* Set to s->max_cert_list for compatibility with previous releases. + * In practice these messages can get quite long if servers are + * configured to provide a long list of acceptable CAs + */ + return s->max_cert_list; case TLS_ST_CR_SRVR_DONE: return SERVER_HELLO_DONE_MAX_LENGTH; -- 2.5.0
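Review bot: the diffstat shows only ssl/statem/statem_clnt.c changing, so the documentation for the max_cert_list setting is not updated to say that it now also bounds the CertificateRequest message a client will accept; since that value is configurable (100k by default, per the reply above) and is the client's only guard against a server making it buffer a very large handshake message, a doc note alongside `return s->max_cert_list;` would let operators size it deliberately. The new comment block could also state why SSL3_RT_MAX_PLAIN_LENGTH was the wrong bound (a handshake message may span several TLS records, so a per-record size is not a per-message limit), which is the point the commit message makes but the code comment does not.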
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
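Matt's explanation above turns on two different limits: the record-size cap that master applied (SSL3_RT_MAX_PLAIN_LENGTH, 16384 bytes) and the configurable per-message cap the patch restores (s->max_cert_list, 100k by default). The following Python is an added example, not OpenSSL's code or anything from the thread: it serializes and parses a TLS 1.2 CertificateRequest body (RFC 5246, section 7.4.4) using constructed CA names, then applies each limit to show that a list of a few hundred CA names overruns a single record while staying well under the 100k default. The single-commonName DN encoder, the sample sizes and the function names are assumptions of this example.

```python
"""Added example (not OpenSSL code): encode and parse a TLS 1.2
CertificateRequest body and compare its size against the record-size cap
and the max_cert_list cap discussed on the thread."""
import struct

SSL3_RT_MAX_PLAIN_LENGTH = 16384     # most plaintext one TLS record can carry
DEFAULT_MAX_CERT_LIST = 100 * 1024   # OpenSSL's default s->max_cert_list (100k)


def _der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def der_cn_name(cn):
    """Constructed X.501 Name holding a single commonName (OID 2.5.4.3)."""
    atv = _der(0x30, b"\x06\x03\x55\x04\x03" + _der(0x13, cn.encode("ascii")))
    # Name ::= SEQUENCE { RDN ::= SET { AttributeTypeAndValue } }
    return _der(0x30, _der(0x31, atv))


def build_certificate_request(cert_types, sig_algs, ca_names):
    """Serialize a CertificateRequest body. The 4-byte handshake header
    (msg_type 13 plus a 24-bit length) is not included."""
    body = bytes([len(cert_types)]) + bytes(cert_types)       # <1..2^8-1>
    sa = b"".join(bytes(pair) for pair in sig_algs)           # (hash, sig) pairs
    body += struct.pack("!H", len(sa)) + sa                   # <2..2^16-2>
    cas = b"".join(struct.pack("!H", len(dn)) + dn for dn in ca_names)
    body += struct.pack("!H", len(cas)) + cas                 # <0..2^16-1>
    return body


def parse_certificate_request(body):
    """Inverse of build_certificate_request; rejects truncated or trailing data."""
    off = 0
    n = body[off]
    off += 1
    cert_types = list(body[off:off + n])
    off += n
    (sa_len,) = struct.unpack_from("!H", body, off)
    off += 2
    sig_algs = [tuple(body[i:i + 2]) for i in range(off, off + sa_len, 2)]
    off += sa_len
    (ca_len,) = struct.unpack_from("!H", body, off)
    off += 2
    end = off + ca_len
    ca_names = []
    while off < end:
        (dn_len,) = struct.unpack_from("!H", body, off)
        off += 2
        ca_names.append(body[off:off + dn_len])
        off += dn_len
    if off != end or off != len(body):
        raise ValueError("truncated or trailing CertificateRequest data")
    return cert_types, sig_algs, ca_names


def message_fits(body, limit):
    """OpenSSL's per-message check compares the 24-bit handshake length
    (the body length) against the state machine's limit."""
    return len(body) <= limit


def limit_verdicts(body):
    """Which rule admits this message: master's record-size cap versus the
    max_cert_list cap the patch restores."""
    return {
        "SSL3_RT_MAX_PLAIN_LENGTH": message_fits(body, SSL3_RT_MAX_PLAIN_LENGTH),
        "max_cert_list": message_fits(body, DEFAULT_MAX_CERT_LIST),
    }


def sample_request(num_cas):
    """Constructed sample: rsa_sign/ecdsa_sign, four signature algorithms,
    and num_cas distinct CA names of 33 DER bytes each."""
    cas = [der_cn_name("Example Root CA %04d" % i) for i in range(num_cas)]
    return build_certificate_request([1, 64], [(4, 1), (5, 1), (6, 1), (4, 3)], cas)


if __name__ == "__main__":
    for n in (20, 500):
        body = sample_request(n)
        print(n, "CA names ->", len(body), "bytes", limit_verdicts(body))
```

With 500 CA names the body is 17515 bytes: larger than one TLS record, so master's limit rejects it with an excessive-message-size error even though it is a perfectly valid handshake message, while the restored max_cert_list limit accepts it with room to spare.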