On Fri, Feb 12, 2010 at 12:41:16PM +0100, Steffen DETTMER wrote:

> * Victor Duchovni wrote:
> > The SSL/TLS record layer has a maximum record size, a
> > certificate probably needs to fit into one record, so if your
> > 500+ domains generate a certificate that is larger than ~16K
> > bytes, you may be out of luck.
>
> (I just ask out of curiosity, not because I have any problem with that!)
> Does this mean that OpenSSL has a compiled-in certificate size
> limitation and to increase that it would be required to replace
> the libs on the systems needing to support bigger certificates?
The limit is not (only?) an X.509 limit; rather, the SSL/TLS record layer
cannot carry messages larger than 2^14 bytes (plus some overhead for
compression algorithms, which provably need to be able to make some records
larger in order to make most records smaller). Given that the server
certificate message in the SSL handshake needs to fit into a single record,
the SSL/TLS protocol constrains certificates to 2^14 (16K) bytes.

-- 
	Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
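The following is an added example, not code from the thread or from OpenSSL. It frames a PEM chain as the TLS 1.2 Certificate handshake message (the 1-byte type, uint24 length and uint24-prefixed certificate list from RFC 5246, section 7.4.2) and reports how much room is left under the 2^14-byte plaintext record ceiling Viktor cites, so an operator with a large SAN certificate can measure the problem before deploying. It also parses a 5-byte record header and enforces the receiver-side ceilings from RFC 5246, section 6.2: 2^14 for plaintext, 2^14 + 1024 after compression, 2^14 + 2048 for ciphertext. The sample certificate is constructed filler (a DER-looking SEQUENCE of zero bytes), not a real certificate.

```python
import base64
import re
import struct

# Record-layer ceilings from RFC 5246 (TLS 1.2), section 6.2.
MAX_PLAINTEXT = 2 ** 14                 # TLSPlaintext.length MUST NOT exceed 2^14 (16384)
MAX_COMPRESSED = MAX_PLAINTEXT + 1024   # compression may grow a record by at most 1024 bytes
MAX_CIPHERTEXT = MAX_PLAINTEXT + 2048   # MAC and padding may add at most 2048 bytes

HANDSHAKE_CERTIFICATE = 11              # HandshakeType certificate(11)

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_chain_to_der(pem_text):
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle, in order."""
    return [base64.b64decode("".join(m.split())) for m in _PEM_RE.findall(pem_text)]


def u24(n):
    """Encode a 24-bit big-endian length as used by TLS handshake framing."""
    if not 0 <= n < 2 ** 24:
        raise ValueError("length does not fit in 24 bits")
    return n.to_bytes(3, "big")


def build_certificate_message(der_certs):
    """Build the TLS 1.2 Certificate handshake message (RFC 5246, section 7.4.2):
    Handshake header (type, uint24 length) + certificate_list<0..2^24-1>,
    where each entry is an opaque<1..2^24-1> holding one DER certificate."""
    entries = b"".join(u24(len(c)) + c for c in der_certs)
    body = u24(len(entries)) + entries
    return bytes([HANDSHAKE_CERTIFICATE]) + u24(len(body)) + body


def certificate_record_headroom(der_certs):
    """Bytes left below the 2^14 plaintext record limit for this chain
    (negative when the Certificate message alone exceeds one record)."""
    return MAX_PLAINTEXT - len(build_certificate_message(der_certs))


def fits_in_one_record(der_certs):
    """True if the whole Certificate message fits a single plaintext record."""
    return certificate_record_headroom(der_certs) >= 0


def parse_record_header(data, encrypted=False):
    """Parse a 5-byte TLS record header and apply the ceiling a conforming
    receiver enforces: 2^14 for plaintext, 2^14 + 2048 for ciphertext."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    if content_type not in (20, 21, 22, 23):   # CCS, alert, handshake, application data
        raise ValueError("unknown content type %d" % content_type)
    limit = MAX_CIPHERTEXT if encrypted else MAX_PLAINTEXT
    if length > limit:
        raise ValueError("record length %d exceeds limit %d" % (length, limit))
    return {"type": content_type, "version": (major, minor), "length": length}


def make_filler_der(size):
    """Constructed stand-in for a certificate: a DER SEQUENCE header followed by
    zero bytes, 'size' bytes in total. It is not a real certificate."""
    body = b"\x00" * (size - 4)
    return b"\x30\x82" + len(body).to_bytes(2, "big") + body


# Constructed sample PEM bundle wrapping one 1200-byte filler "certificate".
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(make_filler_der(1200)).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    chain = pem_chain_to_der(SAMPLE_PEM)
    print("chain of %d cert(s), headroom %d bytes"
          % (len(chain), certificate_record_headroom(chain)))
    # A single 20000-byte certificate (hundreds of SAN entries) does not fit one record.
    print("20000-byte cert fits one record:", fits_in_one_record([make_filler_der(20000)]))
```

To measure a real deployment, read the server's PEM bundle into `pem_chain_to_der()` and look at `certificate_record_headroom()`; the framing overhead is 7 bytes for the message plus 3 bytes per certificate, so the headroom is dominated by the DER size of the leaf and any intermediates sent with it.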