On Thu, Apr 13, 2023 at 02:35:50AM +0000, Peter Gutmann wrote:
> Salz, Rich <rsalz=40akamai....@dmarc.ietf.org> writes:
> 
> >Is this generally used?  Would things go badly if we stopped sending them?
> 
> Just as a data point, in the SCADA world it seems to be universally ignored.
> I've seen everything from servers that send a list containing every CA in
> existence, so much data in that one field that it overflows the TLS maximum
> message size (when queried the server admins asked what a CA name list was,
> and what it was used for), to a few random CA names that don't correspond to
> anything they'll accept (when queried the server admins asked what a CA name
> list was, and what it was used for), to nothing at all.  I've also seen plenty
> of servers that send cert requests to the client without actually wanting a
> cert (when queried the server admins asked what a cert request was, and what
> it was used for).

You mean overflow the maximum field size (64kB)?

I don't think anything can deal with overflowing maximum message size,
as that will cause the handshake to desync (everything afterwards will
be garbage). Overflowing the field could still work if the client just
ignores what is in there (there is nothing after that in the certificate
request).

And furthermore, overflowing the message would require a truly
impressive number of CA certs. Even WebPKI, infamous for having lots of
CAs, does not have even close to enough for that (an order of magnitude
more might start coming close).



-Ilari

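Added example, not part of the thread or of any TLS implementation: a small Python encoder/parser for the certificate_authorities vector whose 2^16-1 limit is discussed above, with the consistency check a client needs even when it ignores the CA list (an outer length that runs past the message is the desync case), plus a count of how many Distinguished Names fit under the field limit versus the 2^24-1 handshake-message limit. The der_cn_name helper and all sample names are constructed for illustration.

```python
"""certificate_authorities vector of a TLS 1.2 CertificateRequest (RFC 5246 s7.4.4):
    opaque DistinguishedName<1..2^16-1>;
    DistinguishedName certificate_authorities<0..2^16-1>;
Its 2-byte length caps it at 65535 bytes; the Handshake message length is 3 bytes."""
import struct

FIELD_MAX = 0xFFFF        # 2^16-1: largest certificate_authorities vector
HANDSHAKE_MAX = 0xFFFFFF  # 2^24-1: largest Handshake message body


def der_cn_name(cn):
    """Constructed helper: minimal DER Name with one commonName (cn at most 100 bytes).
    SEQUENCE { SET { SEQUENCE { OID 2.5.4.3, UTF8String cn } } }, short-form lengths only."""
    enc = cn.encode()
    attr = b"\x06\x03\x55\x04\x03" + bytes([0x0C, len(enc)]) + enc
    rdn = bytes([0x30, len(attr)]) + attr
    rdn_set = bytes([0x31, len(rdn)]) + rdn
    return bytes([0x30, len(rdn_set)]) + rdn_set


def encode_certificate_authorities(dns):
    """Encode DER names as the TLS vector; refuse anything the 2-byte length cannot hold."""
    body = b"".join(struct.pack("!H", len(dn)) + dn for dn in dns)
    if len(body) > FIELD_MAX:
        raise ValueError(f"certificate_authorities is {len(body)} bytes, max {FIELD_MAX}")
    return struct.pack("!H", len(body)) + body


def parse_certificate_authorities(buf):
    """Parse the vector that ends a CertificateRequest; return (names, trailing bytes).
    The outer length must fit inside the message or the handshake stream is desynced;
    a client that ignores the CA list still needs that outer length to be consistent."""
    if len(buf) < 2:
        raise ValueError("truncated certificate_authorities length")
    (total,) = struct.unpack("!H", buf[:2])
    if len(buf) < 2 + total:
        raise ValueError("certificate_authorities length runs past end of message")
    body, rest = buf[2:2 + total], buf[2 + total:]
    names, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated DistinguishedName length")
        (n,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        if n == 0 or pos + n > len(body):
            raise ValueError("DistinguishedName length inconsistent with vector")
        names.append(body[pos:pos + n])
        pos += n
    return names, rest


def names_until_overflow(dn_len, limit):
    """Number of dn_len-byte names (each with a 2-byte length prefix) that fit under limit."""
    return limit // (dn_len + 2)
```

With 22-byte names the field holds 2730 entries while the message could hold 699050, which is the factor-of-256 gap between the two limits.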
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
