[openssl-commits] [openssl] master update

Matt Caswell matt at openssl.org
Sun Dec 27 23:03:12 UTC 2015

The branch master has been updated
       via  057b6f797d89964892620fe9980a1ca6872a771f (commit)
      from  b1931d432f4b53ceb2e2eacec09c2e32e043830b (commit)

- Log -----------------------------------------------------------------
commit 057b6f797d89964892620fe9980a1ca6872a771f
Author: Matt Caswell <matt at openssl.org>
Date:   Wed Dec 23 16:36:59 2015 +0000

    Increase the max size limit for a CertificateRequest message

    Previous versions of OpenSSL had the max size limit for a CertificateRequest
    message as |s->max_cert_list|. Previously master had it to be
    SSL3_RT_MAX_PLAIN_LENGTH. However these messages can get quite long if a
    server is configured with a long list of acceptable CA names. Therefore
    the size limit has been increased to be consistent with previous versions.

    Reviewed-by: Viktor Dukhovni <viktor at openssl.org>


Summary of changes:
 ssl/statem/statem_clnt.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index b14e6ed..536689b 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -696,7 +696,11 @@ unsigned long ossl_statem_client_max_message_size(SSL *s)
             return SERVER_KEY_EXCH_MAX_LENGTH;
         case TLS_ST_CR_CERT_REQ:
-            return SSL3_RT_MAX_PLAIN_LENGTH;
+            /* Set to s->max_cert_list for compatibility with previous releases.
+             * In practice these messages can get quite long if servers are
+             * configured to provide a long list of acceptable CAs
+             */
+            return s->max_cert_list;
         case TLS_ST_CR_SRVR_DONE:
             return SERVER_HELLO_DONE_MAX_LENGTH;
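
Review bot: In the TLS_ST_CR_CERT_REQ case the bound changes from the compile-time constant SSL3_RT_MAX_PLAIN_LENGTH to the per-connection field s->max_cert_list, whose name says it is sized for certificate lists, and the new comment should say that CertificateRequest now shares that setting. As written, any code that raises the field to accept long certificate chains also raises how much CertificateRequest data the client will buffer from a server, and any code that lowers it can start rejecting servers with long CA lists. The hunk does not show the field's type; because the function returns unsigned long, confirm the field cannot hold a negative value when it reaches this return, or clamp it here. Style point: the multi-line comment starts its text on the opening /* line; put /* on a line by itself.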
