[openssl-dev] [openssl.org #4198] BUG: READ_STATE_MACHINE:excessive message size during handshake
Matt Caswell via RT
rt at openssl.org
Wed Dec 23 16:48:20 UTC 2015
On Wed Dec 23 15:42:54 2015, dmb at inky.com wrote:
> Using the current master (head) code, this reproduces it:
>
> openssl s_client -connect mail.baggett.org:465
>
> This is my own personal mail server, so feel free to poke and prod it.
>
Great, thanks. I can reproduce this now.
The problem is that the server has been configured to allow client auth. The
CertificateRequest message coming from the server seems very long (nearly 20k).
This is primarily made up of a long list of acceptable CA names.
The master code has the max size limit for this message as being
SSL3_RT_MAX_PLAIN_LENGTH (16384 bytes). This is the maximum that can be put
into a single TLS record. Previous versions had it set to s->max_cert_list
which is a configurable value that by default is 100k.
The attached patch should resolve this issue (it just reverts the size limit to
what it was before).
Matt
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cert-req-size.patch
Type: text/x-patch
Size: 1422 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20151223/7b35f518/attachment.bin>
More information about the openssl-dev
mailing list