[openssl-dev] [openssl.org #4198] BUG: READ_STATE_MACHINE:excessive message size during handshake
Viktor Dukhovni
openssl-users at dukhovni.org
Sun Dec 27 22:24:04 UTC 2015
On Sun, Dec 27, 2015 at 10:20:41PM +0000, Matt Caswell wrote:
> > I am very tempted to say that this misconfiguration *should* fail,
> > it is far better to send an *empty* list of trusted CAs than send
> > the Vladivostok phone directory.
>
> I strongly disagree.
I did say *tempted*. In practice, I too would oppose that maximalist
stance.
> > Sending the whole bundle to every client is not a good idea. The
> > empty list works much better in every respect.
>
> This might be worthwhile as a *server side* solution. It should not
> prevent us from accepting long CertificateRequests on the client.
We're on the same page, see the discussion on your MR in gitlab.
--
Viktor.