[openssl-dev] [EXTERNAL] Re: [openssl.org #4063] Client Hello longer than 2^14 bytes are rejected

Sands, Daniel dnsands at sandia.gov
Fri Sep 25 17:44:58 UTC 2015


> > On Friday 25 September 2015 16:54:02 Alessandro Ghedini via RT wrote:
> > > FWIW I checked a couple of TLS implementations I have around (GnuTLS
> > > and s2n), and AFAICT they don't check for a maximum size at all.
> >
> > what do you mean by that? As we've said with Matt, you can't create a
> > valid Client Hello bigger than 131396 bytes...
> 
> The fact that the other libraries don't do this check at all suggests that
> increasing the limit in OpenSSL (or even removing the limit completely)
> shouldn't affect it negatively.

Actually it suggests that they don't do their due diligence.  If there is not a valid Hello message that is greater than 131396 bytes, then there is no reason to allow for one either.  On the contrary, there is every reason to protect oneself from Godzillagrams.
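The argument above rests on the ClientHello body having a hard upper bound that follows from the field maxima in RFC 5246 section 7.4.1.2, and on a receiver comparing the declared handshake length against that bound before buffering anything. The following is an added example, not OpenSSL's code and not part of the original thread; it reconstructs the 131396-byte figure from those field maxima and applies the check to a constructed handshake header (the function and constant names are my own).

```python
"""Bound check on a TLS ClientHello, applied to the declared length
before any body bytes are read. Added illustration, not OpenSSL code."""
from typing import Tuple

# Field maxima from RFC 5246 section 7.4.1.2 (ClientHello). The sum is
# the largest body a syntactically valid ClientHello can have.
CLIENT_HELLO_BODY_MAX = (
    2              # ProtocolVersion client_version
    + 32           # Random
    + 1 + 32       # SessionID session_id<0..32>
    + 2 + 65534    # CipherSuite cipher_suites<2..2^16-2>
    + 1 + 255      # CompressionMethod compression_methods<1..2^8-1>
    + 2 + 65535    # Extension extensions<0..2^16-1>
)                  # == 131396, the figure quoted in the thread

HANDSHAKE_HEADER_LEN = 4          # 1-byte type + 3-byte body length
HANDSHAKE_TYPE_CLIENT_HELLO = 1


class HandshakeRejected(ValueError):
    """Raised when a handshake header fails validation."""


def parse_handshake_header(data: bytes) -> Tuple[int, int]:
    """Return (msg_type, body_length) from a 4-byte handshake header."""
    if len(data) < HANDSHAKE_HEADER_LEN:
        raise HandshakeRejected("truncated handshake header")
    msg_type = data[0]
    body_length = int.from_bytes(data[1:4], "big")
    return msg_type, body_length


def check_client_hello_length(header: bytes,
                              limit: int = CLIENT_HELLO_BODY_MAX) -> int:
    """Validate the declared ClientHello length against the bound.

    Returns the number of body bytes the caller may go on to read, or
    raises HandshakeRejected. Nothing beyond the header is consumed, so
    an oversized declaration is refused before any buffer is allocated.
    """
    msg_type, body_length = parse_handshake_header(header)
    if msg_type != HANDSHAKE_TYPE_CLIENT_HELLO:
        raise HandshakeRejected(f"unexpected handshake type {msg_type}")
    if body_length > limit:
        raise HandshakeRejected(
            f"declared ClientHello length {body_length} exceeds {limit}")
    return body_length


def is_accepted(header: bytes, limit: int = CLIENT_HELLO_BODY_MAX) -> bool:
    """Convenience wrapper: True if the header passes the bound check."""
    try:
        check_client_hello_length(header, limit)
        return True
    except HandshakeRejected:
        return False


def build_handshake_header(msg_type: int, body_len: int) -> bytes:
    """Constructed sample input: a handshake header declaring body_len."""
    return bytes([msg_type]) + body_len.to_bytes(3, "big")


if __name__ == "__main__":
    # Constructed headers: a small ClientHello, the largest valid one,
    # and one byte past the bound.
    for declared in (512, CLIENT_HELLO_BODY_MAX, CLIENT_HELLO_BODY_MAX + 1):
        hdr = build_handshake_header(HANDSHAKE_TYPE_CLIENT_HELLO, declared)
        print(declared, "accepted" if is_accepted(hdr) else "rejected")
```

The check uses only the 4-byte handshake header, so the decision to reject is made before the declared body is read; a receiver that instead buffers the whole message and validates afterwards has already paid the memory cost the bound is meant to avoid.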

