[openssl-dev] [openssl.org #4065] Re: Client Hello longer than 2^14 bytes are rejected

Viktor Dukhovni openssl-users at dukhovni.org
Fri Sep 25 20:14:29 UTC 2015


On Fri, Sep 25, 2015 at 09:19:02PM +0200, Kurt Roeckx wrote:

> Since we don't actually know how things are going to change in the
> future and that they can change the maximum size of a Client
> Hello, it makes sense to me to not enforce a limit for the Client
> Hello message just because that's what the current version only
> supports.  For all other messages we should be able to tell what
> the maximum size is.

There's no such thing as "no limit".  If the client HELLO retains
its basic structure, it needs to retain the same limits.

If the limits change, that's a new protocol message that is no
longer an SSLv3/TLSv1.0 compatible client HELLO.

The published limits from TLS 1.2 cannot change in TLS 1.3, if TLS
1.3 HELLO messages are to be understood by TLS 1.2 servers.

-- 
	Viktor.
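The structural limits referred to above can be made concrete. What follows is an added example in Python, not OpenSSL code and not part of this thread: it computes the largest ClientHello body the RFC 5246 structure can encode (fixed fields plus every variable-length vector at its maximum), reassembles a ClientHello that spans more than one 2^14-byte record, and parses it while enforcing each vector's published bound. The field limits are taken from RFC 5246; the sample messages are constructed inline, and the padding extension (type 21) is used only to inflate the message past one record.

```python
"""Reassemble a ClientHello from TLS record fragments and validate it against the
structural limits of RFC 5246 7.4.1.2.  Added example, not OpenSSL code."""
import struct

RECORD_MAX_FRAGMENT = 1 << 14       # TLSPlaintext.fragment limit (RFC 5246 6.2.1)
CONTENT_TYPE_HANDSHAKE = 22
HANDSHAKE_CLIENT_HELLO = 1
SESSION_ID_MAX = 32                 # SessionID<0..32>
CIPHER_SUITES_MAX = (1 << 16) - 2   # CipherSuite<2..2^16-2>
COMPRESSION_MAX = (1 << 8) - 1      # CompressionMethod<1..2^8-1>
EXTENSIONS_MAX = (1 << 16) - 1      # Extension<0..2^16-1>

def max_client_hello_body() -> int:
    """Largest body the structure can encode: fixed fields plus every vector
    at its maximum, each counted with its length prefix."""
    return (2 + 32 + 1 + SESSION_ID_MAX + 2 + CIPHER_SUITES_MAX
            + 1 + COMPRESSION_MAX + 2 + EXTENSIONS_MAX)

def reassemble_handshake(records: bytes) -> tuple:
    """Join handshake-type record fragments; return (msg_type, body) of the
    first complete message.  A ClientHello whose 24-bit length exceeds the
    structural maximum is refused as soon as its 4-byte header is seen,
    before any further fragments are buffered."""
    buf, off = bytearray(), 0
    while off < len(records):
        if off + 5 > len(records):
            raise ValueError("truncated record header")
        ctype, _ver, length = struct.unpack("!BHH", records[off:off + 5])
        if ctype != CONTENT_TYPE_HANDSHAKE or length > RECORD_MAX_FRAGMENT:
            raise ValueError(f"bad record: type {ctype}, length {length}")
        frag = records[off + 5:off + 5 + length]
        if len(frag) != length:
            raise ValueError("truncated record fragment")
        buf += frag
        off += 5 + length
        if len(buf) >= 4:
            msg_type, msg_len = buf[0], int.from_bytes(buf[1:4], "big")
            if msg_type == HANDSHAKE_CLIENT_HELLO and msg_len > max_client_hello_body():
                raise ValueError(f"ClientHello length {msg_len} exceeds structural max")
            if len(buf) >= 4 + msg_len:
                return msg_type, bytes(buf[4:4 + msg_len])
    raise ValueError("incomplete handshake message")

def parse_client_hello(body: bytes) -> dict:
    """Parse a ClientHello body, enforcing each vector's RFC 5246 bounds."""
    off = 0

    def take(n: int) -> bytes:
        nonlocal off
        if off + n > len(body):
            raise ValueError("ClientHello truncated")
        off += n
        return body[off - n:off]

    version, rnd = struct.unpack("!H", take(2))[0], take(32)
    sid_len = take(1)[0]
    if sid_len > SESSION_ID_MAX:
        raise ValueError("session_id longer than 32")
    session_id = take(sid_len)
    cs_len = struct.unpack("!H", take(2))[0]
    if cs_len < 2 or cs_len > CIPHER_SUITES_MAX or cs_len % 2:
        raise ValueError("bad cipher_suites length")
    cs = take(cs_len)
    cipher_suites = [struct.unpack("!H", cs[i:i + 2])[0] for i in range(0, cs_len, 2)]
    cm_len = take(1)[0]                # one byte, so <= COMPRESSION_MAX by construction
    if cm_len < 1:
        raise ValueError("compression_methods must not be empty")
    compression = list(take(cm_len))
    extensions = {}
    if off < len(body):                # the extensions block is optional in TLS 1.2
        ext, e = take(struct.unpack("!H", take(2))[0]), 0
        while e < len(ext):
            if e + 4 > len(ext):
                raise ValueError("truncated extension header")
            etype, elen = struct.unpack("!HH", ext[e:e + 4])
            if e + 4 + elen > len(ext):
                raise ValueError("truncated extension body")
            extensions[etype] = ext[e + 4:e + 4 + elen]
            e += 4 + elen
    if off != len(body):
        raise ValueError("trailing bytes after ClientHello")
    return {"version": version, "random": rnd, "session_id": session_id,
            "cipher_suites": cipher_suites, "compression": compression,
            "extensions": extensions}

def build_client_hello(cipher_suites, extensions, session_id=b"") -> bytes:
    """Constructed TLS 1.2 ClientHello sample (zeroed random, null compression only)."""
    cs = b"".join(struct.pack("!H", c) for c in cipher_suites)
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (struct.pack("!H", 0x0303) + bytes(32) + bytes([len(session_id)]) + session_id
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    return bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body

def fragment_into_records(msg: bytes) -> bytes:
    """Split a handshake message across handshake records of at most 2^14 bytes."""
    chunks = [msg[i:i + RECORD_MAX_FRAGMENT] for i in range(0, len(msg), RECORD_MAX_FRAGMENT)]
    return b"".join(struct.pack("!BHH", CONTENT_TYPE_HANDSHAKE, 0x0301, len(c)) + c for c in chunks)
```

Running `parse_client_hello(reassemble_handshake(fragment_into_records(build_client_hello([0xC02F, 0x009C], [(21, bytes(20000))])))[1])` walks a 20053-byte ClientHello split over two records and returns its fields, while a handshake header claiming a 0xffffff-byte ClientHello is refused after the first four bytes. The point of capping at `max_client_hello_body()` (131396 bytes) rather than at the 24-bit handshake length field is that the cap follows from the message's structure, so a server need not buffer 16 MiB for a message the structure cannot describe.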

