[openssl-dev] [openssl.org #4065] Re: Client Hello longer than 2^14 bytes are rejected

Hubert Kario hkario at redhat.com
Tue Sep 29 11:56:28 UTC 2015


On Saturday 26 September 2015 01:02:15 Viktor Dukhovni wrote:
> On Sat, Sep 26, 2015 at 12:17:20AM +0000, Salz, Rich wrote:
> > > On the other side of the coin handling very large ClientHello's is
> > > not without cost and risk.
> > 
> > As long as it's a #define that can be changed in ssl.h (or a runtime
> > global? Ick) we should be okay.
> It would have to be more configurable than that to be worth the bother.
> All sorts of "appliance" products with OpenSSL inside would
> potentially some day pose a barrier to interoperability with clients
> that send large HELLO messages.
> 
> I should note that server side session state can also contain a
> client certificate, which is then embedded in the session ticket.
> So the outer limits of current practice are somewhat bigger.
> 
> We could perhaps increase the limit from 16K to 32K bytes, just in
> case that helps, and hope that the result does not expose servers
> to significantly higher risk of DoS.
> 
> Or raise the issue on the TLS WG.  Are servers really expected
> to support up to 128K or so of client HELLO?

TLS 1.3 Client Hello will contain client key shares for _multiple_ key 
exchange methods (sending both DH 2048 and ECDH 256 is rather likely).

Then we have session tickets, which for the case with client certificates 
can easily be a few kilobytes in size (there are "godzillacerts" that are 
bigger than 16KiB already out there).

So I have to retract my initial "unlikely" and "never" and say that even 
for standard TLSv1.2 with commonly used extensions a Client Hello bigger 
than 16KiB is not out of the question.

Client Hello messages of at least 2^16+σ MUST be accepted. The question is 
how big σ needs to be; likely 1KiB at the very least.

I'd still say that it's just kicking the can down the road.

-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
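As an added illustration (not part of this thread or of OpenSSL), the Python below frames a constructed TLS 1.3 ClientHello with DH 2048 and P-256 key shares plus a pre_shared_key extension carrying a ticket of a chosen size, and splits it into 2^14-byte records to show how a ticket that embeds a large client certificate pushes the hello past a single record. All key, random and ticket bytes are zero placeholders; the extension and group code points and the framing follow RFC 8446.

```python
import struct

TLS_RECORD_MAX = 2 ** 14                     # max plaintext bytes per TLS record
KEY_SHARE, PRE_SHARED_KEY = 51, 41           # TLS 1.3 ExtensionType codes
SECP256R1, FFDHE2048 = 23, 256               # NamedGroup codes

def ext(ext_type, body):
    """Encode one extension: uint16 type, uint16 length, body."""
    return struct.pack("!HH", ext_type, len(body)) + body

def key_share_ext(shares):
    """key_share with one KeyShareEntry per (group, public_key) pair."""
    entries = b"".join(struct.pack("!HH", g, len(k)) + k for g, k in shares)
    return ext(KEY_SHARE, struct.pack("!H", len(entries)) + entries)

def psk_ext(ticket):
    """pre_shared_key carrying a single session ticket as the PSK identity."""
    identity = struct.pack("!H", len(ticket)) + ticket + b"\x00" * 4  # + obfuscated_ticket_age
    binder = b"\x20" + b"\x00" * 32                                  # placeholder 32-byte binder
    return ext(PRE_SHARED_KEY,
               struct.pack("!H", len(identity)) + identity
               + struct.pack("!H", len(binder)) + binder)

def client_hello(extensions):
    """Wrap extensions in a minimal ClientHello body plus its 4-byte handshake header."""
    body = b"\x03\x03" + b"\x00" * 32          # legacy_version, random (constructed zeros)
    body += b"\x20" + b"\x00" * 32             # legacy_session_id (32 constructed bytes)
    body += b"\x00\x02\x13\x01"                # cipher_suites: TLS_AES_128_GCM_SHA256 only
    body += b"\x01\x00"                        # legacy_compression_methods: null
    exts = b"".join(extensions)
    body += struct.pack("!H", len(exts)) + exts
    return b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello = 1

def to_records(handshake):
    """Split a handshake message into TLSPlaintext records of at most TLS_RECORD_MAX bytes."""
    return [b"\x16\x03\x03" + struct.pack("!H", len(handshake[i:i + TLS_RECORD_MAX]))
            + handshake[i:i + TLS_RECORD_MAX]
            for i in range(0, len(handshake), TLS_RECORD_MAX)]

def build_small_hello():
    """Typical hello: one P-256 key share (65-byte uncompressed point), no ticket."""
    return client_hello([key_share_ext([(SECP256R1, b"\x04" + b"\x00" * 64)])])

def build_large_hello(ticket_len=17 * 1024):
    """Hello with DH 2048 + P-256 shares and a ticket sized for a 17 KiB client cert chain."""
    shares = [(FFDHE2048, b"\x00" * 256), (SECP256R1, b"\x04" + b"\x00" * 64)]
    return client_hello([key_share_ext(shares), psk_ext(b"\x00" * ticket_len)])
```

`len(build_small_hello())` is 154 bytes in one record; `len(build_large_hello())` is 17869 bytes and `to_records` splits it across two, which is the case a server that caps the reassembled hello at 2^14 bytes rejects.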

