[openssl-users] sendmail, openssl 1.1.1, tls1.3

Jakob Bohm jb-openssl at wisemo.com
Tue Oct 16 06:13:11 UTC 2018

On 16/10/2018 06:19, Viktor Dukhovni wrote:
>> On Oct 15, 2018, at 9:22 PM, Viktor Dukhovni <openssl-users at dukhovni.org> wrote:
>>> pointing the CACertFile to 750KB file with 149 certificates.
>> With 149 certs, and typical CA names O(80) bytes, we're looking at
>> ~12KB of cert names, which should fit into an extension that can be
>> up to 64KB in size.  So overflowing the extension size limit would
>> not be my first guess.  If you make the CA bundle available (send
>> it to me off-list?) I can take a closer look.
> [ Carl sent me the CA bundle off-list ]  With the provided CA bundle
> I was able to easily reproduce the same symptoms with:
>   $ openssl s_client -requestCAfile bundle.pem -connect localhost:12345
> Running this under a debugger the failure happens at certificate #143
> because the client hello packet overflows its maximum allocation:
> $6 = {
>    buf = 0x0000000100724200
>    staticbuf = 0x0000000000000000 <no value available>
>    curr = 16364
>    written = 16364
>    maxsize = 16384
>    subs = 0x0000000100727700
> }
> So even though the extension is allowed to be up to 2^16 bytes, it
> seems the client HELLO is expected to fit into a single TLS record
> of at most 16K bytes.
> Given enough crud in the CA bundle, and a client misconfigured to
> to spill its guts to the server, by sending the names of all the
> trusted CAs, the limit is not too hard to exceed.
> The work-around is to send *zero* CA names to the server, Sendmail
> SHOULD NOT configure the SSL_CTX for the client connection to with
> preferred CA names.  If that is not configurable, then keep the
> CA file as short as possible, empty if possible, else just one
> root CA, and everything else in CApath (yes "hashed" with the
> various symlinks in place to each cert, one per file).
> As for the 16K limit, and whether we should be sending client
> CA names without further indication from the (TLS 1.3) client
> to do so, I'm hoping Matt Caswell and or other team members
> will chime in.
Just for clarity, how is an OpenSSL 1.1.1 client supposed to tell
the local validation code which CAs to trust, especially if loading
the list before entering a chroot jail?

How is this different from the OpenSSL 1.0.x API?


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

More information about the openssl-users mailing list