[openssl-users] sendmail, openssl 1.1.1, tls1.3

Matt Caswell matt at openssl.org
Wed Oct 17 14:37:53 UTC 2018

On 16/10/2018 05:19, Viktor Dukhovni wrote:
> [ Carl sent me the CA bundle off-list ]  With the provided CA bundle
> I was able to easily reproduce the same symptoms with:

Please can someone send me the same CA bundle so that I might also
reproduce this?



>  $ openssl s_client -requestCAfile bundle.pem -connect localhost:12345
> Running this under a debugger the failure happens at certificate #143
> because the client hello packet overflows its maximum allocation:
> $6 = {
>   buf = 0x0000000100724200
>   staticbuf = 0x0000000000000000 <no value available>
>   curr = 16364
>   written = 16364
>   maxsize = 16384
>   subs = 0x0000000100727700
> }
> So even though the extension is allowed to be up to 2^16 bytes, it
> seems the client HELLO is expected to fit into a single TLS record
> of at most 16K bytes.
> Given enough crud in the CA bundle, and a client misconfigured to
> to spill its guts to the server, by sending the names of all the
> trusted CAs, the limit is not too hard to exceed.
> The work-around is to send *zero* CA names to the server, Sendmail
> SHOULD NOT configure the SSL_CTX for the client connection to with
> preferred CA names.  If that is not configurable, then keep the
> CA file as short as possible, empty if possible, else just one
> root CA, and everything else in CApath (yes "hashed" with the
> various symlinks in place to each cert, one per file).
> As for the 16K limit, and whether we should be sending client
> CA names without further indication from the (TLS 1.3) client
> to do so, I'm hoping Matt Caswell and or other team members
> will chime in.

More information about the openssl-users mailing list