resumption problem
Jeremy Harris
jgh at wizmail.org
Fri Mar 27 20:20:55 UTC 2020
On 26/03/2020 00:58, Viktor Dukhovni wrote:
> On Thu, Mar 26, 2020 at 12:40:08AM +0000, Jeremy Harris wrote:
>
>> Looks like I'm wrong, from the behaviour.
>>
>> It's the second of the possible places, and "i" is 129.
>> It appears to be failing the WPACKET_sub_allocate_bytes_u16()
>> call. %rsi before the call, which I think should be
>> the "namelen" arg, has value 172.
>
> Right, you're running out of space by trying to send too many
> CA names. It is better to have this fail, so you can figure
> what is trying to dump your entire trusted CA list (of names)
> to the server, than to actually have that silently "work".
It's /etc/pki/tls/certs/ca-bundle.crt (on Centos 8) and
it's being loaded using SSL_CTX_set_client_CA_list()
into the client, supposedly to be the acceptable CAs
for the cert sent by the server.
The load call doesn't have a return value to check. The
list presented had 133 entries.
> Perhaps your
> "openssl.cnf" (Linux distro mistake?) causes the damage
> for all applications even without explicit code to that
> end in Exim? Or you're calling something to make it happen.
The Exim config is saying to use that file, so I do have a
workaround point there. However, the question is: what is [1] the
proper fix? We want to accept "the usual, pretty big, set of
well-known CAs". Is that an incorrect way of telling OpenSSL
that list? And how come it only fails under resumption and
when a client-cert is also used?
1] We also need to code to be compatible across a wide range
of OpenSSL versions. Minimising #ifdeffery is a factor.
--
Cheers,
Jeremy
More information about the openssl-users
mailing list