Query reg. using certificates bigger than 4k for EAP-TLS

Matt Caswell matt at openssl.org
Wed Oct 20 13:30:19 UTC 2021

Your scenario is still not quite clear to me.

It sounds like you are using a BIO_f_buffer() BIO to buffer data. This 
is on the server side right? Are you encountering this problem for 
server writes? Since you are talking about the certificate chain, I 
assume you are referring to the server writing that chain.

libssl itself also uses a BIO_f_buffer() internally for writes during 
the handshake. It's not clear to me whether you are referring to the 
internal libssl buffering BIO, or one that you have created?

Either way, the effect of the buffering BIO during writes is that a 4k 
buffer is used by default. If data is written that is less than 4k in 
length then it is held in the buffer until either the BIO is "flushed" 
or the buffer is filled. In the event the buffer gets filled then it is 
automatically flushed, and any remaining data gets buffered.

The only effect of changing the buffer size should be to decrease the 
frequency that the buffer gets filled and automatic flushes occur. It 
sounds like by trying to increase the buffer size you are seeking to 
avoid "partial" writes where only part of the data is flushed and the 
remainder is held back for sending later when the buffer is next filled 
or flushed. This should not normally make any difference to the correct 
operation of the protocol (except for efficiency) although it does 
depend on what happens "downstream" of the buffering bio and how partial 
writes get sent to the peer.

It sounds like things are not quite working correctly for you when 
"partial" writes occur. This sounds like a potential problem in the BIO 
chain downstream of libssl (i.e. in your application).


On 20/10/2021 12:34, Vishal Sinha wrote:
> Hi Matt
> The certificate is not large as such. But since it's a chain, the 
> overall size crosses 4k. We used BIO_set_write_buffer_size() API to 
> increase the size from 4k to 8k of the BIO buffer in SSL context.
> Regards
> Vishal
> On Wed, Oct 20, 2021 at 3:26 PM Vishal Sinha <vishals1991 at gmail.com 
> <mailto:vishals1991 at gmail.com>> wrote:
>     Hi
>     We are using openssl 1.1.1c version on our client and server. Client
>     and Server are doing EAP-TLS authentication using certificates which
>     are more than 4k in size (using 1 root CA and 2 intermediate CAs).
>     We noticed that the server is not able to handle it gracefully due
>     to insufficient buffer size during SSL handshake and hence
>     authentication fails. To solve this issue, we increased the buffer
>     size to 8k programmatically and authentication passed. Is there any
>     other way to solve this problem?
>     Regards
>     Vishal
