A fix was introduced in OpenSSL-0.9.5 or so. This added the
ssl3_check_client_hello routine to ssl/s3_srvr.c to check for a
new client hello message when a certificate chain was expected.
This introduced a bug, in that it limited the certificate chain
to SSL3_RT_MAX_PLAIN_LENGTH rather than the original arbitrary 100K
limit used in the ssl3_get_client_certificate routine.
Here is a fix to OpenSSL-0.9.6 to have it use the 100K limit.
*** ,s3_srvr.c Mon Sep 11 07:42:59 2000
--- s3_srvr.c Thu Aug 23 13:32:37 2001
***************
*** 537,543 ****
SSL3_ST_SR_CERT_A,
SSL3_ST_SR_CERT_B,
-1,
! SSL3_RT_MAX_PLAIN_LENGTH,
&ok);
if (!ok) return((int)n);
s->s3->tmp.reuse_message = 1;
--- 537,547 ----
SSL3_ST_SR_CERT_A,
SSL3_ST_SR_CERT_B,
-1,
! #if defined(MSDOS) && !defined(WIN32)
! 1024*30, /* 30k max cert list :-) */
! #else
! 1024*100, /* 100k max cert list :-) */
! #endif
&ok);
if (!ok) return((int)n);
s->s3->tmp.reuse_message = 1;
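Review bot: the 30K/100K certificate-list limit is now hard-coded in two places, since the description above says ssl3_get_client_certificate already uses the same arbitrary 100K value; define it once as a single named constant (for example a SSL3_MAX_CERT_LIST-style macro, name hypothetical) and use it at both call sites so the two limits cannot drift apart, which also gives the run-time settable limit requested later in the mail one place to hook into. The MSDOS-only 1024*30 branch should also carry a comment stating why that platform gets a smaller limit, as the ":-)" comments give no rationale and a reader of this hunk alone cannot tell whether the difference is deliberate.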
As the 100K is an arbitrary limit, I would also like to see this changed
so it is a parameter which could be set by the application. Although we don't
currently have certificate chains over 100K with Globus, we could in the future.
The SSLv3 specs don't set this limit, but rather allow 2^24 certificates.
I understand the need to have some practical limit, but it should be
settable by the application at run time.
--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]