nagendra modadugu <[EMAIL PROTECTED]>:

> SSLv3 clients call ssl3_get_key_exchange regardless of whether this
> message is required for the chosen cipher.
>
> As a result, ssl3_get_message called from ssl3_get_key_exchange ends up
> reading the certificate request message (when doing client auth and the
> key exchange message is absent):
>
>         n=ssl3_get_message(s,
>                 SSL3_ST_CR_KEY_EXCH_A,
>                 SSL3_ST_CR_KEY_EXCH_B,
>                 -1,
>                 1024*8, /* ?? */
>                 &ok);
>
> This results in a limit of 8K for the certificate request list, whereas
> the limit should be 100K.
>
> This bug manifests itself when using s_client to connect to apache-modssl.
> Apache sends all the CA's listed in ca-bundle.crt, which exceeds the 8K
> limit and causes the client to barf:
>
> 28537:error:1408E098:SSL routines:SSL3_GET_MESSAGE:excessive message
> size:s3_both.c:418:

This bug has already been fixed in both the 0.9.6 and the 0.9.7-dev
trees. Snapshots are available at <URL: ftp://ftp.openssl.org/snapshot;type=d>.
Current 0.9.6 snapshots can nearly be considered betas for 0.9.6c.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
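
The limit mismatch described in the report above, as an added example that is not part of the original thread and is not OpenSSL code: a small model of a handshake reader that bounds the message length by the state it is in versus by the message type that actually arrived. The function names, return codes and sample headers are constructed for illustration; the 8K and 100K limits are the ones named in the report, and the thread does not say how the real fix was implemented.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* SSLv3/TLS handshake message types. */
enum { HS_SERVER_KEY_EXCHANGE = 12, HS_CERTIFICATE_REQUEST = 13 };
enum { MSG_OK = 0, MSG_TOO_SHORT = -1, MSG_EXCESSIVE = -2 };

#define KEY_EXCH_MAX ((size_t)1024 * 8)   /* limit passed in the quoted call */
#define CERT_REQ_MAX ((size_t)100 * 1024) /* limit the report says should apply */

/* Handshake header: type (1 byte) followed by length (3 bytes, big-endian). */
static int parse_header(const uint8_t *buf, size_t n, int *type, size_t *len)
{
    if (n < 4)
        return MSG_TOO_SHORT;
    *type = buf[0];
    *len = ((size_t)buf[1] << 16) | ((size_t)buf[2] << 8) | (size_t)buf[3];
    return MSG_OK;
}

/* Reported behaviour: the bound comes from the state the client is in
 * (waiting for a key exchange), whatever message actually arrives. */
int check_by_state(const uint8_t *buf, size_t n)
{
    int type; size_t len;
    int rc = parse_header(buf, n, &type, &len);
    if (rc != MSG_OK)
        return rc;
    return len > KEY_EXCH_MAX ? MSG_EXCESSIVE : MSG_OK;
}

/* Hypothetical alternative: choose the bound from the received type,
 * keeping the smaller limit for everything else. */
int check_by_type(const uint8_t *buf, size_t n)
{
    int type; size_t len;
    int rc = parse_header(buf, n, &type, &len);
    if (rc != MSG_OK)
        return rc;
    size_t max = (type == HS_CERTIFICATE_REQUEST) ? CERT_REQ_MAX : KEY_EXCH_MAX;
    return len > max ? MSG_EXCESSIVE : MSG_OK;
}

/* Constructed headers: CertificateRequest of 20000 and 102401 bytes. */
static const uint8_t sample_cert_req[4]    = { 13, 0x00, 0x4E, 0x20 };
static const uint8_t oversized_cert_req[4] = { 13, 0x01, 0x90, 0x01 };

int main(void)
{
    printf("by state: %d\n", check_by_state(sample_cert_req, 4));
    printf("by type:  %d\n", check_by_type(sample_cert_req, 4));
    printf("too big:  %d\n", check_by_type(oversized_cert_req, 4));
    return 0;
}
```

The length bound is still enforced in both variants; only the choice of which bound applies changes, so a peer cannot use the larger limit for any message other than the certificate request.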
