When using client certificates with very large RSA key lengths, the SSL handshake fails with "excessive message size" errors.

Reason: the maximum permitted size for the key is hardcoded to 512 bytes in ssl3_get_cert_verify() (call to ssl3_get_message()). This fails for 4096-bit RSA keys due to the 2-byte length information (4096 bits = 512 bytes).

Solution (short term): increase permitted message size to 514 bytes.

Solution (long term): extend API to make this maximum value runtime adjustable, such that applications may accept even higher key lengths.

This ticket is the result of a private email exchange with Lutz Jänicke and Bodo Möller during the investigation of an actual failure.
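
The size check described in the ticket, as an added example that is not OpenSSL code and not part of the original report: a receiver parses a CertificateVerify body (2-byte length prefix followed by the RSA signature) under a fixed cap, so a 4096-bit key is rejected at 512 and accepted at 514. The names `cv_parse`, `cv_try`, `cv_body_len` and the result codes are hypothetical, and the signature bytes are constructed filler.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes for this sketch (not OpenSSL error codes). */
enum cv_result { CV_OK = 0, CV_EXCESSIVE_SIZE, CV_TRUNCATED, CV_LENGTH_MISMATCH };

/* Body size of a CertificateVerify message carrying an RSA signature:
 * 2-byte length prefix + one signature as long as the modulus. */
static size_t cv_body_len(unsigned rsa_bits) { return 2 + (rsa_bits + 7) / 8; }

/* Parse a CertificateVerify body under a receiver-side size cap.
 * The cap plays the role of the maximum passed to ssl3_get_message(). */
static enum cv_result cv_parse(const uint8_t *body, size_t len, size_t max,
                               const uint8_t **sig, size_t *sig_len)
{
    if (len > max)
        return CV_EXCESSIVE_SIZE;      /* the failure the ticket reports */
    if (len < 2)
        return CV_TRUNCATED;
    size_t declared = ((size_t)body[0] << 8) | body[1];
    if (declared != len - 2)
        return CV_LENGTH_MISMATCH;     /* prefix must match the payload exactly */
    *sig = body + 2;
    *sig_len = declared;
    return CV_OK;
}

/* Build a constructed body for the given key size (signature bytes are
 * filler, not a real signature) and parse it under the given cap. */
static enum cv_result cv_try(unsigned rsa_bits, size_t max)
{
    uint8_t body[2 + 1024];            /* room for keys up to 8192 bits */
    size_t len = cv_body_len(rsa_bits), sig_len;
    const uint8_t *sig;
    if (len > sizeof body)
        return CV_EXCESSIVE_SIZE;
    memset(body, 0xAB, len);
    body[0] = (uint8_t)((len - 2) >> 8);
    body[1] = (uint8_t)((len - 2) & 0xff);
    return cv_parse(body, len, max, &sig, &sig_len);
}

int main(void)
{
    printf("2048-bit, cap 512: %d\n", cv_try(2048, 512));
    printf("4096-bit, cap 512: %d\n", cv_try(4096, 512));
    printf("4096-bit, cap 514: %d\n", cv_try(4096, 514));
    return 0;
}
```

Raising the cap only moves the boundary: an 8192-bit key needs 1026 bytes, which is why the ticket also asks for a runtime-adjustable maximum.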
