On Tue, Jan 03, 2012, Jean Cyr wrote:

> s_client and s_server fail to establish connection with TLS 1.2. Valid
> self-signed CA certificate, and valid client and server certificates are used
> (attached).
>
> With unpatched openssl-1.0.1-beta1 the following is observed (failure case):
>
> Server:
>
> >openssl s_server -Verify 3 -cert server.pem -key server.pem -CAfile root.pem
> >-tls1_2
> verify depth is 3, must return a certificate
> Loading 'screen' into random state - done
> Using default temp DH parameters
> Using default temp ECDH parameters
> ACCEPT
> depth=1 C = US, ST = Georgia, L = Atlanta, O = CableLabs, CN = CableLabs
> verify return:1
> depth=0 C = US, ST = georgia, O = SEB Client, CN = SEB Client
> verify return:1
> ERROR
> 3248:error:1408E098:SSL routines:SSL3_GET_MESSAGE:excessive message size:.\ssl\s3_both.c:504:
> shutting down SSL
> CONNECTION CLOSED
>
> Client:
>
That's the 4096 bit key which causes that issue. In TLS v1.2 an extra couple
of bytes are needed.

In ssl/s3_srvr.c in ssl3_get_cert_verify() try changing the figure 514 to
516. If that works I'll commit it.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
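The arithmetic behind Steve's reply, as an added example that is not part of the thread and not OpenSSL code: it serialises the CertificateVerify handshake body in the TLS 1.0/1.1 layout (RFC 4346 section 7.4.8, a 2-byte length plus the signature) and the TLS 1.2 layout (RFC 5246 section 7.4.8, which prefixes a 2-byte SignatureAndHashAlgorithm), then checks each against the 514 and 516 limits quoted above. The signature bytes are a constructed placeholder of the right length, not a real signature, and `fits_limit` is a stand-in for the size bound the handshake reader enforces, not the OpenSSL function itself.

```python
import struct

# Message-size limits quoted in Steve's reply: the existing ssl3_get_cert_verify()
# figure (514) and the proposed replacement (516).
OLD_LIMIT = 514
NEW_LIMIT = 516

# SignatureAndHashAlgorithm for sha256/rsa (RFC 5246 section 7.4.1.4.1):
# HashAlgorithm sha256 = 4, SignatureAlgorithm rsa = 1.
SHA256_RSA = bytes([0x04, 0x01])


def rsa_signature_len(key_bits: int) -> int:
    """A PKCS#1 v1.5 RSA signature is exactly the modulus length in bytes."""
    return (key_bits + 7) // 8


def build_certificate_verify(signature: bytes, tls12: bool, sigalg: bytes = SHA256_RSA) -> bytes:
    """Serialise a CertificateVerify handshake body.

    TLS 1.0/1.1 (RFC 4346 section 7.4.8): opaque signature<0..2^16-1>
    TLS 1.2    (RFC 5246 section 7.4.8): SignatureAndHashAlgorithm + opaque signature<0..2^16-1>
    The two extra leading bytes in TLS 1.2 are what push a 512-byte signature past 514.
    """
    body = struct.pack("!H", len(signature)) + signature
    if tls12:
        body = sigalg + body
    return body


def parse_certificate_verify(body: bytes, tls12: bool):
    """Parse a body back into (sigalg or None, signature); raise ValueError if malformed."""
    pos = 0
    sigalg = None
    if tls12:
        if len(body) < 2:
            raise ValueError("truncated SignatureAndHashAlgorithm")
        sigalg, pos = body[:2], 2
    if len(body) < pos + 2:
        raise ValueError("truncated signature length")
    (sig_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    if len(body) != pos + sig_len:
        raise ValueError("signature length %d does not match remaining %d bytes"
                         % (sig_len, len(body) - pos))
    return sigalg, body[pos:]


def fits_limit(body: bytes, limit: int) -> bool:
    """Stand-in for the handshake reader's bound: a body longer than `limit`
    is rejected as an excessive message size before its contents are examined."""
    return len(body) <= limit


def certificate_verify_sizes(key_bits: int) -> dict:
    """Body sizes for one RSA key size under both layouts, checked against
    the old and the proposed limit."""
    # Constructed placeholder of the right length; not a real signature.
    signature = (bytes(range(256)) * 16)[:rsa_signature_len(key_bits)]
    tls11 = build_certificate_verify(signature, tls12=False)
    tls12 = build_certificate_verify(signature, tls12=True)
    return {
        "tls11_len": len(tls11),
        "tls12_len": len(tls12),
        "tls11_fits_old": fits_limit(tls11, OLD_LIMIT),
        "tls12_fits_old": fits_limit(tls12, OLD_LIMIT),
        "tls12_fits_new": fits_limit(tls12, NEW_LIMIT),
    }


if __name__ == "__main__":
    for bits in (2048, 4096):
        print(bits, certificate_verify_sizes(bits))
```

For a 4096-bit client key the signature is 512 bytes, so the TLS 1.1 body is exactly 514 bytes and passes, while the TLS 1.2 body is 516 bytes and trips a 514-byte bound; a 2048-bit key stays well under either limit in both versions, which is why the failure only shows up with TLS 1.2 and a large key.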
