Yes, 516 instead of 514 does the trick.

-----Original Message-----
From: owner-openssl-...@openssl.org [mailto:owner-openssl-...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Tuesday, January 03, 2012 7:51 PM
To: openssl-dev@openssl.org
Subject: Re: BUG: openssl-1.0.1-beta1 bug - TLS 1.2 connection failure
On Tue, Jan 03, 2012, Jean Cyr wrote:
>
> s_client and s_server fail to establish connection with TLS 1.2. Valid
> self-signed CA certificate, and valid client and server certificates are used
> (attached).
>
> With unpatched openssl-1.0.1-beta1 the following is observed (failure case):
>
> Server:
>
> >openssl s_server -Verify 3 -cert server.pem -key server.pem -CAfile root.pem -tls1_2
> verify depth is 3, must return a certificate
> Loading 'screen' into random state - done
> Using default temp DH parameters
> Using default temp ECDH parameters
> ACCEPT
> depth=1 C = US, ST = Georgia, L = Atlanta, O = CableLabs, CN = CableLabs
> verify return:1
> depth=0 C = US, ST = georgia, O = SEB Client, CN = SEB Client
> verify return:1
> ERROR
> 3248:error:1408E098:SSL routines:SSL3_GET_MESSAGE:excessive message size:.\ssl\s3_both.c:504:
> shutting down SSL
> CONNECTION CLOSED
>
> Client:
>

That's the 4096 bit key which causes that issue. In TLS v1.2 an extra couple of bytes are needed.

In ssl/s3_srvr.c in ssl3_get_cert_verify() try changing the figure 514 to 516. If that works I'll commit it.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
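An added illustration of the size arithmetic behind the 514/516 figure discussed in this thread (example code, not OpenSSL's own): the CertificateVerify body gains the two SignatureAndHashAlgorithm bytes in TLS 1.2, so a bound of 514 that exactly fits a 4096-bit RSA signature under TLS 1.1 rejects the same signature under TLS 1.2 as "excessive message size". The parser, the bound passed as a parameter, and the dummy signature bytes are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed example, not OpenSSL code. CertificateVerify body layout:
 *   TLS 1.0/1.1: opaque signature<0..2^16-1>                   (2-byte length + sig)
 *   TLS 1.2:     SignatureAndHashAlgorithm (2 bytes) + the same length-prefixed sig
 * An RSA signature is as long as the modulus: 512 bytes for a 4096-bit key,
 * so the body is 514 bytes under TLS 1.1 but 516 bytes under TLS 1.2. */
#define RSA4096_SIG_BYTES 512
enum { TLS1_1 = 0x0302, TLS1_2 = 0x0303 };

/* Largest CertificateVerify body a server should accept for this version. */
size_t cert_verify_max_len(int version) {
    size_t n = 2 + RSA4096_SIG_BYTES;       /* length prefix + signature */
    if (version >= TLS1_2) n += 2;          /* hash and signature algorithm ids */
    return n;
}

typedef struct {
    uint8_t hash_alg, sig_alg;  /* TLS 1.2 only; zero otherwise */
    const uint8_t *sig;
    size_t sig_len;
} cert_verify_t;

/* Parse a CertificateVerify body of n bytes. max_len stands in for the hard-coded
 * 514/516 bound. Returns 0 on success, -1 for "excessive message size", -2 if malformed. */
int parse_cert_verify(int version, const uint8_t *p, size_t n, size_t max_len, cert_verify_t *out) {
    size_t off = 0, sig_len;
    memset(out, 0, sizeof(*out));
    if (n > max_len) return -1;
    if (version >= TLS1_2) {
        if (n < 2) return -2;
        out->hash_alg = p[0]; out->sig_alg = p[1]; off = 2;
    }
    if (n - off < 2) return -2;
    sig_len = ((size_t)p[off] << 8) | p[off + 1];
    off += 2;
    if (sig_len != n - off) return -2;       /* length must cover exactly the rest */
    out->sig = p + off; out->sig_len = sig_len;
    return 0;
}

/* Build a 4096-bit-RSA-sized CertificateVerify body with a dummy signature
 * (constructed data) and run it through the parser with the given bound. */
int check_4096_cert_verify(int version, size_t max_len) {
    uint8_t buf[520]; cert_verify_t cv; size_t off = 0; int rc;
    if (version >= TLS1_2) { buf[off++] = 4; buf[off++] = 1; }  /* sha256, rsa (RFC 5246) */
    buf[off++] = RSA4096_SIG_BYTES >> 8; buf[off++] = RSA4096_SIG_BYTES & 0xff;
    memset(buf + off, 0xAB, RSA4096_SIG_BYTES);
    rc = parse_cert_verify(version, buf, off + RSA4096_SIG_BYTES, max_len, &cv);
    return rc == 0 && cv.sig_len != RSA4096_SIG_BYTES ? -3 : rc;
}
```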