When connecting to a host that requires a name in the SNI extension longer
than 256 bytes, it's not possible to set such a name in OpenSSL
client code.
Version:
openssl-1.0.1e and git master
Steps to Reproduce:
1. openssl s_client -servername $(perl -e 'print "a"x256') -connect localhost:4433
Actual results:
Unable to set TLS servername extension.
139654513657504:error:140D513F:SSL routines:ssl3_ctrl:ssl3 ext invalid
servername:s3_lib.c:3514:
Expected results:
Connection established
Additional info:
RFC specifies that the maximum length of the SNI value is 2^16-1.
RFC 6066, Section 3:
In order to provide any of the server names, clients MAY include an
extension of type "server_name" in the (extended) client hello. The
"extension_data" field of this extension SHALL contain
"ServerNameList" where:
      struct {
          NameType name_type;
          select (name_type) {
              case host_name: HostName;
          } name;
      } ServerName;

      enum {
          host_name(0), (255)
      } NameType;

      opaque HostName<1..2^16-1>;

      struct {
          ServerName server_name_list<1..2^16-1>
      } ServerNameList;
At the same time, s_server accepts very long names:
openssl s_server -servername $(perl -e 'print "a"x10000') -servername_fatal \
    -key2 server.key -cert2 server.crt -key server.key -cert server.crt
Setting secondary ctx parameters
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT
--
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Email: [email protected]
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
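As an added illustration of the wire format the report quotes from RFC 6066 section 3 (this is example code written for this page, not part of the report or of OpenSSL), the following encodes and strictly parses the extension_data of a server_name extension. The length of HostName is carried in a two-byte prefix, so a 256-byte name encodes without any issue; the only bounds the format itself imposes are the <1..2^16-1> ranges on HostName and on ServerNameList. The parser rejects length fields that disagree with the buffer, empty names, trailing bytes and duplicate NameType entries (RFC 6066 forbids more than one name of the same type). The sample bytes in the code are constructed by hand for the name "localhost"; no real traffic is used.

```python
"""Encode and strictly parse the TLS server_name extension body (RFC 6066, section 3).

Added example for this page; not OpenSSL code. The byte samples below are constructed.
"""
import struct

HOST_NAME = 0            # NameType.host_name
MAX_VECTOR = 2 ** 16 - 1  # upper bound of both HostName<1..2^16-1> and ServerNameList<1..2^16-1>


def encode_server_name_list(hostnames):
    """Build extension_data for a server_name extension.

    Each entry is NameType (1 byte) || HostName (2-byte length prefix + bytes);
    the whole list is wrapped in its own 2-byte length prefix.
    """
    entries = b""
    for name in hostnames:
        raw = name.encode("ascii")  # HostName is ASCII; IDNs are sent as A-labels
        if not 1 <= len(raw) <= MAX_VECTOR:
            raise ValueError(f"HostName length {len(raw)} outside 1..{MAX_VECTOR}")
        entries += struct.pack("!BH", HOST_NAME, len(raw)) + raw
    if not 1 <= len(entries) <= MAX_VECTOR:
        raise ValueError("ServerNameList length outside 1..2^16-1")
    return struct.pack("!H", len(entries)) + entries


def parse_server_name_list(data):
    """Parse extension_data into a list of (name_type, host_name_bytes).

    Strict on purpose: every length must match the buffer exactly, names may
    not be empty, trailing bytes are an error, and a NameType may appear once.
    """
    if len(data) < 2:
        raise ValueError("truncated ServerNameList length")
    (list_len,) = struct.unpack("!H", data[:2])
    if list_len == 0 or 2 + list_len != len(data):
        raise ValueError("ServerNameList length does not match extension_data")
    body = data[2:]
    pos, names, seen_types = 0, [], set()
    while pos < len(body):
        if len(body) - pos < 3:
            raise ValueError("truncated ServerName header")
        name_type, name_len = struct.unpack("!BH", body[pos:pos + 3])
        pos += 3
        if name_len == 0 or len(body) - pos < name_len:
            raise ValueError("HostName length inconsistent with buffer")
        if name_type in seen_types:
            raise ValueError("duplicate NameType in ServerNameList")
        seen_types.add(name_type)
        names.append((name_type, body[pos:pos + name_len]))
        pos += name_len
    return names


def is_valid_server_name_list(data):
    """True if the bytes parse as a well-formed ServerNameList, else False."""
    try:
        parse_server_name_list(data)
    except ValueError:
        return False
    return True


# Constructed sample: list length 12 = 1 (type) + 2 (length) + 9 ("localhost").
SAMPLE_LOCALHOST = b"\x00\x0c" + b"\x00" + b"\x00\x09" + b"localhost"
# Constructed malformed sample: HostName length says 10 but only 9 bytes follow.
SAMPLE_BAD_LENGTH = b"\x00\x0c" + b"\x00" + b"\x00\x0a" + b"localhost"

if __name__ == "__main__":
    long_name = "a" * 256
    wire = encode_server_name_list([long_name])
    print(len(wire), parse_server_name_list(wire)[0][1] == long_name.encode())
    print(is_valid_server_name_list(SAMPLE_LOCALHOST), is_valid_server_name_list(SAMPLE_BAD_LENGTH))
```

The encoder enforces only the RFC 6066 bounds; a DNS name in presentation form is at most 253 characters, so any fixed application-level limit below 2^16-1 is a policy choice rather than a wire-format requirement. The strict parser is the shape a server-side or middlebox implementation should take, since an over-trusting length field is the usual source of out-of-bounds reads in extension handling.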