authorMatt Caswell <matt@openssl.org>2015-12-23 16:36:59 +0000
committerMatt Caswell <matt@openssl.org>2015-12-27 22:56:25 +0000
commit057b6f797d89964892620fe9980a1ca6872a771f (patch)
treeaaa9bc970cec5fcf5b5ad43905897d43297d46de /ssl
parentb1931d432f4b53ceb2e2eacec09c2e32e043830b (diff)
Increase the max size limit for a CertificateRequest message
Previous versions of OpenSSL had the max size limit for a CertificateRequest message as |s->max_cert_list|. Until now, master had set it to SSL3_RT_MAX_PLAIN_LENGTH. However, these messages can get quite long if a server is configured with a long list of acceptable CA names. Therefore the size limit has been increased to be consistent with previous versions. RT#4198 Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Diffstat (limited to 'ssl')
-rw-r--r--ssl/statem/statem_clnt.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index b14e6edf28..536689be62 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -696,7 +696,11 @@ unsigned long ossl_statem_client_max_message_size(SSL *s)
return SERVER_KEY_EXCH_MAX_LENGTH;
case TLS_ST_CR_CERT_REQ:
- return SSL3_RT_MAX_PLAIN_LENGTH;
+ /* Set to s->max_cert_list for compatibility with previous releases.
+ * In practice these messages can get quite long if servers are
+ * configured to provide a long list of acceptable CAs
+ */
+ return s->max_cert_list;
case TLS_ST_CR_SRVR_DONE:
return SERVER_HELLO_DONE_MAX_LENGTH;
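Review bot: The new `return s->max_cert_list;` under `case TLS_ST_CR_CERT_REQ:` bounds a message the client receives before the handshake completes with a per-connection setting instead of a fixed constant like the neighbouring `*_MAX_LENGTH` returns, and the added comment does not say so. I would add a line to the comment such as `* Note: max_cert_list is application-configurable, so raising it for large certificate chains also raises how much CertificateRequest data the peer can make the client buffer.` The function returns `unsigned long`, so if `max_cert_list` is a signed field (its declaration is not visible in this hunk), a negative configured value would convert to a very large limit; it is worth confirming that the setter or this function rejects that. The body of `ossl_statem_client_max_message_size` starts and ends outside the hunk, so the handling of the other states could not be checked here.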