Allow client certificate lists > 16kB ("Douglas E. Engert" <deengert@anl.gov>.)

diff --git a/CHANGES b/CHANGES
index aed1082915fd3ba96b5d3d472219773041f145cc..88574700f4c3413e04181199b245f17821f2d6cc 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,12 @@
 
  Changes between 0.9.6b and 0.9.6c  [XX xxx XXXX]
 
+  *) s3_srvr.c: allow sending of large client certificate lists (> 16 kB).
+     This function was broken, as the check for a new client hello message
+     to handle SGC did not allow these large messages.
+     (Tracked down by "Douglas E. Engert" <deengert@anl.gov>.)
+     [Lutz Jaenicke]
+
   *) Add alert descriptions for TLSv1 to SSL_alert_desc_string[_long]().
      [Lutz Jaenicke]
 

diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 258af84867adc4ce9ccc9aae5e74ac5491c9f869..0d3eb76e0a12097dd178c1939f9827012dbcd712 100644 (file)
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -537,7 +537,11 @@ static int ssl3_check_client_hello(SSL *s)
                SSL3_ST_SR_CERT_A,
                SSL3_ST_SR_CERT_B,
                -1,
-               SSL3_RT_MAX_PLAIN_LENGTH,
+#if defined(MSDOS) && !defined(WIN32)
+               1024*30, /* 30k max cert list :-) */
+#else
+               1024*100, /* 100k max cert list :-) */
+#endif
                &ok);
        if (!ok) return((int)n);
        s->s3->tmp.reuse_message = 1;