From 057b6f797d89964892620fe9980a1ca6872a771f Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Wed, 23 Dec 2015 16:36:59 +0000 Subject: [PATCH] Increase the max size limit for a CertificateRequest message Previous versions of OpenSSL had the max size limit for a CertificateRequest message as |s->max_cert_list|. Previously master had it to be SSL3_RT_MAX_PLAIN_LENGTH. However these messages can get quite long if a server is configured with a long list of acceptable CA names. Therefore the size limit has been increased to be consistent with previous versions. RT#4198 Reviewed-by: Viktor Dukhovni --- ssl/statem/statem_clnt.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index b14e6edf28..536689be62 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -696,7 +696,11 @@ unsigned long ossl_statem_client_max_message_size(SSL *s) return SERVER_KEY_EXCH_MAX_LENGTH; case TLS_ST_CR_CERT_REQ: - return SSL3_RT_MAX_PLAIN_LENGTH; + /* Set to s->max_cert_list for compatibility with previous releases. + * In practice these messages can get quite long if servers are + * configured to provide a long list of acceptable CAs + */ + return s->max_cert_list; case TLS_ST_CR_SRVR_DONE: return SERVER_HELLO_DONE_MAX_LENGTH; -- 2.25.1