Increase the max size limit for a CertificateRequest message

Previous versions of OpenSSL had the max size limit for a CertificateRequest
message as |s->max_cert_list|. Previously master had it to be
SSL3_RT_MAX_PLAIN_LENGTH. However these messages can get quite long if a
server is configured with a long list of acceptable CA names. Therefore
the size limit has been increased to be consistent with previous versions.

RT#4198

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index b14e6edf28c9c464a8a2d9d09583099373630cca..536689be6277c580aafe8b414caca97f1e6eb968 100644 (file)
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -696,7 +696,11 @@ unsigned long ossl_statem_client_max_message_size(SSL *s)
             return SERVER_KEY_EXCH_MAX_LENGTH;
 
         case TLS_ST_CR_CERT_REQ:
             return SERVER_KEY_EXCH_MAX_LENGTH;
 
         case TLS_ST_CR_CERT_REQ:

-            return SSL3_RT_MAX_PLAIN_LENGTH;
+            /* Set to s->max_cert_list for compatibility with previous releases.
+             * In practice these messages can get quite long if servers are
+             * configured to provide a long list of acceptable CAs
+             */
+            return s->max_cert_list;

 
         case TLS_ST_CR_SRVR_DONE:
             return SERVER_HELLO_DONE_MAX_LENGTH;
 
         case TLS_ST_CR_SRVR_DONE:
             return SERVER_HELLO_DONE_MAX_LENGTH;