crypto/tls: handling a message longer than 12kB in record protocol #8928
Comments
Labels changed: added release-none, repo-main. Owner changed to @rsc. Status changed to Accepted.
We are getting the same error as this when connecting to a Windows-based SIP SSL server also. Wondering if anyone else found a solution.
Assigned to @agl. Adam, if you advise what to do here, I can also send a CL, if that saves you any time.
Much appreciated, thanks.
I just hit this issue; the cause for me was that my server was requesting a client certificate, but I had forgotten to configure a list of trusted certificates. The server included every CA configured on my system in the CertificateRequest message, which (in my case) was ~11,000 bytes of data (and then I also had the server cert, hello, etc.). It sounds like after this patch, users may now hit the message "tls: oversized record received with length %d". Remembering to configure the accepted CAs for client certs would fix the problem I hit.
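The effect described in the comment above, as an added example that is not part of this thread or of crypto/tls: it measures the `certificate_authorities` list a server would send when it advertises a whole trust store versus the single CA that issues client certificates. It assumes the TLS 1.2 CertificateRequest layout from RFC 5246 section 7.4.4; `sampleStore`, `caListSize`, the subject strings and the count of 160 CAs are constructed for illustration, and the `tls.Config` in `main` assumes the server is written in Go.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sampleStore builds n constructed self-signed CAs standing in for a full system trust store.
func sampleStore(n int) (store []*x509.Certificate) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	for i := 0; i < n; i++ {
		tmpl := &x509.Certificate{SerialNumber: big.NewInt(int64(i + 1)), IsCA: true, BasicConstraintsValid: true,
			Subject:   pkix.Name{Organization: []string{"Constructed Example Trust Services"}, CommonName: fmt.Sprintf("Constructed Root CA %03d", i)},
			NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
		if err != nil {
			panic(err)
		}
		cert, err := x509.ParseCertificate(der)
		if err != nil {
			panic(err)
		}
		store = append(store, cert)
	}
	return store
}

// caListSize is the encoded size of certificate_authorities in a TLS 1.2 CertificateRequest.
func caListSize(cas []*x509.Certificate) int {
	size := 2 // 2-byte length of the whole vector
	for _, c := range cas {
		size += 2 + len(c.RawSubject) // 2-byte length, then the DER subject name
	}
	return size
}

func main() {
	store, cfg := sampleStore(160), &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: x509.NewCertPool()}
	cfg.ClientCAs.AddCert(store[0]) // Go server side: advertise only the CA that issues client certs
	fmt.Println("all 160 CAs:", caListSize(store), "bytes; one CA:", caListSize(store[:1]), "bytes")
}
```

With the constructed subjects the full list alone exceeds the 12kB named in the issue title, before the server certificate and hello messages are counted.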
Some servers which misunderstood the point of the CertificateRequest message send huge reply records. These records are large enough that they were considered “insane” by the TLS code and rejected. This change removes the sanity test for record lengths. Although the maxCiphertext test still remains, just above, which (roughly) enforces the 16KB protocol limit on record sizes: https://tools.ietf.org/html/rfc5246#section-6.2.1
Fixes golang#8928.
Change-Id: Idf89a2561b1947325b7ddc2613dc2da638d7d1c9
Reviewed-on: https://go-review.googlesource.com/5690
Reviewed-by: Andrew Gerrand <adg@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
by thomas.berger@videxio.com: