crypto/tls: handling a message longer than 12kB in record protocol #8928

Closed
gopherbot opened this issue Oct 14, 2014 · 7 comments

@gopherbot gopherbot commented Oct 14, 2014

by thomas.berger@videxio.com:

In Go1.3

We sometimes observe failures establishing TLS 1.2 connections.

Error Message: tls: first record does not look like a TLS handshake


Root cause:

In file http://golang.org/src/pkg/crypto/tls/conn.go

Inside readRecord there is a check to ensure that the record is no longer than 12KB (0x3000) (line 578):

    if (typ != recordTypeAlert && typ != want) || vers >= 0x1000 || n >= 0x3000 {

However, some servers do have a lot of certificates installed, so we have observed more than 12KB of data.

One example (depending on the server behind the load balancer):
Test: openssl s_client -connect sipfed0E.online.lync.com:5061 

We have observed 0x3013 as length in some server hellos (which is > 0x3000).

I suggest the limit is raised to a higher number.

Kind regards, 
Thomas M. Berger, videxio
@griesemer griesemer commented Oct 15, 2014

Comment 1:

Labels changed: added release-none, repo-main.

Owner changed to @rsc.

Status changed to Accepted.

@rsc rsc commented Oct 15, 2014

Comment 2:

+agl
@gopherbot gopherbot commented Dec 2, 2014

Comment 3 by zaozao:

Please don't be too conservative when increasing this limit. One of my real-world GRID computing storage nodes just gave me a fluffy ClientHello just short of 0x3900 octets.
@mattkanwisher mattkanwisher commented Jan 13, 2015

We are getting the same error connecting to a Windows-based SIP SSL server as well. Wondering if anyone else has found a solution.

@bradfitz bradfitz assigned agl and unassigned rsc Jan 13, 2015
@bradfitz bradfitz commented Jan 13, 2015

Assigned to @agl. Adam, if you advise what to do here, I can also send a CL, if that saves you any time.

@mikioh mikioh changed the title TLS connections - packet longer than 12Kb crypto/tls: handling a message longer than 12kb in record protocol Jan 13, 2015
@mikioh mikioh changed the title crypto/tls: handling a message longer than 12kb in record protocol crypto/tls: handling a message longer than 12kB in record protocol Jan 13, 2015
@agl agl closed this in 8f8d066 Feb 24, 2015
@mikioh mikioh added this to the Go1.5 milestone Feb 24, 2015
@mattkanwisher mattkanwisher commented Feb 25, 2015

Much appreciated, thanks.

@justinsb justinsb commented Mar 22, 2015

I just hit this issue; the cause for me was that my server was requesting a client certificate, but I had forgotten to configure a list of trusted certificates. The server included every CA configured on my system in the CertificateRequest message, which (in my case) was ~11,000 bytes of data (and then I also had the server cert, hello etc).

It sounds like after this patch, users may now hit the message "tls: oversized record received with length %d". Remembering to configure the accepted CAs for client certs would fix the problem I hit.

@golang golang locked and limited conversation to collaborators Jun 25, 2016
FiloSottile pushed a commit to FiloSottile/go that referenced this issue Oct 12, 2018
Some servers which misunderstood the point of the CertificateRequest
message send huge reply records. These records are large enough that
they were considered “insane” by the TLS code and rejected.

This change removes the sanity test for record lengths. Although the
maxCiphertext test still remains, just above, which (roughly) enforces
the 16KB protocol limit on record sizes:
https://tools.ietf.org/html/rfc5246#section-6.2.1

Fixes golang#8928.

Change-Id: Idf89a2561b1947325b7ddc2613dc2da638d7d1c9
Reviewed-on: https://go-review.googlesource.com/5690
Reviewed-by: Andrew Gerrand <adg@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
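To make the two limits discussed in this thread concrete, here is an added example (not code from Go's crypto/tls) that decodes a TLS record header and bounds its length by the RFC 5246 ciphertext maximum (2^14 + 2048 bytes) rather than the 0x3000 sanity check quoted in the report; the header bytes are constructed, with the 0x3013 length taken from the issue, and the function names are my own.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Bounds from RFC 5246 section 6.2.1 (plaintext at most 2^14 bytes,
// ciphertext at most 2048 bytes longer) and the old 12KB check.
const (
	maxCiphertext     = 16384 + 2048 // 0x4800, the limit that remains after the fix
	recordHeaderLen   = 5
	legacySanityLimit = 0x3000 // the check this issue had removed
)

// recordHeader holds the fields of the 5-byte TLS record header.
type recordHeader struct {
	Type    uint8
	Version uint16
	Length  int
}

// parseRecordHeader decodes the header and rejects records larger than
// the protocol allows, using the error text quoted in the thread.
func parseRecordHeader(hdr []byte) (recordHeader, error) {
	if len(hdr) < recordHeaderLen {
		return recordHeader{}, errors.New("tls: short record header")
	}
	h := recordHeader{
		Type:    hdr[0],
		Version: binary.BigEndian.Uint16(hdr[1:3]),
		Length:  int(binary.BigEndian.Uint16(hdr[3:5])),
	}
	if h.Length > maxCiphertext {
		return h, fmt.Errorf("tls: oversized record received with length %d", h.Length)
	}
	return h, nil
}

// exceedsLegacyLimit reports whether a protocol-valid length would still
// have tripped the pre-fix 0x3000 check (the failure reported here).
func exceedsLegacyLimit(n int) bool { return n >= legacySanityLimit }

func main() {
	// Constructed header: handshake (0x16), TLS 1.2 (0x0303), length 0x3013.
	h, err := parseRecordHeader([]byte{0x16, 0x03, 0x03, 0x30, 0x13})
	fmt.Printf("%+v err=%v legacyReject=%v\n", h, err, exceedsLegacyLimit(h.Length))
}
```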