Description of problem: A bug in the client cert verify code of openssl prevents the use of client certs with 4096 bits. This was detected by playing around with an TLS enabled postfix. Version-Release number of selected component (if applicable): RHL's openssl-0.9.6b-28, sure others, too. How reproducible: Always Steps to Reproduce: 1.Create a server cert and a client cert with 4096 bit 2.Run openssl server # openssl s_server -cert cert.pem -key key.pem -verify ca.cert 3.Run openssl client $ openssl s_client -cert 4096-cert.pem -key 4096-key.pem -connect host:4433 Actual Results: Server: 911:error:1408E098:SSL routines:SSL3_GET_MESSAGE:excessive message size:s3_both.c:418: Client: 4454:error:14094417:SSL routines:SSL3_READ_BYTES:sslv3 alert illegal parameter:s3_pkt.c:964:SSL alert number 47 4454:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226: Expected Results: Proper connect. Additional info: Credits to Bodo Moeller and Lutz Jaenicke which found the reason of the bug in the openssl code. Following patch will fix this issue. Note1: diff only shows the related part for this issue Note2: client certs with more than 4096 bit still not supported --- openssl-engine-0.9.6b/ssl/s3_srvr.c Sun Nov 3 17:36:13 2002 +++ openssl-0.9.6-stable-SNAP-20021102/ssl/s3_srvr.c Mon Oct 28 17:02:46 2002 @@ -1477,7 +1566,7 @@ SSL3_ST_SR_CERT_VRFY_A, SSL3_ST_SR_CERT_VRFY_B, -1, - 512, /* 512? */ + 514, /* 514? */ &ok); if (!ok) return((int)n);
Adding to compat package openssl096b-0.9.6b-3 and for any future erratum which includes 0.9.6b. Thanks!