Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

crypto/tls: handling a message longer than 12kB in record protocol #8928

Closed
gopherbot opened this issue Oct 14, 2014 · 7 comments
Closed

crypto/tls: handling a message longer than 12kB in record protocol #8928

gopherbot opened this issue Oct 14, 2014 · 7 comments
Labels
FrozenDueToAge
Milestone
Go1.5

Comments

@gopherbot
Copy link

by thomas.berger@videxio.com:

In Go1.3

We sometime observe failing establishing of TLS1.2 connections

Error Message: tls: first record does not look like a TLS handshake


Root cause:

In file http://golang.org/src/pkg/crypto/tls/conn.go

Inside readRecord there is a check to ensure that the record is no longer than 12KB
(0x3000) (line 578):

if (typ != recordTypeAlert && typ != want) || vers >= 0x1000 || n >=
0x3000 {

However, some servers do have a lot of certificates installed, so we have observed more
than 12KB of data.

One example (depending on the server behind the load balancer):
Test: openssl s_client -connect sipfed0E.online.lync.com:5061 

We have observed 0x3013 as length in some server hellos (which is > 0x3000).

I suggest the limit is raised to a higher number.

Kind regards, 
Thomas M. Berger, videxio
@griesemer
Copy link
Contributor

Comment 1:

Labels changed: added release-none, repo-main.

Owner changed to @rsc.

Status changed to Accepted.

@rsc
Copy link
Contributor

rsc commented Oct 15, 2014

Comment 2:

+agl

@gopherbot
Copy link
Author

Comment 3 by zaozao:

Please don't be too conservative when increasing this limit. One of my real-world GRID
computing storage nodes just gave me a fluffy ClientHello just short of 0x3900 octets.

@mattkanwisher
Copy link

We are getting the same error to this connecting to a windows based sip ssl server also. Wondering if anyone else found out a solution

@bradfitz bradfitz assigned agl and unassigned rsc Jan 13, 2015
@bradfitz
Copy link
Contributor

Assigned to @agl. Adam, if you advise what to do here, I can also send a CL, if that saves you any time.

@mikioh mikioh changed the title TLS connections - packet longer than 12Kb crypto/tls: handling a message longer than 12kb in record protocol Jan 13, 2015
@mikioh mikioh changed the title crypto/tls: handling a message longer than 12kb in record protocol crypto/tls: handling a message longer than 12kB in record protocol Jan 13, 2015
@agl agl closed this as completed in 8f8d066 Feb 24, 2015
@mikioh mikioh added this to the Go1.5 milestone Feb 24, 2015
@mattkanwisher
Copy link

much appreciated thanks

@justinsb
Copy link

I just hit this issue; the cause for me was that my server was requesting a client certificate, but I had forgotten to configure a list of trusted certificates. The server included every CA configured on my system in the CertificateRequest message, which (in my case) was ~11,000 bytes of data (and then I also had the server cert, hello etc).

It sounds like after this patch, users may now hit the message "tls: oversized record received with length %d". Remembering to configure the accepted CAs for client certs would fix the problem I hit.

@sdboyer sdboyer mentioned this issue Oct 26, 2015
Open
@golang golang locked and limited conversation to collaborators Jun 25, 2016
FiloSottile pushed a commit to FiloSottile/go that referenced this issue Oct 12, 2018
@agl
crypto/tls: allow larger initial records.
d25298a 
Some servers which misunderstood the point of the CertificateRequest
message send huge reply records. These records are large enough that
they were considered “insane” by the TLS code and rejected.

This change removes the sanity test for record lengths. Although the
maxCiphertext test still remains, just above, which (roughly) enforces
the 16KB protocol limit on record sizes:
https://tools.ietf.org/html/rfc5246#section-6.2.1

Fixes golang#8928.

Change-Id: Idf89a2561b1947325b7ddc2613dc2da638d7d1c9
Reviewed-on: https://go-review.googlesource.com/5690
Reviewed-by: Andrew Gerrand <adg@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
FiloSottile pushed a commit to FiloSottile/go that referenced this issue Oct 12, 2018
@agl
crypto/tls: allow larger initial records.
fb479af 
Some servers which misunderstood the point of the CertificateRequest
message send huge reply records. These records are large enough that
they were considered “insane” by the TLS code and rejected.

This change removes the sanity test for record lengths. Although the
maxCiphertext test still remains, just above, which (roughly) enforces
the 16KB protocol limit on record sizes:
https://tools.ietf.org/html/rfc5246#section-6.2.1

Fixes golang#8928.

Change-Id: Idf89a2561b1947325b7ddc2613dc2da638d7d1c9
Reviewed-on: https://go-review.googlesource.com/5690
Reviewed-by: Andrew Gerrand <adg@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
@rsc rsc unassigned agl Jun 23, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge
Projects
None yet
Milestone
Go1.5
Development

No branches or pull requests
8 participants
@bradfitz @mattkanwisher @agl @mikioh @justinsb @rsc @griesemer @gopherbot