Re: LibreSSL: extend the max. no. of SANs for avoid OOM error

Jan Klemkow Wed, 17 Mar 2021 06:54:49 -0700

ping

On Tue, Mar 09, 2021 at 03:49:32PM +0100, Jan Klemkow wrote:
> Hi,
> 
> The verification of the https://ugos.ugm.ac.id certificate contains 2032
> subject alt names which leads to the following error in LibreSSL.
> 
> # openssl s_client -connect ugos.ugm.ac.id:443
> ...
> verify error:num=17:out of memory
> ...
> 
> The following diff sets the maximum number of SANs to the next higher
> number to fix this issue.
> 
> OK?
> 
> bye,
> Jan
> 
> Index: lib/libcrypto/x509/x509_internal.h
> ===================================================================
> RCS file: /cvs/src/lib/libcrypto/x509/x509_internal.h,v
> retrieving revision 1.6
> diff -u -p -r1.6 x509_internal.h
> --- lib/libcrypto/x509/x509_internal.h        5 Jan 2021 16:45:59 -0000       
> 1.6
> +++ lib/libcrypto/x509/x509_internal.h        9 Mar 2021 14:38:35 -0000
> @@ -31,7 +31,7 @@
>   * Limit the number of names and constraints we will check in a chain
>   * to avoid a hostile input DOS
>   */
> -#define X509_VERIFY_MAX_CHAIN_NAMES          512
> +#define X509_VERIFY_MAX_CHAIN_NAMES          4096
>  #define X509_VERIFY_MAX_CHAIN_CONSTRAINTS    512
>  
>  /*
>

Re: LibreSSL: extend the max. no. of SANs for avoid OOM error

Reply via email to