[Ach] client certificate request troubles

Wolfgang Breyha wolfgang.breyha at univie.ac.at
Mon Jan 20 17:32:46 CET 2014


I've a topic not directly related to our document, but it fits "better crypto";-)

I configured most of my Exim installations to request client certificates and
to try to verify them. Currently without consequences and only for logging.

Last Friday I updated the ca-certificates bundle RPM of our CentOS hosts. The
file grew in size from 570k to 750k and from 120 root CAs to 149, respectively.

It took some time to figure that out, but since then many (older and/or
embedded) clients fail to finish the SSL handshake. E.g. Pegasus Mail (and most
likely Mercury MTA), older Exchange, Canon printers, ... more?

I did some debugging with Wireshark and recognized that the certificate
request in the handshake grew, since the DNs of the CAs are sent with the
request as specified in the RFCs. It grew beyond the maximum TLS record
size of 16k, and two TLS records are sent by OpenSSL. Pegasus directly
complained about the length.

Currently the only solution I see is disabling client cert requests altogether.
Stripping down the root CAs makes no sense at all, and the list of root CAs
won't get shorter. And we won't get rid of all the servers and clients of this
kind either.

I wanted to ask if somebody else has seen troubles of this sort and if there
are other possibilities than disabling client cert requests completely (and
most likely for a very long time).

Greetings, Wolfgang
Wolfgang Breyha <wolfgang.breyha at univie.ac.at> | http://zid.univie.ac.at/
Vienna University Computer Center              | Austria
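The size problem described above can be checked before a new ca-certificates bundle is rolled out. The following script is an added example and is not part of the original post, nor code from Exim or OpenSSL. It uses only the Python standard library: a minimal DER walker pulls the subject Name out of each certificate in a PEM bundle, and the CertificateRequest message is laid out as in RFC 5246 section 7.4.4 (for TLS 1.0/1.1 the supported_signature_algorithms field is absent, hence the tls12 switch). The counts assumed for certificate_types and signature algorithms are parameters, not values taken from any real server; only their lengths matter for the estimate. The synthetic certificates at the bottom are constructed test data with dummy key and signature fields, so the script also runs offline without a real bundle.

```python
"""Estimate the size of a TLS CertificateRequest for a CA bundle.

Added example (not from the original post, Exim or OpenSSL). A handshake
message longer than the 2^14-byte record plaintext limit (RFC 5246 6.2.1)
is fragmented over several records, which is what the post saw in Wireshark.
Usage: python3 certreq_size.py /etc/pki/tls/certs/ca-bundle.crt
"""
import base64
import re
import sys

MAX_RECORD_PLAINTEXT = 2 ** 14  # 16384 bytes of plaintext per TLS record

_PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def load_pem_bundle(data):
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle."""
    return [base64.b64decode(b"".join(m.split())) for m in _PEM_RE.findall(data)]


def _tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def subject_dn_der(cert_der):
    """DER encoding of the subject Name, i.e. the DistinguishedName TLS sends."""
    _, pos, _ = _tlv(cert_der, 0)           # Certificate ::= SEQUENCE
    _, pos, _ = _tlv(cert_der, pos)         # tbsCertificate ::= SEQUENCE
    tag, _, end = _tlv(cert_der, pos)
    if tag == 0xA0:                         # [0] EXPLICIT version OPTIONAL
        pos = end
    for _ in range(4):                      # serialNumber, signature, issuer, validity
        _, _, pos = _tlv(cert_der, pos)
    _, _, end = _tlv(cert_der, pos)         # subject ::= Name
    return cert_der[pos:end]


def certificate_request_size(dns, n_cert_types=3, n_sigalgs=14, tls12=True):
    """Bytes in the CertificateRequest handshake message (RFC 5246 7.4.4).
    n_cert_types and n_sigalgs are assumed counts for the fixed-size part."""
    size = 4                                # HandshakeType + uint24 length
    size += 1 + n_cert_types                # certificate_types<1..2^8-1>
    if tls12:
        size += 2 + 2 * n_sigalgs           # supported_signature_algorithms<2..2^16-2>
    size += 2 + sum(2 + len(dn) for dn in dns)  # certificate_authorities<0..2^16-1>
    return size


def records_needed(msg_len):
    """Number of TLS records the message is fragmented over."""
    return -(-msg_len // MAX_RECORD_PLAINTEXT)


def estimate_bundle(pem_bytes, **kw):
    """(number of CAs, CertificateRequest length, records needed) for a bundle."""
    dns = [subject_dn_der(c) for c in load_pem_bundle(pem_bytes)]
    size = certificate_request_size(dns, **kw)
    return len(dns), size, records_needed(size)


# --- constructed test data: synthetic certificates, no real key material ---
def _der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def subject_name_der(cn):
    """Name with a single CN attribute (OID 2.5.4.3 as UTF8String)."""
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def synthetic_cert_der(cn):
    """Structurally valid certificate skeleton; key and signature are dummies."""
    name = subject_name_der(cn)
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))                      # version v3
               + _der(0x02, b"\x01")                                # serialNumber
               + _der(0x30, _der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B") + _der(0x05, b""))
               + name                                               # issuer
               + _der(0x30, _der(0x17, b"140101000000Z") + _der(0x17, b"240101000000Z"))
               + name                                               # subject
               + _der(0x30, b""))                                   # subjectPublicKeyInfo (dummy)
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))


def synthetic_bundle_pem(cns):
    out = []
    for cn in cns:
        b64 = base64.b64encode(synthetic_cert_der(cn)).decode()
        body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        out.append("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body)
    return "".join(out).encode()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            bundle = f.read()
    else:                                   # constructed stand-in for a CA bundle
        bundle = synthetic_bundle_pem(["Example Root CA %d" % i for i in range(150)])
    n, size, recs = estimate_bundle(bundle)
    print("%d CAs, CertificateRequest ~%d bytes, %d TLS record(s)" % (n, size, recs))
```

Point it at the bundle a server actually advertises (for the setup in the post, whatever the Exim verification option references) before and after a package update; when the reported record count goes from 1 to 2, clients that cannot reassemble a handshake message spanning two records will fail exactly as described. The DN list is the only part that grows with the bundle, so the estimate stays accurate regardless of what the fixed part really contains.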
