users@glassfish.java.net

Re: ssl_error_rx_malformed_cert_request with two-way ssl ...

From: Oleksiy Stashok <oleksiy.stashok_at_oracle.com>
Date: Tue, 11 Sep 2012 11:48:39 +0200

Hi Gabriel,

I think you found the correct problem description.
When I ran the Java-based SSL client against GF (with the settings you
provided), I saw the SSLException "Bad CertificateRequest DN length",
thrown from:


    CertificateRequest(HandshakeInStream input) throws IOException {
        types = input.getBytes8();
        int len = input.getInt16();   // 16-bit length of the DN list
        ArrayList<DistinguishedName> v = new ArrayList<DistinguishedName>();
        while (len >= 3) {
            DistinguishedName dn = new DistinguishedName(input);
            v.add(dn);
            len -= dn.length();
        }

        if (len != 0) {
            throw new SSLProtocolException("Bad CertificateRequest DN length");
        }

        authorities = v.toArray(new DistinguishedName[v.size()]);
    }

The len variable is assigned a 16-bit integer value (max size 2^16-1),
so that's probably what is causing the problem.

Not sure why I see the problem on the decoder side (I would expect to see
it on the encoder side first)...

Thanks.

WBR,
Alexey.

On 09/11/2012 08:18 AM, forums_at_java.net wrote:
> In fact they say it starts between 500 and 1000. I made the test, and
> if the error is hit at 512, you will have it at 1000 and 2000 also. In
> fact somewhere they also say: "This is probably because there is a
> hardcoded limit in the protocol: The CertificateRequest message must
> specify the DNs of accepted CAs. These DNs, all together, can occupy at
> most 2^16-1 = 65535 bytes, so if there are too many CAs, this limit can
> be encountered. For reference, this is paragraph 7.4.4 of RFC 2246. It
> describes TLS 1.0, but there is little significant difference between
> TLS and SSL for what interests us."
>
> Regards, Gabriel
>
> --
>
> [Message sent by forum member 'gabosu']
>
> View Post: http://forums.java.net/node/889917
>
>
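The 16-bit ceiling the thread is talking about, as an added example that is not part of the original thread, of GlassFish, or of the JDK: a small Python encoder and decoder for the body of a TLS 1.0-1.2 CertificateRequest (RFC 2246 / RFC 5246 section 7.4.4). The decoder follows the shape of the JDK constructor quoted above (uint8-prefixed certificate types, a uint16 DN-list length, a loop that consumes 2-byte-prefixed DER names while at least 3 bytes remain, then a check that exactly 0 bytes are left). The encoder's `truncate=True` mode is an assumption, not something the page establishes: it models a writer that pushes the total through a 16-bit field and so keeps only the low 16 bits. Under that assumption an oversize CA list is sent with a wrong length and the failure appears on the decoder side, which is where the thread observed it. The CA names, their count and the 25-byte DER encoding are constructed for the example; `probe`, `sample_dns` and the other names are the example's own.

```python
"""
Added example: TLS CertificateRequest body encode/decode to show the
2^16-1 byte limit on certificate_authorities (RFC 2246 / 5246, 7.4.4).
"""
import struct

MAX_DN_BYTES = 0xFFFF        # certificate_authorities<0..2^16-1>
CERT_TYPES = bytes([1, 2])   # rsa_sign, dss_sign (ClientCertificateType)


class BadDNLength(ValueError):
    """Stand-in for the JDK's SSLProtocolException on the failing check."""


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_dn(common_name: str) -> bytes:
    """Minimal DER Name: SEQUENCE { SET { SEQUENCE { OID cn, UTF8String } } }."""
    cn = common_name.encode("utf-8")
    utf8 = b"\x0c" + der_len(len(cn)) + cn
    oid = b"\x06\x03\x55\x04\x03"                       # 2.5.4.3 commonName
    atv = b"\x30" + der_len(len(oid) + len(utf8)) + oid + utf8
    rdn = b"\x31" + der_len(len(atv)) + atv
    return b"\x30" + der_len(len(rdn)) + rdn


def dn_bytes_total(dns) -> int:
    """Wire size of the DN list: every DN carries its own 2-byte length."""
    return sum(2 + len(dn) for dn in dns)


def max_cas_that_fit(dn_len: int) -> int:
    """How many equally sized DNs fit under the 16-bit ceiling."""
    return MAX_DN_BYTES // (2 + dn_len)


def encode_certificate_request(dns, truncate: bool = False) -> bytes:
    """Build the body. truncate=True writes the total modulo 2^16 (assumed
    behaviour of a writer with a 16-bit field and no range check);
    truncate=False refuses an oversize list before anything is sent."""
    body = b"".join(struct.pack("!H", len(dn)) + dn for dn in dns)
    total = len(body)
    if total > MAX_DN_BYTES and not truncate:
        raise ValueError(f"DN list is {total} bytes, limit is {MAX_DN_BYTES}")
    return (bytes([len(CERT_TYPES)]) + CERT_TYPES
            + struct.pack("!H", total & 0xFFFF) + body)


def decode_certificate_request(msg: bytes):
    """Parse the body the way the quoted JDK constructor does."""
    ntypes = msg[0]
    pos = 1
    types = msg[pos:pos + ntypes]
    pos += ntypes
    (length,) = struct.unpack_from("!H", msg, pos)      # uint16 DN-list length
    pos += 2
    dns = []
    while length >= 3:                                  # a DN is at least 2 + 1 bytes
        (dn_len,) = struct.unpack_from("!H", msg, pos)
        pos += 2
        if pos + dn_len > len(msg):
            raise ValueError("DN runs past end of message")
        dns.append(msg[pos:pos + dn_len])
        pos += dn_len
        length -= 2 + dn_len
    if length != 0:                                     # the JDK's failing check
        raise BadDNLength("Bad CertificateRequest DN length")
    return types, dns


def sample_dns(n: int):
    """Constructed CA names, 25 DER bytes each (27 on the wire)."""
    return [encode_dn(f"Test CA {i:04d}") for i in range(n)]


def probe(n_cas: int) -> dict:
    """Encode n_cas CAs with the truncating writer and report what a decoder sees."""
    dns = sample_dns(n_cas)
    msg = encode_certificate_request(dns, truncate=True)
    (wire_len,) = struct.unpack_from("!H", msg, 1 + len(CERT_TYPES))
    result = {"ca_count": n_cas, "dn_bytes": dn_bytes_total(dns), "wire_len": wire_len}
    try:
        result["decoded"] = len(decode_certificate_request(msg)[1])
        result["error"] = None
    except BadDNLength as exc:
        result["decoded"] = None
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    for n in (2000, 3000):
        print(probe(n))
```

With 27 bytes per entry, 2000 CAs (54000 bytes) round-trip cleanly and 3000 CAs (81000 bytes) go out with a wire length of 15464 (81000 mod 65536). The decoder then consumes 573 DNs, the running length goes to -7, the loop exits and the `len != 0` check fires, which reproduces the exception quoted in the reply. Real CA names are a few times larger than the 25-byte sample, so the ceiling is reached with far fewer CAs, in line with the 500-1000 range mentioned in the thread. The non-truncating encoder shows the check a writer should do instead: refuse the list before sending a length field that cannot hold it.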