{
  "commit": "cccf8525db8a57153d3cb3e22efed2db4b71a8ab",
  "tree": "74a38b24b720ffe2c87b556f5ccb623c8d32e596",
  "parents": [
    "85145fdc914b4c01b9bb16a9253067958e327283"
  ],
  "author": {
    "name": "Chris Vest",
    "email": "christianvest_hansen@apple.com",
    "time": "Wed Feb 26 10:16:18 2025 -0800"
  },
  "committer": {
    "name": "Boringssl LUCI CQ",
    "email": "boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com",
    "time": "Wed Apr 23 16:09:52 2025 -0700"
  },
  "message": "Use max_cert_list for TLSv1.3 NewSessionTicket\n\nCertificate chains are transferred to the respective peer during the TLS\nhandshake in the ServerHello, and sometimes the ClientHello, messages.\nThese certificate chains can be of arbitrary size due to the number of\nintermediary issuers, and due to the extensions within the certificates.\n\nTo avoid resource exhaustion, BoringSSL limits the size of handshake\nmessages, and rejects handshakes beyond a certain size.\nBy default, the max message size is 16 KiB, but it can be increased with\nthe SSL_CTX_set_max_cert_list setting.\n\nThis setting allows handshakes to complete with large certificate\nchains. However, a new problem surfaces for TLSv1.3 sessions.\nIn TLSv1.3, session tickets (for supporting session resumption) are sent\nafter the handshake in NewSessionTicket messages. BoringSSL currently\nencodes the entire peer certificate chain (and some other things) in the\nsession ticket, which means the size of the certificate chains\ninfluences the size of the corresponding NewSessionTicket.\n\nTo avoid breaking the TLS session on oversized NewSessionTicket\nmessages, a BoringSSL server will refuse to send any NewSessionTicket\nthat looks like it will be larger than 16 KiB. Unfortunately, this\naccounting is inaccurate and does not take the entire NewSessionTicket\nmessage into account. Thus, certificate chains that are a few hundred\nbytes smaller than 16 KiB can be accepted by a handshake when the\nmax_cert_list setting has been increased, and by the NewSessionTicket\nsize accounting, but then later fail on the client with an\nEXCESSIVE_MESSAGE_SIZE error, because ssl_max_handshake_message_len()\nreturns the default 16 KiB, in turn because the handshake has finished\nand that causes it to ignore the configured max_cert_list.\n\nThis patch fixes this problem by making TLSv1.3 clients keep using the\nmax_cert_list setting post-handshake, when it is greater than the\ndefault 16 KiB.\n\nChange-Id: I17d689906a12079add4ad48b679508bc09a79f7c\nReviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/78647\nReviewed-by: David Benjamin \u003cdavidben@google.com\u003e\nReviewed-by: Adam Langley \u003cagl@google.com\u003e\nCommit-Queue: Adam Langley \u003cagl@google.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "a3a38638a1f73eaa48a5393d2697b34003c9615e",
      "old_mode": 33188,
      "old_path": "ssl/handshake.cc",
      "new_id": "cd6a25df394140c4b9b1ed08c719fe2e77795648",
      "new_mode": 33188,
      "new_path": "ssl/handshake.cc"
    }
  ]
}
