Actions
Bug #27156
open
Do not send CA list on client authentication
Status:
Pending release
Priority:
N/A
Assignee:
Category:
Server components
Target version:
Pull Request:
Severity:
UX impact:
User visibility:
Effort required:
Priority:
0
Name check:
To do
Fix check:
To do
Regression:
No
Description
When a client tries to authenticate via TLS in the http connection, the server sends it a list of accepted CA, which can be pretty long since we don't have a proper PKI yet
Since we don't have a PKI, we store all agent certificates as CA, which makes a very long list.
When this list is sent, it can overflow the TLS connection a and make it fail with a tlsv1 alert internal error.
The solution is to use SSLCADNRequestFile to send a shorter list.
Updated by
Actions