Controlling list of "Acceptable CA names"

Posted by Mihir Shirali -X (mshirali - INFOSYS LIMITED at Cisco) 
January 07, 2017 09:20PM
Hi All,

We have a scenario where HA proxy might send a large number of "Acceptable client certificate CA names" to the client as part of the "Certificate Request" message. What we see on the client side is that it balks with the following error:
>>> TLS 1.2 Alert [length 0002], fatal illegal_parameter
02 2f
139911422498632:error:1408E098:SSL routines:SSL3_GET_MESSAGE:excessive message size:s3_both.c:512:
---

Now, for the moment we worked around the problem by preventing the server from sending down the client certificate request, but we're wondering if:
1 - Anyone is aware of this issue or if there is a limitation to the number of names that the server can send down?
2 - Is there a way to send the client request, but avoid sending the list of "acceptable client certificate CA names"?

Regards,
Mihir
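
The following is an added example, not part of the original post and not HAProxy or OpenSSL code: it encodes and parses a TLS 1.2 CertificateRequest as laid out in RFC 5246 section 7.4.4, so the size of the "acceptable CA names" list can be measured against the 2^16-1 byte cap of the certificate_authorities field. The function names and sample DNs are constructed for illustration, and the client-side limit behind the error above is not stated in the post and is not modelled.

```python
import struct

MAX_CA_VECTOR = 0xFFFF  # RFC 5246 7.4.4: certificate_authorities<0..2^16-1>

def der_cn_name(cn):
    """Constructed sample input: DER Name holding one short commonName."""
    v = cn.encode()
    atv = b"\x30" + bytes([7 + len(v)]) + b"\x06\x03\x55\x04\x03\x0c" + bytes([len(v)]) + v
    rdn = b"\x31" + bytes([len(atv)]) + atv
    return b"\x30" + bytes([len(rdn)]) + rdn

def encode_certificate_request(cert_types, sig_algs, ca_names):
    """Build the handshake message; refuse a CA list the field cannot carry."""
    names = b"".join(struct.pack("!H", len(dn)) + dn for dn in ca_names)
    if len(names) > MAX_CA_VECTOR:
        raise ValueError(f"CA names need {len(names)} bytes; field holds {MAX_CA_VECTOR}")
    algs = b"".join(bytes(pair) for pair in sig_algs)
    body = (bytes([len(cert_types)]) + bytes(cert_types)
            + struct.pack("!H", len(algs)) + algs
            + struct.pack("!H", len(names)) + names)
    return b"\x0d" + len(body).to_bytes(3, "big") + body  # type 13 + 24-bit length

def _take(buf, pos, n):
    if pos + n > len(buf):
        raise ValueError("truncated CertificateRequest")
    return buf[pos:pos + n], pos + n

def parse_ca_names(msg):
    """Return the DER DistinguishedName blobs carried in the message."""
    if len(msg) < 4 or msg[0] != 0x0D or int.from_bytes(msg[1:4], "big") != len(msg) - 4:
        raise ValueError("not a complete CertificateRequest message")
    body = msg[4:]
    n, pos = _take(body, 0, 1)
    _, pos = _take(body, pos, n[0])                      # certificate_types
    n, pos = _take(body, pos, 2)
    _, pos = _take(body, pos, int.from_bytes(n, "big"))  # signature algorithms
    n, pos = _take(body, pos, 2)
    vec, pos = _take(body, pos, int.from_bytes(n, "big"))
    if pos != len(body):
        raise ValueError("trailing bytes after certificate_authorities")
    names, i = [], 0
    while i < len(vec):
        n, i = _take(vec, i, 2)
        dn, i = _take(vec, i, int.from_bytes(n, "big"))
        names.append(dn)
    return names

def report(msg):
    names = parse_ca_names(msg)
    return {"message_bytes": len(msg), "ca_names": len(names),
            "ca_vector_bytes": sum(2 + len(d) for d in names)}
```

`report()` can be run over a CertificateRequest captured from the wire to see how many names the server advertises and how many bytes they occupy.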