rustls: make max size of cert and key reasonable

SIZE_MAX is a very overkill size for certificates or keys, so lower it to
100KiB for both certificate and keys. The default max size of openssl is
100KiB for the entire chain [1], and it seems firefox fails at ~60kb
[2].

Found by https://github.com/curl/curl/pull/16923

[0] https://docs.openssl.org/3.2/man3/SSL_CTX_set_max_cert_list/#notes
[2] https://0x00.cl/blog/2024/exploring-tls-certs/

Closes #16951
Yedaya Katsman 2025-04-03 23:36:05 +03:00 committed by Daniel Stenberg
parent bdc42ba23e
commit fe1ba25c87
2 changed files with 4 additions and 2 deletions


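--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -99,4 +99,6 @@ char *Curl_dyn_take(struct dynbuf *s, size_t *plen);
 #define DYN_MQTT_RECV (64*1024)
 #define DYN_MQTT_SEND 0xFFFFFFF
 #define DYN_CRLFILE_SIZE (400*1024*1024) /* 400mb */
+#define DYN_CERTFILE_SIZE (100*1024) /* 100KiB */
+#define DYN_KEYFILE_SIZE (100*1024) /* 100KiB */
 #endif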
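Review bot: The comments on the two added DYN_CERTFILE_SIZE and DYN_KEYFILE_SIZE lines only restate the number; they should say what each value bounds, because the commit message derives 100KiB from OpenSSL's default, which caps the certificate chain received on the wire, while these macros cap a file the local user passes in and that is read whole into a dynbuf. A client certificate file that also carries its intermediates is a different object from a received chain, so a reader should not assume the two limits are interchangeable; suggested wording: `#define DYN_CERTFILE_SIZE (100*1024) /* max client certificate file to read, 100KiB */` and `#define DYN_KEYFILE_SIZE (100*1024) /* max private key file to read, 100KiB */`. Whether 100KiB is enough for files holding several intermediates in a text encoding is something to confirm against real inputs, since exceeding the cap now turns into a hard CURLE_SSL_CERTPROBLEM-style failure rather than a slow read.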


@ -868,8 +868,8 @@ init_config_builder_client_auth(struct Curl_easy *data,
return CURLE_SSL_CERTPROBLEM; return CURLE_SSL_CERTPROBLEM;
} }
Curl_dyn_init(&cert_contents, SIZE_MAX); Curl_dyn_init(&cert_contents, DYN_CERTFILE_SIZE);
Curl_dyn_init(&key_contents, SIZE_MAX); Curl_dyn_init(&key_contents, DYN_KEYFILE_SIZE);
if(!read_file_into(conn_config->clientcert, &cert_contents)) { if(!read_file_into(conn_config->clientcert, &cert_contents)) {
failf(data, "rustls: failed to read client certificate file: '%s'", failf(data, "rustls: failed to read client certificate file: '%s'",