On Fri, Feb 12, 2010 at 08:35:09PM +0100, Steffen DETTMER wrote:

> (So DER encoding is used, and it is allowing 128 byte long
> length fields allowing 2^1024 [a number taking four and a half
> lines in xterm because 309 decimal digits long] bytes long value
> fields sufficient to enumerate every atom in the visible
> universe an unbelievably huge number of times
> - but in the end for certificates limit of 16384 [5 digit
> number] is in effect :-))

SSL protocol engines need sensibly sized I/O buffer size limits. The
decision to limit SSL record lengths is reasonable. 16K is a fine choice.

And yes, 5000 altName entries in a certificate is absurd. It may be the
most expedient way to overcome design implementations in the software
you are forced to use, but the SSL protocol is not obligated to support
this use-case.

-- 
	Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
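
The point about bounded lengths, as an added example that is not part of the original message and is not OpenSSL code: a DER length-field reader that rejects oversized, indefinite, reserved and non-minimal encodings before any buffer is sized from the result. The function name, the error codes and the use of 16384 as the cap on a value's length are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_VALUE_LEN 16384u  /* assumed cap, mirroring the 16K figure above */

/* Return codes (names are this example's own). */
enum { DER_OK = 0, DER_TRUNCATED = -1, DER_INDEFINITE = -2,
       DER_RESERVED = -3, DER_NOT_MINIMAL = -4, DER_TOO_LARGE = -5 };

/* Parse the length field at buf[0..avail); on success set *len to the
 * value length and *used to the number of length octets consumed. */
int der_read_length(const uint8_t *buf, size_t avail, size_t *len, size_t *used)
{
    if (avail < 1) return DER_TRUNCATED;
    uint8_t first = buf[0];
    if (first < 0x80) {                 /* short form: 0..127 in one octet */
        *len = first; *used = 1;
        return DER_OK;
    }
    if (first == 0x80) return DER_INDEFINITE;   /* BER only, not DER */
    if (first == 0xFF) return DER_RESERVED;     /* reserved by X.690 */
    size_t n = first & 0x7F;            /* count of following length octets */
    if (n > sizeof(size_t)) return DER_TOO_LARGE; /* reject before reading more */
    if (avail < 1 + n) return DER_TRUNCATED;
    if (buf[1] == 0x00) return DER_NOT_MINIMAL; /* no leading zero octets */
    size_t v = 0;
    for (size_t i = 0; i < n; i++)
        v = (v << 8) | buf[1 + i];
    if (v < 0x80) return DER_NOT_MINIMAL;       /* short form was required */
    if (v > MAX_VALUE_LEN) return DER_TOO_LARGE;
    *len = v; *used = 1 + n;
    return DER_OK;
}

int main(void)
{
    /* Constructed sample: long form, two length octets, value 0x4000 = 16384 */
    const uint8_t hdr[] = {0x82, 0x40, 0x00};
    size_t len = 0, used = 0;
    int rc = der_read_length(hdr, sizeof hdr, &len, &used);
    printf("rc=%d len=%zu used=%zu\n", rc, len, used);
    return rc == DER_OK ? 0 : 1;
}
```
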