From fe1ba25c87e3fe1f797051ac4df96df7549e4d3a Mon Sep 17 00:00:00 2001
From: Yedaya Katsman
Date: Thu, 3 Apr 2025 23:36:05 +0300
Subject: [PATCH] rustls: make max size of cert and key reasonable
SIZE_MAX is an very overkill size for certificates or keys, lower it to 100KiB for both certificate and keys. The default max size of openssl is 100KiB for the entire chain [1], and it seems firefox fails at ~60kb [2]. Found by https://github.com/curl/curl/pull/16923 [0] https://docs.openssl.org/3.2/man3/SSL_CTX_set_max_cert_list/#notes [2] https://0x00.cl/blog/2024/exploring-tls-certs/ Closes #16951
---
 lib/dynbuf.h | 2 ++
 lib/vtls/rustls.c | 4 ++--
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/lib/dynbuf.h b/lib/dynbuf.h
index cc7e5a12ed..72471bc104 100644
--- a/lib/dynbuf.h
+++ b/lib/dynbuf.h
@@ -99,4 +99,6 @@ char *Curl_dyn_take(struct dynbuf *s, size_t *plen);
 #define DYN_MQTT_RECV (64*1024)
 #define DYN_MQTT_SEND 0xFFFFFFF
 #define DYN_CRLFILE_SIZE (400*1024*1024) /* 400mb */
+#define DYN_CERTFILE_SIZE (100*1024) /* 100KiB */
+#define DYN_KEYFILE_SIZE (100*1024) /* 100KiB */
 #endif
diff --git a/lib/vtls/rustls.c b/lib/vtls/rustls.c
index 0f07e8e215..0087d5cbf7 100644
--- a/lib/vtls/rustls.c
+++ b/lib/vtls/rustls.c
@@ -868,8 +868,8 @@ init_config_builder_client_auth(struct Curl_easy *data,
 return CURLE_SSL_CERTPROBLEM;
 }
- Curl_dyn_init(&cert_contents, SIZE_MAX);
- Curl_dyn_init(&key_contents, SIZE_MAX);
+ Curl_dyn_init(&cert_contents, DYN_CERTFILE_SIZE);
+ Curl_dyn_init(&key_contents, DYN_KEYFILE_SIZE);
 if(!read_file_into(conn_config->clientcert, &cert_contents)) {
 failf(data, "rustls: failed to read client certificate file: '%s'",
--
2.47.3
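Review bot: The two new limits in dynbuf.h say nothing about what they bound, and the commit message's own justification (OpenSSL's 100KiB cap) is a cap on the entire chain, so a reader cannot tell whether `DYN_CERTFILE_SIZE` is meant to cover a client cert file that also carries intermediates. I would state that in the comment, e.g. `#define DYN_CERTFILE_SIZE (100*1024) /* 100KiB, whole client cert file incl. any chain */`, and add a similar one-line note on `DYN_KEYFILE_SIZE`. The neighbouring `DYN_CRLFILE_SIZE` comment writes its unit as `400mb` while the new ones use `KiB`; picking one spelling for the three would help.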
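Review bot: Once the buffers are bounded, a client certificate or key file above 100KiB will, as far as I can tell, make `read_file_into` fail and surface as `rustls: failed to read client certificate file`, which reads like a path or permission problem rather than a size limit; consider a separate message, or having `read_file_into` report that the dynbuf limit was hit, so users with large bundles are not sent looking at file permissions. Such files were accepted before this change, so this is a user-visible behaviour change that the certificate/key option documentation or changelog should mention. `init_config_builder_client_auth` starts before the hunk and the `read_file_into` implementation is outside it, so whether the limit failure is distinguishable there is inferred.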