Closed
Bug 201232
Opened 22 years ago
Closed 22 years ago
SSL fragment size workaround
Categories
(NSS :: Libraries, enhancement, P3)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: bugz, Assigned: nelson)
References
()
Details
This was reported on a newsgroup:
Date: Wed, 26 Mar 2003 12:32:00 -0800 (PST)
From: Mark Crispin <mrc@CAC.Washington.EDU>
To: bill hunter <Bill.Hunter@Sun.COM>
Newsgroups: comp.mail.pine
Subject: Re: incomplete SecBuffer exceeds maximum buffer size
On Wed, 26 Mar 2003, bill hunter wrote:
> I get this message when connecting to a Sun server running iPlanet
> Messaging Server 5.2 HotFix 1.12 (built Feb 13 2003).
Sounds like you need to file a bug report on the iPlanet Messaging server.
It is not safe to use full-sized (16K) SSL payloads when talking to a
Microsoft SSL implementation. This is due to a longstanding bug in
Microsoft SSL which limits the maximum payload to 16K - 5 bytes.
Microsoft has known about this bug for years. Much to my extreme
annoyance, it was not fixed in WinXP SP1, although some Win2K systems now
have the fix.
Many implementations use 8K payloads in order to keep the payload size a
power of 2. That may not necessarily matter.
> I am using PCPine 4.53 on WindowsXP Home, and have selected the pinerc
> option that says it will quell this issue.
It doesn't quell the problem completely. It just causes PC Pine to avoid
doing things that are likely to provoke the server into causing the
problem. That doesn't mean that the server won't do it anyway for some
other reason.
> I am aware of the faq (http://www.washington.edu/imap/IMAP-FAQs/#7.43),
> but do not see any obvious way of solving this on the imap server side.
Get whomever maintains the iPlanet Messaging server to limit the SSL
payloads to a smaller value. It's not their bug, but until Microsoft
fixes its bug we all have to work around it.
Microsoft should be embarassed that this has gone on for so long. This
bug doesn't just break client software such as PC Pine, but it also breaks
their own Exchange server!
-- Mark --
-----
Reporter | ||
Comment 1•22 years ago
|
||
I verified that our code can send up to 16K fragments (see MAX_FRAGMENT_LENGTH).
I haven't verified the MS bug, for now I'm assuming the report is reliable.
Do we want to implement some kind of workaround for this in NSS?
Reporter | ||
Comment 2•22 years ago
|
||
OK, I seem to have the relevant MS bug. See URL field above.
Assignee | ||
Comment 3•22 years ago
|
||
I, for one, advocate defending the standard.
Let's keep the pressure on non-conformant implementations to get them fixed.
Let's not let them redefine the standard, and remove from them any motivation
to fix their bugs. That's my vote.
Assignee | ||
Comment 4•22 years ago
|
||
taking bug
Assignee: wtc → nelsonb
Severity: normal → minor
Priority: -- → P5
Assignee | ||
Comment 5•22 years ago
|
||
According to http://www.washington.edu/imap/IMAP-FAQs/#7.43 Pine uses
Microsoft's SChannel DLL to do SSL, and it reportedly causes Pine to crash.
Most users have a choice of email client but do not have a choice of IMAPS
server. Mozilla has an IMAPS client that works well with standards compliant
servers. Is this seen as hurting sales of any IMAPS server?
In any case, this is not a bug in NSS.
I guess we could "enhance" libSSL to give it another settable SSL socket
"option" which is the maximum outgoing SSL3/TLS "fragment" size. It would
default to 16K. That way, a server product that wants to accomodate
non-compliant clients could choose to do so.
Is that what should be done?
Severity: minor → enhancement
Priority: P5 → P3
Reporter | ||
Comment 6•22 years ago
|
||
Looking back at the email thread I filed the bug from, it seems a workaround was
developed in the server, and having a workaround at the NSS level was deemed not
to be an urgent matter. I think it is appropriate to mark this bug as WONTFIX,
and if someone comes along and asks for the NSS workaround you suggest (which I
agree would be the right approach), we can reopen it.
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → WONTFIX
Assignee | ||
Comment 7•22 years ago
|
||
What workaround was implemented?
The only workaround I can imagine is one that limits the size of each PR_Write
and PR_Send to less than 16K. I think that would also necessitate eliminating
use or PR_SendFile and PR_TransmitFile, at least on some platforms.
You need to log in
before you can comment on or make changes to this bug.
Description
•