igrr / axtls-8266

axTLS port for ESP8266


SSL certificate size

igrr opened this issue · comments

From @tijnkooijmans on March 17, 2016 10:06

Is there any limit to the SSL certificate size in axTLS?

I'm using WifiClientSecure and when I have a fully-chained certificate (6 kb) on the server the connection gets refused (error -1), while if the server only uses the non-chained certificate (1.8 kb) there is no problem.

I have 30 kb heap available when making the SSL connection so it's no memory issue.

Thanks in advance for looking into this!

Copied from original issue: esp8266/Arduino#1788

Could you please advise how to reproduce this? What server URL should I use for non-chained certificate and fully-chained certificate?

From @tijnkooijmans on March 17, 2016 10:52

Thanks for your super-fast response! This is the one without chain:

brokerstagingdev.minibrew.io

This is the one with chain:

brokerstaging.minibrew.io

Okay, this is what seems to be happening... In order to reduce memory pressure during the handshake, we allocate a smaller TLS fragment buffer (~6kb) than per spec (16kb). Then, when the connection is established, we allow this buffer to grow as required. I will check if we can allow this buffer to grow during the handshake, i.e. whether it will fit into RAM.
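To make the failure mode above concrete, here is an added example (not axTLS or esp8266/Arduino code) that builds a TLS 1.2 Certificate handshake message from a certificate chain, parses it back with bounds checks, and reports whether the whole message fits in a receive buffer of a given size. The certificate bodies are constructed filler bytes rather than real DER, sized to mirror the 1.8 kb leaf and ~6 kb chain from the report; the two buffer sizes are the ~6 KB and 16 KB figures from the discussion. Comparing the handshake message length (without the 5-byte record header) against the buffer is an assumption about how the buffer is accounted, not a statement about axTLS internals.

```python
"""Size check for a TLS 1.2 Certificate handshake message (RFC 5246 7.4.2).

Added example, not project code. Certificates here are constructed filler,
not real DER; only the framing and the sizes matter for the check.
"""
import struct

HANDSHAKE_HEADER = 4          # msg_type(1) + length(3)
CERTIFICATE_MSG_TYPE = 11     # HandshakeType.certificate
SPEC_MAX_FRAGMENT = 16384     # max TLSPlaintext fragment per RFC 5246
SMALL_FRAGMENT = 6 * 1024     # assumption: the "~6kb" buffer from the issue

# Constructed chain: sizes chosen to resemble the report (1.8 kb leaf, ~6 kb chain)
LEAF = b"L" * 1800
INTERMEDIATE = b"I" * 2200
ROOT = b"R" * 2200


def _u24(n: int) -> bytes:
    """Encode a 24-bit big-endian length as TLS does for certificate lists."""
    if not 0 <= n < 1 << 24:
        raise ValueError("length does not fit in 24 bits")
    return struct.pack(">I", n)[1:]


def build_certificate_message(certs) -> bytes:
    """Serialize the Certificate handshake message: type, length, then the
    length-prefixed list of length-prefixed ASN.1Cert entries."""
    body = b"".join(_u24(len(c)) + c for c in certs)
    payload = _u24(len(body)) + body
    return bytes([CERTIFICATE_MSG_TYPE]) + _u24(len(payload)) + payload


def parse_certificate_message(msg: bytes):
    """Return the byte length of each certificate in the message.

    Every length field is checked against the enclosing length so a truncated
    or corrupted message raises ValueError instead of being read out of bounds.
    """
    if len(msg) < HANDSHAKE_HEADER or msg[0] != CERTIFICATE_MSG_TYPE:
        raise ValueError("not a Certificate handshake message")
    hs_len = int.from_bytes(msg[1:4], "big")
    if hs_len != len(msg) - HANDSHAKE_HEADER:
        raise ValueError("handshake length mismatch")
    if hs_len < 3:
        raise ValueError("missing certificate list length")
    list_len = int.from_bytes(msg[4:7], "big")
    if list_len != hs_len - 3:
        raise ValueError("certificate list length mismatch")
    lengths = []
    pos, end = 7, 7 + list_len
    while pos < end:
        if pos + 3 > end:
            raise ValueError("truncated certificate length field")
        n = int.from_bytes(msg[pos:pos + 3], "big")
        pos += 3
        if pos + n > end:
            raise ValueError("certificate extends past the list")
        lengths.append(n)
        pos += n
    return lengths


def fits_in_buffer(msg: bytes, buffer_size: int) -> bool:
    """True when the whole handshake message fits in one receive buffer of
    buffer_size bytes (assumption: record header not counted)."""
    return len(msg) <= buffer_size


SINGLE_MSG = build_certificate_message([LEAF])
FULL_CHAIN_MSG = build_certificate_message([LEAF, INTERMEDIATE, ROOT])


def chain_report(msg: bytes) -> dict:
    """Summarize message size and whether it fits the small and spec buffers."""
    return {
        "cert_lengths": parse_certificate_message(msg),
        "message_bytes": len(msg),
        "fits_small_buffer": fits_in_buffer(msg, SMALL_FRAGMENT),
        "fits_spec_buffer": fits_in_buffer(msg, SPEC_MAX_FRAGMENT),
    }


if __name__ == "__main__":
    for name, msg in (("leaf only", SINGLE_MSG), ("full chain", FULL_CHAIN_MSG)):
        print(name, chain_report(msg))
```

Running the script shows the leaf-only message (1810 bytes) fitting both buffers while the full chain (6216 bytes) fits the 16 KB spec buffer but not the ~6 KB one, which matches the symptom in the report: a server that is entirely within spec can still be refused by a client with an undersized handshake buffer.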

From @tijnkooijmans on March 17, 2016 11:33

Great, thanks! Looking forward to testing if you can make this work.

Did you get a chance to look into this? Thanks!

Should be fixed in latest version.