[ipxe-devel] [tls] received overlength Handshake - GoDaddy certs

Sebastian Roth sebaroth at gmx.de
Sat Jan 19 17:16:05 UTC 2019


On 01/19/2019 10:04 AM, Christian Nilsson wrote:
> Is there any way to detect that you only got a partial TLS header? or
> is it any way to detect that it isn't complete and we should wait for
> more data before processing it?

Yes. The TLS handshake header comes along with a length field. In the
example of Go Daddy this is set to 51xx (can't remember exactly from the
top of my head). This length is being read and causes the "received
overlength Handshake" error. As we set max_fragmentation extension to
4096 and received exactly that amount of data in the first handshake
packet it should be fairly straightforward to predict that another
packet with the rest is on its way.


> I think this has been reported before, just that not enough 
> information was provided to reproduce, and/or no persistence was
> put in to have it fixed.
Looking through the git history I found some more interesting changes
which sound like this kind of issue has been looked at already [1], [2].
But probably from a different angle back in 2012/13 when SSL server side
implementations were still very different.

Regards,
Sebastian

[1]
https://git.ipxe.org/ipxe.git/commit/0acc52519de732f4f010e1029e1308cee825eaed
[2]
https://git.ipxe.org/ipxe.git/commit/72db14640c2a9eac0ba53baa955b180f1f4b9c2f
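As an added illustration of the reassembly logic discussed above (example code written for this post, not iPXE's own tls.c): the 24-bit length in the handshake header tells the receiver whether the fragment it just got is the whole message or whether more records must follow, so a message larger than the 4096-byte fragment limit is buffered rather than rejected as overlength. The 5100-byte Certificate body, the 8192-byte reassembly cap and the function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* TLS handshake message header: 1-byte msg_type + 3-byte (24-bit) length. */
#define HS_HDR_LEN 4
#define HS_MAX_LEN 8192  /* reassembly cap; chosen for this example */

enum { HS_NEED_MORE = 0, HS_COMPLETE = 1, HS_OVERLENGTH = -1 };

struct hs_reassembler {
    uint8_t buf[HS_MAX_LEN];  /* bytes accumulated across records */
    size_t len;
};

/* Feed the handshake payload of one TLS record. Returns HS_COMPLETE when a
 * whole message is buffered (its size in *msg_len), HS_NEED_MORE when the
 * 24-bit length says more records must follow, HS_OVERLENGTH if the message
 * can never fit in the buffer. */
int hs_feed(struct hs_reassembler *r, const uint8_t *frag, size_t n, size_t *msg_len)
{
    if (n > HS_MAX_LEN - r->len)
        return HS_OVERLENGTH;
    memcpy(r->buf + r->len, frag, n);
    r->len += n;
    if (r->len < HS_HDR_LEN)
        return HS_NEED_MORE;            /* not even the header yet */
    size_t body = ((size_t)r->buf[1] << 16) | ((size_t)r->buf[2] << 8) | r->buf[3];
    if (HS_HDR_LEN + body > HS_MAX_LEN)
        return HS_OVERLENGTH;           /* genuinely too large */
    if (r->len < HS_HDR_LEN + body)
        return HS_NEED_MORE;            /* header says the rest is still coming */
    *msg_len = HS_HDR_LEN + body;
    return HS_COMPLETE;
}

/* Constructed scenario: a 5100-byte Certificate body (msg_type 11) delivered
 * as a 4096-byte fragment followed by the remainder, as a server honouring a
 * 4096-byte fragment limit would send it. Returns 1 if the reassembler reports
 * NEED_MORE after the first record and COMPLETE after the second. */
int demo_split_certificate(void)
{
    static uint8_t msg[HS_HDR_LEN + 5100];
    size_t body = 5100, got = 0;
    msg[0] = 11;
    msg[1] = (uint8_t)(body >> 16); msg[2] = (uint8_t)(body >> 8); msg[3] = (uint8_t)body;
    memset(msg + HS_HDR_LEN, 0xAB, body);  /* dummy certificate bytes */
    struct hs_reassembler r = { .len = 0 };
    int s1 = hs_feed(&r, msg, 4096, &got);
    int s2 = hs_feed(&r, msg + 4096, sizeof(msg) - 4096, &got);
    return s1 == HS_NEED_MORE && s2 == HS_COMPLETE && got == sizeof(msg);
}
```

A receiver that instead treats each record's payload as a complete message would see the 5100-byte length, compare it with the 4096 bytes in hand, and report the overlength error this thread describes.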
