Post Reply 
 
Thread Rating:
  • 0 Votes - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
TLS received oversize handshake
2019-03-24, 23:33
Post: #1
TLS received oversize handshake
Hi All,
Our Red Hat OpenShift/Kubernetes servers appear to have been upgraded over the last few days and iPXE started giving me the following error. I've pulled the latest sources and compiled with DEBUG=tls:1 and disabled OCSP.

Here's a screen dump of the error with tls debug enabled:

https://pasteboard.co/I6XJBPp.png

Any thoughts hugely appreciated. I can provide packet traces if that helps too.

Cheers,

Doug
Find all posts by this user
Quote this message in a reply
2019-03-25, 01:22
Post: #2
RE: TLS received oversize handshake
(2019-03-24 23:33)dscoular@gmail.com Wrote:  Our Red Hat OpenShift/Kubernetes servers appear to have been upgraded over the last few days and iPXE started giving me the following error. I've pulled the latest sources and compiled with DEBUG=tls:1 and disabled OCSP.

Here's a screen dump of the error with tls debug enabled:

https://pasteboard.co/I6XJBPp.png

Any thoughts hugely appreciated. I can provide packet traces if that helps too.

There was a recent feature enhancement to add support for RFC5077 stateless session resumption (aka session tickets). This may cause the server to send a longer ServerHello message, and it's plausible that this causes the handshake message to be split across multiple records. iPXE doesn't currently handle TLS record reassembly and would instead give the message that you are seeing.

Michael
Visit this user's website Find all posts by this user
Quote this message in a reply
Post Reply 




User(s) browsing this thread: 1 Guest(s)