[stunnel-users] ssl - excessive message size

Olivier Rademakers lists at channelopen.org
Thu Sep 2 00:47:38 CEST 2004


Hi All,

I am having trouble with a secure connection that used to work until now. I
am using an stunnel connection to transfer data from an LDAP server
(127.0.0.1) to a Windows Active Directory server (machineB.domain.com) in
order to update AD with updated LDAP data.

I have run stunnel in high verbosity manually so I could extract a log of a
connection attempt. Here it is below:

# stunnel -c -f -D 7 -P /var/ldapad/ -d 127.0.0.1:6360 -r machineB.domain.com:636

LOG5[9318:1]: Using 'machineB.domain.com.636' as tcpwrapper service name
LOG7[9318:1]: RAND_status claims sufficient entropy for the PRNG
LOG6[9318:1]: PRNG seeded successfully
LOG5[9318:1]: stunnel 3.14 on sparc-sun-solaris2.7 PTHREAD
LOG7[9318:1]: Created pid file /var/ldapad/stunnel.machineB.domain.com.636.pid
LOG7[9318:1]: machineB.domain.com.636 bound to 127.0.0.1:6360
LOG7[9318:4]: machineB.domain.com.636 started
LOG5[9318:4]: machineB.domain.com.636 connected from 127.0.0.1:55001
LOG7[9318:4]: machineB.domain.com.636 connecting 172.27.24.4:636
LOG7[9318:4]: Remote host connected
LOG7[9318:4]: before/connect initialization
LOG7[9318:4]: before/connect initialization
LOG7[9318:4]: SSLv3 write client hello A
LOG7[9318:4]: SSLv3 read server hello A
LOG7[9318:4]: SSLv3 read server certificate A
LOG7[9318:4]: SSLv3 read server key exchange A
LOG7[9318:4]: SSLv3 read server key exchange A
LOG3[9318:4]: SSL_connect: error:1408E098:SSL routines:SSL3_GET_MESSAGE:excessive message size
LOG7[9318:4]: machineB.domain.com.636 finished (0 left)

I have searched for this error but to no avail and am wondering if any of
you have already come across such, and if so would have the beginning of a
solution, and why not The Solution ;-)

NB: When running stunnel with the "-c" operand (client mode), it is said the
certificates are optional. I have captured the dialogue between the two
machines, and apparently, the problem would be coming from the AD server as
the DN (Distinguished Name) in the cert is ~8000 bytes long. The capture
reveals other errors, checksum and more, so if needed I could append those
to the problem stated here.

Again, the unix-ldap side has not changed to my knowledge. The script has
always been the same, and it worked until now.

The ldap server is SUN Solaris 2.8 with ssl 0.9.7b

Version of stunnel: stunnel 3.21 on sparc-sun-solaris2.8 PTHREAD

The AD server is a Windows 2000 machine.

Please enlighten me,

Olivier
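OpenSSL reports SSL3_GET_MESSAGE "excessive message size" when a handshake message's declared length exceeds the maximum it will accept for that message, so the useful diagnostic is to see exactly which message from the server is oversized and what fills it. The script below is an added example (not from the post, stunnel or OpenSSL) that walks captured handshake bytes and reports each message's length, with per-certificate lengths for Certificate messages and per-DN lengths for CertificateRequest messages; the 16384-byte threshold is an assumed default for the example, and the sample input is constructed rather than a real capture.

```python
from typing import Dict, List

HANDSHAKE_NAMES = {11: "Certificate", 12: "ServerKeyExchange",
                   13: "CertificateRequest", 14: "ServerHelloDone"}
# Assumed threshold for this example: the 16384-byte maximum plaintext record length.
MAX_PLAIN = 16384


def _vector(buf: bytes, pos: int, len_bytes: int):
    """Read a length-prefixed TLS vector starting at pos; return (contents, next pos)."""
    n = int.from_bytes(buf[pos:pos + len_bytes], "big")
    pos += len_bytes
    return buf[pos:pos + n], pos + n


def parse_handshake(stream: bytes, limit: int = MAX_PLAIN) -> List[Dict]:
    """Walk concatenated handshake messages (record layer already stripped).
    Certificate messages get per-certificate DER lengths; CertificateRequest
    messages get the length of each distinguished name the server advertises."""
    out, pos = [], 0
    while pos + 4 <= len(stream):
        mtype = stream[pos]
        length = int.from_bytes(stream[pos + 1:pos + 4], "big")
        body = stream[pos + 4:pos + 4 + length]
        if len(body) != length:
            raise ValueError(f"truncated handshake message at offset {pos}")
        info = {"type": HANDSHAKE_NAMES.get(mtype, str(mtype)),
                "length": length, "too_large": length > limit}
        if mtype == 11:  # Certificate: 3-byte list length, then 3-byte-prefixed DER certs
            certs, _ = _vector(body, 0, 3)
            q, info["cert_lengths"] = 0, []
            while q < len(certs):
                der, q = _vector(certs, q, 3)
                info["cert_lengths"].append(len(der))
        elif mtype == 13:  # CertificateRequest: cert types<1..255>, then DN list<0..65535>
            _types, p = _vector(body, 0, 1)
            dns, _ = _vector(body, p, 2)
            q, info["dn_lengths"] = 0, []
            while q < len(dns):
                dn, q = _vector(dns, q, 2)
                info["dn_lengths"].append(len(dn))
        out.append(info)
        pos += 4 + length
    return out


def build_cert_request(dn_sizes: List[int]) -> bytes:
    """Construct a CertificateRequest with dummy DNs of the given sizes (constructed test data)."""
    dns = b"".join(n.to_bytes(2, "big") + b"x" * n for n in dn_sizes)
    body = b"\x01\x01" + len(dns).to_bytes(2, "big") + dns  # one cert type: rsa_sign
    return b"\x0d" + len(body).to_bytes(3, "big") + body
```

Feed it the handshake bytes reassembled from a capture of the failing connection; a message flagged `too_large` is the one OpenSSL refused, and the per-DN or per-certificate lengths show where the bulk comes from.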
