tls: oversized record received with length XXXXX
Asked Answered
O

1

3

I use the built-in standard SSL socket client library (net + crypto/tls) like this:

conn, err := net.Dial("tcp", "exploit.im:5222")
//...
config := tls.Config{InsecureSkipVerify: true}
tls_conn := tls.Client(conn, &config)
fmt.Println(tls_conn.Handshake())

And am getting the message:

conn, err := net.Dial("tcp", "exploit.im:5222")

I managed to find out it is somehow related to the default maximum packet size (16384 + 2048 set in common.go:31). Is there any standard work around (without patching this value & rebuilding the lib)?

Omnibus answered 17/3, 2016 at 22:57 Comment(3)
You're probably not connecting to a TLS service.Suffragette
Or you're connecting to a buggy one.Fontanez
@jimB is almost certainly correct. Verify with openssl s_client -connect exploit.im:5222Werbel
S
3

You get this kind of messages if you try to do a SSL handshake with a peer which does not reply with SSL. In this case it is probably some XMPP server and with XMPP you first have some clear text handshake before you start with SSL. Trying to start directly with SSL will result in interpreting the servers clear text response as an SSL frame which can result in strange error messages like this.

Shandrashandrydan answered 18/3, 2016 at 5:55 Comment(3)
Yes, it is an XMPP server. The thing is it says it does support TLS: <stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/><mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><mechanism>PLAIN</mechanism><mechanism>DIGEST-MD5</mechanism><mechanism>SCRAM-SHA-1</mechanism></mechanisms><c xmlns='http://jabber.org/protocol/caps' hash='sha-1' node='http://www.process-one.net/en/ejabberd/' ver='NUUMEO3rKA30XLGO1FbA9EZT1rY='/><register xmlns='http://jabber.org/features/iq-register'/></stream:features>Omnibus
By the way, removing the limit and rebuilding crypto lib really didn't help, it just led to another error message stating the first record doesn't look like SSL handshake. So it was not a very helpful ideaOmnibus
@Gonzalez: TLS is started via a STARTTLS extension. You have to negotiate this within the XMPP protocol.Suffragette

© 2022 - 2024 — McMap. All rights reserved.