Diffstat (limited to 'security/nss/lib/libpkix')
-rwxr-xr-xsecurity/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c
index af6ed936a..945c251f5 100755
--- a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c
@@ -43,6 +43,13 @@
#include "pkix_pl_pk11certstore.h"
+/*
+ * PKIX_DEFAULT_MAX_RESPONSE_LENGTH (64 * 1024) is too small for downloading
+ * CRLs. We observed CRLs of sizes 338759 and 439035 in practice. So we
+ * need to use a higher max response length for CRLs.
+ */
+#define PKIX_DEFAULT_MAX_CRL_RESPONSE_LENGTH (512 * 1024)
+
/* --Private-Pk11CertStore-Functions---------------------------------- */
/*
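Review bot: The name and comment on `PKIX_DEFAULT_MAX_CRL_RESPONSE_LENGTH` describe a default, but its only use visible in this patch (the DownloadCrl hunk) treats it as a floor that replaces a smaller value taken from the context. The comment should say that and state the unit, for example `Minimum response-length cap, in bytes, for CRL downloads; applied even when the context's maxResponseLength is lower.` The larger observed size (439035) leaves only about 16% headroom under 512 KiB, so the comment should also record what happens to revocation checking when a CRL exceeds the cap.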
@@ -871,6 +878,8 @@ DownloadCrl(pkix_pl_CrlDp *dp, PKIX_PL_CRL **crl,
myHttpResponseDataLen =
((PKIX_PL_NssContext*)plContext)->maxResponseLength;
+ if (myHttpResponseDataLen < PKIX_DEFAULT_MAX_CRL_RESPONSE_LENGTH)
+ myHttpResponseDataLen = PKIX_DEFAULT_MAX_CRL_RESPONSE_LENGTH;
/* We use a non-zero timeout, which means:
- the client will use blocking I/O
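Review bot: The added clamp silently raises any smaller `maxResponseLength` stored in the context to 512 KiB, so an application that deliberately set a tighter limit (for memory or denial-of-service reasons) no longer gets it for CRL fetches, whose response body comes from a remote server. If the intent is only to fix the 64 KiB default, give CRL downloads their own configurable limit, or raise the value only when the context still holds the default, e.g. `if (myHttpResponseDataLen == PKIX_DEFAULT_MAX_RESPONSE_LENGTH)`. The unbraced two-line `if` is also easy to break in a later edit; brace it as `if (...) { myHttpResponseDataLen = PKIX_DEFAULT_MAX_CRL_RESPONSE_LENGTH; }`. DownloadCrl's body starts and ends outside the hunk, so how an over-limit response is handled cannot be confirmed from here.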