Skip to content

Outgoing client Certificate message is not fragmented according to negotiated Max Fragment Length #10787

Description

@pbizzarriINIM

I am testing an embedded mutual-TLS client based on Mbed TLS 3.6.6 with the following options enabled:

#define MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
#define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH

The device uses TLS 1.2 mutual authentication. The current certificate chains are relatively small:

  • server Certificate handshake message: about 1200 bytes
  • client Certificate handshake message: about 900 bytes

With:

#define MBEDTLS_SSL_IN_CONTENT_LEN   4352
#define MBEDTLS_SSL_OUT_CONTENT_LEN  4352

the handshake succeeds.

I then tested TLS Maximum Fragment Length negotiation.

When using MBEDTLS_SSL_MAX_FRAG_LEN_512, the peer accepts the MFL extension. The server-side Certificate message is received correctly by the device, fragmented across multiple TLS records within the negotiated 512-byte limit.

However, when Mbed TLS sends the client Certificate message, it appears to emit it as a single TLS record of about 833 bytes. The peer then aborts the handshake with a fatal record_overflow alert.

With MBEDTLS_SSL_MAX_FRAG_LEN_4096, the same handshake succeeds, because both the server and client Certificate messages fit below the negotiated 4096-byte record limit.

This looks like an asymmetry in MFL handling:

  • incoming Certificate messages are handled correctly when the peer fragments them according to MFL;
  • outgoing client Certificate messages do not appear to be fragmented by Mbed TLS according to the negotiated MFL.

Expected behavior:

After a Maximum Fragment Length value has been negotiated, Mbed TLS should ensure that all outgoing TLSPlaintext records, including handshake records such as the client Certificate message, respect the negotiated maximum fragment length.

Actual behavior:

The outgoing client Certificate message appears to be sent as a single TLS record larger than the negotiated MFL value, causing the peer to abort with record_overflow.

This is relevant for embedded mutual-TLS devices, where MFL is used to reduce runtime RAM usage while still supporting certificate-based authentication.

Please let me know if this is a known limitation, a configuration issue, or an actual bug in the outgoing handshake fragmentation path.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type
    No fields configured for issues without a type.

    Projects

    Status
    No status

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions