On Tue, Mar 27, 2012 at 10:42:18AM +0200, Louis-David Mitterrand wrote:
> Package: openssl
> Version: 1.0.1-2
> Followup-For: Bug #665452
>
> I can no longer contact paypal on its ssl port with that 'upgrade' with
> perl, wget, w3m, etc. (all clients using openssl).
This seems to be a different issue that has the same effect.

> Going back to 1.0.0h fixes it.
>
> Dear Maintainer,
> *** Please consider answering these questions, where appropriate ***
>
>    * What led up to the situation?
>    * What exactly did you do (or not do) that was effective (or
>      ineffective)?
>    * What was the outcome of this action?
>    * What outcome did you expect instead?
>
> *** End of the template - remove these lines ***

Why are you asking me those questions?

Anyway, there seem to be 3 different problems:

- Servers that report BigIP as server. They don't reply to ClientHello
  requests that are bigger than 255 bytes. Examples include
  sourceforge.net and owa.mit.edu.
- Servers that don't tolerate version numbers they don't support while
  they are supposed to negotiate a lower version. Examples include
  boekhuis.nl.
- paypal, for which it currently isn't clear what the problem really is;
  it seems to support TLS 1.2, but reacts weird to 1.1.

All problems can be worked around by disabling the TLS 1.1 and 1.2
protocols. The first can also be worked around by disabling ciphersuites
that are sent, so you get a smaller ClientHello. It can also be
triggered by the 1.0.0h version by adding extra options like
-servername.

Due to a bug fixed upstream, disabling TLS 1.1 and 1.2 might currently
not fix the first issue, but that should get fixed in the next version.

In any case you should contact affected sites or vendors about this
issue, else we're never going to get those protocols deployed.

Kurt
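To make the first two failure modes concrete, here is an added example (not code from the thread or from OpenSSL) that builds a raw TLS ClientHello record from a chosen client_version, cipher suite list and optional server_name extension, and measures whether the handshake message crosses the 255-byte size the report describes. The 255-byte boundary is taken to apply to the handshake message inside the record, which is an assumption; the cipher suite ids and host name in the test are constructed sample values.

```python
import os
import struct

# TLS protocol versions as (major, minor) bytes; 1.1 and 1.2 are the ones
# the report says version-intolerant servers choke on.
TLS_VERSIONS = {"1.0": (3, 1), "1.1": (3, 2), "1.2": (3, 3)}

def sni_extension(server_name):
    """server_name extension (type 0), the extra bytes -servername adds."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name
    name_list = struct.pack("!H", len(entry)) + entry
    return b"\x00\x00" + struct.pack("!H", len(name_list)) + name_list

def build_client_hello(version, cipher_suites, server_name=None):
    """Return a TLS record (content type 22) carrying a ClientHello."""
    major, minor = TLS_VERSIONS[version]
    body = bytes([major, minor])          # client_version offered to the server
    body += os.urandom(32)                # client random
    body += b"\x00"                       # empty session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                   # one compression method: null
    if server_name is not None:
        ext = sni_extension(server_name)
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # client_hello(1)
    # Record layer advertises 3.1 (TLS 1.0) on the first flight, as OpenSSL does.
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def handshake_length(record):
    """Length of the handshake message that follows the 5-byte record header."""
    (length,) = struct.unpack("!H", record[3:5])
    return length

def exceeds_255(record):
    """True when the ClientHello is larger than the limit the report describes."""
    return handshake_length(record) > 255
```

Fewer cipher suites or no server_name extension shrinks the message, which is the cipher-list workaround in the message above; changing the version argument shows which client_version byte pair a version-intolerant server sees.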