On 10/22/2009 02:09 PM, Joe Orton wrote:
> On Thu, Oct 22, 2009 at 12:49:10PM +0530, Kamesh Jayachandran wrote:
>> I tried your patch. It does *not* fix the issue.
>> One difference it makes is, triggers failure early at 20/30 files (PUT
>> requests) instead of 20k files earlier.
> Can you get a packet dump/trace from the client side?  Is there anything
> between client and server which is intercepting the SSL traffic?
> (physical/software firewall?)  It would be good whether this problem is
> due to the traffic becoming corrupted.


Find the tcpdump while this failure occurs at http://www.livecipher.com/tlsext_dump/tlsext.dmp

I could not suspect the firewall as this occurs only with httpd-2.2.12+openssl-with-tls-ext *not* with httpd-2.2.11 or httpd-2.2.13+openssl-without-tls-ext.


Thanks

> There seem to be two places in OpenSSL's ssl_parse_serverhello_tlsext()
> which can send a "decode error" alert, if I am reading the code and
> following the error handling correctly.  It would be useful if you could
> use a custom OpenSSL build with an fprintf(stderr, ... ) or similar
> added before each of the "*al = SSL_AD_DECODE_ERROR;" lines in that
> function (in ssl/t1_lib.c), if you're able to try that?
>
> Regards, Joe



Will try this next week as it involves building in win32 which I am not used to.

With regards
Kamesh Jayachandran
