Eric Gilbertson wrote:
>
> Hello:
>
> Can anyone point me to a solution to the infamous handshake
> problems that occur when a weak crypto client attempts to
> connect with a strong server? I've perused the relevant
> posts in the archives and they seem similar but not exactly
> the same as what I am seeing. The problem is related to this
> test:
>
> line #703 of s3_clnt.c:
>     if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE)
>         {
>         al=SSL_AD_UNEXPECTED_MESSAGE;
>         ...
>         }
>
> from ssl3_get_server_certificate(). The type is 0 (instead
> of 1) causing an abort. As far as I can tell the server had
> correctly sent the cert across so the error is a mystery to
> me. Looking up the stack trace it appears that the client
> thinks it is doing an anonymous DH handshake, whereas I expect
> it to be doing RSA so perhaps this is a symptom and not the
> problem. I also wonder if the handshake logic is dependent
> upon the cert attributes. I swore this was working until I
> generated a new cert (using the ssleay cmd line utility).
> But since both the new and the old certs were generated using
> the same parameters I don't see how this could affect anything.
> Any solution pointers are greatly appreciated.
>
Is this pre 0.9.5, MSIE and are you using an MS SGC certificate? If so
try 0.9.5. If this is the cause it is because MSIE SGC violates the SSL
protocol and previous versions of OpenSSL didn't have a workaround.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]