First off, both server names appear to point to the same IP address, meaning it's a case of a single dodgy server.
I'm pretty sure this is a case of the server ignoring the minor protocol version number sent by the openssl client (3.1 = TLSv1), and simply responding as if the client had requested straight SSLv3 (3.0), which results in the "bad mac" error on the client side.

Disabling TLSv1 on the client "works", but this is quite a drastic solution as: a) it's the server that's broken, and b) TLSv1 should always be your preferred protocol anyway.

Might I recommend having your application code catch this error and then attempt a second connection without TLS? I think this is the way MSIE does it, even though they still apparently ship with TLSv1 disabled.

//oscar

Fabrice Mougin wrote:
>
> Hello,
>
> I noticed some trouble connecting some domains with the v23 method
> (meth=SSLv23_client_method()). When I use the v3 or v2 method
> directly, it works fine.
>
> I use the openssl-0.9.6b version. The concerned domains are :
>
> www.cofinoga.fr
> souscription.mediatis.fr
>
> Thanks,
>
> Fabrice.
>
> --
> Fabrice Mougin - Witbe.net The Net screener
> Work email: [EMAIL PROTECTED]
> Phone: +331 42 91 5000
> When there is no solution, there is no pbs ...
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> Development Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
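
One way to check the hypothesis in the reply above, as an added example that is not part of the original thread: parse the server's first record and compare the version in its ServerHello with the version the client offered. The function names and the sample bytes are constructed for illustration; the parser assumes the ServerHello is the first handshake message and fits in a single record.

```python
import struct

NAMES = {(3, 0): "SSLv3", (3, 1): "TLSv1"}

def parse_server_hello(data: bytes) -> dict:
    """Return the version fields of the first record in a server reply."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    # Record header: content type, major, minor, 16-bit length.
    ctype, rmaj, rmin, rlen = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + rlen]
    if len(body) != rlen:
        raise ValueError("truncated record body")
    # Content type 22 = handshake, handshake type 2 = ServerHello.
    if ctype != 22 or rlen < 4 or body[0] != 2:
        raise ValueError("first record is not a ServerHello")
    hlen = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hlen]
    # Minimum body: version (2) + random (32) + session id length (1).
    if len(hello) != hlen or hlen < 35:
        raise ValueError("truncated ServerHello")
    sid_len = hello[34]
    if hlen < 35 + sid_len + 3:
        raise ValueError("truncated ServerHello tail")
    suite = int.from_bytes(hello[35 + sid_len:37 + sid_len], "big")
    return {"record": (rmaj, rmin), "chosen": (hello[0], hello[1]), "suite": suite}

def compare_versions(offered: tuple, reply: bytes) -> str:
    """Classify the server's chosen version against the client's offer."""
    chosen = parse_server_hello(reply)["chosen"]
    name = NAMES.get(chosen, "%d.%d" % chosen)
    if chosen == offered:
        return "match: " + name
    if chosen < offered:
        return "lower: server answered " + name
    return "invalid: server chose " + name + ", above the offer"

def sample_reply(version: tuple) -> bytes:
    """Constructed ServerHello record (not captured traffic)."""
    # version + zero random + empty session id + suite 0x000a + null compression
    hello = bytes(version) + bytes(32) + b"\x00" + b"\x00\x0a" + b"\x00"
    msg = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + bytes(version) + struct.pack("!H", len(msg)) + msg

if __name__ == "__main__":
    # Client offered 3.1 (TLSv1); the constructed server reply says 3.0.
    print(compare_versions((3, 1), sample_reply((3, 0))))
```

Logging this result next to the "bad mac" failure shows whether the server answered 3.0 to a 3.1 offer before any retry logic is added to the application.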