Hi,

I'm attaching a simple patch that should correct this behavior.
Can you test it and tell us the results?
Thanks,

--
Mounir IDRASSI
IDRIX
http://www.idrix.fr


> Dear openssl support,
>
> I investigated the following web servers.
> But all of them failed with the same error.
>
> 1) apache-tomcat-6.0.26 + bcprov-ext-jdk16-145 + jdk1.6.0_17 (centos 5)
> 2) jboss-4.2.3.GA + bcprov-jdk15 + jdk1.6.0_17 (centos 5)
> 3) IIS 7 (windows 7)
>
> On the other hand, many browsers except for opera successfully connect to
> the servers.
> Something wrong?
>
> Regards,
> Koichi Sugimoto.
>
> 2010/4/20 Jack Lloyd via RT <r...@openssl.org>
>
>>
>> RFC 4492 says:
>>
>>   A client that receives a ServerHello message containing a Supported
>>   Point Formats Extension MUST respect the server's choice of point
>>   formats during the handshake (cf. Sections 5.6 and 5.7).  If no
>>   Supported Point Formats Extension is received with the ServerHello,
>>   this is equivalent to an extension allowing only the uncompressed
>>   point format.
>>
>> OpenSSL 1.0.0 rejects such a negotiation, always requiring the
>> extension to exist in the ServerHello:
>>
>> CONNECTED(00000003)
>> >>> TLS 1.0 Handshake [length 00cd], ClientHello
>>    01 00 00 c9 03 01 4b cc f2 87 fc 1d 05 2d 0c 1f
>>    4a 74 8b 8c 6f 20 c3 56 fb 35 4a 73 b0 9c e0 c1
>>    6f 34 1b 10 f9 9f 00 00 5c c0 14 c0 0a 00 39 00
>>    38 00 88 00 87 c0 0f c0 05 00 35 00 84 c0 12 c0
>>    08 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09 00
>>    33 00 32 00 9a 00 99 00 45 00 44 c0 0e c0 04 00
>>    2f 00 96 00 41 00 07 c0 11 c0 07 c0 0c c0 02 00
>>    05 00 04 00 15 00 12 00 09 00 14 00 11 00 08 00
>>    06 00 03 00 ff 01 00 00 44 00 0b 00 04 03 00 01
>>    02 00 0a 00 34 00 32 00 01 00 02 00 03 00 04 00
>>    05 00 06 00 07 00 08 00 09 00 0a 00 0b 00 0c 00
>>    0d 00 0e 00 0f 00 10 00 11 00 12 00 13 00 14 00
>>    15 00 16 00 17 00 18 00 19 00 23 00 00
>> <<< TLS 1.0 Handshake [length 002a], ServerHello
>>    02 00 00 26 03 01 20 3f 72 c5 29 9f 22 b1 a6 af
>>    4b 81 31 eb 4c 85 bf bb 3a a5 8b b8 21 86 16 c5
>>    7c 84 5c 73 4a 4a 00 c0 08 00
>> 139742562498200:error:1411809D:SSL routines:SSL_CHECK_SERVERHELLO_TLSEXT:tls invalid ecpointformat list:t1_lib.c:1440:
>> 139742562498200:error:14092113:SSL routines:SSL3_GET_SERVER_HELLO:serverhello tlsext:s3_clnt.c:942:
>>
>> OpenSSL 1.0.0 29 Mar 2010
>> built on: Mon Apr 19 19:52:35 EDT 2010
>> platform: linux-x86_64
>> options:  bn(64,64) rc4(1x,char) des(idx,cisc,16,int) idea(int)
>> blowfish(idx)
>> compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H
>> -m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2
>> -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM
>> -DAES_ASM -DWHIRLPOOL_ASM
>> OPENSSLDIR: "/usr/local/ssl"
>>
>> ______________________________________________________________________
>> OpenSSL Project                                 http://www.openssl.org
>> Development Mailing List                       openssl-dev@openssl.org
>> Automated List Manager                           majord...@openssl.org
>>
>

Attachment: t1_lib.c.diff
Description: Binary data
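The RFC 4492 rule quoted in Jack's report, expressed as a small client-side check. This is an added example, not the attached patch and not OpenSSL's own code. It parses the ServerHello bytes from the trace above (which ends right after the compression method, so there is no extensions block at all) and treats the absent Supported Point Formats extension as a list containing only the uncompressed format, which is what the RFC says a client must assume. The names `parse_server_hello`, `ec_point_formats`, `client_accepts` and `build_server_hello` are my own; the extra ServerHellos built with `build_server_hello` are constructed for comparison and do not come from the report.

```python
"""Apply the RFC 4492 ec_point_formats rule to a TLS ServerHello (added example)."""
import struct

HANDSHAKE_SERVER_HELLO = 0x02
EXT_EC_POINT_FORMATS = 0x000B   # extension type from RFC 4492 section 5.1.2
UNCOMPRESSED = 0                # ECPointFormat.uncompressed, mandatory to support

# ServerHello bytes copied from the s_client trace in the report: version 3.1,
# 32-byte random, empty session id, cipher suite c0 08, null compression, and
# nothing after that, i.e. no extensions block.
SERVER_HELLO_FROM_TRACE = bytes.fromhex(
    "02 00 00 26 03 01 20 3f 72 c5 29 9f 22 b1 a6 af"
    "4b 81 31 eb 4c 85 bf bb 3a a5 8b b8 21 86 16 c5"
    "7c 84 5c 73 4a 4a 00 c0 08 00"
)


def parse_server_hello(msg):
    """Return (cipher_suite, extensions) for one ServerHello handshake message.

    `extensions` maps extension type -> raw extension_data; it is empty when the
    message carries no extensions block. Malformed input raises ValueError.
    """
    if len(msg) < 4 or msg[0] != HANDSHAKE_SERVER_HELLO:
        raise ValueError("not a ServerHello")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake body")
    pos = 2 + 32                       # skip server_version and random
    sid_len = body[pos]
    pos += 1 + sid_len                 # skip session_id
    cipher_suite = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2 + 1                       # skip cipher_suite and compression_method
    extensions = {}
    if pos == len(body):
        return cipher_suite, extensions  # legal: extensions block is optional
    ext_len = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    end = pos + ext_len
    if end != len(body):
        raise ValueError("extensions length does not match body")
    while pos < end:
        if end - pos < 4:
            raise ValueError("truncated extension header")
        etype, elen = struct.unpack(">HH", body[pos:pos + 4])
        pos += 4
        if pos + elen > end:
            raise ValueError("extension overruns extensions block")
        extensions[etype] = body[pos:pos + elen]
        pos += elen
    return cipher_suite, extensions


def ec_point_formats(extensions):
    """Effective ECPointFormatList per RFC 4492 section 5.2.

    No extension in the ServerHello is equivalent to a list holding only the
    uncompressed format. A present but empty list is malformed (<1..2^8-1>).
    """
    data = extensions.get(EXT_EC_POINT_FORMATS)
    if data is None:
        return [UNCOMPRESSED]
    if len(data) < 2 or data[0] != len(data) - 1:
        raise ValueError("malformed ec_point_formats list")
    return list(data[1:])


def client_accepts(msg, client_formats=(UNCOMPRESSED,)):
    """True when the server's (possibly implied) list shares a format with ours."""
    _, exts = parse_server_hello(msg)
    return any(fmt in client_formats for fmt in ec_point_formats(exts))


def build_server_hello(cipher_suite, point_formats=None):
    """Construct a minimal ServerHello; point_formats=None omits the extension."""
    body = b"\x03\x01" + bytes(32) + b"\x00" + struct.pack(">H", cipher_suite) + b"\x00"
    if point_formats is not None:
        ext_data = bytes([len(point_formats)]) + bytes(point_formats)
        ext = struct.pack(">HH", EXT_EC_POINT_FORMATS, len(ext_data)) + ext_data
        body += struct.pack(">H", len(ext)) + ext
    return bytes([HANDSHAKE_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    suite, exts = parse_server_hello(SERVER_HELLO_FROM_TRACE)
    print(f"cipher suite 0x{suite:04x}, extensions present: {sorted(exts)}")
    print("effective point formats:", ec_point_formats(exts))
    print("client continues handshake:", client_accepts(SERVER_HELLO_FROM_TRACE))
```

Run against the trace, the parser reports cipher suite 0xc008 with no extensions, an effective format list of `[0]`, and a client that continues the handshake; the 1.0.0 behaviour in the report corresponds to raising the error in the `data is None` branch instead of returning `[UNCOMPRESSED]`.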
