On Sat, Nov 13, 2010, Andrey Kulikov wrote:

> Hello,
>
> On 13 November 2010 03:33, Dr. Stephen Henson <st...@openssl.org> wrote:
> >
> > I've just tried 1.0.1 and it does have a problem with GOST and TLS v1.1 which
> > is the default for OpenSSL 1.0.1. If you include -no_tls1_1 in the command
> > line it should work or if you try a recent 1.0.0 snapshot (OpenSSL 1.0.0
> > doesn't support TLS v1.1).
> >
> > I'll look into the TLS v1.1 issue.
> >
> > Steve.
> >
> Sorry to confuse you - I've mixed up versions and snapshot filenames.
> I just re-checked these snapshots of 1.0.0
> ftp://ftp.openssl.org/snapshot/openssl-1.0.0-stable-SNAP-20101112.tar.gz
> and 1.0.1
> ftp://ftp.openssl.org/snapshot/openssl-1.0.1-stable-SNAP-20101112.tar.gz
>
> I disabled TLS in there:
> ./config no-tls
>
> I added the "-ssl3" parameter to the s_server and s_client commands.
>
> ./apps/openssl s_server -ssl3 -www -engine gost -accept 4333 -state -cert botcert.pem -key botkey.p8
> ./apps/openssl s_client -ssl3 -engine gost -connect localhost:4333
>
> And both of these versions are not working in the same way.
>
> s_server
> =================
> SSL3 alert write:fatal:bad record mac
> SSL_accept:error in SSLv3 read certificate verify A
> 3076736652:error:1411D144:SSL routines:ssl3_handshake_mac:digest requred for handshake isn't computed:s3_enc.c:668:
> =================
>
> s_client
> =================
> verify return:1
> 3076413068:error:1411D144:SSL routines:ssl3_handshake_mac:digest requred for handshake isn't computed:s3_enc.c:668:
> =================
>
> So, the problem is not in TLS1.1
>
> BTW: 1.0.1 s_server doesn't accept the -no_tls1_1 option, while it has it in
> the help option list.
> s_client does accept this option.
>

FYI I've just fixed up s_server to accept the TLS1.1 options.

I get that error with SSLv3 so don't disable it at config time or on the
command line. Don't use the -engine gost option to s_server either. If your
openssl.cnf is set up correctly you shouldn't need it.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
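
Added example, not part of the original message or the OpenSSL project's own files: an openssl.cnf engine section of the kind the reply refers to, which loads the gost engine for every openssl command so that -engine gost is unnecessary. The section names (openssl_def, engine_section, gost_section) are arbitrary labels, and the parameter set and the commented-out library path are assumptions.

```ini
# Must appear in the default (unnamed) section at the top of openssl.cnf,
# before any [section] header.
openssl_conf = openssl_def

[openssl_def]
# Points at the section that lists the engines to load at startup.
engines = engine_section

[engine_section]
# Left side is a label; right side names the section holding the settings.
gost = gost_section

[gost_section]
# ID the engine registers under; the same value the quoted commands
# passed to -engine.
engine_id = gost
# Only needed when the engine library is not in OpenSSL's default engines
# directory. Placeholder path, adjust to the local build:
# dynamic_path = /path/to/engines/libgost.so
# Register the engine's algorithms as the defaults, so GOST keys,
# digests and cipher suites are available without command-line options.
default_algorithms = ALL
# GOST 28147-89 parameter set used for encryption (assumed choice).
CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
```

With this in place, the s_server and s_client commands quoted above can be run without -engine gost and without -ssl3.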