> [[email protected] - Sun Mar 25 04:51:32 2012]:
> > On Fri, Mar 23, 2012 at 06:49:43PM +0100, Stephen Henson via RT wrote:
> > > [[email protected] - Fri Mar 23 18:21:39 2012]:
> > >
> > > OpenSSL negotiation times out when connecting to Outlook Exchange 2007
> > > both through Outlook Web Access (webmail) and IMAP (POP untested). This
> > > bug appeared between version 1.0.0h and 1.0.1-beta1.
> > >
> > > OS: Arch Linux
> > > Applications tested: Offlineimap (IMAP), elinks (webmail), wget (webmail).
> > > Version: 1.0.1, 1.0.1-beta{3,2,1}.
> > > Versions-not-affected: 1.0.0h
> > >
> > > To reproduce, run `wget https://owa.mit.edu/`.
> > >
> >
> > It isn't clear that this is a problem with OpenSSL. The server doesn't
> > seem to be responding to the OpenSSL client hello. If you disable
> > TLSv1.2 (with -no_tls1_2) or disable AES or ECDH ciphersuites or various
> > other things it responds OK.
>
> -no_tls1_2 and -no_tls1_1 don't work for me, I need to use -tls1
> (or -ssl3) to be able to get a connection.
>
> gnutls-cli, which also supports TLS 1.1 and 1.2, works with that
> site without problem.
>
> https://sourceforge.net/ has the same problem, both report BigIP
> as the server.
>
Disabling TLSv1.2 will eliminate some ciphersuites and the signature algorithm extension. Due to a bug it still sends that extension in OpenSSL 1.0.1 if you specify -no_tls1_2. This fixes it:

http://cvs.openssl.org/chngview?cn=22286

It should then also work with -no_tls1_2.

Without that option some arguments also allow a connection. For example -cipher 'DEFAULT:!ECDH' or -cipher 'DEFAULT:!AES'.

I've done some more tests and it seems that the size of the client hello message is significant: all the options that work reduce the size of the client hello. If you use the -debug option and check out the first message, bytes 4 and 5, it seems those servers hang if the length exceeds 0xFF (using two bytes instead of one).

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
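A small diagnostic for the size observation in the message above, added here and not part of the thread or of OpenSSL: it assembles a constructed TLS 1.2 ClientHello record, reads the record length from bytes 4 and 5 of the record header (the bytes -debug shows), and flags when that length no longer fits in one byte. The cipher-suite codepoints and signature_algorithms pairs it uses are placeholder values, not a real OpenSSL default list.

```python
import struct

SIGNATURE_ALGORITHMS = 13  # TLS extension type for signature_algorithms


def signature_algorithms_ext(pairs):
    """Encode extension 13: a length-prefixed list of (hash, signature) byte pairs."""
    algs = b"".join(bytes(p) for p in pairs)
    data = struct.pack("!H", len(algs)) + algs
    return struct.pack("!HH", SIGNATURE_ALGORITHMS, len(data)) + data


def build_client_hello(cipher_suites, extensions=b""):
    """Return a TLS record carrying a TLS 1.2 ClientHello (constructed sample, zeroed random)."""
    body = b"\x03\x03"                                   # client_version: TLS 1.2
    body += b"\x00" * 32                                 # random (constructed: all zero)
    body += b"\x00"                                      # session_id length 0
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites      # cipher_suites
    body += b"\x01\x00"                                  # compression_methods: null only
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    # Record header: ContentType handshake(22), version, 2-byte length (bytes 4-5, 1-indexed).
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def record_length(record):
    """Parse the 5-byte record header and return the declared payload length."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    return struct.unpack("!H", record[3:5])[0]


def needs_two_length_bytes(record):
    """True when the length exceeds 0xFF, i.e. byte 4 of the record is non-zero."""
    return record_length(record) > 0xFF


if __name__ == "__main__":
    # Placeholder codepoints 0x0001..0x0064 stand in for a long ciphersuite list.
    suites = list(range(1, 101))
    sig_algs = signature_algorithms_ext([(h, s) for h in (2, 4, 5, 6) for s in (1, 2, 3)] + [(1, 1), (1, 3)])
    plain = build_client_hello(suites)
    with_ext = build_client_hello(suites, sig_algs)
    for name, rec in (("no extension", plain), ("with signature_algorithms", with_ext)):
        print(f"{name}: length={record_length(rec)} two-byte={needs_two_length_bytes(rec)}")
```

The same 100-suite hello crosses the 0xFF boundary only once the signature_algorithms extension is appended, which is why dropping that extension or trimming ciphersuites changes the server's behaviour.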
