On Sun, Mar 25, 2012 at 01:52:22PM +0200, Stephen Henson via RT wrote:
> > [steve - Sun Mar 25 13:11:30 2012]:
> >
> > I've done some more tests and it seems that the size of the client hello
> > message is significant: all the options that work reduce the size of
> > client hello. If you use the -debug option and check out the first
> > message bytes 4 and 5 it seems those servers hang if the length exceeds
> > 0xFF (using two bytes instead of one).
> >
>
> If you use the option "-servername <very long string>" you can precisely
> control the size of the client hello. If you use that to make client
> hello long enough you get the hang with OpenSSL 1.0.0h and earlier as well.

So I'm getting more and more reports of sites that have a problem
since 1.0.1. They basically fall in 2 categories:
- They don't tolerate versions higher than TLS 1.0
- They don't like big packets.

Of the 2nd case I have at least found people complain about those
sites:
- www.facebook.com
- www.paypal.com
- sourceforge.net


Kurt

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
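
The length check discussed in this thread, as an added example that is not part of the original messages or OpenSSL's code: it builds a constructed, minimal ClientHello with an SNI name of a chosen size and decodes the record header to show when the length field stops fitting in one byte. It assumes "bytes 4 and 5" means the record-layer length field (the 4th and 5th bytes of the record); the function names are hypothetical, and because the sample hello is far smaller than a real OpenSSL one, the threshold it prints applies only to this sample.

```python
import struct

def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS 1.0 ClientHello record with one SNI host name."""
    host = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type 0 = host_name
    sni = struct.pack("!H", len(entry)) + entry                # ServerNameList
    extensions = struct.pack("!HH", 0, len(sni)) + sni         # extension type 0 = server_name
    body = (
        b"\x03\x01"                                # client_version: TLS 1.0
        + bytes(32)                                # random (all zero, sample only)
        + b"\x00"                                  # empty session_id
        + b"\x00\x02\x00\x2f"                      # one suite: TLS_RSA_WITH_AES_128_CBC_SHA
        + b"\x01\x00"                              # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # msg_type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def inspect_record(record: bytes) -> dict:
    """Decode the 5-byte record header and flag lengths that need the high byte."""
    if len(record) < 5:
        raise ValueError("shorter than a TLS record header")
    ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    if len(record) - 5 != length:
        raise ValueError("record length field does not match payload size")
    return {"version": (major, minor), "length": length,
            "length_bytes": record[3:5].hex(), "over_0xff": length > 0xFF}

def smallest_name_over_0xff(limit: int = 512) -> int:
    """Shortest SNI name length whose ClientHello record length exceeds 0xFF."""
    for n in range(1, limit):
        if inspect_record(build_client_hello("a" * n))["over_0xff"]:
            return n
    raise ValueError("threshold not reached")

if __name__ == "__main__":
    n = smallest_name_over_0xff()
    for size in (n - 1, n):
        print(size, inspect_record(build_client_hello("a" * size)))
```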