We compile our application with -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to avoid the server hang described in the Changelog for 1.0.1a. However, I have now encountered a server that fails to handshake with openssl (the command line tool or e.g. curl linked against libopenssl) if openssl has been built with -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50. Building without this option (or with values >=124) or forcing sslv3 or tlsv1 works even with this server, independent of the CIPHER_LENGTH option.
Is it possible to work around this in openssl, or is this a bug or configuration problem of the server?

$ ./apps/openssl s_client -connect d2kqn7a3b4vhhs.cloudfront.net:443
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
CONNECTED(00000003)
2886126188:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:741:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 211 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

rainer