On Wed, Nov 14, 2012, Rainer Canavan wrote:

> We compile our application with -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to avoid the
> server hang described in the Changelog for 1.0.1a. However, I have now encountered
> a server that fails to handshake with openssl (the command line tool or e.g. curl
> linked against libopenssl) if openssl has been built with
> -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50
> Building without this option (or values >=124) or forcing sslv3 or tlsv1 works even
> with this server, independent of the CIPHER_LENGTH option.
>
> Is it possible to work around this in openssl, or is this a bug or configuration
> problem of the server?
>
The -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH option was a quick hack to work around some broken servers. It may not be needed now that many have been fixed, and applications where you have some control over the connection parameters don't really need it at all.

It might be that there are no supported ciphersuites in the truncated list: try messing around with the ciphers and disable (for example) ECDH. For example DEFAULT:!ECDH

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
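An added example, not part of the thread and not OpenSSL's own code: a small Python model of the ClientHello cipher_suites vector and of the truncation the compile-time cap performs, showing why a server that only does RSA key exchange finds nothing it supports among the first 25 suites when ECDH suites lead the list, and how dropping ECDH (the effect of !ECDH) restores a usable intersection. The client ordering, the server's suite set and the function names are assumptions; the codepoint ranges are the ECDH suites of RFC 4492 and RFC 5289.

```python
import struct

MAX_TLS1_2_CIPHER_LENGTH = 50  # the -D value from the thread: room for 25 two-byte suite codes

# Constructed client preference list (assumption: ECDH family first, RSA key exchange last).
# 0xC001-0xC019 are the RFC 4492 ECDH(E) suites, 0xC023-0xC032 the RFC 5289 ones.
ECDH_SUITES = list(range(0xC001, 0xC01A)) + list(range(0xC023, 0xC033))
# TLS_RSA_WITH_AES_256_GCM_SHA384, ..._AES_128_GCM_SHA256, ..._AES_256_CBC_SHA,
# ..._AES_128_CBC_SHA, ..._3DES_EDE_CBC_SHA
RSA_KX_SUITES = [0x009D, 0x009C, 0x0035, 0x002F, 0x000A]


def build_cipher_suites_vector(suites, max_len=None):
    """Encode the ClientHello cipher_suites field: 2-byte length, then 2 bytes per suite.
    With max_len set, emulate the compile-time cap by keeping only whole suites that fit."""
    if max_len is not None:
        suites = suites[: max_len // 2]
    body = b"".join(struct.pack("!H", s) for s in suites)
    return struct.pack("!H", len(body)) + body


def parse_cipher_suites_vector(data):
    """Decode the field back into an ordered list of suite codepoints (server side)."""
    (length,) = struct.unpack("!H", data[:2])
    return [struct.unpack("!H", data[2 + i:4 + i])[0] for i in range(0, length, 2)]


def negotiable(client_pref, server_set, max_len=None):
    """Suites the server could pick, in client preference order; empty means handshake failure."""
    offered = parse_cipher_suites_vector(build_cipher_suites_vector(client_pref, max_len))
    return [s for s in offered if s in server_set]


def exclude_ecdh(suites):
    """Model of appending !ECDH to the cipher string: drop every ECDH key-exchange suite."""
    return [s for s in suites if s not in set(ECDH_SUITES)]


if __name__ == "__main__":
    server = {0x0035, 0x002F}            # constructed: server supports RSA key exchange only
    client = ECDH_SUITES + RSA_KX_SUITES  # 46 suites, far more than the 25 that fit in 50 bytes
    print(negotiable(client, server))                               # uncapped build: works
    print(negotiable(client, server, MAX_TLS1_2_CIPHER_LENGTH))     # capped build: [] -> failure
    print(negotiable(exclude_ecdh(client), server, MAX_TLS1_2_CIPHER_LENGTH))  # DEFAULT:!ECDH
```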