> On Apr 30, 2016, at 5:26 PM, Salz, Rich <[email protected]> wrote:
>
>> Since this is a MS IIS 7.0 server I would argue that it'd be in the interest of
>> openssl to handle the situation rather than accept this scenario - since IIS is
>> likely powering more than a few hosts?
>
> It's a known bug, and openssl can work-around the bug by configuring as
> described.

To be clear, it is a known issue in some F5 load-balancers that has been addressed
since, and a few other rather unusual systems. All systems that have trouble with
the larger TLS client HELLO should have been patched by now, and the problem is
entirely on their end.

I should also add that in OpenSSL 1.1.0 a lot of TLS ciphers that are obsolete
or unnecessary baggage have been phased out. So the 1.1.0 release may well
be more interoperable with such servers.

--
Viktor.
--
openssl-dev mailing list