Thank you all for the assistance - trying to convince Qt/C++ SSL sockets to do as you've described by cutting down on ciphers. I did check std Google Chrome ClientHello, which only contains about 10 cipher suites - where Qt seems to include a lot more (all supported) - so what I'm trying to determine now is which I can safely skip - based on name, bit, protocol - this is for a web browser, so if anyone has any insight into which ciphers make sense here that'd be greatly appreciated - for now I'm trying to just use the same as other browsers. Thank you again!

On Sat, Apr 30, 2016 at 5:44 PM -0700, "Stephen Henson via RT" <[email protected]> wrote:

On Sat Apr 30 21:23:30 2016, [email protected] wrote:
> Since this is a MS IIS 7.0 server I would argue that it'd be in the
> interest of openssl to handle the situation rather than accept this
> scenario - since IIS is likely powering more than a few hosts? It is
> possible to have the host correctly list its supported protocols using
> nmap - I'd assume the TLS1.2 attempt can be avoided altogether
> (without knowing any implementation details or if that adds overhead
> though)?
>

As others have indicated this is a known bug with a load balancer and not IIS. As well as the solutions suggested you can try the -bugs option to s_client which pads client hellos to work around this issue.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4524
Please log in as guest with password guest if prompted

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
