peleg atar wrote:
>
> Dr Stephen Henson, thank you a lot for your help.
>
> I pass the "DEFAULT:!EXPORT56:@STRENGTH" string to the
> SSL_CTX_set_cipher_list function.
>
> Right now the behavior of IE 5.01 (Win2000) is
> "page can not be displayed" on the first attempt to connect securely to
> the OpenSSL server.
> But on the second attempt I succeed in connecting to the site.
>
> Is this the correct behavior?
> If it is, then what should I do in order to fix it?
>
No, this is not normal behaviour as such. There are several possible
causes.
What usually happens when you use SGC or "step up" is that the first
attempt to call SSL_read() in the server gives an error -1 and the
various things are set to tell it to retry the call.
If it doesn't and just assumes -1 is an error and closes the connection
you can get the result you mention.
If it does retry properly you shouldn't see that error.
That's one possible cause: a bug in the server software, but there are
other possible reasons too, particularly if this worked with OpenSSL
0.9.4.
You might also want to try the s_server program (which does retry) and
see if you get the same problem.
If you do get the same problem, check what cipher it negotiates, then try
messing around with the cipher list a bit more. For example
DEFAULT:!EXPORT56:!DES:@STRENGTH to eliminate all 56 bit cipher suites
and RC4:!EXPORT56:@STRENGTH to just use RC4.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
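
The retry behaviour described in the reply above, as an added example that is not part of the original message or of OpenSSL's own code. The `tls_ops` adapter, `tls_read_retry` and the fake connection are hypothetical names; in a real server the two callbacks would wrap SSL_read() and SSL_get_error(), and the fake connection is a constructed stand-in for a step-up handshake whose first read returns -1 with a retry indication.

```c
#include <stdio.h>
#include <string.h>

#ifndef SSL_ERROR_WANT_READ   /* same values as <openssl/ssl.h>, so this builds without it */
#define SSL_ERROR_WANT_READ  2
#define SSL_ERROR_WANT_WRITE 3
#endif

/* Hypothetical adapter: a real server wraps SSL_read() and SSL_get_error() here. */
struct tls_ops {
    int (*read)(void *conn, void *buf, int len);
    int (*get_error)(void *conn, int ret);
};

/* Returns bytes read (>0), 0 on close, -1 on a non-retryable error or too many retries. */
int tls_read_retry(const struct tls_ops *ops, void *conn, void *buf, int len, int max_retries)
{
    for (int attempt = 0; attempt <= max_retries; attempt++) {
        int ret = ops->read(conn, buf, len);
        if (ret > 0)
            return ret;
        int err = ops->get_error(conn, ret);
        if (err != SSL_ERROR_WANT_READ && err != SSL_ERROR_WANT_WRITE)
            return ret < 0 ? -1 : 0;   /* genuine failure or peer closed */
        /* Retryable: a non-blocking server would wait in select()/poll() here. */
    }
    return -1;
}

/* Constructed stand-in for the step-up case: first read says "retry", second has data. */
struct fake_conn { int calls; int last_err; };
static int fake_read(void *c, void *buf, int len)
{
    struct fake_conn *fc = c;
    const char *msg = "GET / HTTP/1.0\r\n";
    int n = (int)strlen(msg);
    if (fc->calls++ == 0) { fc->last_err = SSL_ERROR_WANT_READ; return -1; }
    fc->last_err = 0;
    if (n > len) n = len;
    memcpy(buf, msg, (size_t)n);
    return n;
}
static int fake_get_error(void *c, int ret) { (void)ret; return ((struct fake_conn *)c)->last_err; }
static const struct tls_ops FAKE = { fake_read, fake_get_error };

/* demo_naive: one read, -1 treated as fatal. demo_retry: retries while the error code says to. */
int demo_naive(void) { struct fake_conn fc = {0, 0}; char b[64]; return FAKE.read(&fc, b, (int)sizeof b); }
int demo_retry(void) { struct fake_conn fc = {0, 0}; char b[64]; return tls_read_retry(&FAKE, &fc, b, (int)sizeof b, 8); }
int main(void) { printf("naive=%d retry=%d\n", demo_naive(), demo_retry()); return 0; }
```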