Hi,
>In the best case, I get :
>
>2223:error:140920C5:SSL routines:SSL3_GET_SERVER_HELLO:old session
>cipher not returned:s3_clnt.c:636:
>
>I've looked in the documentation, in the mailusers archive. I didn't
>find any solution.
It seems to me that your session-reuse code is working correctly, but your
Web server is not. This is a known bug of some Web servers, especially Netscape
servers. It is also mentioned in the file "bugs/SSLv3" in the OpenSSL
distribution:
-----
ssl3.netscape.com:443, first a connection is established with RC4-MD5. If
it is then resumed, we end up using DES-CBC3-SHA. It should be RC4-MD5
according to 7.6.1.3, 'cipher_suite'. Netscape-Enterprise/2.01
(https://merchant.netscape.com) has this bug. It only really shows up when
connecting via SSLv2/v3 then reconnecting via SSLv3. The cipher list
changes....
NEW INFORMATION. Try connecting with a cipher list of just DES-CBC-SHA:RC4-MD5.
For some weird reason, each new connection uses
RC4-MD5, but a re-connect tries to use DES-CBC-SHA. So netscape, when doing
a re-connect, always takes the first cipher in the cipher list.
-----
As a work-around: use only one cipher suite in your client, or use
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG with SSL_CTX_set_options().
Hope that helps
Niko
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
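
The rule behind the "old session cipher not returned" error, as an added example (not part of the original post and not OpenSSL's own code): when a ServerHello echoes the cached session ID, its cipher suite must match the one stored with that session. The struct, function names and message bytes are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
enum { RESUME_MALFORMED = -1, RESUME_OK, RESUME_NEW_SESSION, RESUME_CIPHER_CHANGED };

/* Hypothetical client-side cache entry (not OpenSSL's SSL_SESSION). */
struct cached_session { uint8_t id[32]; size_t id_len; uint16_t suite; };

/* msg starts at the handshake type byte of an SSLv3 ServerHello. */
int check_server_hello(const uint8_t *msg, size_t len, const struct cached_session *s)
{
    /* type(1) length(3) version(2) random(32) session_id_len(1) = 39 bytes */
    if (len < 39 || msg[0] != 0x02) return RESUME_MALFORMED;
    size_t body = ((size_t)msg[1] << 16) | ((size_t)msg[2] << 8) | msg[3];
    size_t sid_len = msg[38];
    /* session id, cipher_suite(2) and compression(1) must fit in the message */
    if (body != len - 4 || sid_len > 32 || 39 + sid_len + 3 > len) return RESUME_MALFORMED;
    const uint8_t *sid = msg + 39;
    uint16_t suite = (uint16_t)((sid[sid_len] << 8) | sid[sid_len + 1]);
    /* A different (or empty) session id means the server started a new session. */
    if (sid_len == 0 || sid_len != s->id_len || memcmp(sid, s->id, sid_len) != 0)
        return RESUME_NEW_SESSION;
    return suite == s->suite ? RESUME_OK : RESUME_CIPHER_CHANGED;
}

/* Build a constructed ServerHello and check it against a cached session. */
int demo_resume(uint16_t cached_suite, uint16_t returned_suite, int same_id)
{
    struct cached_session s = { {0}, 32, cached_suite };
    uint8_t msg[4 + 2 + 32 + 1 + 32 + 3] = {0};
    memset(s.id, 0xAB, sizeof s.id);
    msg[0] = 0x02;                          /* server_hello */
    msg[3] = (uint8_t)(sizeof msg - 4);     /* 24-bit length, fits in low byte */
    msg[4] = 0x03; msg[5] = 0x00;           /* SSL 3.0 */
    msg[38] = 32;                           /* session id length */
    memset(msg + 39, same_id ? 0xAB : 0xCD, 32);
    msg[71] = (uint8_t)(returned_suite >> 8); msg[72] = (uint8_t)returned_suite;
    return check_server_hello(msg, sizeof msg, &s);  /* msg[73]: null compression */
}

int main(void)
{
    /* 0x0004 = RC4-MD5, 0x000A = DES-CBC3-SHA (standard suite numbers) */
    printf("resumed, same suite:    %d\n", demo_resume(0x0004, 0x0004, 1));
    printf("resumed, changed suite: %d\n", demo_resume(0x0004, 0x000A, 1));
    printf("new session id:         %d\n", demo_resume(0x0004, 0x000A, 0));
    return 0;
}
```

The second case is the one the buggy server produces; the third shows that a suite change is acceptable only when the server issues a new session ID.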