It was not clear to me whether the new code in 0.9.8 to support secure renegotiation requires "tlsext" support, or is still enabled even with OpenSSL 0.9.8m Configured with "notlsext" (I can't deploy a "tlsext" build of 0.9.8m, because this breaks binary compatibility of shared libraries with previous 0.9.8 releases).
It appears that the secure renegotiation code is still present in a "notlsext" configuration, and does not break binary compatibility. If someone could confirm this "officially", that would be great. In looking at the code, I found a surprising assymetry between the s_client and s_server changes for 0.9.8m. The s_client code supports the "-legacy_renegotiation" flag with "notlsext", but the "s_server" code does not. I am guessing this is unintentional: --- apps/s_client.c 2010-02-04 12:37:56.126584525 -0500 +++ apps/s_client.c 2009-12-16 15:34:19.907161627 -0500 @@ -238,2 +245,8 @@ BIO_printf(bio_err," -sess_in arg - file to read SSL session from\n"); +#ifndef OPENSSL_NO_TLSEXT + BIO_printf(bio_err," -servername host - Set TLS extension servername in ClientHello\n"); + BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n"); + BIO_printf(bio_err," -status - request certificate status from server\n"); + BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n"); +#endif BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n"); --- apps/s_server.c 2010-02-04 12:37:56.135583361 -0500 +++ apps/s_server.c 2009-12-08 08:47:27.109842042 -0500 @@ -378,2 +397,13 @@ BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); +#ifndef OPENSSL_NO_TLSEXT + BIO_printf(bio_err," -servername host - servername for HostName TLS extension\n"); + BIO_printf(bio_err," -servername_fatal - on mismatch send fatal alert (default warning alert)\n"); + BIO_printf(bio_err," -cert2 arg - certificate file to use for servername\n"); + BIO_printf(bio_err," (default is %s)\n",TEST_CERT2); + BIO_printf(bio_err," -key2 arg - Private Key file to use for servername, in cert file if\n"); + BIO_printf(bio_err," not specified (default is %s)\n",TEST_CERT2); + BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n"); + BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n"); + BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n"); +#endif } -- Viktor. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org