Is anybody else having trouble with newer SSL clients (1.0.1c specifically) causing older servers to hang?
I asked about this earlier, before I fully understood the problem, in a thread titled "Configure OpenSSL to skip SSL1 & SSL2?" in which I was incorrectly assuming that my client was starting with SSL1 negotiation.

The remote server runs RHEL5 and Apache, hosting a subversion repository accessed over WebDAV over HTTPS. When the latest subversion client attempts to connect, it initiates a TLSv1.2 handshake encapsulated in a TLSv1.0 CLIENT HELLO. The remote side (which is a black box to me) never responds to the CLIENT HELLO. Unfortunately I don't have (and can't get) shell access to the remote server to troubleshoot.

Testing with s_client and Wireshark, I can see that if I let s_client default, it does the same thing (TLSv1.2 handshake in TLSv1.0 CLIENT HELLO), and the server does not respond.

    $ openssl s_client -connect server.domain.com:443
    CONNECTED(00000003)
    ... 60-second pause ...
    write:errno=104
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 320 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    ---

Watching this in Wireshark I see:

    Client                    Server
      -------syn---------->
      <------ack-----------
      --SSL CLIENT HELLO-->
      <------ack-----------
      [60 second pause]
      <------rst-----------

However, if I specify the -tls1 option to s_client, it does a TLSv1.0 handshake (instead of TLSv1.2), and the server responds normally.

Reading the 1.0.1c release notes I see:

    3. If all else fails setting OPENSSL_NO_TLS1_2_CLIENT will disable TLS 1.2
       client support entirely.

Is this something that can be set at runtime, or is it purely a compile-time option?

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
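The two version fields the post describes (a TLSv1.0 record header wrapping a ClientHello whose client_version says TLSv1.2) are easy to see once the bytes are taken apart; the following builder and parser is an added example written for this page, not code from the post or from OpenSSL. It assumes a minimal ClientHello with no extensions and two constructed sample cipher suite codes, which is enough to show the record version and handshake version as separate fields that a version-intolerant server may disagree on.

```python
import os
import struct

# TLS versions as they appear on the wire: (major, minor)
TLS_1_0 = (3, 1)
TLS_1_2 = (3, 3)

# Constructed sample cipher suites (IANA codes for TLS_RSA_WITH_AES_128_CBC_SHA
# and TLS_RSA_WITH_3DES_EDE_CBC_SHA); any registered values would do here.
SAMPLE_SUITES = [0x002F, 0x000A]


def build_client_hello(record_version, hello_version, suites=SAMPLE_SUITES,
                       random_bytes=None):
    """Return one TLS record carrying a minimal ClientHello (no extensions).

    record_version goes into the 5-byte record header; hello_version is the
    client_version field inside the handshake body. Passing TLS_1_0 for the
    first and TLS_1_2 for the second reproduces the shape of the ClientHello
    the post saw in Wireshark: a TLSv1.2 hello inside a TLSv1.0 record.
    """
    if random_bytes is None:
        random_bytes = os.urandom(32)
    body = bytes(hello_version) + random_bytes
    body += b"\x00"                                   # session_id: empty
    body += struct.pack("!H", 2 * len(suites))        # cipher_suites length
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                               # one compression method: null
    # Handshake header: type 1 (ClientHello) + 24-bit body length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content type 22 (handshake) + version + 16-bit length
    record = b"\x16" + bytes(record_version) + struct.pack("!H", len(handshake))
    return record + handshake


def parse_client_hello(data):
    """Return (record_version, hello_version, cipher_suites) from a ClientHello record."""
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    if content_type != 0x16 or len(data) != 5 + length:
        raise ValueError("not a complete TLS handshake record")
    hs = data[5:]
    hs_len = int.from_bytes(hs[1:4], "big")
    if hs[0] != 1 or hs_len != len(hs) - 4:
        raise ValueError("not a ClientHello")
    body = hs[4:]
    hello_version = (body[0], body[1])
    pos = 34                                          # version(2) + random(32)
    pos += 1 + body[pos]                              # skip session_id
    (suites_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0]
              for i in range(pos, pos + suites_len, 2)]
    return (major, minor), hello_version, suites
```

Comparing the first two values returned by parse_client_hello on a capture is the same check the post made by eye in Wireshark: a record version below the handshake version is exactly the combination the poster's server would not answer.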