Thanks for the reply. Using a lower version of TLS solved it for us.

//Toland (^_^x)

On May 30, 2013, at 10:29 PM, Dave Thompson <dthomp...@prinpay.com> wrote:

>> From: owner-openssl-us...@openssl.org On Behalf Of Toland Hon
>> Sent: Thursday, 30 May, 2013 22:22
> 
>> I'm on Mac running OS X 10.8.3 and have 2 versions of openssl installed:
>> *    Default: OpenSSL 0.9.8r 8 Feb 2011 
>> *    Homebrew: OpenSSL 1.0.1e 11 Feb 2013
>> My most recent version of ruby (1.9.3-p429) is linked with Homebrew's openssl
>> and [] I began having [timeout] to a particular website.
> 
>> I noticed there was a recent security bulletin and a fix in regards to CBC ciphers:
>> http://www.openssl.org/news/secadv_20130205.txt
>> I was curious if this security fix introduced a bug that has problems 
>> connecting to certain websites using CBC cipher <snip>
>> or is there something incorrectly configured on this server?
> 
> The "Lucky13" issue wouldn't affect handshake at all.
> It would affect performance during data phase if there is 
> (underlying) data alteration accidentally or due to attack.
> 
> This is most likely another case of the frequently reported 
> (and discussed) issue that 1.0.1 implements TLS1.2, which 
> has more ciphersuites enabled by default and additional 
> extensions, which together make the ClientHello bigger, 
> and some server implementations apparently can't cope. 
> It appears in at least many cases the cutoff is 256 bytes, 
> suggesting these servers don't handle 2-byte length right.
> 
> It's unlikely that this would be explicitly configured on 
> a server, rather it would be an implementation flaw that 
> previously did not cause a problem. It might occur in an 
> older version of server software fixed in a newer version.
> 
> For many details see
> http://rt.openssl.org/Ticket/Display.html?id=2771&user=guest&pass=guest
> 
> Short answer is that restricting to TLS1(.0), and/or a smaller list 
> of ciphersuites (but still enough to intersect with the server), 
> likely works. Both do for me using 1.0.1e to your example host.
> You can use -msg in s_client to see exactly how much (and what) 
> is sent for different options.
> 
> 
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
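The size effect Dave describes (TLS1.2's longer ciphersuite list plus extensions pushing the ClientHello past 255 bytes, and a server that honours only one byte of the 2-byte record length misreading it) worked through as an added example; this is not code from the thread or from OpenSSL, and the suite codes and extension payloads are constructed to make the arithmetic visible, not OpenSSL's real default list.

```python
import struct

# Synthetic ciphersuite codes and extension payloads, constructed only so the
# size arithmetic is visible; they are not a real OpenSSL default list.

def build_client_hello(version, n_suites, extensions=()):
    """Build a minimal TLS ClientHello record (RFC 5246 layout).

    version:    (major, minor): (3, 1) = TLS1.0, (3, 3) = TLS1.2
    n_suites:   number of 2-byte ciphersuite codes to advertise
    extensions: iterable of (ext_type, payload_bytes)
    """
    body = bytes(version)
    body += b"\x00" * 32                             # client_random (constructed)
    body += b"\x00"                                  # empty session_id
    suites = b"".join(struct.pack(">H", 0x0100 + i) for i in range(n_suites))
    body += struct.pack(">H", len(suites)) + suites
    body += b"\x01\x00"                              # one compression method: null
    ext = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    if ext:
        body += struct.pack(">H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big")  # HandshakeType client_hello
    handshake += body
    # Record header: ContentType handshake (0x16), version, 2-byte length
    return b"\x16" + bytes(version) + struct.pack(">H", len(handshake)) + handshake

def record_length(record):
    """Correct parse of the 2-byte big-endian record length."""
    return struct.unpack(">H", record[3:5])[0]

def single_byte_length(record):
    """What a flawed parser that honours only the low length byte would see."""
    return record[4]

# Extension set resembling what a TLS1.2 ClientHello carries (sizes constructed).
TLS12_EXTENSIONS = (
    (13, struct.pack(">H", 40) + b"\x00" * 40),  # signature_algorithms: 20 pairs
    (10, struct.pack(">H", 50) + b"\x00" * 50),  # elliptic_curves: 25 curves
    (11, b"\x01\x00"),                           # ec_point_formats
    (35, b""),                                   # SessionTicket (empty)
)

def clienthello_lengths():
    """Record lengths for TLS1.0 default, TLS1.2 default, TLS1.2 with a trimmed list."""
    tls10 = build_client_hello((3, 1), 20)
    tls12 = build_client_hello((3, 3), 80, TLS12_EXTENSIONS)
    trimmed = build_client_hello((3, 3), 20, TLS12_EXTENSIONS)
    return record_length(tls10), record_length(tls12), record_length(trimmed)
```

Only the 80-suite TLS1.2 hello crosses 255 bytes; a parser that reads just the low byte sees 61 instead of 317, which is why both trimming the ciphersuite list and dropping to TLS1.0 keep such a server happy.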
