Yes, I did it (see my original message - it works with SSL_OP_NO_SSLv2 | 
SSL_OP_NO_TLSv1). I'm not having trouble in getting it to work.
But, my server also supports SSLv3.
And the problem I described is not in the connection being stuck (I only 
mentioned it as a related bug), but error messages like
OpenSSL error 1: error:00000001:lib(0):func(0):reason(1)
error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

still being present for such a server when using TLSv1.1 and re-negotiating. 
They were supposed to get fixed by the patch 
http://cvs.openssl.org/chngview?cn=22565

Of course, the error messages themselves can be removed by choosing suitable 
methods and flags (all working combinations listed in original message).

Did I pick the wrong list to report this?

Cheers.

02.09.2014 23:13, Viktor Dukhovni <openssl-us...@dukhovni.org>
>On Tue, Sep 02, 2014 at 10:52:59PM +0300, Artem Pylypchuk wrote:
> 
> > Yes, the "stuck connection" bug I mentioned is the "F5 BigIP needs padding 
> > bug" or is very similar to it.
> > Sorry for the confusing explanation.
> 
> To disable TLSv1.2 with the associated ciphers and extensions (which
> increase the size of the client hello and trigger the padding extension)
> use SSLv23_client_method() with SSL_OP_NO_TLSv1_2 and if that's not
> enough also SSL_OP_NO_TLSv1_1.
> 
> See SSL_set_options(3).
> 
> -- 
> Viktor.
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
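
The two error lines quoted in the message above can be unpacked into their library, function and reason numbers. This is an added example, not code from the thread or from OpenSSL; it assumes the packed error-code layout used by OpenSSL releases before 3.0, and `decode_err_line` and `struct ossl_err` are hypothetical names.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Pre-3.0 OpenSSL error code layout (assumed here):
 * bits 31..24 library, bits 23..12 function, bits 11..0 reason. */
struct ossl_err { unsigned long code; unsigned lib, func, reason; };

/* Returns 0 on success, -1 if the line has no "error:XXXXXXXX:" field,
 * -2 if it spells out lib(n):func(n):reason(n) and they disagree. */
int decode_err_line(const char *line, struct ossl_err *out)
{
    const char *p = strstr(line, "error:");
    char hex[9] = {0};
    unsigned l, f, r;
    int i;
    if (p == NULL)
        return -1;
    p += 6;                                  /* skip "error:" */
    for (i = 0; i < 8; i++) {
        if (!isxdigit((unsigned char)p[i]))
            return -1;
        hex[i] = p[i];
    }
    if (p[8] != ':')
        return -1;
    out->code   = strtoul(hex, NULL, 16);
    out->lib    = (unsigned)(out->code >> 24) & 0xff;
    out->func   = (unsigned)(out->code >> 12) & 0xfff;
    out->reason = (unsigned)out->code & 0xfff;
    /* Unresolved form prints the numbers instead of names: cross-check. */
    if (sscanf(p + 9, "lib(%u):func(%u):reason(%u)", &l, &f, &r) == 3 &&
        (l != out->lib || f != out->func || r != out->reason))
        return -2;
    return 0;
}

int main(void)
{
    /* The two lines quoted in the message above. */
    const char *lines[] = {
        "OpenSSL error 1: error:00000001:lib(0):func(0):reason(1)",
        "error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number" };
    struct ossl_err e;
    for (int i = 0; i < 2; i++)
        if (decode_err_line(lines[i], &e) == 0)
            printf("%08lX lib=%u func=%u reason=%u\n", e.code, e.lib, e.func, e.reason);
    return 0;
}
```

For the second line the fields are the numeric form of the names OpenSSL already printed ("SSL routines", "SSL3_GET_RECORD", "wrong version number"); the first line carries no names, only the numbers.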

