Re: Addition of TLS 1.2 client-side support causing failures to Windows servers
On Fri, Jan 17, 2014 at 06:05:37PM -0800, Jeff Franklin wrote:

> Our Windows servers only go up to TLSv1, and the key indication of a
> failed connection is that openssl s_client will claim that 'Secure
> Renegotiation IS NOT supported'. However, if I use openssl-1.0.0k
> against the same server it will report that 'Secure Renegotiation IS
> supported'.
>
> Does anyone have any idea what's going on? Can someone recommend
> some next steps I can try?

http://ietf.10.n7.nabble.com/Windows-2003-TLS-64-ciphersuite-limit-td392649.html
https://www.mail-archive.com/openssl-users@openssl.org/msg72735.html
http://openssl.6102.n7.nabble.com/Verisign-Problem-with-smtp-tls-td47834i20.html

Definitely FAQ time...

Old Windows Exchange and IIS servers without appropriate patches choke when RC4-SHA and RC4-MD5 are not in the top 64 cipher-suites. The solution is a Windows server upgrade. The work-around is cipherlist tweaks that ensure at least RC4-SHA is sent in the first 64. One can disable TLSv1.2 (which is not supported by these servers) or tweak the cipherlist as I've posted previously.

-- 
	Viktor.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Addition of TLS 1.2 client-side support causing failures to Windows servers
Hello,

Our organization just switched some of our environments to using openssl-1.0.1e, and since doing so connections from those machines to our Windows servers fail where they used to succeed.

I've done some investigation into openssl and I have the problem narrowed to the list of cipher suites offered in the client hello when TLS 1.2 is switched on. Specifically, if I do 'openssl s_client -no_tls1_2 ...' on the latest openssl-1.0.1f it will succeed, and fail otherwise. From a debugger I can set client_version to 1.1 during the function ssl_cipher_list_to_bytes and reset it to 1.2 upon exit of that function, and the connection will again succeed.

Our Windows servers only go up to TLSv1, and the key indication of a failed connection is that openssl s_client will claim that 'Secure Renegotiation IS NOT supported'. However, if I use openssl-1.0.0k against the same server it will report that 'Secure Renegotiation IS supported'.

Does anyone have any idea what's going on? Can someone recommend some next steps I can try?

Thanks,

-- 
Jeff Franklin
Software Engineer, Identity and Access Management
UW Information Technology
University of Washington
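The two messages above together describe the mechanism: with TLS 1.2 enabled the client offers more cipher suites, and the unpatched Windows servers only look at the first 64, so the RC4-SHA/RC4-MD5 suites they need slip past the window. The script below is an added example written for this page; it is not code from either poster or from the OpenSSL project. It builds a minimal TLS ClientHello record from a list of suite codes, parses the cipher-suite list back out (the same field Jeff narrowed the problem to), and reports whether RC4-SHA (0x0005) or RC4-MD5 (0x0004) falls within the first 64 slots. The 64-suite limit comes from the thread; the RC4 suite codes are the IANA values; the filler suite codes, the all-zero random and the "move RC4-SHA to the front" reordering (standing in for Viktor's cipherlist tweak) are assumptions for illustration only.

```python
import struct

RC4_MD5 = 0x0004          # TLS_RSA_WITH_RC4_128_MD5 (IANA)
RC4_SHA = 0x0005          # TLS_RSA_WITH_RC4_128_SHA (IANA)
LEGACY_WINDOW = 64        # suites the unpatched Windows servers examine (per the thread)


def build_client_hello(cipher_suites, client_version=(3, 3)):
    """Build a TLS record carrying a minimal ClientHello with the given suites.

    Constructed test vector: all-zero random, empty session_id, null
    compression only, no extensions. (3, 3) is TLS 1.2, (3, 1) is TLS 1.0.
    """
    body = bytes(client_version)
    body += bytes(32)                                   # random (constructed: zeros)
    body += b"\x00"                                     # session_id length = 0
    suites = b"".join(struct.pack(">H", s) for s in cipher_suites)
    body += struct.pack(">H", len(suites)) + suites     # cipher_suites<2..2^16-2>
    body += b"\x01\x00"                                 # compression_methods: null
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body   # type 1, 24-bit length
    # Record layer: ContentType handshake (22), legacy record version 3.1
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (client_version, [suite codes]) from a TLS record holding a ClientHello."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    version = (body[0], body[1])
    pos = 2 + 32                                        # skip version and random
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack(">H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return version, suites


def legacy_windows_ok(suites, window=LEGACY_WINDOW):
    """Check the failure mode from the thread.

    Returns (ok, index): index is the 0-based position of the first RC4-SHA or
    RC4-MD5 suite (None if absent); ok is True only when that position lies
    inside the first `window` suites, i.e. where an unpatched server will see it.
    """
    for idx, s in enumerate(suites):
        if s in (RC4_SHA, RC4_MD5):
            return idx < window, idx
    return False, None


def prefer_rc4_sha(suites):
    """Stand-in for a cipherlist tweak (assumption, not Viktor's exact list):
    move RC4-SHA to the front so it is guaranteed to land in the first 64."""
    if RC4_SHA not in suites:
        return list(suites)
    return [RC4_SHA] + [s for s in suites if s != RC4_SHA]


if __name__ == "__main__":
    # Constructed: 70 filler suites ahead of RC4-SHA, as a TLS 1.2 client that
    # advertises many SHA-256/GCM suites before the old RC4 ones might do.
    filler = list(range(0xC001, 0xC001 + 70))
    broken = parse_client_hello(build_client_hello(filler + [RC4_SHA]))[1]
    fixed = parse_client_hello(build_client_hello(prefer_rc4_sha(broken)))[1]
    print("TLS1.2-style list:", legacy_windows_ok(broken))   # (False, 70)
    print("tweaked list:     ", legacy_windows_ok(fixed))    # (True, 0)
```

Run against a real capture, feed the bytes of the first record from the client (for example from a pcap) to `parse_client_hello` instead of the constructed list; an RC4 suite at index 64 or later, or absent entirely, is the condition Viktor describes, and either `-no_tls1_2` (shorter list) or a cipherlist that front-loads RC4-SHA moves it inside the window.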