On Fri, Jan 17, 2014 at 06:05:37PM -0800, Jeff Franklin wrote:

> Our Windows servers only go up to TLSv1, and the key indication of a
> failed connection is that openssl s_client will claim that 'Secure
> Renegotiation IS NOT supported'. However, if I use openssl-1.0.0k
> against the same server it will report that 'Secure Renegotiation IS
> supported'.
>
> Does anyone have any idea what's going on? Can someone recommend
> some next steps I can try?

http://ietf.10.n7.nabble.com/Windows-2003-TLS-64-ciphersuite-limit-td392649.html
https://www.mail-archive.com/openssl-users@openssl.org/msg72735.html
http://openssl.6102.n7.nabble.com/Verisign-Problem-with-smtp-tls-td47834i20.html

Definitely FAQ time... Old Windows Exchange and IIS servers without
appropriate patches choke when RC4-SHA and RC4-MD5 are not in the
top 64 cipher-suites.

Solution is Windows server upgrade. Work-around is cipherlist tweaks
that ensure at least RC4-SHA is sent in the first 64. One can disable
TLSv1.2 (which is not supported by these servers) or tweak the
cipherlist as I've posted previously.

--
	Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
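
An added example, not part of the original message and not OpenSSL code: a check of where RC4-SHA and RC4-MD5 fall in a captured ClientHello, to confirm whether a client's offer stays within the 64-suite limit described in the reply above. The function names and the sample ClientHello built by `build_hello` are constructed for illustration; the parser assumes the ClientHello fits in one TLS record and counts every offered entry toward the limit.

```python
RC4_SHA = 0x0005   # TLS_RSA_WITH_RC4_128_SHA (OpenSSL name RC4-SHA)
RC4_MD5 = 0x0004   # TLS_RSA_WITH_RC4_128_MD5 (OpenSSL name RC4-MD5)
LIMIT = 64         # the "top 64" limit from the reply

def client_hello_suites(record):
    """Return cipher-suite IDs, in offered order, from one ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + int.from_bytes(record[3:5], "big")]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hello) < 35:                      # version(2) + random(32) + sid_len(1)
        raise ValueError("truncated ClientHello")
    pos = 35 + hello[34]                     # skip the session id
    cs_len = int.from_bytes(hello[pos:pos + 2], "big")
    raw = hello[pos + 2:pos + 2 + cs_len]
    if cs_len == 0 or cs_len % 2 or len(raw) != cs_len:
        raise ValueError("truncated cipher_suites vector")
    return [int.from_bytes(raw[i:i + 2], "big") for i in range(0, cs_len, 2)]

def rc4_positions(suites, limit=LIMIT):
    """Map each RC4 suite to (1-based position or None, sent within limit?)."""
    result = {}
    for name, suite_id in (("RC4-SHA", RC4_SHA), ("RC4-MD5", RC4_MD5)):
        pos = suites.index(suite_id) + 1 if suite_id in suites else None
        result[name] = (pos, pos is not None and pos <= limit)
    return result

def build_hello(suites):
    """Constructed sample input: a minimal TLSv1 ClientHello, no extensions."""
    cs = b"".join(s.to_bytes(2, "big") for s in suites)
    hello = (b"\x03\x01" + bytes(32) + b"\x00"        # version, random, empty sid
             + len(cs).to_bytes(2, "big") + cs + b"\x01\x00")  # null compression
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

if __name__ == "__main__":
    filler = list(range(0xC001, 0xC001 + 70))         # 70 placeholder suite IDs
    for label, offer in (("long list", filler + [RC4_SHA, RC4_MD5]),
                         ("RC4-SHA first", [RC4_SHA] + filler)):
        print(label, rc4_positions(client_hello_suites(build_hello(offer))))
```

To use it on real traffic, pass the raw bytes of the first client record from a packet capture to `client_hello_suites`.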