With 0.9.8a, and now also 0.9.8b, building with zlib and running with
the usual bug workarounds ("-bugs" option) results in code that does
not appear to handle session renegotiation correctly. Is compression
incompatible with "-bugs", or is there an implementation issue?
Some vendor distribution
On Fri, May 05, 2006 at 02:43:20PM -0400, Victor Duchovni wrote:
>
> With 0.9.8a, and now also 0.9.8b, building with zlib and running with
> the usual bug workarounds ("-bugs" option) results in code that does
> not appear to handle session renegotiation correctly. Is compression
> incompatible w
On Sat, May 06, 2006, Victor Duchovni wrote:
> On Fri, May 05, 2006 at 02:43:20PM -0400, Victor Duchovni wrote:
>
> >
> > With 0.9.8a, and now also 0.9.8b, building with zlib and running with
> > the usual bug workarounds ("-bugs" option) results in code that does
> > not appear to handle sessio
On Sat, May 06, 2006 at 10:58:57PM +0200, Dr. Stephen Henson wrote:
> > $ ./apps/openssl s_client -no_ssl2 -bugs -cipher ADH -connect
> > localhost:12345
> > CONNECTED(0003)
> > 15938:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record
> > mac:s3_pkt.c:1057:SSL alert number 20
On Sat, May 06, 2006, Victor Duchovni wrote:
> On Sat, May 06, 2006 at 10:58:57PM +0200, Dr. Stephen Henson wrote:
>
> So I take it that the recommendation is to use:
>
> (SSL_OP_ALL & ~SSL_OP_TLS_BLOCK_PADDING_BUG)
>
Yes, for now at least.
> > No one is sure if the bug it works around
On Sun, May 07, 2006, Dr. Stephen Henson wrote:
> On Sat, May 06, 2006, Victor Duchovni wrote:
>
> >
> > Can the work-around be made compatible with zlib?
> >
>
> It isn't just zlib AFAICS, it may be triggered in other cases too.
>
> Well at this stage it isn't clear what the correct solution
On 5/6/06, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:
The patch in PR#1204, as I understand it, turns a common false positive in
correct implementations into a much rarer false negative on incorrect
implementations, so if nothing better can be thought of, that may be a usable
compromise.
However
On Sun, May 07, 2006 at 01:15:49AM +0200, Dr. Stephen Henson wrote:
> > > Can the work-around be made compatible with zlib?
> >
> > It isn't just zlib AFAICS, it may be triggered in other cases too.
> >
> > Well at this stage it isn't clear what the correct solution is, it needs a
> > bit
> > o
Hello,
> Interesting that the initial session is uncompressed, but the resumed
> session is...
With the default configuration (ssl2/3, tls1 enabled), the OpenSSL client sends
an SSL2 ClientHello packet (with TLS1 protocol version),
which has no support for compression information.
> I'll gladly test any snapsh
On Sat, May 06, 2006, Victor Duchovni wrote:
>
> I'll gladly test any snapshot that addresses this issue.
OK, please try the next snapshot and/or this patch:
http://cvs.openssl.org/chngview?cn=15251
Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core d
On Sun, May 07, 2006 at 02:36:10PM +0200, Dr. Stephen Henson wrote:
> On Sat, May 06, 2006, Victor Duchovni wrote:
>
> >
> > I'll gladly test any snapshot that addresses this issue.
>
> OK, please try the next snapshot and/or this patch:
>
> http://cvs.openssl.org/chngview?cn=15251
>
Prelimi
On Sat, May 06, 2006 at 10:45:53PM -0400, Victor Duchovni wrote:
> Is there any
> way to determine at run-time whether the OpenSSL library is a 0.9.8[ab]
> release with zlib enabled?
>
> For Postfix 2.3 (and perhaps even a 2.2 patch at some point) I would like
> to use (SSL_OP_ALL & ~SSL_OP_TLS_B
On Sun, May 07, 2006 at 04:28:22PM -0400, Victor Duchovni wrote:
> It looks like I can call SSL_COMP_get_compression_methods(), and if I
> get a non-null stack, check whether the stack depth is > 0.
>
> static void my_set_options(SSL_CTX *ctx)
> {
> long options = SSL_OP_ALL;
>
>
On Sun, May 07, 2006, Victor Duchovni wrote:
> On Sun, May 07, 2006 at 04:28:22PM -0400, Victor Duchovni wrote:
>
> > It looks like I can call SSL_COMP_get_compression_methods(), and if I
> > get a non-null stack, check whether the stack depth is > 0.
> >
> > static void my_set_options(SSL_C
On Mon, May 08, 2006 at 12:04:24AM +0200, Dr. Stephen Henson wrote:
> > > It looks like I can call SSL_COMP_get_compression_methods(), and if I
> > > get a non-null stack, check whether the stack depth is > 0.
> > >
> > > static void my_set_options(SSL_CTX *ctx)
> > > {
> > > long