On Fri, 2010-04-30 at 17:03 -0400, Richard Matthew McCutchen wrote:
> On Fri, 2010-04-30 at 16:10 -0400, Eric Sturdivant wrote:
> > On Fri, 30 Apr 2010, Richard Matthew McCutchen wrote:
> > > On Fri, 2010-04-30 at 13:11 -0400, Daniel Lenski wrote:
> > >> If I try ldaps://directory.umd.edu, I get an error about being unable to
> > >> contact the server.
> > >
> > > Indeed, the SSL interface seems to be broken. The server closes the
> > > connection without sending any data:
> >
> > Odd, it's working for me (and a lot of things would be broken if it wasn't
> > working):
> [...]
> > z.glue.umd.edu -> directory.umd.edu TCP D=636 S=39185 Syn Seq=2539659181
> > Len=0 Win=49640 Options=<mss 1460,nop,wscale 0,nop,nop,sackOK>
>
> I tried from glue and it works. Likewise from birdy.cs.umd.edu.
> However, it doesn't work from my computer on the wireless network, or
> using the UMD-Wireless VPN. Is there a firewall or something? The SSL
> interface has worked from my computer in the past.
I spoke to John Pfeifer about this and we figured out what the problem is. The server is throwing up because I have a new version of OpenSSL that advertises RFC 5746 support via the renegotiation_info extension. SSL servers are supposed to ignore extensions they don't understand. Strictly speaking, this is a bug in the server, so I filed ITSC #44180. But John said realistically it won't be fixed anytime soon, so I will look into workarounds, such as changing OpenSSL to advertise RFC 5746 support via the SCSV rather than the extension (like NSS does).

--
Matt
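The two ways a client can advertise RFC 5746 support that the message above contrasts (the renegotiation_info extension, type 0xff01, versus the TLS_EMPTY_RENEGOTIATION_INFO_SCSV pseudo cipher suite, 0x00ff) can be made concrete by building the ClientHello each way and parsing it back. The following is an added example written for this page, not code from the thread, OpenSSL or NSS; the cipher suite list is a constructed sample, the `probe` helper is an assumed diagnostic that sends the constructed hello to a host/port you supply (636 is only a default), and no real server is contacted when the module runs on its own.

```python
import os
import socket
import struct

# RFC 5746 signalling constants
SCSV = 0x00FF                 # TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite value
RENEGOTIATION_INFO = 0xFF01   # renegotiation_info extension type

# Constructed sample of ordinary cipher suites to put in the hello
SAMPLE_SUITES = [0x002F, 0x0035, 0x000A]  # AES128-SHA, AES256-SHA, 3DES-SHA


def build_client_hello(signal, suites=SAMPLE_SUITES, version=(3, 1)):
    """Build one TLS record carrying a ClientHello that advertises secure
    renegotiation via the extension ("extension"), via the SCSV ("scsv"),
    or not at all (None)."""
    suites = list(suites)
    if signal == "scsv":
        suites.append(SCSV)                      # SCSV rides in the cipher suite list
    body = struct.pack("!BB", *version) + os.urandom(32) + b"\x00"  # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                          # one compression method: null
    if signal == "extension":
        ext = struct.pack("!HH", RENEGOTIATION_INFO, 1) + b"\x00"  # empty renegotiated_connection
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type ClientHello, 3-byte length
    return b"\x16" + struct.pack("!BB", *version) + struct.pack("!H", len(handshake)) + handshake


def renegotiation_signal(record):
    """Parse a ClientHello record and report how it advertises RFC 5746
    support: a set containing "scsv" and/or "extension" (empty if neither)."""
    assert record[0] == 0x16, "not a handshake record"
    hs = record[5:]                              # strip the 5-byte record header
    assert hs[0] == 0x01, "not a ClientHello"
    p = 4 + 2 + 32                               # handshake header, client_version, random
    p += 1 + hs[p]                               # session id
    n = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    suites = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(p, p + n, 2)]
    p += n
    p += 1 + hs[p]                               # compression methods
    found = set()
    if SCSV in suites:
        found.add("scsv")
    if p < len(hs):                              # extensions block is optional
        ext_len = struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        end = p + ext_len
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4 + elen
            if etype == RENEGOTIATION_INFO:
                found.add("extension")
    return found


def probe(host, port=636, signal="extension", timeout=5.0):
    """Assumed diagnostic helper: send the constructed hello and classify the
    server's first bytes, so the 'closes without sending any data' symptom
    can be told apart from an alert or a normal ServerHello."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_client_hello(signal))
            reply = s.recv(5)
    except ConnectionResetError:
        return "connection reset"
    if not reply:
        return "closed without data"
    if reply[0] == 0x16:
        return "handshake record (ServerHello)"
    return "other record type 0x%02x" % reply[0]


if __name__ == "__main__":
    # Offline demonstration: show what each hello advertises.
    for form in ("extension", "scsv", None):
        print(form, sorted(renegotiation_signal(build_client_hello(form))))
```

Running `probe(host, signal="extension")` and `probe(host, signal="scsv")` against a server that behaves as described above would show the first form answered with "closed without data" and the second with a handshake record, which is exactly the difference the SCSV workaround relies on.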
