I just committed the proposed change. It will appear in future snapshots and releases of OpenSSL.
Thanks for your contribution. Ticket resolved. [EMAIL PROTECTED] - Tue Nov 18 08:34:11 2003]: > OpenSSL 0.9.7c 30 Sep 2003 > built on: Thu Nov 13 23:47:30 2003 > platform: VC-NT > options: bn(64,32) md2(int) rc4(idx,int) des(idx,cisc,4,long) > idea(int) > blowfis > h(idx) > compiler: cl /MDd /W3 /WX /Zi /Yd /Od /nologo -DOPENSSL_SYSNAME_WIN32 > -D_DEBUG > -DL_ENDIAN -DWIN32_LEAN_AND_MEAN -DDEBUG -DDSO_WIN32 > -DOPENSSL_SYSNAME_WINNT > /Fd > out32dll -DOPENSSL_NO_KRB5 > OPENSSLDIR: "/usr/local/ssl" > > Problem description: > With the release of OpenSSL 0.9.7c, people start to see the error "SSL > routines:SSL3_CHECK_CERT_AND_ALGORITHM:missing > export tmp rsa key:s3_clnt.c:1952" on the cient side, e.g.: > http://www.mail-archive.com/[EMAIL PROTECTED]/msg33162.html > > Analysis: > The root of this problem is in line 109, x509type.c: > if (EVP_PKEY_size(pk) <= 512/8) /* /8 because it's 512 bits we look > New export regulations allow the export of 56-bit encryption and 1024- > bit > key exchange(check out #define SSL_EXPORT_PKEYLENGTH(a) > (SSL_IS_EXPORT40(a) > ? 512 : 1024) in ssl_locl.h), but this line will attribute any PKEY > size > bigger than 512 bit as non-exportable. In my scenario: the server has > only > export license, and chooses the cipher EXP1024-RC4-SHA. The server's > RSA key > is also 1024 bit, so it opts NOT to use ephemeral key exchange. Then > on the > client side, OpenSSL correctly identifies EXP1024-RC4-SHA as > exportable, but > incorrectly treats the server's 1024 bit RSA key used to sign the x509 > certificate as non-exportable. Given that no ephemeral key is used to > work > around the "problem", the client side reports error "missing export > tmp rsa > key" and fails the handshake. > > A possible solution would be to change it to: > if (EVP_PKEY_size(pk) <= 1024/8) > > Thanks, > Charles Zhang > [EMAIL PROTECTED] > > _________________________________________________________________ > Great deals on high-speed Internet access as low as $26.95. > https://broadband.msn.com (Prices may vary by service area.) > -- Richard Levitte [EMAIL PROTECTED] ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
