On Thu, Nov 19, 2009, tensy joseph wrote:

> Hi ALL,
> 
> I have also tested the latest snapshot of openssl. I can also experience
> the same problem. It seems like now neither the normal handshake nor
> renegotiation is working.
> 
> I have used s_server and s_client to communicate between the server and client:
> 
> 1. ./openssl s_server -accept 443 -key $HOME/server_req/server_priv_key.pem
> -cert $HOME/exampleca/certs/01.pem -state -msg
>   Server waits for the client connection request
> 
> 2. ./openssl s_client -connect hostname:443 -CAfile
> $HOME/exampleca/cacert.pem -showcerts -prexit -state -msg
>    When I issue this command, the client session is ended and I can see the
> following error message on the server.
> 
> SSL3 alert read:fatal:illegal parameter
> SSL_accept:failed in SSLv3 read client certificate A
> ERROR
> 2703612:error:14094417:SSL routines:SSL3_READ_BYTES:sslv3 alert illegal
> parameter:s3_pkt.c:1069:SSL alert number 47
> shutting down SSL
> CONNECTION CLOSED
> From my understanding, here I have not tried renegotiation. I have tried
> to connect the server to client but the handshake fails with illegal
> parameter. (I think in the latest snapshot something is messed up.)
> 

The version which was in 0.9.8-stable was buggy: OpenSSL tried to do an SSLv2
compatible client hello and failed because that couldn't negotiate secure
renegotiation (there is no way to do that because SSLv2 compatible client
hellos don't support extensions). The result was you'd get s_server/s_client
not connecting with default options. You needed -legacy_renegotiation to get
that to work.

I should have resolved that yesterday and the fix should be in last night's
snapshot.

The specification btw is far from finalised and some parts of it are not well
defined yet and so are subject to change. A different technique which doesn't
use TLS extensions at all is currently being discussed.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
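
The point Steve makes above (an SSLv2-compatible ClientHello has no extension field, so the renegotiation signal cannot be carried in it) can be seen directly in the wire formats. The following is an added example written for this thread, not code from OpenSSL or from either poster. It builds a minimal SSLv3/TLS-format ClientHello and a minimal SSLv2-compatible ClientHello with constructed (non-random) random/challenge bytes, parses both, and reports which renegotiation signal a server could find: the `renegotiation_info` extension (type 0xff01, as later standardised in RFC 5746) or the extension-free `TLS_EMPTY_RENEGOTIATION_INFO_SCSV` cipher suite value (0x00ff), which is the kind of extension-less technique the reply refers to as being under discussion. The SSLv2 format can only ever carry the SCSV, because its structure has nowhere to put an extension.

```python
import struct

RENEGOTIATION_INFO_EXT = 0xFF01   # TLS extension type "renegotiation_info" (RFC 5746)
EMPTY_RENEG_INFO_SCSV = 0x00FF    # TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite value (RFC 5746)


def build_tls_client_hello(cipher_suites, extensions):
    """Constructed SSLv3/TLS-format ClientHello inside a record-layer header.
    extensions is a list of (type, data) pairs; an empty list omits the field."""
    body = b"\x03\x01" + b"\x11" * 32 + b"\x00"          # client_version, fixed 'random', empty session id
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += b"\x01\x00"                                   # one compression method: null
    if extensions:
        ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def build_sslv2_client_hello(cipher_suites):
    """Constructed SSLv2-compatible ClientHello (RFC 5246 Appendix E.2 layout).
    Note the structure: header, msg_type, version, three lengths, cipher specs,
    session id, challenge. There is no extensions field at all."""
    specs = b"".join(b"\x00" + struct.pack("!H", cs) for cs in cipher_suites)  # 3-byte V2 cipher specs
    challenge = b"\x22" * 16                                                   # fixed challenge bytes
    body = b"\x01\x03\x01" + struct.pack("!HHH", len(specs), 0, len(challenge)) + specs + challenge
    return struct.pack("!H", 0x8000 | len(body)) + body   # high bit set marks a 2-byte V2 header


def parse_client_hello(data):
    """Parse either hello format and return the cipher suites and extension types it carries."""
    if data[0] & 0x80:                                   # SSLv2-compatible header
        length = struct.unpack("!H", data[:2])[0] & 0x7FFF
        msg = data[2:2 + length]
        if msg[0] != 0x01:
            raise ValueError("not an SSLv2 CLIENT-HELLO")
        spec_len, _sid_len, _chal_len = struct.unpack("!HHH", msg[3:9])
        specs = msg[9:9 + spec_len]
        suites = [struct.unpack("!H", specs[i + 1:i + 3])[0] for i in range(0, spec_len, 3)]
        return {"format": "sslv2", "cipher_suites": suites, "extensions": []}

    if data[0] == 0x16:                                  # TLS record layer, handshake content type
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if hs[0] != 0x01:
            raise ValueError("not a ClientHello handshake message")
        body = hs[4:]
        pos = 2 + 32                                     # skip client_version and random
        sid_len = body[pos]
        pos += 1 + sid_len
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
        pos += cs_len
        comp_len = body[pos]
        pos += 1 + comp_len
        ext_types = []
        if pos < len(body):                              # extensions block is optional
            ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
            pos += 2
            end = pos + ext_len
            while pos < end:
                ext_type, ext_data_len = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4 + ext_data_len
                ext_types.append(ext_type)
        return {"format": "tls", "cipher_suites": suites, "extensions": ext_types}

    raise ValueError("unrecognised ClientHello framing")


def renegotiation_signal(data):
    """Which RFC 5746 signal, if any, a server would see in this ClientHello."""
    info = parse_client_hello(data)
    if RENEGOTIATION_INFO_EXT in info["extensions"]:
        return "extension"
    if EMPTY_RENEG_INFO_SCSV in info["cipher_suites"]:
        return "scsv"
    return "none"


if __name__ == "__main__":
    tls_hello = build_tls_client_hello([0x002F], [(RENEGOTIATION_INFO_EXT, b"\x00")])
    v2_plain = build_sslv2_client_hello([0x002F])
    v2_scsv = build_sslv2_client_hello([0x002F, EMPTY_RENEG_INFO_SCSV])
    for name, hello in (("TLS hello + extension", tls_hello),
                        ("SSLv2 hello, no signal", v2_plain),
                        ("SSLv2 hello + SCSV", v2_scsv)):
        print(f"{name:24s} -> {renegotiation_signal(hello)}")
```

Running the script shows the three outcomes side by side: the TLS-format hello can carry the extension, the bare SSLv2-format hello carries nothing a server could use to detect secure-renegotiation support, and the SSLv2-format hello can still carry the SCSV in its cipher list. That is why a client forced into the SSLv2-compatible format by default options could not complete the extension-based negotiation, and why an extension-free signal was worth discussing.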
