On Sat, Aug 14, 2010, Stefan de Konink wrote:

> Hello,
> 
> I have a very odd problem with respect to my recent upgrade to 1.0.0;
> 
> In principle this is the problem:
> openssl s_client -connect server.db.kvk.nl:443 -debug
> CONNECTED(00000003)
> write to 0x1180ea0 [0x1180f20] (211 bytes => 211 (0xD3))
> 0000 - 16 03 01 00 ce 01 00 00-ca 03 01 4c 65 bf 5b ff   ...........Le.[.
> 0010 - 27 e2 50 b0 2e 2a fa 72-e6 65 5d 36 9c e4 b4 d6   '.P..*.r.e]6....
> 0020 - 97 f0 23 b8 a9 d3 5e 4f-d5 78 8d 00 00 5c c0 14   ..#...^O.x...\..
> 0030 - c0 0a 00 39 00 38 00 88-00 87 c0 0f c0 05 00 35   ...9.8.........5
> 0040 - 00 84 c0 12 c0 08 00 16-00 13 c0 0d c0 03 00 0a   ................
> 0050 - c0 13 c0 09 00 33 00 32-00 9a 00 99 00 45 00 44   .....3.2.....E.D
> 0060 - c0 0e c0 04 00 2f 00 96-00 41 00 07 c0 11 c0 07   ...../...A......
> 0070 - c0 0c c0 02 00 05 00 04-00 15 00 12 00 09 00 14   ................
> 0080 - 00 11 00 08 00 06 00 03-00 ff 02 01 00 00 44 00   ..............D.
> 0090 - 0b 00 04 03 00 01 02 00-0a 00 34 00 32 00 01 00   ..........4.2...
> 00a0 - 02 00 03 00 04 00 05 00-06 00 07 00 08 00 09 00   ................
> 00b0 - 0a 00 0b 00 0c 00 0d 00-0e 00 0f 00 10 00 11 00   ................
> 00c0 - 12 00 13 00 14 00 15 00-16 00 17 00 18 00 19 00   ................
> 00d0 - 23                                                #
> 00d3 - <SPACES/NULS>
> read from 0x1180ea0 [0x1186480] (7 bytes => 7 (0x7))
> 0000 - 15 03 01 00 02 02 32                              ......2
> 140504236033704:error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1
> alert decode error:s23_clnt.c:658:
> - ---
> no peer certificate available
> - ---
> No client certificate CA names sent
> - ---
> SSL handshake has read 7 bytes and written 211 bytes
> - ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> - ---
> 
> 
> 
> For some reason on systems with 0.9.8 this works, but it fails for me; it
> works for me if I manually specify -ssl2.
> 
> The site will have a downtime in the next 6 hours (some sort of daily
> backup window), but I wonder if anyone can help me from the above log
> pasted.
> 

OpenSSL 1.0.0 doesn't include any SSLv2 ciphersuites by default and new logic
means it doesn't send out an SSLv2 compatible client hello if it will never
use SSLv2. That effectively disables SSLv2 by default. Try a cipher
string that explicitly enables some SSLv2 ciphers.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
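
To read the pasted dump, here is an added example (not part of the original thread and not OpenSSL code) that classifies the leading bytes of each record: it shows the 1.0.0 client sent a TLS-record ClientHello rather than an SSLv2-compatible one, and that the server answered with a fatal decode_error alert. The first two byte strings are copied from the start of the dump's records; the third is a constructed SSLv2-compatible header, and all function and table names are hypothetical.

```python
# Added example; names are hypothetical, not OpenSSL identifiers.
CLIENT_WRITE = bytes.fromhex("16030100ce010000ca0301")  # start of the 211-byte write in the dump
SERVER_READ = bytes.fromhex("15030100020232")           # the full 7-byte read in the dump
SSLV2_COMPAT = bytes.fromhex("802e010301")              # constructed SSLv2-compatible hello header

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 40: "handshake_failure",
                      50: "decode_error", 70: "protocol_version", 80: "internal_error"}
VERSIONS = {(0, 2): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1.0"}


def classify_record(data):
    """Describe the first record in data from its framing and header fields."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes to read a record header")
    # SSLv2 framing: 2-byte length with the high bit set, then message type 1 (CLIENT-HELLO),
    # then the highest protocol version the client offers.
    if data[0] & 0x80 and data[2] == 1:
        return {"framing": "SSLv2-compatible", "message": "client_hello",
                "length": ((data[0] & 0x7F) << 8) | data[1],
                "version": VERSIONS.get((data[3], data[4]), "unknown")}
    # SSLv3/TLS framing: content type, 2-byte version, 2-byte length, then the body.
    length = int.from_bytes(data[3:5], "big")
    body = data[5:5 + length]  # may be shorter than length if the capture is truncated
    info = {"framing": "TLS record",
            "type": CONTENT_TYPES.get(data[0], "unknown"),
            "version": VERSIONS.get((data[1], data[2]), "unknown"),
            "length": length}
    if data[0] == 21 and len(body) >= 2:
        info["level"] = ALERT_LEVELS.get(body[0], "unknown")
        info["description"] = ALERT_DESCRIPTIONS.get(body[1], "alert %d" % body[1])
    elif data[0] == 22 and body:
        info["message"] = HANDSHAKE_TYPES.get(body[0], "handshake type %d" % body[0])
    return info


if __name__ == "__main__":
    for name, sample in (("client write", CLIENT_WRITE), ("server read", SERVER_READ),
                         ("SSLv2-compatible (constructed)", SSLV2_COMPAT)):
        print(name, classify_record(sample))
```

The record length of 206 plus the 5-byte header accounts for the 211 bytes written, and alert description 50 is the "tlsv1 alert decode error" that s_client reports.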
