This may indeed be the problem, but some of the changes in 1.0.2 do not easily merge back to 1.0.1i. Specifically, this diff seems to have no equivalent code to merge into in 1.0.1i.

We may need to consider reverting back to 1.0.1h until 1.0.2 is released.


--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3441,8 +3441,10 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
                        cipher = s->s3->tmp.new_cipher;
                        if (!cipher)
                                return 0;
- /* No certificate for unauthenticated ciphersuites */
-                       if (cipher->algorithm_auth & SSL_aNULL)
+                       /* No certificate for unauthenticated ciphersuites
+                        * or using SRP authentication
+                        */
+                       if (cipher->algorithm_auth & (SSL_aNULL|SSL_aSRP))
                                return 2;
                        cpk = ssl_get_server_send_pkey(s);
                        if (!cpk)
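Review bot: the widened check `if (cipher->algorithm_auth & (SSL_aNULL|SSL_aSRP))` assumes the SSL_aSRP flag and the surrounding block of ssl3_ctrl (cipher lookup, `return 2`, ssl_get_server_send_pkey()) exist in the branch being patched; as the message above notes, 1.0.1i has no counterpart for this code, so cherry-picking only these four lines is not a viable backport and the whole enclosing case would have to come across with it. The distinct return values are also left undocumented: 0 is failure, 2 means no server certificate is needed, and a short comment at `return 2;` stating that callers must treat 2 as success-without-certificate rather than as an error would avoid misuse. Minor: the removed `- /* No certificate for unauthenticated ciphersuites */` line was misaligned with the surrounding indentation, and the replacement comment block is correctly aligned, which is an improvement worth keeping even if the logic change is not backported.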



Norm


On 9/8/2014 7:10 PM, Viktor Dukhovni wrote:
> On Mon, Sep 08, 2014 at 05:41:13PM -0700, Norm Green wrote:
>> Thanks Viktor. I did get some fixes (via this list) from Steve a while back
>> because SRP authentication was completely broken out of the box with 1.0.1i.
>> However I don't know if all the changes in the commit you mentioned have
>> been merged.  I will investigate further.
> You'll want at least:
>
>      30fbe92 Fix SRP authentication ciphersuites.
>
> and then:
>
>      03ebf85 Fix SRP ciphersuites.
