> [openssl-dev@openssl.org - Fri Jun 08 00:27:27 2012]:
>
> This is almost identical to an issue we found with openssl 1.0.1b and
> Juniper SBR version v6.13.4949
> In our case we traced it to the heartbeat extension. When the extension is
> sent in the ClientHello PEAP negotiation fails with fatal bad certificate
> alert.
> By adding # define OPENSSL_NO_HEARTBEATS to opensslconf.h we disabled the
> extension and PEAP negotiation is successful.
>
> There really should be an API to disable this extension so that it can be
> enabled in use cases where it is needed and disabled in use cases where it
> breaks negotiation.
>

That's rather strange behaviour, the presence of a (presumably unsupported)
extension causes a bad certificate alert?

Is it just the heartbeat extension that triggers this or would the presence of
any unknown extension cause a similar problem?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
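
Added example, not part of the thread and not OpenSSL code: to test whether the heartbeat extension alone triggers the alert, it helps to first confirm which extension types a captured ClientHello actually offers. The function name and the sample bytes are constructed for illustration; 15 is the heartbeat extension type assigned by RFC 6520.

```c
#include <stddef.h>
#include <stdio.h>

#define TLSEXT_HEARTBEAT 15 /* heartbeat extension type, RFC 6520 */

/* Walk a ClientHello handshake message (record header already removed), store
 * up to max extension types in out; return how many exist, -1 if malformed. */
int client_hello_extensions(const unsigned char *p, size_t len,
                            unsigned *out, size_t max)
{
    size_t off, end, count = 0;
    if (len < 4 || p[0] != 0x01) return -1;            /* not a ClientHello */
    if ((((size_t)p[1] << 16) | ((size_t)p[2] << 8) | p[3]) != len - 4) return -1;
    off = 4 + 2 + 32;                                  /* version + random */
    if (off + 1 > len) return -1;
    off += 1 + p[off];                                 /* session_id */
    if (off + 2 > len) return -1;
    off += 2 + (((size_t)p[off] << 8) | p[off + 1]);   /* cipher_suites */
    if (off + 1 > len) return -1;
    off += 1 + p[off];                                 /* compression_methods */
    if (off == len) return 0;                          /* no extensions block */
    if (off + 2 > len) return -1;
    end = off + 2 + (((size_t)p[off] << 8) | p[off + 1]);
    if (end != len) return -1;
    for (off += 2; off < end; count++) {
        if (off + 4 > end) return -1;                  /* truncated header */
        if (count < max) out[count] = ((unsigned)p[off] << 8) | p[off + 1];
        off += 4 + (((size_t)p[off + 2] << 8) | p[off + 3]);
    }
    return off == end ? (int)count : -1;
}

/* Constructed sample: TLS 1.2 ClientHello, all-zero random, one cipher suite,
 * extensions renegotiation_info (0xff01) and heartbeat (0x000f). */
const unsigned char sample_hello[] = {
    0x01, 0x00, 0x00, 0x35, 0x03, 0x03,
    0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,
    0x00, 0x00, 0x02, 0x00, 0x2f, 0x01, 0x00, 0x00, 0x0a,
    0xff, 0x01, 0x00, 0x01, 0x00, 0x00, 0x0f, 0x00, 0x01, 0x01
};

int main(void)
{
    unsigned t[16];
    int i, n = client_hello_extensions(sample_hello, sizeof sample_hello, t, 16);
    for (i = 0; i < n && i < 16; i++)
        printf("extension %u%s\n", t[i], t[i] == TLSEXT_HEARTBEAT ? " (heartbeat)" : "");
    return n < 0;
}
```

Running the same walk over ClientHellos captured from a build with and without OPENSSL_NO_HEARTBEATS shows whether type 15 is the only extension that differs between the failing and the successful negotiation.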