[openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

2013-11-06 Thread Stephen Henson via RT
On Thu Mar 29 21:17:31 2012, steve wrote: A temporary workaround for this is to apply these two patches to OpenSSL 1.0.1: http://cvs.openssl.org/chngview?cn=22286 http://cvs.openssl.org/chngview?cn=22306 And recompile OpenSSL with -DOPENSSL_NO_TLS1_2_CLIENT (e.g. supplied as a command line

Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

2013-03-21 Thread Amy Wilhelm via RT
Per F5 Product Development, the log message quoted in the previous note is not related to ID 376483. It is a cosmetic issue which may be safely ignored. Amy Wilhelm Enterprise Network Engineer F5 Networks

Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

2012-04-23 Thread Andy Polyakov
- sourceforge.net This one still fails, but I believe that that was caused by the load balancer of F5 Networks (Big IP). And there is no good solution for it, except for updating load balancer software. The only thing one can do otherwise is to minimize ClientHello by aggressively excluding

Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

2012-04-21 Thread Kurt Roeckx
On Thu, Mar 29, 2012 at 09:46:34PM +0200, Kurt Roeckx wrote: On Sun, Mar 25, 2012 at 01:52:22PM +0200, Stephen Henson via RT wrote: [steve - Sun Mar 25 13:11:30 2012]: I've done some more tests and it seems that the size of the client hello message is significant: all the options

Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

2012-04-19 Thread Derek Poon via RT
We run a site that uses the F5 Networks BIG-IP load balancer, and OpenSSL 1.0.1 triggers this bug on the load balancer. When it occurs, the load balancer neither forwards the request to a pool member, nor does it respond to the OpenSSL client. There are warning messages in the load balancer's

Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

2012-04-16 Thread Kurt Roeckx
On Sun, Apr 01, 2012 at 02:42:20PM +0200, Dr. Stephen Henson wrote: On Sun, Apr 01, 2012, Dr. Stephen Henson wrote: Did a quick hack modification setting header version to 0x3,0x0 and it now *will* connect to some sites it didn't before with a long client hello including paypal. It

Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

2012-04-01 Thread Andy Polyakov
It's empirically found that SSL 2.0 and TLS 1.0 ClientHellos larger than 256 bytes *are* accepted, while TLS 1.1 and 1.2 have to be shorter to be accepted. TLS version in ClientHello *message* is denoted by corresponding field. But then the *message* is placed to TLS *record*, which is denoted

Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

2012-04-01 Thread Kurt Roeckx
On Sun, Apr 01, 2012 at 12:17:19PM +0200, Andy Polyakov wrote: It's empirically found that SSL 2.0 and TLS 1.0 ClientHellos larger than 256 bytes *are* accepted, while TLS 1.1 and 1.2 have to be shorter to be accepted. TLS version in ClientHello *message* is denoted by corresponding

Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

2012-04-01 Thread Dr. Stephen Henson
On Sun, Apr 01, 2012, Kurt Roeckx wrote: And they now both contain 0x03,0x03. At least gnutls is sending 0x03,0x00 with 0x03,0x03. Gnutls is also sending client hellos shorter than 256 bytes (couldn't see a way to extend it though I'm not familiar with gnutls). I already wondered about

Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

2012-04-01 Thread Dr. Stephen Henson
On Sun, Apr 01, 2012, Dr. Stephen Henson wrote: Did a quick hack modification setting header version to 0x3,0x0 and it now *will* connect to some sites it didn't before with a long client hello including paypal. It ends up negotiating TLS 1.2 anyway. I'll do some more tests to see what

Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

2012-04-01 Thread Kurt Roeckx
On Sun, Apr 01, 2012 at 02:42:20PM +0200, Dr. Stephen Henson wrote: On Sun, Apr 01, 2012, Dr. Stephen Henson wrote: Did a quick hack modification setting header version to 0x3,0x0 and it now *will* connect to some sites it didn't before with a long client hello including paypal. It

Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

2012-04-01 Thread Dr. Stephen Henson
On Sun, Apr 01, 2012, Kurt Roeckx wrote: On Sun, Apr 01, 2012 at 02:42:20PM +0200, Dr. Stephen Henson wrote: On Sun, Apr 01, 2012, Dr. Stephen Henson wrote: Did a quick hack modification setting header version to 0x3,0x0 and it now *will* connect to some sites it didn't before

Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

2012-03-31 Thread Andy Polyakov
I've done some more tests and it seems that the size of the client hello message is significant: all the options that work reduce the size of client hello. If you use the -debug option and check out the first message bytes 4 and 5 it seems those servers hang if the length exceeds 0xFF (using

Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

2012-03-31 Thread Kurt Roeckx
On Sat, Mar 31, 2012 at 08:12:54PM +0200, Andy Polyakov wrote: I've done some more tests and it seems that the size of the client hello message is significant: all the options that work reduce the size of client hello. If you use the -debug option and check out the first message bytes 4

Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

2012-03-31 Thread Andy Polyakov
So I'm getting more and more reports of sites that have a problem since 1.0.1. They basically fall in 2 categories: - They don't tolerate versions higher than TLS 1.0 - They don't like big packets. Of the 2nd case I have at least found people complain about those sites: - www.facebook.com

Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

2012-03-31 Thread Dr. Stephen Henson
On Sat, Mar 31, 2012, Kurt Roeckx wrote: On Sat, Mar 31, 2012 at 08:12:54PM +0200, Andy Polyakov wrote: I've done some more tests and it seems that the size of the client hello message is significant: all the options that work reduce the size of client hello. If you use the -debug

Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

2012-03-31 Thread Kurt Roeckx
On Sat, Mar 31, 2012 at 11:09:15PM +0200, Andy Polyakov wrote: Bugs never make sense. But what do you mean by doesn't seem to happen here? Can you connect with 'openssl s_client -connect www.paypal.com:443 -cipher DEFAULT:\!AES' and 'openssl s_client -connect www.paypal.com:443 -cipher ALL'?

Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

2012-03-31 Thread Kurt Roeckx
On Sun, Apr 01, 2012 at 12:13:44AM +0200, Dr. Stephen Henson wrote: OpenSSL 1.0 and later will use an *SSLv3* compatible client hello provided no SSLv2 ciphersuites are requested. The default cipherstring now excludes all SSLv2 ciphersuites so by default you won't get SSLv2 client hellos. If

[openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

2012-03-29 Thread Stephen Henson via RT
A temporary workaround for this is to apply these two patches to OpenSSL 1.0.1: http://cvs.openssl.org/chngview?cn=22286 http://cvs.openssl.org/chngview?cn=22306 And recompile OpenSSL with -DOPENSSL_NO_TLS1_2_CLIENT (e.g. supplied as a command line option to config or Configure). I'm working on

Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

2012-03-29 Thread Kurt Roeckx
On Sun, Mar 25, 2012 at 01:52:22PM +0200, Stephen Henson via RT wrote: [steve - Sun Mar 25 13:11:30 2012]: I've done some more tests and it seems that the size of the client hello message is significant: all the options that work reduce the size of client hello. If you use the -debug

[openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

2012-03-25 Thread Stephen Henson via RT
[k...@roeckx.be - Sun Mar 25 04:51:32 2012]: On Fri, Mar 23, 2012 at 06:49:43PM +0100, Stephen Henson via RT wrote: [ste...@stebalien.com - Fri Mar 23 18:21:39 2012]: OpenSSL negotiation times out when connecting to Outlook Exchange 2007 both through Outlook Web Access (webmail)

[openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

2012-03-25 Thread Stephen Henson via RT
[steve - Sun Mar 25 13:11:30 2012]: I've done some more tests and it seems that the size of the client hello message is significant: all the options that work reduce the size of client hello. If you use the -debug option and check out the first message bytes 4 and 5 it seems those servers

Re: [openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

2012-03-24 Thread Kurt Roeckx via RT
On Fri, Mar 23, 2012 at 06:49:43PM +0100, Stephen Henson via RT wrote: [ste...@stebalien.com - Fri Mar 23 18:21:39 2012]: OpenSSL negotiation times out when connecting to Outlook Exchange 2007 both through Outlook Web Access (webmail) and IMAP (POP untested). This bug appeared between

[openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

2012-03-23 Thread Steven Allen via RT
OpenSSL negotiation times out when connecting to Outlook Exchange 2007 both through Outlook Web Access (webmail) and IMAP (POP untested). This bug appeared between version 1.0.0h and 1.0.1-beta1. OS: Arch Linux Applications tested: Offlineimap (IMAP), elinks (webmail), wget (webmail). Version:

[openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

2012-03-23 Thread Stephen Henson via RT
[ste...@stebalien.com - Fri Mar 23 18:21:39 2012]: OpenSSL negotiation times out when connecting to Outlook Exchange 2007 both through Outlook Web Access (webmail) and IMAP (POP untested). This bug appeared between version 1.0.0h and 1.0.1-beta1. OS: Arch Linux Applications tested: