[openssl-users] SSL error “inappropriate fallback” and TLS_FALLBACK_SCSV

2017-05-31 Thread Florin Andrei
A bit of context: I have this endpoint behind an AWS ALB. I do SSL termination at the ALB. To my surprise, when looking at the client_tlsnegotiation_error_count metric for the ALB, I've noticed a substantial amount of failed connection attempts due to TLS negotiation errors - perhaps around

[openssl-users] enable TLS_RSA_WITH_RC4_128_MD5 in openssl 1.1.0e?

2017-05-31 Thread Siyuan Xiang
Hi all, I have a legacy server that only accepts the TLS_RSA_WITH_RC4_128_MD5 cipher. I have a client using openssl 1.1.0e. It doesn't include TLS_RSA_WITH_RC4_128_MD5. I have recompiled the openssl using enable-weak-ssl-ciphers, but it doesn't work but TLS_RSA_WITH_RC4_128_SHA is in client hello

Re: [openssl-users] OpenSSL and RPATH's

2017-05-31 Thread Wouter Verhelst
On 31-05-17 17:11, PGNet Dev wrote:
> On 5/31/17 3:16 AM, Wouter Verhelst wrote:
>> On 30-05-17 18:12, PGNet Dev wrote:
>> [...]
>>> with lots of apps still not at all v110
>>> compatible, or at best broken in their attempts, having local builds of
>>> both v110x and v102x is extremely useful --

Re: [openssl-users] OpenSSL and RPATH's

2017-05-31 Thread Michael Wojcik
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of PGNet Dev
> Sent: Wednesday, May 31, 2017 11:12
>
> And, IMO, that's just bad advice. RPATH is perfectly fine, and this^ is exactly
> what it exists for. Feel free to use it or not, but don't FUD perfectly
>

Re: [openssl-users] OpenSSL and RPATH's

2017-05-31 Thread PGNet Dev
On 5/31/17 3:16 AM, Wouter Verhelst wrote:
> On 30-05-17 18:12, PGNet Dev wrote:
> [...]
>> with lots of apps still not at all v110
>> compatible, or at best broken in their attempts, having local builds of
>> both v110x and v102x is extremely useful -- and RPATH'ing makes that
>> trivially

Re: [openssl-users] OpenSSL and RPATH's

2017-05-31 Thread Viktor Dukhovni
> On May 31, 2017, at 6:16 AM, Wouter Verhelst wrote:
>
> RPATH is useful if the SONAME is the same but the libraries aren't, for
> whatever reason (e.g., local patches). Other than that, you don't need
> it, and it's generally a bad idea. There's no need to take

Re: [openssl-users] OpenSSL and RPATH's

2017-05-31 Thread Wouter Verhelst
On 30-05-17 18:12, PGNet Dev wrote:
[...]
> with lots of apps still not at all v110
> compatible, or at best broken in their attempts, having local builds of
> both v110x and v102x is extremely useful -- and RPATH'ing makes that
> trivially manageable.

That's exactly my point -- you don't need to