On 22.02.2014 16:04, Marc Hoersken wrote:
> After pushing the change on the 31st of January, I did now notice that
> there seems to be a problem with stunnel and Schannel while using
> TLSv1.2. Disabling it and only allowing SSLv3, TLSv1.0 and TLSv1.1 on
> either side (stunnel config or Internet Explorer options) avoids the issue.
>
> ...
>
> So there seems to be an incompatibility between the stunnel and Schannel
> implementations of TLSv1.2.

I found the reason for this incompatibility to be the MD5 hash algorithm used for the signature of the self-signed test certificate. Schannel's implementation of TLSv1.2 does not accept certificates with signatures which are based upon the MD5 hash algorithm. [1]

In order to fix the issue within the testsuite, I regenerated the certificate using a SHA1 hash and pushed it to the repository. [2]

I also added a note regarding the impact of the previous changes to the defaults of WinSSL to the release notes. [3]

[1] http://blogs.msdn.com/b/ieinternals/archive/2011/03/25/misbehaving-https-servers-impair-tls-1.1-and-tls-1.2.aspx
[2] https://github.com/bagder/curl/commit/b5486adc9bb335818e501b925544dcd6b3fd92e4
[3] https://github.com/bagder/curl/commit/e08d0662b7b6e22d0f09b445141fd7827ae68478
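
Added example (not part of the original message or of the curl test suite): a way to check which hash a certificate's signature uses, by reading the signatureAlgorithm OID directly from the DER encoding. The function names and the sample skeletons are constructed for illustration; the skeletons are not real certificates.

```python
import ssl

SIG_HASH = {  # signatureAlgorithm OID -> hash used for the certificate signature
    "1.2.840.113549.1.1.4": "md5",      # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "sha1",     # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
}

def read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        end = pos + (length & 0x7F)
        length, pos = int.from_bytes(buf[pos:end], "big"), end
    return tag, pos, pos + length

def decode_oid(body):
    """Decode OID content bytes (single-octet first subidentifier, as in these OIDs)."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_hash(cert):
    """Return the hash named by Certificate.signatureAlgorithm (PEM str or DER bytes)."""
    der = ssl.PEM_cert_to_DER_cert(cert) if isinstance(cert, str) else cert
    _, cert_start, _ = read_tlv(der, 0)          # outer Certificate SEQUENCE
    _, _, tbs_end = read_tlv(der, cert_start)    # step over tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)     # signatureAlgorithm SEQUENCE
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in signatureAlgorithm")
    oid = decode_oid(der[oid_start:oid_end])
    return SIG_HASH.get(oid, "unknown (" + oid + ")")

def tlv(tag, body):
    """Encode one DER TLV; the constructed samples stay below 256 bytes per value."""
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + body

def sample_cert(oid_tail):
    """Constructed skeleton, not a real certificate: dummy tbsCertificate and signature."""
    oid = bytes.fromhex("2a864886f70d0101") + bytes([oid_tail])
    alg = tlv(0x30, tlv(0x06, oid) + tlv(0x05, b""))
    return tlv(0x30, tlv(0x30, tlv(0x04, bytes(200))) + alg + tlv(0x03, bytes(17)))
```

For a real certificate, pass the PEM text of the file (or its DER bytes) to `signature_hash`; a result of `md5` identifies the condition described in the message above.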