On 3/3/2010 11:50 AM, Stefan Fritsch wrote:
> On Wednesday 03 March 2010, Mladen Turk wrote:
>> BTW, I wouldn't recommend compiling against 0.9.8m.
>> openssl s_client < 0.9.8m blocks on renegotiation
> 
> Have you only tried 0.9.8l as client? It has a known bug with 
> renegotiation that makes it hang instead of fail.
> 
> I have no problems with 0.9.8c and 0.9.8g (from Debian 4.0 and 5.0). 
> If SSLInsecureRenegotiation is on, it works. If 
> SSLInsecureRenegotiation is off, I get an "sslv3 alert handshake 
> failure".

And the bug is specific to openssl < 0.9.8m mishandling the alert; it will
neither abort nor resume the prior session, so it is left to time out.  You
may want to contrast this behavior to legacy IE, Firefox, etc.

Attached is one suggestion of a workaround.


--- Begin Message ---
On Thu, Feb 25, 2010, Victor Duchovni wrote:

> 
> If I field a patched server, and sufficiently many unpatched pre-0.9.8m
> OpenSSL clients attempt re-negotiation under normal conditions, I have
> a resource starvation problem and unhappy users who are more annoyed at
> stuck connections than failed ones.
> 

It would under normal circumstances (for some value of normal) require a
specific request to renegotiate from the client code or setting of
renegotiation values in an SSL BIO. I don't know how many clients do that:
I suspect (and hope!) not many.

> 
> Thanks for the suggested patch, I'll chat to our web-plant team to find
> out which of the two non-optimal behaviours they are more comfortable
> with.
> 

An alternative which doesn't require modification of OpenSSL is to make use of
the info callback which gets called when an alert is sent. That could be used
to either just indicate the connection should be closed or (for example) set
a smaller timeout value.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-us...@openssl.org
Automated List Manager                           majord...@openssl.org


--- End Message ---
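As an added illustration of the info-callback approach Steve describes (this code is not from the thread, from OpenSSL or from httpd): the callback notices an outgoing fatal alert, such as the handshake_failure sent when renegotiation is refused, and flags the connection so the server can close it or shorten its timeout instead of waiting on a pre-0.9.8m client that never gives up. The ex_data flag, the index variable and the function names are assumptions; the USE_OPENSSL switch only exists so the decision logic can be built and tested without libssl.

```c
/* Build with -DUSE_OPENSSL -lssl -lcrypto to compile the real callback
 * registration; without it only the alert-decoding logic is built. */
#ifdef USE_OPENSSL
#  include <openssl/ssl.h>
#endif
/* Fallback copies of the <openssl/ssl.h> constants for the non-OpenSSL build. */
#ifndef SSL_CB_ALERT
#  define SSL_CB_WRITE              0x02
#  define SSL_CB_READ               0x04
#  define SSL_CB_ALERT              0x4000
#  define SSL_CB_WRITE_ALERT        (SSL_CB_ALERT | SSL_CB_WRITE)
#  define SSL3_AL_FATAL             2
#  define SSL3_AD_HANDSHAKE_FAILURE 40
#endif

/* OpenSSL passes an alert to the info callback as ret = (level << 8) | description. */
int alert_level(int ret)       { return (ret >> 8) & 0xff; }
int alert_description(int ret) { return ret & 0xff; }

/* 1 if (where, ret) describe a fatal alert this side has just sent (e.g. handshake_failure
 * on a refused renegotiation); alerts read from the peer (SSL_CB_READ) are ignored. */
int sent_fatal_alert(int where, int ret)
{
    if ((where & SSL_CB_WRITE_ALERT) != SSL_CB_WRITE_ALERT)
        return 0;
    return alert_level(ret) == SSL3_AL_FATAL;
}

#ifdef USE_OPENSSL
/* Assumed per-connection flag kept in SSL ex_data: the connection handler checks it after
 * each I/O step and closes, or shortens the read timeout of, a connection once it is set. */
static int alert_ex_idx = -1;
static void alert_info_cb(const SSL *ssl, int where, int ret)
{
    if (sent_fatal_alert(where, ret)) {
        int *must_close = SSL_get_ex_data(ssl, alert_ex_idx);
        if (must_close)
            *must_close = 1;
    }
}
/* Call once at startup on the server's SSL_CTX; each accepted SSL gets
 * SSL_set_ex_data(ssl, alert_ex_idx, &its_flag) before the handshake. */
void install_alert_watch(SSL_CTX *ctx)
{
    alert_ex_idx = SSL_get_ex_new_index(0, "alert-watch", 0, 0, 0);
    SSL_CTX_set_info_callback(ctx, alert_info_cb);
}
#endif
```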