On Thu, Jul 16, 2015 at 12:02 PM, Michael Felt <[email protected]> wrote:
> Here I have the output of just one test t/ssl/pr12355.t - and note the > differences in the ssl_access_log - not just the error messages (I have > removed all "debug" messages from the logs as they were "in the way". > > LibreSSL is version 2.2.0, OpenSSL is version 0.9.8m (yes I know very old, > will test with latest patches later - I hope not relevant to here). > > So, please note: LibreSSL says access is: > t/logs/ssl_request_log:[16/Jul/2015:11:47:12 +0000] 127.0.0.1 - - "POST > /require-sha-cgi/perl_echo.pl HTTP/1.1" 403 237 > while OpenSSL says > t/logs/ssl_request_log:[16/Jul/2015:11:32:35 +0000] 127.0.0.1 TLSv1 RC4-SHA > "POST /require-sha-cgi/perl_echo.pl HTTP/1.1" 200 11 > > My question: what can I do to understand why OpenSSL is adding TLSv1 > RC4-SHA while LibreSSL is "- -" > > I'll take this one item. Take a look into our implementation of ssl_var_lookup_ssl and particularly ssl_var_lookup_ssl_cipher. I would expect LibreSSL isn't providing any meaningful data to represent.
