The TLS client in openssl-1.0.0 branch aborts the connection if SSL_OP_ALLOW_UNSAFE_RENEGOTIATION (or SSL_OP_ALL) flag is not set by the calling application and the connected server does not return the extension in the server hello message. Unfortunately too many applications do not set SSL_OP_ALL which makes them incompatible with currently virtually every server as the renegotiation extension supporting servers are not deployed yet. I propose adding a new flag for the client which would explicitly disable connection to unsafe servers and to allow this connection by default. For now in Fedora I am forced to just disable the client side check.
See also: https://bugzilla.redhat.com/show_bug.cgi?id=537962

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
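Added example, not part of the message above: a small POSIX sh helper that classifies an `openssl s_client` transcript by its "Secure Renegotiation" status line, so an administrator can inventory which of their servers already return the RFC 5746 extension before deciding whether a client needs the legacy-compatibility option. The sample transcripts are constructed, not captured from real servers.

```shell
#!/bin/sh
# classify_reneg: read an `openssl s_client` session transcript (argument
# or stdin) and report whether the server advertised secure renegotiation.
# Prints one of: secure | legacy | unknown   and returns 0 | 1 | 2.
classify_reneg() {
    if [ $# -gt 0 ]; then text=$1; else text=$(cat); fi
    case "$text" in
        *"Secure Renegotiation IS NOT supported"*) echo legacy;  return 1 ;;
        *"Secure Renegotiation IS supported"*)     echo secure;  return 0 ;;
        *)                                         echo unknown; return 2 ;;
    esac
}

# count_legacy: feed a newline-separated list of transcripts' status lines
# and return how many servers still lack the extension (stdout: the count).
count_legacy() {
    n=0
    while IFS= read -r line; do
        classify_reneg "$line" >/dev/null || [ $? -ne 1 ] || n=$((n + 1))
    done
    echo "$n"
}

# Constructed sample transcripts (abbreviated; not real server output).
SAMPLE_PATCHED='New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS supported
Compression: NONE'
SAMPLE_LEGACY='New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS NOT supported
Compression: NONE'
SAMPLE_NOHANDSHAKE='connect: Connection refused'

# Demo on the constructed samples (|| : keeps a non-zero status from
# aborting a caller that runs under set -e).
classify_reneg "$SAMPLE_PATCHED"     || :
classify_reneg "$SAMPLE_LEGACY"      || :
classify_reneg "$SAMPLE_NOHANDSHAKE" || :

# Live use against a server you administer (assumes `openssl` in PATH):
#   openssl s_client -connect host:443 </dev/null 2>/dev/null | classify_reneg
# Add -legacy_renegotiation to s_client to reproduce what an application
# setting the compatibility option would see when talking to a legacy server.
```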
