Adrian Peck wrote:
>
> Having found that the Microsoft SGC extensions to SSL were not implemented
> in openssl-0.9.4, I made some changes myself. However as you can see the
> changes are very hacky due to my wish to keep the changes as simple as
> possible.
>
> The basic problem is that IE4 or 5 will issue a client hello message
> immediately after receiving the server hello and server certificate if it
> finds that this certificate was a Server Gated Crypto ( SGC ) certificate.
> The 'point' of this is to change the cipher suites that are offered to the
> server without starting a new SSL session. My code peeks at the client
> message to check for a client hello and resets the SSL state to
> SSL_ST_ACCEPT if it spots one. The code is only visited if the SSL mode
> SSL_MODE_NCIPHER_SGC_HACK is set.
>
Let me see if I understand this. MSIE sends a client hello immediately
after receiving the server hello if it contains an SGC certificate?
This seems to be allowed in the SSL 3 spec: it seems to suggest that a
client can send a client hello whenever it feels the need to. If OpenSSL
can't handle this then it may be at fault.
I'm not sure what the MSIE logic of not starting a new session is
though. At this point no cryptographic operations have been performed so
there isn't much overhead.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
