Hi All,

My name's Roger Anderson, work at the University of California, San Diego as a software engineer, manager of a systems department in our facilities area. Using OpenSSL to support SSL/TLS protocols on a facilities management website for campus. Server is cross-platform C/C++ (Win32/Unix), in-process request handling, CAD and raster graphics work, and database management with PostgreSQL. Server links in OpenSSL (recent versions up to 0.9.6c) on Win32, BSD, Linux, etc.

Spending some time this weekend grappling with a bug with Netscape 6.2 (recent Mozilla builds) and SSL_accept()/SSL_read() internals. Connects from these clients cause the server-side to wait forever in blocking mode and/or time out in non-blocking mode. To be more precise, behavior I'm seeing is success with the first accept or handshake, and problems with the second. Recent posts from Tim, Daniel and Bodo on openssl-dev "netscape 6.2 crash" provide good descriptions of the problem. Bodo's comments about blocking on the first connection seem right on target to me. Also dug up several related bug reports over at <mozilla.org>, using component "Security General" for query criteria. Some seem to be source issues with the SSL connection, others related to build and config management.

We've got a fair number of users around campus connecting now with new NS and Mozilla builds on Win32, Unix, even VMS on an Alpha if I remember correctly. I'd very much like to find a workaround on the server-side to handle these clients. I've been tinkering with calls in the SSL API: BIO_sock_should_retry(), SSL_renegotiate(), SSL_do_handshake() and so on. No success though. Need to download the client-side source, build/debug to see what's going on exactly.

It's been wonderful and fun learning how OpenSSL works, but it's Saturday afternoon and I'm running out of time. You guys are way more knowledgeable and experienced with these source packages, and even have some experience with this specific bug. I wanted to poll whether you think there might be something we can do on the server-side to handle the problem? Am I wasting time with the server-side SSL tweaks? Advice on where to look, even whether you think a workaround might actually work, is greatly appreciated.

Fallback position is to simply time out the problem connections and move on to clients that are able to negotiate the SSL, with fixes arriving at a later date in updated versions of NS and Mozilla.

Just hoping there's something we can do in the interim to keep these users connecting... I'll keep hacking at it for a while longer. Downloading the client build next. Couple hours left this afternoon. Might be able to figure something out. Work tomorrow and lots to do in other areas though.

Any pointers (of a non-null variety!) greatly appreciated. Thanks!

- Roger

Roger Anderson, Director
Campus Planning Data and Systems
University of California, San Diego
