Hello Roger,

Sorry I did not respond sooner. I did the early SSL support in mozilla but have not touched this code in over a year or so. I think that the folks that you want to talk to are Javier Delgadillo and Terry Hayes <[EMAIL PROTECTED],[EMAIL PROTECTED]>. They now own the security management code in mozilla.
cc'ing them.

Regards,
Doug Turner

Roger Anderson wrote:

>Hi All,
>
>My name's Roger Anderson, work at the University of California, San
>Diego as a software engineer, manager of a systems department in our
>facilities area. Using OpenSSL to support SSL/TLS protocols on a
>facilities management website for campus. Server is cross-platform
>C/C++ (Win32/Unix), in-process request handling, CAD and raster
>graphics work, and database management with PostgreSQL. Server links
>in OpenSSL (recent versions up to 0.9.6c) on Win32, BSD, Linux, etc.
>
>Spending some time this weekend grappling with a bug with Netscape
>6.2 (recent Mozilla builds) and SSL_accept()/SSL_read() internals.
>Connects from these clients cause the server-side to wait forever
>in blocking mode and/or timeout in non-blocking mode. To be more
>precise, behavior I'm seeing is success with the first accept or
>handshake, and problems with the second. Recent posts from Tim,
>Daniel and Bodo on openssl-dev "netscape 6.2 crash" provide good
>descriptions of the problem. Bodo's comments about blocking on the
>first connection seem right on target to me. Also dug up several
>related bug reports over at <mozilla.org>, using component "Security
>General" for query criteria. Some seem to be source issues with the
>SSL connection, others related to build and config management.
>
>We've got a fair number of users around campus connecting now with
>new NS and Mozilla builds on Win32, Unix even VMS on an Alpha if I
>remember correctly. I'd very much like to find a workaround on the
>server-side to handle these clients. I've been tinkering with calls
>in the SSL API: BIO_sock_should_retry(), SSL_renegotiate(),
>SSL_do_handshake() and so on. No success though. Need to download
>the client-side source, build/debug to see what's going on exactly.
>It's been wonderful and fun learning how OpenSSL works, but it's
>Saturday afternoon and I'm running out of time.
>
>You guys are way more knowledgeable and experienced with these source
>packages, and even have some experience with this specific bug. I
>wanted to poll whether you think there might be something we can do
>on the server-side to handle the problem? Am I wasting time with the
>server-side SSL tweaks? Advice on where to look, even whether you
>think a workaround might actually work, is greatly appreciated.
>
>Fallback position is to simply timeout the problem connections and
>move on to clients that are able to negotiate the SSL, with fixes
>arriving at a later date in updated versions of NS and Mozilla. Just
>hoping there's something we can do in the interim to keep these
>users connecting...
>
>I'll keep hacking at it for a while longer. Downloading the client
>build next. Couple hours left this afternoon. Might be able to
>figure something out. Work tomorrow and lots to do in other areas
>though. Any pointers (of a non-null variety!) greatly appreciated.
>
>Thanks!
>
>- Roger
>
>Roger Anderson, Director
>Campus Planning Data and Systems
>University of California, San Diego
>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
