OK, I'm resolving this ticket. If this problem appears again, please send a new bug report.
Thanks. [EMAIL PROTECTED] - Sun Nov 30 09:32:41 2003]: > Fortunately for me, the issue has gone away of its own free will (I > added a note about that in the Request Tracker under #740). It turns out > the version of Windows 2000 in the test lab was very old, without even > the High Encryption Pack installed. So it did all kind of awkward > things, like using an export ciphersuite with a non-export certificate. > After installing some Win2k and Internet Explorer service packs, the > server stopped doing that. Now, the 0.9.7c works for me as well. > > I'm afraid the system backup from before applying the patches has > already been overwritten, so I was unable to revert the server to the > old state and test from the new snapshots. > > Tal > > -----Original Message----- > From: Richard Levitte via RT [mailto:[EMAIL PROTECTED] > Sent: Saturday, November 29, 2003 11:45 AM > To: Tal Mozes > Cc: [EMAIL PROTECTED] > Subject: [openssl.org #740] SSL handshake broken after upgrading to > 0.9.7c > > > The fix in X509_certificate_type() was correct but was built on old > data. These days, export keys can be up to 1024 bits. All of OpenSSL > 0.9.7c, except for X509_certificate_type(), reflected these new rulings. > Another ticket (#771) pointed this out, and I changed > X509_certificate_type() yesterday to check if the key is up to 1024 bits > instead of 512, and if so, mark it as an export certificate. That > change should resolve your issue as well. > > Please try the latest 0.9.7 snapshot and see if your issue has gone > away. If not, we need to dig deeper. > > [EMAIL PROTECTED] - Tue Oct 21 17:19:56 2003]: > > > After upgrading (from 0.9.7b) to 0.9.7c, SSL handshake fails. Here are > > > the symptoms: > > SSL_connect breaks with SSL_R_MISSING_EXPORT_TMP_RSA_KEY. This happens > > > because the client plans on using RSA_EXPORT1024_WITH_DES_CBC_SHA, and > > > the server has a certificate with a 1024-bit RSA key. > > In 0.9.7b there was a bug in X509_certificate_type() that caused it to > > > mark the server's public key with EVP_PKT_EXP (i.e. this is an export > > cipher key). The bug was fixed in 0.9.7c, and so I have an EXPORT > > cipher, with NON-EXPORT key. > > This causes a check in ssl3_check_cert_and_algorithm() to fail because > > > an EXPORT algorithm is used with NON-EXPORT certificate, and no > > temporary EXPORT key. > > My question is: Why is this check needed? Is it required in SSL/TLS > > specification? It seems strange to me to blame the server for not > > generating a temporary 512 bit key (the algorithm specifies explicitly > > > RSA-1024...). > > Anybody encountered this before? Any solution / workaround? > > I'm using Windows 2000 Active Directory as the server, and the client > is > > my application which is linked with OpenLDAP and OpenSSL. It tries to > > establish a LDAP over SSL connection on port 636. (Same client works > > when linked with 0.9.7b) Thanks Tal > > > > > -- > Richard Levitte > [EMAIL PROTECTED] > -- Richard Levitte [EMAIL PROTECTED] ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
