Hi,
France, Strasbourg, 12 Feb 2007
-------------
Summary: Linux environment (2.6.17-gentoo)
Connection failed in the following new context:
(SSLv3 + resume session + NO_INTERNAL_LOOKUP + version 0.9.8d)
Connection normally accepted in the following contexts:
(SSLv3 + resume session + NO_INTERNAL_LOOKUP + version 0.9.7l)
(TLSv1 + resume session + NO_INTERNAL_LOOKUP + version 0.9.8d)
(SSLv3 + resume session + internal cache + version 0.9.8d)
----------------------------------------------------
I am using SSLv3 connections between clients and a proxy server,
in a double-authentication context.
I use "NO_INTERNAL_LOOKUP" with a memory cache.
With openssl-0.9.7l and previous, I don't see any problem.
Connections and session resume are perfect.
With openssl-0.9.8d the first SSLv3 connection is always good, but
the session resume is immediately broken: the SSL engine calls "removecb",
something is wrong and it is rejected.
If I modify the server to INTERNAL CACHE, the session resume is
now good in SSLv3 too.
So I suppose my certificates are correct.
If my client uses TLSv1 (ssl_CTX = sslv23), the first and following
resumed sessions are OK.
Do you have any information about this new resume failure in SSLv3?
How can I help you, and you help me too, to go further?
Are there any changes in the SSLv3 session-resume design between
0.9.8 and 0.9.7l? Security failure patch?
Best regards,
Jacques Vuillemin
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]