Hello, this is the digest of a conversation concerning the bug report filed as #1455, held with Christophe Devine:
Christophe Devine wrote:
> Christian Marg wrote:
>> Christophe Devine wrote:
>>> Christian Marg wrote:
>>>> Christophe Devine wrote:
>>>>> Christian Marg wrote:
>>>>>> I now have a console log of "ssldump host
>>>>>> windowsserver.fqdn", see below. I hope that this log is useful.
>>>>>>
>>>>>> See the log on
>>>>>> http://home.tu-clausthal.de/~ifcma/ssltest/with-pause.ssldump.txt
>>>>>> and
>>>>>> http://home.tu-clausthal.de/~ifcma/ssltest/without-pause.ssldump.txt
>>>>>>
>>>>> Looking at the logs, it appears the server drops the connection
>>>>> after the client has sent his Finished message -- decryption
>>>>> failed, probably. It may be helpful if you could provide a tcpdump
>>>>> trace in both cases (with and without -pause). [Please add "-s 0"
>>>>> to the tcpdump command line]
>>>>>
>>>> Ok, here you are:
>>>> http://home.tu-clausthal.de/~ifcma/ssltest/with-pause.tcpdump.raw
>>>> http://home.tu-clausthal.de/~ifcma/ssltest/without-pause.tcpdump.raw
>>>
>>> [...]
>>>
>>> After having a look at the files, it appears there was only one minor
>>> difference in both of the traces: in the first case (without pause),
>>> several handshake messages are coalesced into a single TCP packet,
>>> whereas in the second case the client certificate message is sent in a
>>> single TCP packet. This is according to the standard, so it's more
>>> likely to be a problem with the server itself, not OpenSSL.
>>
>> Is that merging of messages into TCP packets explicitly allowed
>> in the standard? I'm asking because I tested and found working not only
>> Mozilla SSL but GnuTLS too. So maybe OpenSSL should just do it like all
>> the others?
>>
>>> [Could you please try out programs/ssl_client2.c from
>>> http://xyssl.org/code/download/xyssl-0.5.tgz]
>>
>> Yes:
>> =========================================================
>> FreeBSD# ./ssl_client2
>>
>>   . Loading the CA root certificate ... ok
>>   . Loading the client cert. and key... ok
>>   . Connecting to tcp/windowsserver.fqdn/636 ... ok
>>   . Setting up the RNG and SSL state... ok
>>   . Performing the SSL/TLS handshake... ok
>>     [ Cipher is SSL3_RSA_RC4_128_MD5 ]
>>   . Verifying peer X.509 certificate... failed
>>     ! self-signed or not signed by a trusted CA
>>
>>   > Write to server:
>>
>>   < Read from server:
>> =========================================================
>> Seems like it works ok...
>
> So it works with GnuTLS, NSS and XySSL, but not OpenSSL. Well, to be frank, I'm
> a bit lost why this error is showing up. You probably need help from an
> OpenSSL developer with more experience than me, I'm afraid.

bye
Christian

-- 
Christian Marg                  mail: mailto:[EMAIL PROTECTED]
Rechenzentrum TU Clausthal      web : http://www.rz.tu-clausthal.de
D-38678 Clausthal-Zellerfeld    fon : 05323/72-2043
Germany                         ICQ : <on request>
signature.asc
Description: PGP signature
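The record-layer behaviour discussed in the thread (several handshake messages arriving in one TCP packet) is what RFC 2246 section 6.2.1 permits: message boundaries are not preserved by the record layer, so messages of one content type may be coalesced into a single record, or a single message may be fragmented across several records, and TCP segmentation is independent of both. The Python demultiplexer below is an added example written for this digest; it is not code from the thread, from OpenSSL or from XySSL. The handshake bodies are constructed placeholders, the three wire layouts are built inline, and the class and function names are the example's own. It shows that a parser written to the standard recovers the same message sequence from all three layouts, which is the check an implementer wants when a peer accepts only one of them.

```python
"""Incremental TLS record demultiplexer (added example, not project code).

Recovers the same handshake messages whether a peer coalesces them into one
record and one TCP segment, sends one record per message, or fragments the
handshake bytes across small records and small TCP segments.
"""
import struct

CONTENT_CHANGE_CIPHER_SPEC = 20
CONTENT_HANDSHAKE = 22

# Handshake message types from RFC 2246 section 7.4
HS_CERTIFICATE = 11
HS_CERTIFICATE_VERIFY = 15
HS_CLIENT_KEY_EXCHANGE = 16

TLS_1_0 = 0x0301


def handshake_msg(hs_type, body):
    """Handshake header: 1-byte type, 3-byte length, then the body."""
    return bytes([hs_type]) + len(body).to_bytes(3, "big") + body


def record(content_type, payload, version=TLS_1_0):
    """Record header: content type, protocol version, 2-byte length, then payload."""
    return struct.pack("!BHH", content_type, version, len(payload)) + payload


class TLSStreamParser:
    """Reassembles records from arbitrary TCP chunks, and handshake messages from records."""

    def __init__(self):
        self._stream = b""   # bytes that do not yet form a complete record
        self._hs_frag = b""  # handshake bytes carried over between records
        self.messages = []   # (content_type, handshake_type or None, body)

    def feed(self, chunk):
        """Accept one TCP segment's worth of bytes; record boundaries may fall anywhere."""
        self._stream += chunk
        while len(self._stream) >= 5:
            ctype, _version, length = struct.unpack("!BHH", self._stream[:5])
            if len(self._stream) < 5 + length:
                break  # wait for the rest of this record
            payload, self._stream = self._stream[5:5 + length], self._stream[5 + length:]
            self._on_record(ctype, payload)

    def _on_record(self, ctype, payload):
        if ctype != CONTENT_HANDSHAKE:
            if self._hs_frag:
                raise ValueError("record of another content type inside a handshake fragment")
            self.messages.append((ctype, None, payload))
            return
        self._hs_frag += payload
        # A record may hold several handshake messages, or only part of one.
        while len(self._hs_frag) >= 4:
            hs_type = self._hs_frag[0]
            hs_len = int.from_bytes(self._hs_frag[1:4], "big")
            if len(self._hs_frag) < 4 + hs_len:
                break  # message continues in the next record
            body = self._hs_frag[4:4 + hs_len]
            self._hs_frag = self._hs_frag[4 + hs_len:]
            self.messages.append((ctype, hs_type, body))


# Constructed placeholder bodies for the client's second flight.
CLIENT_FLIGHT = [
    (HS_CERTIFICATE, b"<constructed Certificate body>"),
    (HS_CLIENT_KEY_EXCHANGE, b"<constructed ClientKeyExchange body>"),
    (HS_CERTIFICATE_VERIFY, b"<constructed CertificateVerify body>"),
]
CHANGE_CIPHER_SPEC = record(CONTENT_CHANGE_CIPHER_SPEC, b"\x01")


def coalesced_stream():
    """All three messages in one handshake record (the coalesced layout seen in the trace)."""
    handshake = b"".join(handshake_msg(t, b) for t, b in CLIENT_FLIGHT)
    return record(CONTENT_HANDSHAKE, handshake) + CHANGE_CIPHER_SPEC


def one_record_per_message_stream():
    """One handshake record per message."""
    return b"".join(record(CONTENT_HANDSHAKE, handshake_msg(t, b)) for t, b in CLIENT_FLIGHT) + CHANGE_CIPHER_SPEC


def fragmented_stream(piece=7):
    """Handshake bytes cut into small records with no regard for message boundaries."""
    handshake = b"".join(handshake_msg(t, b) for t, b in CLIENT_FLIGHT)
    records = b"".join(record(CONTENT_HANDSHAKE, handshake[i:i + piece]) for i in range(0, len(handshake), piece))
    return records + CHANGE_CIPHER_SPEC


def parse(stream, segment=None):
    """Feed the stream to the parser in TCP segments of `segment` bytes (None = one segment)."""
    parser = TLSStreamParser()
    step = segment or len(stream)
    for i in range(0, len(stream), step):
        parser.feed(stream[i:i + step])
    return parser.messages


if __name__ == "__main__":
    a = parse(coalesced_stream())
    b = parse(one_record_per_message_stream(), segment=5)
    c = parse(fragmented_stream(), segment=3)
    assert a == b == c
    for ctype, hs_type, body in a:
        print(ctype, hs_type, body)
```

All three layouts yield Certificate, ClientKeyExchange, CertificateVerify and then the ChangeCipherSpec record; the parser keeps a handshake carry-over buffer across records and never assumes a record or a TCP segment begins at a message boundary.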