On Thu, Jan 08, 2009, Brad House wrote:
> What I've narrowed it down to is this ...
>
> Command run:
> ./openssl s_client -no_ssl2 -connect igusprodb.globalpay.com:443
>
> Tested versions:
> OpenSSL 0.9.8h - good
> OpenSSL 0.9.8i - good
> OpenSSL 0.9.8j-stable-SNAP-20081123 - good
> OpenSSL 0.9.8j release - bad
>
> Without the -no_ssl2, the release 0.9.8j is fine. Also, if I
> pass -no_ticket _with_ -no_ssl2, it works ...
>
> So I'm wondering what's happened since November that would cause
> this to fail... The 20081123 snapshot is the only one I have, I'll have
> to do pulls directly from CVS to try to narrow the timeframe down
> further, but maybe someone else knows already what the issue is...
>
In 0.9.8j TLS extensions are enabled by default. If you use an SSLv2 compatible client hello then extensions are not sent. If you use SSL/TLS client hello they are sent. The only extension used by default is session ticket. So if you disable that no extensions are used either.

Extensions should be tolerated by any compliant SSL/TLS implementation AFAIK. There is a provision in the specifications which permits additional information at the end of a client hello message even if the server doesn't understand it.

Some older implementations (including ancient versions of OpenSSL) don't handle this situation properly. I suspect you've come across one of those.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
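Added example, not from the thread and not OpenSSL's own code: it constructs a TLS 1.0 ClientHello with and without the empty session_ticket extension (type 35) that 0.9.8j sends by default, plus an SSLv2-compatible CLIENT-HELLO, and parses the TLS form to show where the extension data sits and why the SSLv2 form cannot carry any. All function names and the byte layouts' sample values (zero random, one cipher suite) are constructed for illustration.

```python
import struct

SESSION_TICKET = 35  # extension type "SessionTicket TLS" (RFC 5077)


def build_client_hello(with_ticket: bool, cipher_suites=(0x002F,)) -> bytes:
    """TLS record holding a TLS 1.0 ClientHello (constructed sample)."""
    body = b"\x03\x01"                     # client_version = TLS 1.0
    body += b"\x00" * 32                   # random (zeros, constructed)
    body += b"\x00"                        # session_id length = 0
    body += struct.pack(">H", 2 * len(cipher_suites))
    body += b"".join(struct.pack(">H", c) for c in cipher_suites)
    body += b"\x01\x00"                    # compression_methods: null only
    if with_ticket:                        # what 0.9.8j adds unless -no_ticket
        ext = struct.pack(">HH", SESSION_TICKET, 0)   # empty SessionTicket
        body += struct.pack(">H", len(ext)) + ext     # extensions block
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake header
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs


def build_sslv2_compat_hello() -> bytes:
    """SSLv2-format CLIENT-HELLO advertising TLS 1.0 (what s_client sends
    without -no_ssl2). Its fixed layout has no field for extensions."""
    specs = b"\x00\x00\x2f"                # one 3-byte cipher spec
    challenge = b"\x00" * 16               # constructed sample challenge
    msg = b"\x01\x03\x01" + struct.pack(">HHH", len(specs), 0, len(challenge))
    msg += specs + challenge
    return struct.pack(">H", 0x8000 | len(msg)) + msg   # 2-byte hdr, high bit set


def is_sslv2_format(record: bytes) -> bool:
    """SSLv2 record: high bit of first length byte set, msg type 1 follows."""
    return len(record) > 2 and record[0] & 0x80 != 0 and record[2] == 0x01


def parse_extensions(record: bytes) -> list:
    """Extension types in a TLS-format ClientHello; [] when the optional
    trailing extensions block is absent (legal per the TLS specs)."""
    assert record[0] == 0x16 and record[5] == 0x01, "not a ClientHello record"
    hs_end = 9 + int.from_bytes(record[6:9], "big")   # end of handshake body
    p = 9 + 2 + 32                                    # past version + random
    p += 1 + record[p]                                # session_id
    p += 2 + struct.unpack(">H", record[p:p + 2])[0]  # cipher_suites
    p += 1 + record[p]                                # compression_methods
    if p >= hs_end:
        return []                                     # pre-extension hello
    ext_len = struct.unpack(">H", record[p:p + 2])[0]
    p, end, types = p + 2, p + 2 + ext_len, []
    while p < end:                                    # type(2) len(2) data
        ext_type, length = struct.unpack(">HH", record[p:p + 4])
        types.append(ext_type)
        p += 4 + length
    return types
```

Calling `parse_extensions(build_client_hello(True))` yields `[35]`, the same hello without the ticket yields `[]`, and `is_sslv2_format(build_sslv2_compat_hello())` is true, matching the three s_client combinations in the report.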