On Wednesday, 14. January 2009 11:29:07 Dr. Stephen Henson wrote:
# openssl s_client -ssl3 -connect update.intranator.com:443
CONNECTED(00000003)
31738:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1060:SSL alert number 40
31738:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:
Is something wrong with my certificates or could
this be a regression with openssl 0.9.8j?
"-ssl2" and "-tls1" work fine. So does openssl version 0.9.8i.
Try it with the -no_ticket option. Some servers have problems with SSL/TLS
extensions and these were enabled by default in 0.9.8j. You can also
disable extensions by compiling with the no-tlsext option.
Thanks for your reply, "-no_ticket" seems to work.
The server is running openssl-0.9.7a from Centos/RHEL 3
including the distribution specific patches.
Is openssl 0.9.7a known to be incompatible?
Guess I'll try the "no-tlsext" option next.
I've hit a similar issue with a 3rd party server a few days
ago. Yes, OpenSSL 0.9.7X (where X < l I believe, due to my
own testing) doesn't allow TLS extensions to be sent during
SSLv3 negotiation due to a bug. 0.9.8j turned on tls extensions
by default so it appears to be hitting a few people (though I'm
pretty sure 0.9.7 is more or less EOL'd, so people really should
upgrade if at all possible).
-Brad
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
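
Added example, not part of the original thread and not OpenSSL code: a small parser that reads a captured ClientHello record and reports whether an SSLv3 hello carries a TLS extensions block, which is the message shape the thread says some older servers answer with alert 40. All function names are hypothetical and the sample records are constructed in the code, not taken from a real capture.

```python
import struct

SESSION_TICKET = 35  # SessionTicket extension type (RFC 5077); -no_ticket omits it

def build_client_hello(version, extensions=()):
    """Build a minimal ClientHello record. Constructed sample data, not a capture."""
    body = bytes(version) + bytes(32) + b"\x00"      # version, random, empty session_id
    body += struct.pack("!H", 2) + b"\x00\x35"       # one cipher suite
    body += b"\x01\x00"                              # null compression only
    if extensions:
        ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(hs)) + hs

def _vec(buf, pos, width):
    """Read a length-prefixed vector; return (data, next_pos)."""
    end = pos + width
    if end > len(buf):
        raise ValueError("truncated length field")
    n = int.from_bytes(buf[pos:end], "big")
    if end + n > len(buf):
        raise ValueError("truncated vector")
    return buf[end:end + n], end + n

def parse_client_hello(record):
    """Return (client_version, [extension types]) for one ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if len(body) != hs_len or hs_len < 34:
        raise ValueError("truncated ClientHello")
    version, pos = (body[0], body[1]), 34            # skip version + 32-byte random
    for width in (1, 2, 1):                          # session_id, suites, compression
        _, pos = _vec(body, pos, width)
    types = []
    if pos < len(body):                              # anything left is the extensions block
        ext, pos = _vec(body, pos, 2)
        i = 0
        while i < len(ext):
            types.append(int.from_bytes(ext[i:i + 2], "big"))
            _, i = _vec(ext, i + 2, 2)
    return version, types

def sslv3_hello_with_extensions(record):
    """True for the hello shape the thread reports old servers rejecting."""
    version, types = parse_client_hello(record)
    return version == (3, 0) and bool(types)
```

Run against the first client record of a failing handshake, a True result points at extension intolerance on the server rather than at the certificates.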