On Wed, Jan 14, 2009, Brad House wrote:
>> On Wednesday, 14. January 2009 11:29:07 Dr. Stephen Henson wrote:
>>>> # openssl s_client -ssl3 -connect update.intranator.com:443
>>>> CONNECTED(00000003)
>>>> 31738:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
>>>> failure:s3_pkt.c:1060:SSL alert number 40
>>>> 31738:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:
>>>>
>>>> Is something wrong with my certificates or could
>>>> this be a regression with openssl 0.9.8j?
>>>>
>>>> "-ssl2" and "-tls1" work fine. So does openssl version 0.9.8i.
>>> Try it with the -no_ticket option. Some servers have problems with
>>> SSL/TLS extensions and these were enabled by default in 0.9.8j. You can also
>>> disable extensions by compiling with the no-tlsext option.
>> Thanks for your reply, "-no_ticket" seems to work.
>> The server is running openssl-0.9.7a from CentOS/RHEL 3
>> including the distribution specific patches.
>> Is openssl 0.9.7a known to be incompatible?
>> Guess I'll try the "no-tlsext" option next.
>
> I've hit a similar issue with a 3rd party server a few days
> ago. Yes, OpenSSL 0.9.7X (where X < l I believe, due to my
> own testing) doesn't allow TLS extensions to be sent during
> SSLv3 negotiation due to a bug. 0.9.8j turned on TLS extensions
> by default so it appears to be hitting a few people (though I'm
> pretty sure 0.9.7 is more or less EOL'd, so people really should
> upgrade if at all possible).
>
I did a few tests of my own. The change that fixed this is:

http://cvs.openssl.org/chngview?cn=13795

Which was first included in OpenSSL 0.9.7c released way back on Jul 30 2003.

I've tested 0.9.7b and that does have this bug but 0.9.7c does not. Of course some later version might have included a change which broke it again...

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
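An added shell example, not part of this thread or of OpenSSL, that automates the check the thread does by hand: run s_client once with the 0.9.8j default (extensions on) and once with -no_ticket, then classify the pair of results. The function names are assumptions; the grep pattern is the "alert handshake failure" string quoted above, and the host and port are whatever the caller passes.

```shell
#!/bin/sh
# Added example, not from the thread: automate the manual check above by
# running s_client with and without -no_ticket and comparing the results.
# Assumes the openssl binary is on PATH; host/port come from the command line.

# Capture one s_client run (stdout+stderr). $1=host $2=port $3=extra flags.
# stdin is redirected from /dev/null so s_client exits after the handshake.
s_client_probe() {
    openssl s_client -ssl3 -connect "$1:$2" $3 </dev/null 2>&1
}

# Match the failure the thread shows: an alert 40 (handshake_failure)
# reported by SSL3_READ_BYTES. Exit status 0 means "handshake failed".
handshake_failed() {
    printf '%s\n' "$1" | grep -q 'alert handshake failure'
}

# Classify two captured outputs: $1 = run with extensions (the 0.9.8j
# default), $2 = run with -no_ticket. Prints one of:
#   ok                    both handshakes succeeded
#   extension-intolerant  failed only when extensions were sent (the
#                         0.9.7 bug fixed in 0.9.7c, per the thread)
#   broken                failed both ways: look elsewhere (certs, network)
classify() {
    if handshake_failed "$1"; then
        if handshake_failed "$2"; then
            echo broken
        else
            echo extension-intolerant
        fi
    else
        echo ok
    fi
}

# Usage: sh probe.sh update.intranator.com 443   (runs only when args given)
if [ "$#" -eq 2 ]; then
    with_ext=$(s_client_probe "$1" "$2" "")
    no_ticket=$(s_client_probe "$1" "$2" "-no_ticket")
    classify "$with_ext" "$no_ticket"
fi
```

A server that classifies as extension-intolerant is running the pre-0.9.7c code the thread describes; -no_ticket is a client-side workaround, and upgrading the server is the fix.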