>>> On Wednesday, 14. January 2009 11:29:07 Dr. Stephen Henson wrote:
>>>>> # openssl s_client -ssl3 -connect update.intranator.com:443
>>>>> CONNECTED(00000003)
>>>>> 31738:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1060:SSL alert number 40
>>>>> 31738:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:
>>>>>
>>>>> Is something wrong with my certificates or could this be a regression with openssl 0.9.8j?
>>>>>
>>>>> "-ssl2" and "-tls1" work fine. So does openssl version 0.9.8i.
>>>>
>>>> Try it with the -no_ticket option. Some servers have problems with SSL/TLS extensions and these were enabled by default in 0.9.8j. You can also disable extensions by compiling with the no-tlsext option.
>>>
>>> Thanks for your reply, "-no_ticket" seems to work.
>>> The server is running openssl-0.9.7a from Centos/RHEL 3 including the distribution specific patches.
>>> Is openssl 0.9.7a known to be incompatible?
>>> Guess I'll try the "no-tlsext" option next.
>>
>> I've hit a similar issue with a 3rd party server a few days ago. Yes, OpenSSL 0.9.7X (where X < l I believe, due to my own testing) doesn't allow TLS extensions to be sent during SSLv3 negotiation due to a bug. 0.9.8j turned on tls extensions by default so it appears to be hitting a few people (though I'm pretty sure 0.9.7 is more or less EOL'd, so people really should upgrade if at all possible).
>>
>
> I did a few tests of my own. The change that fixed this is:
>
> http://cvs.openssl.org/chngview?cn=13795
>
> Which was first included in OpenSSL 0.9.7c released way back on Jul 30 2003.
>
> I've tested 0.9.7b and that does have this bug but 0.9.7c does not. Of course some later version might have included a change which broke it again...
Hmm, I'm pretty sure I tested 0.9.7d, and it had the bug, I could be mistaken though. Actually, I want to say the error message might have been something other than 'handshake failure' though, possibly 'invalid parameter' or something. I could retest, but I don't think there's probably much point ...

-Brad

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
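The diagnosis worked out in this thread can be checked mechanically from the s_client output alone. The Python script below is an added example, not part of the thread and not OpenSSL's own code: it parses the error lines quoted above, unpacks the packed 0.9.x error code into its library, function and reason fields (the ERR_PACK layout: 8-bit library, 12-bit function, 12-bit reason), recovers the TLS alert number the peer sent, and reports the condition the thread identifies (a handshake_failure alert on an -ssl3 connection, consistent with a server that cannot handle TLS extensions) alongside the remedies the thread names. The two sample error lines are copied from the quoted output; the alert-name table is from RFC 5246; the verdict labels, the certificate-alert branch (it goes slightly beyond the thread by also answering the poster's "is it my certificates?" question) and the helper names are my own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Layout of an OpenSSL error line as printed by s_client (0.9.x era):
#   <pid>:error:<packed hex code>:<library>:<function>:<reason>:<file>:<line>:<extra>
ERR_LINE = re.compile(
    r"^(?P<pid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):"
    r"(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^:]*):"
    r"(?P<file>[^:]*):(?P<line>\d+):(?P<extra>.*)$"
)

# TLS alert descriptions from RFC 5246 section 7.2 (41 no_certificate is SSLv3 only).
ALERT_NAMES: Dict[int, str] = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    21: "decryption_failed", 22: "record_overflow", 30: "decompression_failure",
    40: "handshake_failure", 41: "no_certificate", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
    48: "unknown_ca", 49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    60: "export_restriction", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error", 90: "user_canceled", 100: "no_renegotiation",
    110: "unsupported_extension",
}

ERR_LIB_SSL = 20          # library id 0x14 in the packed code: the SSL library
AD_REASON_OFFSET = 1000   # OpenSSL encodes "received alert N" as reason 1000 + N

# Constructed input: the CONNECTED line and the two error lines quoted in the thread.
SAMPLE_OUTPUT = [
    "CONNECTED(00000003)",
    "31738:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1060:SSL alert number 40",
    "31738:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:",
]


def unpack_error_code(code_hex: str) -> Tuple[int, int, int]:
    """Split a packed 0.9.x error code into (library, function, reason).

    ERR_PACK(l, f, r) = (l & 0xff) << 24 | (f & 0xfff) << 12 | (r & 0xfff)
    """
    code = int(code_hex, 16)
    return code >> 24, (code >> 12) & 0xFFF, code & 0xFFF


def parse_error_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one s_client stderr line; return None for lines that are not errors."""
    m = ERR_LINE.match(line.strip())
    if m is None:
        return None
    lib, func, reason = unpack_error_code(m["code"])
    alert: Optional[int] = None
    # s3_pkt.c appends "SSL alert number N" when the peer sent an alert;
    # fall back to the reason encoding (1000 + N) if that suffix is absent.
    suffix = re.search(r"SSL alert number (\d+)", m["extra"])
    if suffix:
        alert = int(suffix.group(1))
    elif lib == ERR_LIB_SSL and reason >= AD_REASON_OFFSET:
        alert = reason - AD_REASON_OFFSET
    return {
        "library": lib,
        "function_code": func,
        "function": m["func"],
        "reason_code": reason,
        "reason": m["reason"],
        "location": f'{m["file"]}:{m["line"]}',
        "alert": alert,
        "alert_name": ALERT_NAMES.get(alert, "unknown") if alert is not None else None,
    }


def classify_failure(output_lines: List[str], protocol_flag: str) -> Dict[str, object]:
    """Triage an s_client failure the way the thread does (verdict labels are mine).

    A handshake_failure alert from the peer on an -ssl3 connection, with no
    certificate-related alert, is the symptom the thread attributes to a server
    that cannot handle TLS extensions (0.9.7 before 0.9.7c). The remedies listed
    are the ones named in the thread.
    """
    parsed = [p for p in (parse_error_line(l) for l in output_lines) if p]
    alerts = {p["alert"] for p in parsed if p["alert"] is not None}
    cert_alerts = alerts & {42, 43, 44, 45, 46, 48}
    if cert_alerts:
        return {"verdict": "certificate_problem", "alerts": sorted(alerts),
                "remedies": ["check the server certificate chain"]}
    if 40 in alerts and protocol_flag == "-ssl3":
        return {"verdict": "extension_intolerant_peer_suspected", "alerts": sorted(alerts),
                "remedies": ["retry with -no_ticket",
                             "build the client with no-tlsext",
                             "upgrade the server to OpenSSL 0.9.7c or later"]}
    if parsed:
        return {"verdict": "other_handshake_error", "alerts": sorted(alerts), "remedies": []}
    return {"verdict": "no_error", "alerts": [], "remedies": []}


if __name__ == "__main__":
    for line in SAMPLE_OUTPUT:
        print(parse_error_line(line))
    print(classify_failure(SAMPLE_OUTPUT, "-ssl3"))
```

Unpacking the code is what makes the triage robust: the first quoted line carries reason 0x410 = 1040, which is 1000 + 40, so the alert number is recoverable even from builds that omit the "SSL alert number" suffix, while the second line (reason 0xE5, the client's own "ssl handshake failure") correctly yields no alert at all.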