Thanks Brad, that totally solved the issue. You have saved us days of agony :). I did notice that without this option, I was still able to make a TLS connection to my server (which was running 0.9.8g). But Google seems to be running a much older one.

-Saurabh

On Thu, May 28, 2009 at 12:11 AM, joshi chandran <[email protected]> wrote:
> If both the server and client are at openssl 9.8j, should I have to
> use these changes?
>
> #ifndef OPENSSL_NO_TLSEXT
> SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET);
> #endif
>
> Should I have to use this at the client side or server side if the openssl
> versions are different in server and client?
>
>
> On 5/27/09, Brad House <[email protected]> wrote:
> > > I have been using libjingle (http://code.google.com/p/libjingle/) with
> > > openssl on linux. I recently upgraded my openssl from 0.9.8g to 0.9.8j,
> > > and suddenly my TLS negotiation stopped working. I reverted back to
> > > 0.9.8g, and it started working again.
> > >
> > > Is there a particular change that might be causing this?
> > >
> > > I see a Client Hello A packet, then a read error, and then there are no
> > > further reads on the 0.9.8j, whereas with the 0.9.8g there are further
> > > reads, and the TLS handshake completes.
> > >
> > > To verify, you can download the code from
> > > http://code.google.com/p/libjingle/, and then configure/make it. After
> > > make, you can go to libjingle-0.4.0/talk/examples/pcp, and run ./pcp.
> > > There you can put in your googletalk username/password to login. With
> > > 0.9.8g it will login, but with 0.9.8j it will just hang at logging in
> > > (in the tls handshake). Any help is appreciated.
> >
> > I've run into this same issue before in my own products. It is due to a
> > bug on the server side. Most likely the server is running an older version
> > of OpenSSL that is not able to handle TLS extensions in the protocol stream.
> > One such extension, TLS Tickets, is enabled by default in later versions
> > of 0.9.8.
> >
> > To correct this issue you need to disable ticket support on the client
> > side at runtime. You can use something like this to do that:
> >
> > #ifndef OPENSSL_NO_TLSEXT
> > SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET);
> > #endif
> >
> > -Brad
> > ______________________________________________________________________
> > OpenSSL Project http://www.openssl.org
> > Development Mailing List [email protected]
> > Automated List Manager [email protected]
>
>
> --
> Regards
> Joshi Chandran
