Hi Stephen, I have another query ...

If I have a client application which is using OpenSSL 9.8k and tries to connect to a server which has the older OpenSSL 9.8d, which does not have support for the TLS extension, will the handshake fail in this case?

I have gone through many documents and, based on that, OpenSSL has some API through which only the client application can send the TLS extension during the handshake, and if the client is not using this API to set the TLS extension, then I hope all the handshakes will be successful regardless of whether client and server have different OpenSSL versions.

Please correct me if I am wrong.

Thanks in advance

On Thu, Oct 1, 2009 at 2:59 AM, Stephen Henson via RT <[email protected]> wrote:

>> [[email protected] - Wed Sep 30 10:19:55 2009]:
>>
>> We have found when openssl connects with another server with an older
>> TLS implementation we get an error:
>> SSL reported error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3
>> alert unexpected message
>> Compiling with OPENSSL_NO_TLSEXT defined seems to correct the problem.
>> However when compiling the library with the "-DOPENSSL_NO_TLSEXT"
>> option, the linker gives the following error:
>> link /nologo /subsystem:console /opt:ref /dll
>> /out:out32dll\ssleay32.dll /def:ms/SSLEAY32.def
>> ...@c:\DOCUME~1\Rip\LOCALS~1\Temp\nm224.tmp
>> SSLEAY32.def : error LNK2001: unresolved external symbol
>> SSL_get_servername
>> SSLEAY32.def : error LNK2001: unresolved external symbol
>> SSL_get_servername_type
>> SSLEAY32.def : error LNK2001: unresolved external symbol
>> SSL_set_session_secret_cb
>> SSLEAY32.def : error LNK2001: unresolved external symbol
>> SSL_set_session_ticket_ext
>> SSLEAY32.def : error LNK2001: unresolved external symbol
>> SSL_set_session_ticket_ext_cb
>> out32dll\ssleay32.lib : fatal error LNK1120: 5 unresolved externals
>> We temporarily commented the lines in the SSLEAY32.def file for now,
>> which allows the DLL to be built, but some of the openssl apps now
>> do not link. A more elegant solution would be to change the code
>> so that the functions such as SSL_get_servername still exist, but
>> return NULL, or 0 instead when OPENSSL_NO_TLSEXT is defined.
>>
>
> If you want to disable features on WIN32 you need to include them as an
> argument to Configure or they will be missed. For example:
>
> perl Configure VC-WIN32 no-tlsext
>
> You may then need to recompile all of OpenSSL, the applications should
> compile correctly.
>
> You don't mention the version of OpenSSL in use but if it is 0.9.8 then
> disabling tickets should be sufficient to stop the use of TLS extensions
> without having to remove support from the library.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> Development Mailing List [email protected]
> Automated List Manager [email protected]

--
Regards
Joshi Chandran
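As an added example (not part of the original thread and not OpenSSL code): a Python check that reports whether a captured TLS-record ClientHello carries an extensions block, which is what the compatibility question in this thread turns on. The two hellos are constructed samples, and `client_hello_extensions` and `build_client_hello` are hypothetical names.

```python
def client_hello_extensions(record: bytes) -> list:
    """Return the extension type numbers in a TLS ClientHello record.

    An empty list means the hello stops after compression_methods, so it
    contains nothing a server without TLS extension support has to parse.
    """
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record holding a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("malformed ClientHello")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    take(2 + 32)                              # client_version, random
    take(take(1)[0])                          # session_id
    take(int.from_bytes(take(2), "big"))      # cipher_suites
    take(take(1)[0])                          # compression_methods
    if pos == len(body):
        return []                             # no extensions block at all
    ext_len = int.from_bytes(take(2), "big")
    if ext_len != len(body) - pos:
        raise ValueError("extensions length does not match the message")
    types = []
    while pos < len(body):
        types.append(int.from_bytes(take(2), "big"))   # extension_type
        take(int.from_bytes(take(2), "big"))           # extension_data
    return types


def build_client_hello(extensions: bytes = b"") -> bytes:
    """Constructed sample: TLS 1.0 hello, one cipher suite, null compression."""
    body = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    if extensions:
        body += len(extensions).to_bytes(2, "big") + extensions
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs


# Constructed extension bytes: server_name (type 0), empty session ticket (type 35).
SNI = b"\x00\x00\x00\x11\x00\x0f\x00\x00\x0c" + b"example.test"
TICKET = b"\x00\x23\x00\x00"
PLAIN_HELLO = build_client_hello()
EXTENDED_HELLO = build_client_hello(SNI + TICKET)
```

Run against the first handshake record of a packet capture, an empty result confirms the client sent no extensions.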
