Hi! I did some more testing with 1.0.0beta4 and current 0.9.8-stable CVS branch to hopefully answer some of my questions.
On Mon, 9 Nov 2009 10:00:01 +0100 Tomas Hoger <[email protected]> wrote:

> Following cn18794 changed that however. After receiving Client Hello,
> server sends no reply to the client, calls SSL_clear and read-block in
> an attempt to read Hello. So both client and server are trying to
> read from the connection and neither detects the connection is not
> usable any more.

...

> - Is that intended behavior? Is server not sending alert on purpose?

0.9.8-stable does send an alert and tears down the connection immediately. So the behavior in 0.9.8l was not really intended.

> - Is SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION going to stay or
> disappear with the addition of reneg extension?

My bad, cn18804 answers that already:

  Unfortunately, SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION turns out to be a bad idea. It has been replaced by SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION which can be set with SSL_CTX_set_options().

> - Will all renegotiations remain banned by default even in versions
> with reneg extension implemented?

This is unclear: they are banned in 0.9.8-stable, but 1.0.0beta4 seems to allow all, even those without an extension.

> - In 0.9.8l, when server calls SSL_renegotiate / SSL_do_handshake, no
> Hello Request is sent. Will this behavior remain the same in future
> versions?

0.9.8-stable does send Hello Request.

th.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
