When running SSL_get_secure_renegotiation_support() with 0.9.8n/0.9.8o/1.0.0a against an IIS6 server (Win2003, I believe) which was patched with KB977377, the function returns that renegotiation is supported even though it's not. ( http://support.microsoft.com/kb/977377 )
However, when trying with the openssl client it gives the correct error response, as shown below. I've run the function against patched and unpatched versions of Apache/Linux and it reports correctly.

$ openssl s_client -connect N.N.N.N:443
CONNECTED(00000003)
depth=0 /C=SE/ST=Stockholm/L=Stockholm/O=XXXXXX AB (publ)/OU=XXXXXXXX AB/CN=www.XXXXXXXXXX.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=SE/ST=Stockholm/L=Stockholm/O=XXXXXX AB (publ)/OU=XXXXXXXX AB/CN=www.XXXXXXXXXX.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=SE/ST=Stockholm/L=Stockholm/O=XXXXXX AB (publ)/OU=XXXXXXXX AB/CN=www.XXXXXXXXXX.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=SE/ST=Stockholm/L=Stockholm/O=XXXXXX AB (publ)/OU=XXXXXXXX AB/CN=www.XXXXXXXXXX.com
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/[email protected]
---
Server certificate
-----BEGIN CERTIFICATE-----
certificate goes here
-----END CERTIFICATE-----
subject=/C=SE/ST=Stockholm/L=Stockholm/O=XXXXXX AB (publ)/OU=XXXXXXXX AB/CN=www.XXXXXXXXXX.com
issuer=/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/[email protected]
---
No client certificate CA names sent
---
SSL handshake has read 1067 bytes and written 333 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DES-CBC3-SHA
    Session-ID: E81600002C11491C0F2E1C8327EC9846611AFA2C8D2A4DFC52B0157B41997F9C
    Session-ID-ctx:
    Master-Key: 4508F5236A15D7476D1019F931E01632DBEBC54D112F4C771FA2703EECBFBB338C14A4076335E8C5D223A2642FE42A34
    Key-Arg   : None
    Start Time: 1276744773
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
R
RENEGOTIATING
16754:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:539:

--
Eric Kinolik
[email protected]

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
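The check the post relies on, an s_client session with "R" typed to force a renegotiation, can be scripted so that the advertised flag (the "Secure Renegotiation IS / IS NOT supported" line, which is the same value SSL_get_secure_renegotiation_support() reports) is compared with what actually happened when renegotiation was attempted. The script below is an added example and is not code from Eric Kinolik's post or from the OpenSSL project. It assumes that s_client starts a renegotiation when it reads "R" on stdin after the handshake and that the -tls1_2 option exists (OpenSSL 1.0.1 and later; renegotiation does not exist in TLS 1.3); the transcripts it is tested against are constructed, the first of them abridged from the session quoted above.

```shell
#!/bin/sh
# Added example; not code from the post above or from the OpenSSL project.
# Interprets the transcript of an "openssl s_client" session in which "R"
# was typed to force a renegotiation, and compares the advertised flag with
# the outcome of the renegotiation attempt.

# classify_reneg_output TRANSCRIPT
# Prints one label:
#   advertised+ok            flag says supported, renegotiation raised no error
#   advertised+failed        flag says supported, yet renegotiation failed
#                            (the kind of discrepancy worth investigating)
#   not-advertised+refused   flag says not supported and renegotiation failed
#                            (expected: the client refuses unsafe renegotiation)
#   not-advertised+legacy-ok no RI advertised, yet renegotiation went through
#                            (unsafe legacy renegotiation was allowed)
#   no-flag / no-attempt     transcript is incomplete; exit status 2
classify_reneg_output() {
    out=$1
    case $out in
        *"Secure Renegotiation IS NOT supported"*) flag=not-advertised ;;
        *"Secure Renegotiation IS supported"*)     flag=advertised ;;
        *) printf 'no-flag\n'; return 2 ;;
    esac
    case $out in
        *RENEGOTIATING*) ;;
        *) printf 'no-attempt\n'; return 2 ;;
    esac
    # Only errors printed after the RENEGOTIATING marker count: the
    # "verify error:num=..." lines earlier in a transcript concern the
    # certificate chain, not renegotiation.
    after=${out#*RENEGOTIATING}
    case $after in
        *"error:"*) reneg=failed ;;
        *)          reneg=ok ;;
    esac
    case "$flag/$reneg" in
        advertised/ok)         printf 'advertised+ok\n' ;;
        advertised/failed)     printf 'advertised+failed\n' ;;
        not-advertised/failed) printf 'not-advertised+refused\n' ;;
        not-advertised/ok)     printf 'not-advertised+legacy-ok\n' ;;
    esac
    return 0
}

# probe_reneg HOST [PORT]
# Live probe (assumption about s_client behaviour): "R" on stdin makes it
# renegotiate once the handshake is complete, and the EOF that follows ends
# the session. The connection is pinned to TLS 1.2 with -tls1_2 (assumed to
# exist; OpenSSL 1.0.1 and later), since TLS 1.3 has no renegotiation.
probe_reneg() {
    host=$1
    port=${2:-443}
    transcript=$(printf 'R\n' | openssl s_client -connect "$host:$port" -tls1_2 2>&1)
    classify_reneg_output "$transcript"
}

# Constructed sample transcripts (abridged). The first follows the session
# quoted in the post; the other two are made up to exercise the remaining
# outcomes and do not come from any real server.
SAMPLE_UNPATCHED='Secure Renegotiation IS NOT supported
Compression: NONE
    Verify return code: 21 (unable to verify the first certificate)
---
R
RENEGOTIATING
16754:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:539:'

SAMPLE_ADVERTISED_BUT_FAILED='Secure Renegotiation IS supported
Compression: NONE
---
R
RENEGOTIATING
12345:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:539:'

SAMPLE_PATCHED='Secure Renegotiation IS supported
Compression: NONE
---
R
RENEGOTIATING
depth=0 CN = www.example.com
verify return:1'

classify_reneg_output "$SAMPLE_UNPATCHED"             # not-advertised+refused
classify_reneg_output "$SAMPLE_ADVERTISED_BUT_FAILED" # advertised+failed
classify_reneg_output "$SAMPLE_PATCHED"               # advertised+ok
```

Against a real host, `probe_reneg www.example.com` runs the session and prints the label; a result of advertised+failed is the situation the post describes, where the flag alone would have reported the server as patched.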
