Why are you modifying OpenSSL for this? This is a Microsoft bug - have you reported it to Microsoft?
On 30/06/2011 19:58, Andrey Kulikov via RT wrote:
> Now it is not possible to disable sending the renegotiation_info extension
> from the server. The only way to do it is to disable TLS extensions
> completely, which may not be considered acceptable.
>
> But this is required for compatibility with clients which can't understand
> this extension (but do require other extensions). Among others, these are
> Windows clients which do not support KB980436 correctly (KB980436 is a
> Windows Update implementing RFC5746 (http://tools.ietf.org/html/rfc5746)
> "TLS Renegotiation Indication Extension", http://support.microsoft.com/kb/980436).
>
> When this update is not installed and the server does send the
> renegotiation_info extension, they work. But if this update is installed,
> they crash/do not work when they receive the renegotiation_info extension. :(
>
> The supplied patch introduces a new option SSL_OP_DO_NOT_SEND_RI. When it is
> set on a context, the renegotiation_info extension will not be sent. Please
> note that this will not disable secure renegotiation, but just disables
> sending the renegotiation_info extension (which may be considered as equal).
>
> This is enabled by specifying the option
> -not_send_ri
> to s_server and s_client.
>
> In addition, the patch introduces the option -handle_cpro_bug to s_server,
> which explicitly enables the option SSL_OP_CRYPTOPRO_TLSEXT_BUG. Yes, it is
> also possible by specifying the -bugs option to s_server, but the presence of
> SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER in SSL_OP_ALL prevents the server from
> parsing the ClientHello at all:
>
> SSL_accept:error in SSLv3 read client hello B
> 3066799772:error:1408F044:SSL routines:SSL3_GET_RECORD:internal error:s3_pkt.c:308:
>
> In order to apply the patch, go to the OpenSSL working directory and execute
> the following command:
>
> patch -p1 -l -u -b -i not_send_reneg_info.patch
>
> Please let me know if you have any questions.
>
> Andrey.
>
> P.S. There are no more slots for new SSL_OP_* - I used the last available
> one!
> :(

-- 
http://www.apache-ssl.org/ben.html           http://www.links.org/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
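The thread turns on whether a server's hello carries the RFC 5746 renegotiation_info extension (and whether a client advertises support via the extension or the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite). When auditing a deployment that has toggled an option like the proposed SSL_OP_DO_NOT_SEND_RI, it helps to inspect the raw handshake rather than trust the configuration. The following is an added example, not Andrey's patch and not OpenSSL code: a small standalone parser that takes one Hello handshake message (record layer already stripped) and reports whether the secure-renegotiation signal is present. The function and helper names (hello_signals_secure_renegotiation, build_sample_hello, check_sample) are my own, and the sample ClientHello/ServerHello bytes are constructed inline; only the extension type 0xff01 and the SCSV value 0x00ff come from RFC 5746.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS_HS_CLIENT_HELLO 1
#define TLS_HS_SERVER_HELLO 2
#define TLSEXT_TYPE_RENEGOTIATION_INFO    0xff01  /* RFC 5746, section 3.2 */
#define TLS_EMPTY_RENEGOTIATION_INFO_SCSV 0x00ff  /* RFC 5746, section 3.3 */

enum { RI_ERROR = -1, RI_ABSENT = 0, RI_PRESENT = 1 };

static uint16_t rd16(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse a ClientHello or ServerHello handshake message (handshake header included,
 * record layer excluded). Returns RI_PRESENT if the renegotiation_info extension is
 * present (or, for a ClientHello, the SCSV), RI_ABSENT if the hello is well formed
 * but carries neither, and RI_ERROR on truncated or malformed input. */
int hello_signals_secure_renegotiation(const unsigned char *hs, size_t len)
{
    if (len < 4) return RI_ERROR;
    int type = hs[0];
    size_t body_len = ((size_t)hs[1] << 16) | ((size_t)hs[2] << 8) | hs[3];
    if (body_len != len - 4) return RI_ERROR;          /* length must match exactly */
    const unsigned char *p = hs + 4, *end = hs + len;
    int found = 0;

    if (end - p < 2 + 32 + 1) return RI_ERROR;
    p += 2 + 32;                                        /* legacy_version, random */
    size_t sid_len = *p++;                              /* session_id<0..32> */
    if ((size_t)(end - p) < sid_len) return RI_ERROR;
    p += sid_len;

    if (type == TLS_HS_CLIENT_HELLO) {
        if (end - p < 2) return RI_ERROR;
        size_t cs_len = rd16(p); p += 2;                /* cipher_suites<2..2^16-2> */
        if (cs_len % 2 || (size_t)(end - p) < cs_len) return RI_ERROR;
        for (size_t i = 0; i < cs_len; i += 2)
            if (rd16(p + i) == TLS_EMPTY_RENEGOTIATION_INFO_SCSV) found = 1;
        p += cs_len;
        if (end - p < 1) return RI_ERROR;
        size_t cm_len = *p++;                           /* compression_methods<1..255> */
        if ((size_t)(end - p) < cm_len) return RI_ERROR;
        p += cm_len;
    } else if (type == TLS_HS_SERVER_HELLO) {
        if (end - p < 3) return RI_ERROR;
        p += 3;                                         /* cipher_suite, compression_method */
    } else {
        return RI_ERROR;
    }

    if (p == end) return found ? RI_PRESENT : RI_ABSENT; /* extensions block is optional */
    if (end - p < 2) return RI_ERROR;
    size_t ext_len = rd16(p); p += 2;
    if ((size_t)(end - p) != ext_len) return RI_ERROR;
    while (p < end) {                                   /* walk extension_type, length, data */
        if (end - p < 4) return RI_ERROR;
        uint16_t et = rd16(p), el = rd16(p + 2); p += 4;
        if ((size_t)(end - p) < el) return RI_ERROR;
        if (et == TLSEXT_TYPE_RENEGOTIATION_INFO) found = 1;
        p += el;
    }
    return found ? RI_PRESENT : RI_ABSENT;
}

/* Constructed sample hello (not captured traffic): TLS 1.2, empty session id,
 * TLS_RSA_WITH_AES_128_CBC_SHA. with_ri adds the SCSV (client) or an empty
 * renegotiation_info extension (server). Returns the message length. */
size_t build_sample_hello(unsigned char *out, int type, int with_ri)
{
    unsigned char *p = out + 4;
    *p++ = 0x03; *p++ = 0x03;
    memset(p, 0x11, 32); p += 32;
    *p++ = 0;
    if (type == TLS_HS_CLIENT_HELLO) {
        *p++ = 0; *p++ = (unsigned char)(with_ri ? 4 : 2);
        *p++ = 0x00; *p++ = 0x2f;
        if (with_ri) { *p++ = 0x00; *p++ = 0xff; }
        *p++ = 1; *p++ = 0;
    } else {
        *p++ = 0x00; *p++ = 0x2f; *p++ = 0;
        if (with_ri) {
            const unsigned char ri[] = {0x00, 0x05, 0xff, 0x01, 0x00, 0x01, 0x00};
            memcpy(p, ri, sizeof ri); p += sizeof ri;
        }
    }
    size_t body = (size_t)(p - out - 4);
    out[0] = (unsigned char)type;
    out[1] = (unsigned char)(body >> 16); out[2] = (unsigned char)(body >> 8);
    out[3] = (unsigned char)body;
    return (size_t)(p - out);
}

/* Build a sample, optionally drop trailing bytes to simulate truncation, and parse it. */
int check_sample(int type, int with_ri, size_t truncate_bytes)
{
    unsigned char buf[128];
    size_t n = build_sample_hello(buf, type, with_ri);
    return hello_signals_secure_renegotiation(buf, n - truncate_bytes);
}

int main(void)
{
    printf("ServerHello with RI:     %d\n", check_sample(TLS_HS_SERVER_HELLO, 1, 0));
    printf("ServerHello without RI:  %d\n", check_sample(TLS_HS_SERVER_HELLO, 0, 0));
    printf("ClientHello with SCSV:   %d\n", check_sample(TLS_HS_CLIENT_HELLO, 1, 0));
    printf("Truncated ServerHello:   %d\n", check_sample(TLS_HS_SERVER_HELLO, 1, 1));
    return 0;
}
```

A ServerHello that returns RI_ABSENT from a server believed to support RFC 5746 is exactly the condition a -not_send_ri style option would create, so this check is a cheap way to confirm what peers actually see. Truncated or length-inconsistent input is rejected rather than partially parsed, which matters when the bytes come from a capture rather than a trusted library.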