FYI - I have now tested with 1.0.1 beta 2 of openssl (again compiled on powerpc/linux) as well and found the same behavior. I also tested against IIS on Windows 7 64-bit as the server with the same behavior. Maybe that will help with the search for a suitable test server.

Test used

$ openssl s_client -connect stk-pc.a51.lab:443 -cert /config/lighttpd/ssl.pem -CAfile /user/http_calist.pem -no_tls1_2 -no_tls1_1

Works

But

[C90-A:~] $ openssl s_client -connect stk-pc.a51.lab:443 -cert /config/lighttpd/ssl.pem -CAfile /user/http_calist.pem

Does not and fails with an error 104 - which is IIS doing a hard reset on the connection and reports bad_mac_record in Windows' schannel provider.

If you still cannot find a suitable test server, I may be able to arrange one on a public IP, but that would have to be something done as a coordinated test and I would have to take that off-list to discuss.

Thx
-Steve

-----Original Message-----
From: Stephen Henson via RT [mailto:r...@openssl.org]
Sent: Tuesday, February 07, 2012 2:44 PM
To: Steve Kapinos (stkapino)
Cc: openssl-dev@openssl.org
Subject: [openssl.org #2702] TLS bad_mac_record with IIS 7 and client authentication

> [stkap...@cisco.com - Mon Feb 06 23:58:36 2012]:
>
> Hrm.. zip checks out in the sent mail. Opens with 7zip ok. Here is
> an alt download location -
> http://dl.dropbox.com/u/43502643/ssldebug.zip
>

Thanks, that seems OK.

> I would like to
> test with the newer versions, but that is difficult for me due to
> getting new builds on the platform. Was hoping since IIS is such a
> common webserver the openssl team would have experience or access
> to one to confirm the behavior or say it's not reproducible so I can
> push harder on the platform guys.
>

The public test server I normally access is down atm. Does anyone know of a public IIS test server requiring client authentication?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org