On Thu, Mar 29, 2012 at 09:46:34PM +0200, Kurt Roeckx wrote:
> On Sun, Mar 25, 2012 at 01:52:22PM +0200, Stephen Henson via RT wrote:
> > > [steve - Sun Mar 25 13:11:30 2012]:
> > >
> > > I've done some more tests and it seems that the size of the client hello
> > > message is significant: all the options that work reduce the size of
> > > client hello. If you use the -debug option and check out the first
> > > message bytes 4 and 5 it seems those servers hang if the length exceeds
> > > 0xFF (using two bytes instead of one).
> > >
> >
> > If you use the option "-servername <very long string>" you can precisely
> > control the size of the client hello. If you use that to make client
> > hello long enough you get the hang with OpenSSL 1.0.0h and earlier as well.
>
> So I'm getting more and more reports of sites that have a problem
> since 1.0.1. They basically fall in 2 categories:
> - They don't tolerate versions higher than TLS 1.0
> - They don't like big packets.
>
> Of the 2nd case I have at least found people complain about those
> sites:
> - www.facebook.com
> - www.paypal.com
Those seem to work with the 1.0.1a version, even when the packets are
still bigger than 256. It's sending a TLS 1.2 ClientHello in a TLS 1.0
packet now.

> - sourceforge.net

This one still fails, but I believe that that was caused by the load
balancer of F5 Networks (Big IP).


Kurt

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
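An added worked example, not code from the thread or from OpenSSL: it builds a minimal TLS ClientHello record in pure Python so the two things discussed above can be measured offline, namely how the "-servername" length drives the record length past 0xFF (two-byte length in the record header), and what a TLS 1.2 hello carried in a TLS 1.0 record looks like at the byte level, which is the 1.0.1a behaviour Kurt describes. Field layout follows RFC 5246 (record and handshake headers) and RFC 6066 (server_name extension). The cipher-suite list, the zero client_random and the helper names (build_client_hello, inspect_hello, smallest_sni_over_0xff) are constructed for the example; OpenSSL 1.0.1's real default suite list is much longer, which is why its hello crossed the 0xFF boundary without any SNI at all.

```python
import struct

# Constructed, deliberately short cipher-suite list (example only).
DEFAULT_SUITES = [0x002F, 0x0035, 0x003C, 0x009C]


def build_client_hello(server_name, record_version=(3, 1), hello_version=(3, 3),
                       cipher_suites=None, client_random=bytes(32)):
    """Return one TLS record carrying a ClientHello.

    record_version goes in the 5-byte record header; hello_version is the
    client_version field inside the handshake body. The defaults mirror the
    1.0.1a behaviour described in the thread: TLS 1.2 hello, TLS 1.0 record.
    """
    if cipher_suites is None:
        cipher_suites = DEFAULT_SUITES
    name = server_name.encode("ascii")

    # server_name extension (RFC 6066): ServerNameList with one host_name entry.
    entry = b"\x00" + struct.pack("!H", len(name)) + name        # type 0 + len + name
    name_list = struct.pack("!H", len(entry)) + entry
    sni_ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext

    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (bytes(hello_version)
            + client_random                                       # 32 bytes, zeroed here
            + b"\x00"                                             # session_id length 0
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                         # one compression method: null
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello
    return (b"\x16" + bytes(record_version)                       # ContentType handshake
            + struct.pack("!H", len(handshake)) + handshake)


def inspect_hello(record):
    """Extract the fields the thread is looking at in the -debug hex dump.

    The record length sits at offsets 3-4 (0-indexed); once the handshake
    message exceeds 0xFF bytes the high byte of that field becomes non-zero,
    which is the condition the intolerant servers trip over.
    """
    record_length = struct.unpack("!H", record[3:5])[0]
    return {
        "record_version": tuple(record[1:3]),
        "record_length": record_length,
        "hello_version": tuple(record[9:11]),      # client_version after the 4-byte handshake header
        "two_byte_length": record_length > 0xFF,
    }


def smallest_sni_over_0xff():
    """Shortest server_name (with DEFAULT_SUITES) whose record length exceeds 0xFF."""
    n = 1
    while not inspect_hello(build_client_hello("x" * n))["two_byte_length"]:
        n += 1
    return n


if __name__ == "__main__":
    for name in ("www.example.com", "x" * smallest_sni_over_0xff()):
        print(len(name), inspect_hello(build_client_hello(name)))
    # Plain TLS 1.2 framing, for comparison with the 1.0.1a-style default.
    print(inspect_hello(build_client_hello("www.example.com", record_version=(3, 3))))
```

Feeding the output of build_client_hello to a suspect server over a raw socket (not shown) reproduces the test Steve describes without depending on which options a given OpenSSL build exposes; lengthening server_name is the knob, and the record_version argument lets you separate "does not like big packets" from "does not tolerate versions above TLS 1.0".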
