SBR uses OpenSSL 0.9.7e and has its own extension parsing code (0.9.7e base 
code just ignores anything after the base ClientHello).  SBR only explicitly 
handles the SessionTicket extension (for EAP-FAST); all others appear to be 
properly skipped, and SBR certainly knows nothing about the heartbeat extension.

For the case where SBR is failing it would be useful to see the data stream 
being sent.  I have built our Odyssey Access Client with OpenSSL 1.0.1 and have 
not had this issue negotiating with SBR but maybe I did not explicitly try 
PEAP.  Since this code in SBR has been present for several years and I know 
I've seen it ignore other extensions, perhaps it is a client side issue that 
enabling the heartbeat extension is having some other side effect?

BCCing Robert D, you can send me logs at etkal <at> juniper <dot> net if you 
like and I'll take a look.

  Erik

....................................
Erik Tkal
Juniper OAC/UAC/Pulse Development
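
To make the extension-skipping behaviour discussed above concrete, here is an added example; it is not code from this thread, from SBR, Odyssey or OpenSSL. It models a server that, like SBR as described, only understands the SessionTicket extension and walks over every other type (including heartbeat and an arbitrary unassigned type) without acting on it, while still rejecting length-inconsistent or duplicated extensions. The extension type numbers are the IANA-registered ones; the sample ClientHello extension block is constructed here.

```python
import struct

# Extension type numbers from the IANA TLS ExtensionType registry.
EXT_SERVER_NAME = 0       # RFC 6066
EXT_HEARTBEAT = 15        # RFC 6520
EXT_SESSION_TICKET = 35   # RFC 5077

# Extension types this toy server actually understands (assumption: only
# SessionTicket, mirroring the SBR behaviour described in the thread).
# Everything else is walked over and ignored rather than treated as an error.
KNOWN = {EXT_SESSION_TICKET}


def build_extensions(exts):
    """Encode a list of (type, data) pairs as a ClientHello extensions block:
    a 2-byte total length, then type(2) length(2) data for each extension."""
    body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    return struct.pack("!H", len(body)) + body


def parse_extensions(buf):
    """Walk a ClientHello extensions block and return a list of (type, data).

    Raises ValueError on a length that runs past the buffer, on trailing
    bytes, or on a duplicated type, so malformed input is rejected instead
    of being misparsed."""
    if len(buf) < 2:
        raise ValueError("missing extensions length")
    (total,) = struct.unpack("!H", buf[:2])
    if 2 + total != len(buf):
        raise ValueError("extensions length does not match buffer")
    pos, end = 2, 2 + total
    seen, result = set(), []
    while pos < end:
        if end - pos < 4:
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack("!HH", buf[pos:pos + 4])
        pos += 4
        if pos + ext_len > end:
            raise ValueError("extension %d length runs past block" % ext_type)
        if ext_type in seen:
            raise ValueError("duplicate extension %d" % ext_type)
        seen.add(ext_type)
        result.append((ext_type, bytes(buf[pos:pos + ext_len])))
        pos += ext_len
    return result


def handle_client_hello_extensions(buf):
    """Model the server side: report which known extension types were acted
    on and which unknown types were skipped untouched."""
    acted, skipped = [], []
    for ext_type, _data in parse_extensions(buf):
        (acted if ext_type in KNOWN else skipped).append(ext_type)
    return {"acted": acted, "skipped": skipped}


def is_malformed(buf):
    """True if the block is rejected by the parser (used to show that
    skipping unknown types does not mean accepting broken framing)."""
    try:
        parse_extensions(buf)
    except ValueError:
        return True
    return False


# Constructed sample: SNI for "localhost", the heartbeat extension with mode
# byte 1 (peer_allowed_to_send), an empty SessionTicket, and an unassigned
# type 0xFF01 standing in for "any other unknown extension".
SAMPLE = build_extensions([
    (EXT_SERVER_NAME, b"\x00\x0c\x00\x00\x09localhost"),
    (EXT_HEARTBEAT, b"\x01"),
    (EXT_SESSION_TICKET, b""),
    (0xFF01, b"\x00"),
])

# Constructed malformed sample: the inner extension claims 10 bytes of data
# but the block only has room for the 4-byte header.
TRUNCATED = struct.pack("!H", 4) + struct.pack("!HH", EXT_HEARTBEAT, 10)

if __name__ == "__main__":
    print(handle_client_hello_extensions(SAMPLE))
    print("truncated block rejected:", is_malformed(TRUNCATED))
```

A server that behaves this way answers Steve's question below in the negative: the heartbeat extension and a completely unknown type are treated identically, so an alert triggered specifically by heartbeat would point at something other than the extension walker itself.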



-----Original Message-----
From: owner-openssl-...@openssl.org [mailto:owner-openssl-...@openssl.org] On 
Behalf Of Stephen Henson via RT
Sent: Thursday, June 07, 2012 6:35 PM
To: openssl...@trk.nickurak.ca
Cc: openssl-dev@openssl.org
Subject: [openssl.org #2825] Bug: Unable to connect to WPA enterprise wireless 

> [openssl-dev@openssl.org - Fri Jun 08 00:27:27 2012]:
> 
> This is almost identical to an issue we found with openssl 1.0.1b and 
> Juniper SBR version v6.13.4949. In our case we traced it to the 
> heartbeat extension. When the extension is sent in the ClientHello, PEAP 
> negotiation fails with a fatal bad certificate alert.
> By adding # define OPENSSL_NO_HEARTBEATS to opensslconf.h we disabled 
> the extension and PEAP negotiation is successful.
> 
> There really should be an API to disable this extension so that it can 
> be enabled in use cases where it is needed and disabled in use cases 
> where it breaks negotiation.
> 

That's rather strange behaviour: the presence of a (presumably
unsupported) extension causes a bad certificate alert? Is it just the heartbeat 
extension that triggers this, or would the presence of any unknown extension 
cause a similar problem?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org