On Thu, Dec 23, 2004, Maruthi Bhaskar (maruthi) wrote:

> Folks,
> The setup involves a http client posting a transaction to
> a webmethods server. Stunnel is being used in client mode
> for ssl. I am being told that SSL for webmethods is from the IAIK stack.
> I apologize in advance for the lack of specific details at the moment,
> but will provide them as soon as they are obtained.
>
> The interop problem is with 0.9.7d (no hardware switch was used, but I
> do not know at the moment whether this is relevant to the issue at hand).
> The setup works fine with 0.9.6b with all others remaining constant.
> However, with 0.9.7d, it seems that an empty record (unable to deduce if
> the 24B length reported by ssldump indicates a truly empty record) is
> being written first,
> and the second record carries all of the data. With 0.9.6b on
> the other hand, the very first app record carries all the data and
> things work fine. Given these external symptoms as viewed with ssldump,
> I am guessing that the 0.9.7d behaviour is
> unacceptable to IAIK/Webmethods.
>
> What are the differences between openssl-engine-0.9.6b and
> openssl-0.9.7d wrt SSL_write that might explain this, if at all?
> Why/what is this first
> app record with 0.9.7d? ssldump o/p in either case is included below.
> (Pls search for [EMAIL PROTECTED]@ to get to the relevant sections in ssldump)
>
> Thanks in advance for all responses, and for any advice on how to
> further debug such situations (gdb bio?).
>

This may be due to the fact that more recent versions protect against a
certain attack by including empty fragments. This is permitted in the
spec but some implementations don't like it.

There are various flags which can be set to disable this behaviour. How
you enable them depends on the application you are using.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [EMAIL PROTECTED]
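
On the 24-byte record asked about in the thread: for a CBC suite with a 20-byte SHA-1 MAC and an 8-byte block, a record with no plaintext is exactly 24 bytes on the wire. The added example below (not code from the thread or from OpenSSL) computes that length and scans record headers for an empty-fragment candidate followed directly by a data record. The cipher parameters, the TLS 1.0 version bytes and the sample capture are assumptions constructed for illustration, since the thread does not name the cipher suite.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Smallest CBC record body: MAC + 1 padding-length byte, rounded up to
 * the block size (SSLv3/TLS 1.0 layout, minimal padding assumed). */
size_t empty_record_len(size_t mac_len, size_t block_len)
{
    return (mac_len + 1 + block_len - 1) / block_len * block_len;
}

/* Count application_data (type 23) records of empty-record length that are
 * directly followed by another one. Returns -1 on a truncated record. */
int count_empty_fragment_candidates(const uint8_t *buf, size_t len,
                                    size_t mac_len, size_t block_len)
{
    size_t empty = empty_record_len(mac_len, block_len), off = 0;
    int hits = 0, prev_candidate = 0;
    while (off < len) {
        if (len - off < 5) return -1;              /* header is 5 bytes */
        size_t rlen = ((size_t)buf[off + 3] << 8) | buf[off + 4];
        if (rlen > len - off - 5) return -1;       /* body cut short */
        int is_app = (buf[off] == 23);
        if (is_app && prev_candidate) hits++;
        prev_candidate = is_app && rlen == empty;
        off += 5 + rlen;
    }
    return hits;
}

/* Constructed sample: write one record header plus a zeroed body. */
size_t put_record(uint8_t *p, uint8_t type, uint16_t rlen)
{
    uint8_t hdr[5] = { type, 3, 1, (uint8_t)(rlen >> 8), (uint8_t)rlen };
    memcpy(p, hdr, 5);
    memset(p + 5, 0, rlen);
    return 5 + (size_t)rlen;
}

int main(void)
{
    uint8_t cap[256];
    size_t n = put_record(cap, 23, 24);   /* candidate empty fragment */
    n += put_record(cap + n, 23, 104);    /* record carrying the data */
    printf("empty=%zu candidates=%d\n", empty_record_len(20, 8),
           count_empty_fragment_candidates(cap, n, 20, 8));
    return 0;
}
```

A matching length only marks a candidate: with these parameters a record carrying 1 to 3 plaintext bytes is also 24 bytes long. The OpenSSL option that turns the countermeasure off is `SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS`, at the cost of the CBC protection the reply mentions.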
