Pls read inline...

> > The interop problem is with 0.9.7d (no hardware switch was used, but I
> > do not know at the moment whether this is relevant to the issue at
> > hand). The setup works fine with 0.9.6b with all others remaining
> > constant. However, with 0.9.7d, it seems that an empty record (unable
> > to deduce if the 24B length reported by ssldump indicates a truly
> > empty record) is being written first, and the second record carries
> > all of the data. With 0.9.6b on the other hand, the very first app
> > record carries all the data and things work fine. Given these external
> > symptoms as viewed with ssldump, I am guessing that the 0.9.7d
> > behaviour is unacceptable to IAIK/Webmethods.
> >
> > What are the differences between openssl-engine-0.9.6b and
> > openssl-0.9.7d wrt SSL_write that might explain this, if at all?
> > Why/what is this first app record with 0.9.7d? ssldump o/p in either
> > case is included below. (Pls search for [EMAIL PROTECTED]@ to get to the
> > relevant sections in ssldump)
> >
> > Thanks in advance for all responses, and for any advice on how to
> > further debug such situations (gdb bio?).
> >
>
> This may be due to the fact that more recent versions protect
> against a certain attack by including empty fragments. This
> is permitted in the spec but some implementations don't like it.
>
> There are various flags which can be set to disable this
> behaviour. How you enable them depends on the application you
> are using.

Is it true that the attack mitigation would deterministically send an empty record first, or is it a coincidence of the implementation and the window I am looking at? What are these flags, and could you please point me to ptrs/docs for handling them?

I am using stunnel for ssl proxying, but the test results I posted are from a simple http client that is SSL capable. IOW, I do maintain the code and can hence use any openssl api that might control these flags (not necessarily an app level knob).

-Maruthi

> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [email protected]
> Automated List Manager                           [EMAIL PROTECTED]
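
Added example, not part of the original thread and not OpenSSL code: a record-length calculation for SSLv3/TLS 1.0 CBC records showing why a 24-byte application record is consistent with an empty fragment, plus a check for the "empty record, then data" pattern in a list of observed record lengths. The 8-byte block and 20-byte MAC are assumptions (the thread does not name the cipher suite), and the traces are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed suite parameters (not stated in the thread): 8-byte CBC block
 * (DES/3DES) and 20-byte HMAC-SHA1, SSLv3/TLS 1.0 with no explicit IV. */
#define BLOCK 8
#define MAC   20

/* Smallest ciphertext length for `plain` bytes: data + MAC + at least one
 * padding-length byte, rounded up to a whole number of blocks. */
size_t cbc_record_len(size_t plain, size_t mac, size_t block)
{
    size_t n = plain + mac + 1;
    return (n + block - 1) / block * block;
}

/* Largest plaintext that fits a record of `rec` bytes; -1 if `rec` is not a
 * valid CBC record length for these parameters. */
long max_plain_for(size_t rec, size_t mac, size_t block)
{
    if (rec % block != 0 || rec < mac + 1)
        return -1;
    return (long)(rec - mac - 1);
}

/* Count records in a trace of application-data record lengths that have the
 * minimum possible length and are directly followed by a larger record:
 * the "empty fragment, then data" pattern described in the thread. */
size_t count_empty_prefixes(const size_t *lens, size_t n, size_t mac, size_t block)
{
    size_t hits = 0, empty = cbc_record_len(0, mac, block);
    for (size_t i = 0; i + 1 < n; i++)
        if (lens[i] == empty && lens[i + 1] > empty)
            hits++;
    return hits;
}

int main(void)
{
    /* Constructed traces of application-data record lengths. */
    const size_t with_prefix[] = { 24, 152, 24, 64 };
    const size_t without[]     = { 152, 64 };
    printf("empty record length: %zu\n", cbc_record_len(0, MAC, BLOCK));
    printf("max plaintext in 24 bytes: %ld\n", max_plain_for(24, MAC, BLOCK));
    printf("prefixes: %zu vs %zu\n",
           count_empty_prefixes(with_prefix, 4, MAC, BLOCK),
           count_empty_prefixes(without, 2, MAC, BLOCK));
    return 0;
}
```

Under these assumptions a 24-byte record can hold between 0 and 3 plaintext bytes, so the length alone does not prove the record is empty. In OpenSSL the countermeasure is controlled by the `SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS` option of `SSL_CTX_set_options()`; setting it removes the protection for CBC suites.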
