Had just figured this detail from ssl.h and s3_enc.c given your previous mail. Disabled the behaviour in my code. Works!

Thanks a LOT and happy holidays.

-Maruthi

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dr. Stephen Henson
> Sent: Thursday, December 23, 2004 4:22 PM
> To: [email protected]
> Subject: Re: openssl 0.9.7d webmethods interop problem
>
> On Thu, Dec 23, 2004, Maruthi Bhaskar (maruthi) wrote:
>
> > Pls read inline...
> >
> > > > The interop problem is with 0.9.7d (no hardware switch was used, but I
> > > > do not know at the moment whether this is relevant to the issue at
> > > > hand). The setup works fine with 0.9.6b with all others remaining
> > > > constant. However, with 0.9.7d, it seems that an empty record (unable
> > > > to deduce if the 24B length reported by ssldump indicates a truly
> > > > empty record) is being written first, and the second record carries
> > > > all of the data. With 0.9.6b on the other hand, the very first app
> > > > record carries all the data and things work fine. Given these external
> > > > symptoms as viewed with ssldump, I am guessing that the 0.9.7d
> > > > behaviour is unacceptable to IAIK/Webmethods.
> > > >
> > > > What are the differences between openssl-engine-0.9.6b and
> > > > openssl-0.9.7d wrt SSL_write that might explain this, if at all?
> > > > Why/what is this first app record with 0.9.7d? ssldump o/p in either
> > > > case is included below. (Pls search for [EMAIL PROTECTED]@ to get to
> > > > the relevant sections in ssldump)
> > > >
> > > > Thanks in advance for all responses, and for any advice on how to
> > > > further debug such situations (gdb bio?).
> > > >
> > >
> > > This may be due to the fact that more recent versions protect against
> > > a certain attack by including empty fragments. This is permitted in
> > > the spec but some implementations don't like it.
> > >
> > > There are various flags which can be set to disable this behaviour.
> > > How you enable them depends on the application you are using.
> >
> > Is it true that the attack mitigation would deterministically send an
> > empty record first, or is it a coincidence of the implementation and
> > the window I am looking at?
> >
>
> I think it does send an empty fragment first.
>
> > What are these flags, and could you please point me to ptrs/docs
> > for handling them? I am using stunnel for ssl proxying, but the test
> > results I posted are from a simple http client that is SSL capable.
> > IOW, I do maintain the code and can hence use any openssl api that
> > might control these flags (not necessarily an app level knob).
> >
>
> These are the various things enabled when the -bugs option is used on the
> command line to s_client/s_server. They are documented in the
> SSL_CTX_set_options() manual page, that specific one is
> SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [email protected]
> Automated List Manager [EMAIL PROTECTED]
> ______________________________________________________________________
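Steve's answer ends with the knob itself: SSL_CTX_set_options() and the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit. The snippet below is an added example, not code from this thread, from OpenSSL, or from stunnel. It drives the same OpenSSL option through Python's `ssl` module (whose `SSLContext.options` property wraps SSL_CTX_set_options/SSL_CTX_clear_options), and it assumes the option's numeric value is 0x00000800 as defined in OpenSSL's ssl.h, because the Python module has no named constant for it; the function names are mine. The check function is there so that the workaround is confirmed on the context rather than assumed, and the interop helper is deliberately per-context so the countermeasure Steve refers to is only switched off for the one peer that rejects the empty record.

```python
"""Toggle OpenSSL's empty-fragment countermeasure from Python's ssl module.

Added example (not from the mailing-list thread). Assumes the Python ssl
module is linked against OpenSSL and that SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
has the value 0x00000800 from OpenSSL's ssl.h (assumption: Python does not
export this option by name, so it is hard-coded here).
"""
import ssl

# Assumed value of SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS (OpenSSL ssl.h).
OP_DONT_INSERT_EMPTY_FRAGMENTS = 0x00000800


def empty_fragments_inserted(ctx: ssl.SSLContext) -> bool:
    """Return True while OpenSSL will still prepend an empty record to each
    CBC application-data write, i.e. while the countermeasure is active."""
    return not (int(ctx.options) & OP_DONT_INSERT_EMPTY_FRAGMENTS)


def allow_interop_with_strict_peer(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """Set the option on this context only, for a peer that rejects the empty
    first record (the situation in the thread). This disables the
    countermeasure OpenSSL added in 0.9.7, so keep it scoped to that peer."""
    ctx.options = int(ctx.options) | OP_DONT_INSERT_EMPTY_FRAGMENTS
    return ctx


def restore_countermeasure(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """Clear the option again so empty fragments are inserted as usual."""
    ctx.options = int(ctx.options) & ~OP_DONT_INSERT_EMPTY_FRAGMENTS
    return ctx


def describe(ctx: ssl.SSLContext) -> str:
    """Human-readable state for logging when diagnosing interop problems."""
    state = "inserted" if empty_fragments_inserted(ctx) else "NOT inserted"
    return f"empty CBC fragments {state} (options=0x{int(ctx.options):x})"


if __name__ == "__main__":
    # Constructed client context; no network connection is made here.
    client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    print("default:      ", describe(client_ctx))
    allow_interop_with_strict_peer(client_ctx)
    print("interop mode: ", describe(client_ctx))
    restore_countermeasure(client_ctx)
    print("restored:     ", describe(client_ctx))
```

Whether the bit is already set on a fresh context depends on the Python and OpenSSL builds, which is why the code reads it back with `empty_fragments_inserted()` instead of trusting a default; when diagnosing a peer that chokes on the first record, log `describe(ctx)` next to the ssldump capture so the two can be correlated.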
