On Mon, Jan 25, 2010, Frederick Shotton wrote:

> Hi Steve,
> 
> I tried the new fix and it did not work for me. The Apache only fix did
> make renegotiation work however. The new fix hangs with the following
> output on s_client:
> 
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Server public key is 1024 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : DHE-RSA-AES256-SHA
>     Session-ID: 62ABA153873FB6B1739D45679F686975BD80C45E8B6428ACD465E44652941B08
>     Session-ID-ctx:
>     Master-Key: 09A9AB1A2499B6D4327FF84026111E829BC4077DD694A9AAA37E1B0AF641BE2DB651FBA9ED0EAC9367EF3A488A97B4ED
>     Key-Arg   : None
>     TLS session ticket: ...
>     Start Time: 1264451239
>     Timeout   : 300 (sec)
>     Verify return code: 19 (self signed certificate in certificate chain)
> ---
> GET /cgi-bin/client-cert-reneg/printenv?p1=v1&p2=v2&p3=v3 HTTP/1.0
> Host: caqa3-3.ssltest.akamai.com
> 
> SSL_connect:SSL renegotiate ciphers
> SSL_connect:SSLv3 write client hello A
> SSL_connect:SSLv3 read server hello A
> depth=1 /C=US/ST=California/L=San Mateo/O=Akamai Technologies/OU=Ghost CA 2
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> SSL_connect:SSLv3 read server certificate A
> SSL_connect:SSLv3 read server key exchange A
> [hang]
> 
> 
> Let me know if there is anything I can provide to help.
> 

Hmm... I'll see if I can reproduce that later. Looks like something still
isn't flushing properly.

Does applying the Apache fix at:

http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_io.c?r1=787644&r2=787722&pathrev=787722

work?

Can you also try a third case in s3_srvr.c around line 466, so we also call
with BIO_CTRL_PENDING if the BIO_CTRL_WPENDING return value is zero?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
