On Wed, Feb 29, 2012, Tammany, Curtis wrote:
> I had brought this issue up earlier ("Windows 7/IE8 CAC enabled sites").
> With SSL 3.0 only checked on IE8 (in windows 7), I could make a connection
> to my site that had OpenSSL 1.0.0g. With both SSL 3.0 AND TLS 1.0 checked, I
> could not make a connection. We rolled back versions of OpenSSL until we got
> to 0.9.8r which could make a connection with both protocols enabled on the
> browser...
>
> Will there be a version that will address MS12-006? TLS1.1? TLS1.2?
>
>
At present I cannot reproduce the issues with MS12-006 so I can only guess as
to the cause. If I can or I can get appropriate feedback I can work on a fix,
assuming it isn't fixed already: see below. TLS 1.1 and 1.2 will only ever
appear in OpenSSL 1.0.1 and later as new features don't appear in stable
releases: just bug fixes. That is currently in beta and a few issues remain to
be resolved before the full release.
So a few guesses:
If the problem is no longer present in OpenSSL 0.9.8r then 1.0.0e may also
work. The only known problem with later versions is the SGC DoS fix has a bug
in it which may affect renegotiation in some circumstances. This bug *should*
be fixed in the latest snapshots of OpenSSL: please see if they work OK for
you.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
