On Thu, Jul 25, 2013, kirpit wrote:

> I understand the main problem is the server not responding to clients
> supporting TLS 1.2 that use a longer ClientHello. And unfortunately, we pull
> data by python not curl so we don't have the fancy to pass openssl
> parameters for connections and such. It uses the protocols whatever version
> of openssl it was compiled with.
>
> I am definitely going to complain about this issue to the service provider
> but I don't have much hope for them to take this seriously. So I wonder if
> next versions of openssl should care about workarounds for these painful
> servers?
>

There are two workarounds but they have to be enabled at compile time. You can
stop TLS 1.2 for clients using -DOPENSSL_NO_TLS1_2_CLIENT or restrict the
cipher list length using -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=XXX for example 50.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
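
A runtime counterpart to the cipher-list restriction, as an added example that is not part of the original thread: on Python 3.7 or later the `ssl` module can trim the offered cipher list per context while keeping TLS 1.2, and the resulting ClientHello can be captured without any network traffic to confirm the effect. The cipher string, the `server.example` name and reading the thread's example value 50 as a byte budget for the cipher list are assumptions.

```python
import ssl

TRIMMED = "ECDHE+AESGCM"   # assumed short list; must include a suite the server accepts
BUDGET = 50                # the thread's example value, assumed here to count bytes


def client_hello(ciphers=None):
    """Return the raw ClientHello record a context would send (no network I/O)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2   # the thread concerns TLS 1.2 hellos
    if ciphers:
        ctx.set_ciphers(ciphers)                   # runtime cipher-list restriction
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname="server.example")
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass   # expected: the hello has been written and OpenSSL now waits for a reply
    return outgoing.read()


def cipher_list_bytes(record):
    """Length in bytes of the cipher_suites vector inside a ClientHello record."""
    if len(record) < 46 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32        # record header, handshake header, version, random
    pos += 1 + record[pos]      # session_id length byte plus the session_id itself
    return int.from_bytes(record[pos:pos + 2], "big")


def compare():
    """Return (default_bytes, trimmed_bytes) for the offered cipher lists."""
    return (cipher_list_bytes(client_hello()),
            cipher_list_bytes(client_hello(TRIMMED)))


if __name__ == "__main__":
    default_len, trimmed_len = compare()
    print("default cipher list:", default_len, "bytes")
    print("trimmed cipher list:", trimmed_len, "bytes; within budget:",
          trimmed_len <= BUDGET)
```

The measured length includes any signalling value OpenSSL appends to the list, so it can be slightly larger than two bytes per configured suite.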