> There are two workarounds but they have to be enabled at compile time.
>
> You can stop TLS 1.2 for clients using -DOPENSSL_NO_TLS1_2_CLIENT or restrict
> the cipher list length using -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=XXX for
> example 50.

I believe we will be solving our problem like this temporarily. Meantime, I'm just wondering because it sounds a bit strange to use TLS 1.2 as the default version while only 16% of websites support it according to wiki: https://en.wikipedia.org/wiki/Transport_Layer_Security#Applications_and_adoption Maybe I might be biased if there is any "changing protocol" negotiation or something.

Thanks for all the help by the way.

Roy.

On Thu, Jul 25, 2013 at 4:00 PM, Dr. Stephen Henson <st...@openssl.org> wrote:
> On Thu, Jul 25, 2013, kirpit wrote:
>
> > I understand the main problem is the server not responding to clients
> > supporting TLS 1.2 that use a longer ClientHello. And unfortunately, we pull
> > data by Python, not curl, so we don't have the fancy to pass openssl
> > parameters for connections and such. It uses the protocols of whatever version
> > of openssl it was compiled with.
> >
> > I am definitely going to complain about this issue to the service provider
> > but I don't have much hope for them to take this seriously. So I wonder if
> > next versions of openssl should care about workarounds for these painful
> > servers?
> >
>
> There are two workarounds but they have to be enabled at compile time.
>
> You can stop TLS 1.2 for clients using -DOPENSSL_NO_TLS1_2_CLIENT or restrict
> the cipher list length using -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=XXX for
> example 50.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
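The thread above is about how many bytes a TLS 1.2 ClientHello carries and how capping the cipher list shrinks it. The following Python script is an added illustration written for this page; it is not OpenSSL code and not something posted in the thread. It builds a minimal, extension-free ClientHello record from a cipher list, parses it back, and models a byte cap on the serialized cipher list in the spirit of -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50. The cap model (drop suites from the end of the list, keep the byte count even) is an assumption made here, not a description of OpenSSL's implementation, and SAMPLE_SUITES is a constructed list: the code points are real IANA TLS 1.2 suite IDs, but the selection and order are made up for the example.

```python
import os
import struct

# Constructed sample cipher list. The code points are real IANA TLS 1.2
# suite IDs, but this selection/order is invented for the example and is
# not any OpenSSL default list.
SAMPLE_SUITES = [
    0xC02B, 0xC02C, 0xC02F, 0xC030, 0xC023, 0xC024, 0xC027, 0xC028,
    0xC009, 0xC00A, 0xC013, 0xC014, 0x009E, 0x009F, 0x0067, 0x006B,
    0x0033, 0x0039, 0x009C, 0x009D, 0x003C, 0x003D, 0x002F, 0x0035,
    0x000A, 0xC012, 0x0016, 0xC008, 0x0005, 0x0004, 0xC011, 0x00FF,
]

TLS1_0 = 0x0301   # record-layer version commonly used for the first flight
TLS1_2 = 0x0303   # client_version advertised inside the ClientHello


def serialize_cipher_list(suites):
    """Encode suites as the 2-byte big-endian code points sent on the wire."""
    return b"".join(struct.pack("!H", s) for s in suites)


def cap_cipher_list(suites, max_bytes):
    """Assumed model of a compile-time byte cap on the cipher list:
    keep as many whole suites as fit in max_bytes (rounded down to even)."""
    if max_bytes is None:
        return list(suites)
    keep = (max_bytes & ~1) // 2
    return list(suites[:keep])


def build_client_hello(suites, version=TLS1_2, max_cipher_bytes=None, random=None):
    """Build one TLS record carrying a ClientHello with no extensions."""
    suites = cap_cipher_list(suites, max_cipher_bytes)
    random = os.urandom(32) if random is None else random
    cipher_bytes = serialize_cipher_list(suites)
    body = (
        struct.pack("!H", version)
        + random                                   # 32-byte client random
        + b"\x00"                                  # session_id length 0
        + struct.pack("!H", len(cipher_bytes)) + cipher_bytes
        + b"\x01\x00"                              # one compression method: null
    )
    # Handshake header: type 1 (ClientHello) + 3-byte length
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    # Record header: type 22 (handshake) + version + 2-byte length
    return b"\x16" + struct.pack("!HH", TLS1_0, len(handshake)) + handshake


def parse_client_hello(record):
    """Return (client_version, cipher_suites) from a record built above."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                   # skip version + random
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return version, suites


def client_hello_size(suites, **kw):
    """Total bytes on the wire for the ClientHello record (header included)."""
    return len(build_client_hello(suites, **kw))


if __name__ == "__main__":
    for cap in (None, 50):
        rec = build_client_hello(SAMPLE_SUITES, max_cipher_bytes=cap)
        ver, sent = parse_client_hello(rec)
        print(f"cap={cap}: record {len(rec)} bytes, {len(sent)} suites offered, "
              f"client_version 0x{ver:04x}")
```

With the 32-suite constructed list the uncapped record is 112 bytes, of which 64 are the cipher list; a 50-byte cap drops the last seven suites and the record shrinks to 98 bytes. The point for anyone diagnosing a server that stalls on long hellos is that the cipher list is the part of a ClientHello that grows with every suite the client enables, so trimming it (by a cap like the one in the thread, or by configuring a shorter cipher list) is what changes the size; a downgrade to TLS 1.1, as with -DOPENSSL_NO_TLS1_2_CLIENT, avoids the problem only by giving up TLS 1.2 everywhere.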