Dear Mr. Moeller,
I totally agree that it is an IE bug but unfortunately
we have to live with IE(!) and so by Microsoft doctrine (!)
it's the other programs that interact with IE that have bugs ...
Seriously, I wish to thank you and the other people in the ssl
development team for your effort and resolve to fix this annoyance,
Thanks a lot,
E.I.Sarmas
- Original Message -
From: Bodo Moeller via RT [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: ÐÝìðôç, 13 Éïõíßïõ 2002 12:18 ìì
Subject: [openssl.org #87] openssl 0.9.6b to 0.9.6d with IE5.5 and IE6 and
3DES-CBC-SHA hangs
[[EMAIL PROTECTED] - Fri Jun 7 14:22:15 2002]:
even though Netscape still works, this should be considered a bug
since
IE is now broken when in the past it worked fine
It is a bug in IE, not in OpenSSL. Note that the problem is avoided
when using RC4 ciphersuites, and these are typically preferred by most
clients anyway. However OpenSSL clients prefer 3DES ciphersuites by
default, so interoperability problems of OpenSSL clients with broken
servers must be expected.
Future versions of OpenSSL will be modified so that the CBC security
workaround that caused these problems with some broken SSL/TLS
implementations can be disabled. We have to decide whether to give
higher priority to security (enable the workaround by default and let
applications that don't need it, such is Apache with mod_ssl or
Apache-SSL, disable it) or to interoperability (disable the workaround
by default and rely on applications to enable it when it is needed).
__
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]