Re: handshake failure with OPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50

2012-11-23 Thread Rainer Canavan
On Nov 22, 2012, at 13:29 , "Dr. Stephen Henson" wrote:
>
> So you're saying it does *NOT* set SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS? That
> should be OK then as inserting empty fragments is one way of preventing the
> BEAST attack but some servers can't handle it.

That's correct, curl does NOT s

Re: handshake failure with OPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50

2012-11-22 Thread Dr. Stephen Henson
On Tue, Nov 20, 2012, Rainer Canavan wrote:
>
> On Nov 20, 2012, at 12:47 , "Dr. Stephen Henson" wrote:
>
> > On Tue, Nov 20, 2012, Dr. Stephen Henson wrote:
> >
> >> On Fri, Nov 16, 2012, Rainer Canavan wrote:
> >>
> >>>
> >>> Since openssl is part of a product that we ship, would you consi

Re: handshake failure with OPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50

2012-11-22 Thread Rainer Canavan
On Nov 20, 2012, at 12:47 , "Dr. Stephen Henson" wrote:
> On Tue, Nov 20, 2012, Dr. Stephen Henson wrote:
>
>> On Fri, Nov 16, 2012, Rainer Canavan wrote:
>>
>>>
>>> Since openssl is part of a product that we ship, would you consider moving
>>> RC4-MD5 to the front of the cipher list by defau

Re: handshake failure with OPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50

2012-11-20 Thread Dr. Stephen Henson
On Tue, Nov 20, 2012, Dr. Stephen Henson wrote:
> On Fri, Nov 16, 2012, Rainer Canavan wrote:
> >
> >
> > Since openssl is part of a product that we ship, would you consider moving
> > RC4-MD5 to the front of the cipher list by default a good idea, or are there
> > drawbacks that I overlooked, or

Re: handshake failure with OPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50

2012-11-20 Thread Dr. Stephen Henson
On Fri, Nov 16, 2012, Rainer Canavan wrote:
>
> Since openssl is part of a product that we ship, would you consider moving
> RC4-MD5 to the front of the cipher list by default a good idea, or are there
> drawbacks that I overlooked, or would this even be preferred, since RC4 has
> been propagated

Re: handshake failure with OPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50

2012-11-20 Thread Rainer Canavan
On Nov 15, 2012, at 18:04 , "Dr. Stephen Henson" wrote:
> The -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH option was a quick hack to workaround
> some broken servers. It may not be needed now many have been fixed and
> applications where you have some control over the connection parameters
> don't really

Re: handshake failure with OPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50

2012-11-15 Thread Dr. Stephen Henson
On Wed, Nov 14, 2012, Rainer Canavan wrote:
> We compile our application with -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to
> avoid the
> server hang described in the Changelog for 1.0.1a. However, I have now
> encountered
> a server that fails to handshake with openssl (the command line tool or e.

handshake failure with OPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50

2012-11-15 Thread Rainer Canavan
We compile our application with -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to avoid the server hang described in the Changelog for 1.0.1a. However, I have now encountered a server that fails to handshake with openssl (the command line tool or e.g. curl linked against libopenssl) if openssl has bee
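The failure mode Rainer describes, modelled in Python as an added example (this is not code from the thread, from OpenSSL or from curl). The compile-time option caps the serialized cipher_suites vector of a TLS 1.2 ClientHello at N bytes, so with N=50 only the first 25 two-byte suite IDs are sent and anything later in the client's preference list is silently dropped; a server whose only mutually supported suites sit past that cut-off has nothing to pick and answers with a handshake_failure alert. The suite order below, the helper names (serialize_cipher_suites, simulate, move_to_front) and the legacy server that only accepts the two RC4 suites are constructed assumptions chosen to reproduce the symptom, not OpenSSL's real DEFAULT order or the server from the thread. The renegotiation SCSV that OpenSSL appends is left out of the model.

```python
import struct

# The value used in the thread: -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 (bytes, i.e. 25 suites).
MAX_TLS1_2_CIPHER_LENGTH = 50

# IANA cipher suite IDs with OpenSSL names. The ORDER is a constructed 2012-era-looking
# preference list (assumption), not OpenSSL 1.0.1's actual DEFAULT order.
CLIENT_ORDER = [
    ("ECDHE-RSA-AES256-GCM-SHA384", 0xC030),
    ("ECDHE-ECDSA-AES256-GCM-SHA384", 0xC02C),
    ("ECDHE-RSA-AES256-SHA384", 0xC028),
    ("ECDHE-ECDSA-AES256-SHA384", 0xC024),
    ("ECDHE-RSA-AES256-SHA", 0xC014),
    ("ECDHE-ECDSA-AES256-SHA", 0xC00A),
    ("DHE-RSA-AES256-GCM-SHA384", 0x009F),
    ("DHE-RSA-AES256-SHA256", 0x006B),
    ("DHE-RSA-AES256-SHA", 0x0039),
    ("AES256-GCM-SHA384", 0x009D),
    ("AES256-SHA256", 0x003D),
    ("AES256-SHA", 0x0035),
    ("ECDHE-RSA-DES-CBC3-SHA", 0xC012),
    ("ECDHE-ECDSA-DES-CBC3-SHA", 0xC008),
    ("EDH-RSA-DES-CBC3-SHA", 0x0016),
    ("DES-CBC3-SHA", 0x000A),
    ("ECDHE-RSA-AES128-GCM-SHA256", 0xC02F),
    ("ECDHE-ECDSA-AES128-GCM-SHA256", 0xC02B),
    ("ECDHE-RSA-AES128-SHA256", 0xC027),
    ("ECDHE-ECDSA-AES128-SHA256", 0xC023),
    ("ECDHE-RSA-AES128-SHA", 0xC013),
    ("ECDHE-ECDSA-AES128-SHA", 0xC009),
    ("DHE-RSA-AES128-GCM-SHA256", 0x009E),
    ("DHE-RSA-AES128-SHA256", 0x0067),
    ("DHE-RSA-AES128-SHA", 0x0033),
    ("AES128-GCM-SHA256", 0x009C),   # 26th entry: first suite cut off at 50 bytes
    ("AES128-SHA256", 0x003C),
    ("AES128-SHA", 0x002F),
    ("ECDHE-RSA-RC4-SHA", 0xC011),
    ("RC4-SHA", 0x0005),
    ("RC4-MD5", 0x0004),
]

# Constructed legacy server (assumption): it only speaks the two plain RSA RC4 suites.
LEGACY_SERVER = {0x0004, 0x0005}


def serialize_cipher_suites(order, max_len=None):
    """Build the ClientHello cipher_suites vector: uint16 length + 2-byte suite IDs.

    If max_len is given, the body is cut to its first max_len bytes (rounded down to
    whole IDs), which is what the compile-time option does for a TLS 1.2 ClientHello.
    """
    body = b"".join(struct.pack("!H", suite_id) for _, suite_id in order)
    if max_len is not None:
        body = body[: max_len - (max_len % 2)]
    return struct.pack("!H", len(body)) + body


def parse_cipher_suites(vec):
    """Decode the vector back into the list of suite IDs the server actually sees."""
    (n,) = struct.unpack("!H", vec[:2])
    body = vec[2 : 2 + n]
    return [struct.unpack("!H", body[i : i + 2])[0] for i in range(0, n, 2)]


def server_select(offered, server_supported):
    """First offered suite the server supports (client preference), else None.

    None is the case where a real server sends a handshake_failure alert (40).
    """
    for suite_id in offered:
        if suite_id in server_supported:
            return suite_id
    return None


def move_to_front(order, name):
    """Copy of the preference list with the named suite moved to the front."""
    head = [entry for entry in order if entry[0] == name]
    if not head:
        raise ValueError(f"{name} not in cipher list")
    return head + [entry for entry in order if entry[0] != name]


def simulate(order, server_supported, max_len=None):
    """Serialize, (optionally) truncate, parse and let the server choose."""
    hello = serialize_cipher_suites(order, max_len)
    return server_select(parse_cipher_suites(hello), server_supported)


if __name__ == "__main__":
    names = {suite_id: name for name, suite_id in CLIENT_ORDER}
    full = simulate(CLIENT_ORDER, LEGACY_SERVER)
    cut = simulate(CLIENT_ORDER, LEGACY_SERVER, MAX_TLS1_2_CIPHER_LENGTH)
    fixed = simulate(move_to_front(CLIENT_ORDER, "RC4-MD5"), LEGACY_SERVER,
                     MAX_TLS1_2_CIPHER_LENGTH)
    print("untruncated list    ->", names.get(full, "handshake failure"))
    print("truncated to 50 B   ->", names.get(cut, "handshake failure"))
    print("RC4-MD5 first, 50 B ->", names.get(fixed, "handshake failure"))
```

The same check can be made against a real server without recompiling: `openssl ciphers -v 'DEFAULT'` prints the order a client would send, and `openssl s_client -cipher ...` (or SSL_CTX_set_cipher_list() inside an application) sets the list and its order for a single connection, which is the per-connection control Steve refers to. Moving RC4-MD5 to the front has a cost a practitioner should weigh: every server that honours client preference and supports it will then negotiate RC4 with MD5, so it is a workaround for the truncation, not a hardening measure.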