On Wed Nov 06 22:15:45 2013, steve wrote:
> On Thu Mar 29 21:17:31 2012, steve wrote:
> > A temporary workaround for this is to apply these two patches to OpenSSL
Closing issue as resolved. Multiple workarounds are in the tree.
SteveH committed across all relevant branches.
https://github.com/ope
On Thu Mar 29 21:17:31 2012, steve wrote:
> A temporary workaround for this is to apply these two patches to OpenSSL
> 1.0.1:
>
> http://cvs.openssl.org/chngview?cn=22286
> http://cvs.openssl.org/chngview?cn=22306
>
> And recompile OpenSSL with -DOPENSSL_NO_TLS1_2_CLIENT (e.g. supplied as
> a comma
Per F5 Product Development, the log message quoted in the previous note is not
related to ID 376483. It is a cosmetic issue which may be safely ignored.
Amy Wilhelm
Enterprise Network Engineer
F5 Networks
OpenSSL Project
>> - sourceforge.net
>
> This one still fails, but I believe that that was caused by the
> load balancer of F5 Networks (Big IP).
And there is no good solution for it, except for updating load balancer
software. The only thing one can do otherwise is to minimize ClientHello
by aggressively exclud
On Thu, Mar 29, 2012 at 09:46:34PM +0200, Kurt Roeckx wrote:
> On Sun, Mar 25, 2012 at 01:52:22PM +0200, Stephen Henson via RT wrote:
> > > [steve - Sun Mar 25 13:11:30 2012]:
> > >
> > > I've done some more tests and it seems that the size of the client hello
> > > message is significant: all the
We run a site that uses the F5 Networks BIG-IP load balancer, and OpenSSL 1.0.1
triggers this bug on the load balancer. When it occurs, the load balancer
neither forwards the request to a pool member, nor does it respond to the
OpenSSL client. There are warning messages in the load balancer's
On Sun, Apr 01, 2012 at 02:42:20PM +0200, Dr. Stephen Henson wrote:
> On Sun, Apr 01, 2012, Dr. Stephen Henson wrote:
>
> >
> > Did a quick hack modification setting header version to 0x3,0x0 and it now
> > *will* connect to some sites it didn't before with a long client hello
> > including paypa
On Sun, Apr 01, 2012, Kurt Roeckx wrote:
> On Sun, Apr 01, 2012 at 02:42:20PM +0200, Dr. Stephen Henson wrote:
> > On Sun, Apr 01, 2012, Dr. Stephen Henson wrote:
> >
> > >
> > > Did a quick hack modification setting header version to 0x3,0x0 and it now
> > > *will* connect to some sites it didn
On Sun, Apr 01, 2012, Dr. Stephen Henson wrote:
>
> Did a quick hack modification setting header version to 0x3,0x0 and it now
> *will* connect to some sites it didn't before with a long client hello
> including paypal. It ends up negotiating TLS 1.2 anyway.
>
> I'll do some more tests to see wh
On Sun, Apr 01, 2012, Kurt Roeckx wrote:
>
> And they now both contain 0x03,0x03. At least gnutls is sending
> 0x03,0x00 with 0x03,0x03.
>
Gnutls is also sending client hellos shorter than 256 bytes (couldn't see a
way to extend it though I'm not familiar with gnutls).
> I already wondered ab
On Sun, Apr 01, 2012 at 12:17:19PM +0200, Andy Polyakov wrote:
> > It's empirically found that SSL 2.0 and TLS 1.0
> > ClientHellos larger than 256 bytes *are* accepted, while TLS 1.1 and 1.2
> > have to be shorter to be accepted.
>
> TLS version in ClientHello *message* is denoted by correspondin
> It's empirically found that SSL 2.0 and TLS 1.0
> ClientHellos larger than 256 bytes *are* accepted, while TLS 1.1 and 1.2
> have to be shorter to be accepted.
TLS version in ClientHello *message* is denoted by corresponding field.
But then the *message* is placed to TLS *record*, which is denot
On Sun, Apr 01, 2012 at 12:13:44AM +0200, Dr. Stephen Henson wrote:
>
> OpenSSL 1.0 and later will use an *SSLv3* compatible client hello provided no
> SSLv2 ciphersuites are requested. The default cipherstring now excludes all
> SSLv2 ciphersuites so by default you won't get SSLv2 client hellos. I
On Sat, Mar 31, 2012 at 11:09:15PM +0200, Andy Polyakov wrote:
>
> Bugs never make sense. But what do you mean by "doesn't seem to happen
> here"? Can you connect with 'openssl s_client -connect
> www.paypal.com:443 -cipher DEFAULT:\!AES' and 'openssl s_client -connect
> www.paypal.com:443 -cipher
On Sat, Mar 31, 2012, Kurt Roeckx wrote:
> On Sat, Mar 31, 2012 at 08:12:54PM +0200, Andy Polyakov wrote:
> > >>> I've done some more tests and it seems that the size of the client hello
> > >>> message is significant: all the options that work reduce the size of
> > >>> client hello. If you use t
>>> So I'm getting more and more reports of sites that have a problem
>>> since 1.0.1. They basically fall in 2 categories:
>>> - They don't tolerate versions higher than TLS 1.0
>>> - They don't like big packets.
>>>
>>> Of the 2nd case I have at least found people complain about those
>>> sites:
>
On Sat, Mar 31, 2012 at 08:12:54PM +0200, Andy Polyakov wrote:
> >>> I've done some more tests and it seems that the size of the client hello
> >>> message is significant: all the options that work reduce the size of
> >>> client hello. If you use the -debug option and check out the first
> >>> mes
>>> I've done some more tests and it seems that the size of the client hello
>>> message is significant: all the options that work reduce the size of
>>> client hello. If you use the -debug option and check out the first
>>> message bytes 4 and 5 it seems those servers hang if the length exceeds
>>
On Sun, Mar 25, 2012 at 01:52:22PM +0200, Stephen Henson via RT wrote:
> > [steve - Sun Mar 25 13:11:30 2012]:
> >
> > I've done some more tests and it seems that the size of the client hello
> > message is significant: all the options that work reduce the size of
> > client hello. If you use the
A temporary workaround for this is to apply these two patches to OpenSSL
1.0.1:
http://cvs.openssl.org/chngview?cn=22286
http://cvs.openssl.org/chngview?cn=22306
And recompile OpenSSL with -DOPENSSL_NO_TLS1_2_CLIENT (e.g. supplied as
a command line option to config or Configure). I'm working on s
> [steve - Sun Mar 25 13:11:30 2012]:
>
> I've done some more tests and it seems that the size of the client hello
> message is significant: all the options that work reduce the size of
> client hello. If you use the -debug option and check out the first
> message bytes 4 and 5 it seems those serv
> [k...@roeckx.be - Sun Mar 25 04:51:32 2012]:
>
> On Fri, Mar 23, 2012 at 06:49:43PM +0100, Stephen Henson via RT wrote:
> > > [ste...@stebalien.com - Fri Mar 23 18:21:39 2012]:
> > >
> > > OpenSSL negotiation times out when connecting to Outlook Exchange 2007
> > > both through Outlook Web Acc
On Fri, Mar 23, 2012 at 06:49:43PM +0100, Stephen Henson via RT wrote:
> > [ste...@stebalien.com - Fri Mar 23 18:21:39 2012]:
> >
> > OpenSSL negotiation times out when connecting to Outlook Exchange 2007
> > both through Outlook Web Access (webmail) and IMAP (POP untested). This
> > bug appeared
> [ste...@stebalien.com - Fri Mar 23 18:21:39 2012]:
>
> OpenSSL negotiation times out when connecting to Outlook Exchange 2007
> both through Outlook Web Access (webmail) and IMAP (POP untested). This
> bug appeared between version 1.0.0h and 1.0.1-beta1.
>
> OS: Arch Linux
> Applications tested
OpenSSL negotiation times out when connecting to Outlook Exchange 2007
both through Outlook Web Access (webmail) and IMAP (POP untested). This
bug appeared between version 1.0.0h and 1.0.1-beta1.
OS: Arch Linux
Applications tested: Offlineimap (IMAP), elinks (webmail), wget (webmail).
Version: 1.0