Re: [openssl.org #87] openssl 0.9.6b to 0.9.6d with IE5.5 and IE6 and 3DES-CBC-SHA hangs

2002-06-14 Thread E.I.Sarmas via RT



Dear Mr. Moeller,

I totally agree that it is an IE bug but unfortunately
we have to live with IE(!) and so by Microsoft doctrine (!)
it's the other programs that interact with IE that have bugs ...

Seriously, I wish to thank you and the other people in the ssl
development team for your effort and resolve to fix this annoyance,

Thanks a lot,

E.I.Sarmas

- Original Message -
From: Bodo Moeller via RT [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Thursday, 13 June 2002 12:18 PM
Subject: [openssl.org #87] openssl 0.9.6b to 0.9.6d with IE5.5 and IE6 and
3DES-CBC-SHA hangs



> [[EMAIL PROTECTED] - Fri Jun  7 14:22:15 2002]:
>
> > even though Netscape still works, this should be considered a bug since
> > IE is now broken when in the past it worked fine
>
> It is a bug in IE, not in OpenSSL.  Note that the problem is avoided
> when using RC4 ciphersuites, and these are typically preferred by most
> clients anyway.  However OpenSSL clients prefer 3DES ciphersuites by
> default, so interoperability problems of OpenSSL clients with broken
> servers must be expected.
>
> Future versions of OpenSSL will be modified so that the CBC security
> workaround that caused these problems with some broken SSL/TLS
> implementations can be disabled.  We have to decide whether to give
> higher priority to security (enable the workaround by default and let
> applications that don't need it, such as Apache with mod_ssl or
> Apache-SSL, disable it) or to interoperability (disable the workaround
> by default and rely on applications to enable it when it is needed).


__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



[openssl.org #87] openssl 0.9.6b to 0.9.6d with IE5.5 and IE6 and 3DES-CBC-SHA hangs

2002-06-13 Thread Bodo Moeller via RT


[[EMAIL PROTECTED] - Fri Jun  7 14:22:15 2002]:

> even though Netscape still works, this should be considered a bug since
> IE is now broken when in the past it worked fine

It is a bug in IE, not in OpenSSL.  Note that the problem is avoided
when using RC4 ciphersuites, and these are typically preferred by most
clients anyway.  However OpenSSL clients prefer 3DES ciphersuites by
default, so interoperability problems of OpenSSL clients with broken
servers must be expected.

Future versions of OpenSSL will be modified so that the CBC security
workaround that caused these problems with some broken SSL/TLS
implementations can be disabled.  We have to decide whether to give
higher priority to security (enable the workaround by default and let
applications that don't need it, such as Apache with mod_ssl or
Apache-SSL, disable it) or to interoperability (disable the workaround
by default and rely on applications to enable it when it is needed).



[openssl.org #87] openssl 0.9.6b to 0.9.6d with IE5.5 and IE6 and 3DES-CBC-SHA hangs

2002-06-07 Thread E.I.Sarmas via RT



Hello,

I want to report that with IE5.5 and IE6 (but not Netscape)

when using as web server: apache 1.3.14 + modssl 2.7.1 + openssl 0.9.6b

and restrict the Ciphersuite to DES3-CBC-SHA all is working fine

but with web server: apache 1.3.24 + modssl  2.8.8 + openssl 0.9.6d

and again restrict the Ciphersuite to DES3-CBC-SHA
then Explorer hangs forever when loading any page
(apache logs indicate a single successful connection and that's all)

clearly this has to do a lot with the openssl change from 0.9.6b to 0.9.6d

[

I am not versed in the modssl/openssl technology but I suspect it
must be something related to the following CHANGE notice

  *) Implement a countermeasure against a vulnerability recently found
     in CBC ciphersuites in SSL 3.0/TLS 1.0: Send an empty fragment
     before application data chunks to avoid the use of known IVs
     with data potentially chosen by the attacker.
     [Bodo Moeller]

]

even though Netscape still works, this should be considered a bug since
IE is now broken when in the past it worked fine

Can someone comment on this behavior and PLEASE recommend
a workaround (enabling us to keep the same Ciphersuite)?

Thanks in advance,

E.I.Sarmas
email: [EMAIL PROTECTED]
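
The countermeasure quoted from the CHANGES notice in the message above, modelled as an added example (not part of the original messages and not OpenSSL's code): in SSL 3.0/TLS 1.0 CBC the IV of each record is the last ciphertext block of the previous one, and an empty fragment sent first changes which block that is. Assumptions: a toy 64-bit Feistel cipher stands in for 3DES, the MAC input is simplified, and all keys, sample data, class and function names are constructed for illustration.

```python
import hashlib
import hmac

BLOCK = 8  # 3DES has a 64-bit block

def toy_encrypt_block(key, block):
    """Stand-in 64-bit cipher (4-round Feistel over HMAC-SHA1). NOT 3DES."""
    left, right = block[:4], block[4:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha1).digest()[:4]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

class Tls10CbcWriter:
    """Sending side of SSL 3.0/TLS 1.0 CBC: each record's IV is the
    last ciphertext block of the previous record."""
    def __init__(self, enc_key, mac_key, iv, empty_fragment):
        self.enc_key, self.mac_key, self.iv = enc_key, mac_key, iv
        self.empty_fragment, self.seq = empty_fragment, 0

    def _record(self, data):
        # Simplified MAC input (real records also cover type, version, length).
        mac = hmac.new(self.mac_key, self.seq.to_bytes(8, "big") + data,
                       hashlib.sha1).digest()
        self.seq += 1
        pad = -(len(data) + len(mac) + 1) % BLOCK
        body = data + mac + bytes([pad]) * (pad + 1)
        iv_used, prev, out = self.iv, self.iv, b""
        for i in range(0, len(body), BLOCK):
            x = bytes(a ^ b for a, b in zip(body[i:i + BLOCK], prev))
            prev = toy_encrypt_block(self.enc_key, x)
            out += prev
        self.iv = prev  # chained IV for the next record
        return iv_used, out

    def write(self, app_data):
        """One application write -> list of (iv_used, ciphertext) records."""
        records = [self._record(b"")] if self.empty_fragment else []
        records.append(self._record(app_data))
        return records

def iv_known_before_write(empty_fragment):
    """Was the IV that protects the second write's data already visible
    on the wire before that data was chosen?"""
    w = Tls10CbcWriter(b"K" * 24, b"M" * 20, bytes(BLOCK), empty_fragment)
    wire = b"".join(ct for _, ct in w.write(b"GET / HTTP/1.0\r\n\r\n"))
    last_seen = wire[-BLOCK:]  # what a network observer holds
    iv_for_data = w.write(b"next chunk, constructed sample")[-1][0]
    return iv_for_data == last_seen
```

With the empty fragment enabled, the IV for the data record is the tail of a 24-byte record whose plaintext is only a MAC and padding, produced in the same write as the data itself. That extra record ahead of every data record is the traffic the thread reports IE failing to handle.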

