On 19.08.2015, at 21:40, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
> I've figured out what's going on. LibreSSL 2.2.2 appears to have
> disabled support for the SSLv2-compatible client HELLO. Servers
> that have not disabled SSLv2 are unable to complete an SSLv2-compatible
> TLS handshake with LibreSSL 2.2.2. Connections that use an SSLv2
> hello fail. Also clients that use just SSLv3 (no extensions, ...)
> fail.
JFTR:
We have released LibreSSL 2.2.3, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon.
This release is based on the stable OpenBSD 5.8 branch, fixing a bug
that
affects interoperability with some SSL clients.
* LibreSSL 2.2.2 incorrectly handles ClientHello messages that do not
include TLS extensions, resulting in such handshakes being aborted.
This release corrects the handling of such messages. Thanks to
Ligushka from github for reporting the issue.
(see http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.2.3-relnotes.txt)
I did test a pre-release patch and didn't see my reported issues with LibreSSL
2.2.2 any longer.
Regards,
Michael
