Hey,
Yes that's exactly it - the padding extension fixes F5 but breaks
Ironport.
*However*, of the two problems, the F5 one is probably bigger - and there's
more incentive for Ironport users to fix their side (by their nature the
Ironport boxes are something that users need to keep up-to-date anyway -
and of course OpenSSL has this code in it so many people trying to connect
to them have the problem now).
The other workaround is to trim the cipher list to reduce the hello
below 256 bytes.
This broke enough stuff that OpenSSL changed this into an option after a single
point release (added unconditionally in 1.0.1g, turned into an option in
1.0.1h) [1].
[1] http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=aaed77c55ecf82594bf3b44b1bcad66c42611777
Best regards,
Piotr Sikora
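
The two workarounds discussed in this message, sized out as an added example (not code from the thread or from OpenSSL): how many bytes the padding extension adds to a given ClientHello, and how many cipher suites fit while the hello stays below 256 bytes. The 256 to 511 byte window and the 512-byte target follow the padding logic shipped in OpenSSL 1.0.1g and RFC 7685; the function names and the sample sizes are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Length of a TLS ClientHello handshake message: 4-byte handshake header
 * included, 5-byte record header excluded. ext_bytes is the total size of
 * all extensions present (each with its 4-byte type/length header). */
size_t client_hello_len(size_t sid_len, size_t n_ciphers, size_t n_comp,
                        size_t ext_bytes)
{
    size_t len = 4 + 2 + 32;          /* header, client_version, random */
    len += 1 + sid_len;               /* session_id */
    len += 2 + 2 * n_ciphers;         /* cipher_suites, 2 bytes each */
    len += 1 + n_comp;                /* compression_methods */
    if (ext_bytes > 0)
        len += 2 + ext_bytes;         /* extensions block */
    return len;
}

/* Workaround 1: bytes a padding extension (type 21) adds, header included.
 * Only hellos of 256..511 bytes are padded, up to 512. A gap smaller than
 * the 4-byte extension header still costs 4 bytes (empty padding body).
 * Assumes hlen already contains an extensions block. */
size_t padding_ext_len(size_t hlen)
{
    if (hlen <= 0xff || hlen >= 0x200)
        return 0;
    size_t gap = 0x200 - hlen;
    return gap >= 4 ? gap : 4;
}

/* Workaround 2: largest cipher-suite count that keeps the hello below
 * 256 bytes, given everything else in the message. */
size_t max_ciphers_below_256(size_t sid_len, size_t n_comp, size_t ext_bytes)
{
    size_t fixed = client_hello_len(sid_len, 0, n_comp, ext_bytes);
    return fixed > 0xff ? 0 : (0xff - fixed) / 2;
}

int main(void)
{
    /* Constructed sample: no session id, null compression, 60 ext bytes. */
    size_t hlen = client_hello_len(0, 80, 1, 60);
    printf("80 suites: hello=%zu, padding adds %zu -> %zu\n",
           hlen, padding_ext_len(hlen), hlen + padding_ext_len(hlen));
    printf("max suites for hello < 256: %zu\n",
           max_ciphers_below_256(0, 1, 60));
    return 0;
}
```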