On Fri, 2010-06-18 at 17:37 -0400, Richard Matthew McCutchen wrote:
> On Fri, 2010-04-30 at 17:03 -0400, Richard Matthew McCutchen wrote:
> > On Fri, 2010-04-30 at 16:10 -0400, Eric Sturdivant wrote:
> > > On Fri, 30 Apr 2010, Richard Matthew McCutchen wrote:
> > > > On Fri, 2010-04-30 at 13:11 -0400, Daniel Lenski wrote:
> > > >> If I try ldaps://directory.umd.edu, I get an error about being unable
> > > >> to contact the server.
> > > >
> > > > Indeed, the SSL interface seems to be broken. The server closes the
> > > > connection without sending any data:
> > >
> > > Odd, it's working for me: (and a lot of things would be broken if it
> > > wasn't working):
> > [...]
> > > z.glue.umd.edu -> directory.umd.edu TCP D=636 S=39185 Syn Seq=2539659181
> > > Len=0 Win=49640 Options=<mss 1460,nop,wscale 0,nop,nop,sackOK>
> >
> > I tried from glue and it works. Likewise from birdy.cs.umd.edu .
> > However, it doesn't work from my computer on the wireless network, or
> > using the UMD-Wireless VPN. Is there a firewall or something? The SSL
> > interface has worked from my computer in the past.
>
> I spoke to John Pfeifer about this and we figured out what the problem
> is. The server is throwing up because I have a new version of OpenSSL
> that advertises RFC 5746 support via the renegotiation_info extension.
> SSL servers are supposed to ignore extensions they don't understand.

I was mistaken. OpenSSL uses the SCSV, not the extension. There must be
some other SSL compatibility problem, since NSS is able to complete the
handshake successfully. I will do some more tests and post my findings.

--
Matt