
curl-users

Re: ssl handshake failure with xfb gateway ftps server

From: Peter Sylvester <peter.sylvester_at_edelweb.fr>
Date: Thu, 23 Jul 2009 22:41:33 +0200

Gilles Hamel wrote:
> Daniel Stenberg wrote:
>>
>> Oh right, it seems nobody ever wrote support for such an option.
>> Feel free to step up and do it. We'll appreciate your patch!
>
> Finally I downgraded openssl library to 0.9.8i : the latest version
> with sni disabled.
> For those who want further information about sni, I recommend
> http://en.wikipedia.org/wiki/Server_Name_Indication.
> For now, I'm going on holiday. If I have any time, I'll write this
> patch willingly.
I am not sure whether the SNI extension was actually meant to
be used for something other than https, i.e. a protocol that
without SSL is able to render a different service based on one
of several hostnames for the same IP address. Or, I wonder
whether some XXXs protocol with TLS will complain when you
don't send SNI today. (==> possible fix: set SNI only for https)

But, in the light of possible other extensions,
it may also be interesting to investigate a bit the server's SSL
stack; there are not too many IMO, and those that do not
ignore extra data on a TLS client hello are even rarer. I may be wrong,
but one openssl seemed to be one of them, and that's already years ago
I think.

Besides extensions, TLS doesn't really offer much compared to SSLv3,
so just using SSLv3 is a pretty safe fallback, combined with the age of
the server.

And, if one starts adding support for other tls extensions, ...

have fun
/PS
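To make the "extra data on a TLS client hello" point concrete, here is an added example (not part of the original message, curl, or OpenSSL) that builds a minimal ClientHello in pure Python with or without the server_name (SNI) extension, and parses it the way a lenient or a strict server stack would. An SSLv3 (3,0) hello carries no extensions block at all, which is why the SSLv3 fallback sidesteps the problem; a TLS 1.0 (3,1) hello from a client that appends SNI has trailing bytes after the compression methods, which a strict old-style parser rejects. The `sni_for` rule implements the "set SNI only for https" idea from the message. The hostname, cipher suites, and fixed zero `random` field are constructed sample values.

```python
import struct

# Constructed sample values (not from the original page).
SAMPLE_HOST = "ftp.example.com"
SAMPLE_CIPHERS = (0x002F, 0x0035)   # TLS_RSA_WITH_AES_128/256_CBC_SHA


def _u16(n: int) -> bytes:
    return struct.pack(">H", n)


def sni_extension(hostname: str) -> bytes:
    """RFC 4366 server_name extension: type 0x0000, one host_name entry."""
    name = hostname.encode("ascii")
    entry = b"\x00" + _u16(len(name)) + name          # name_type 0 = host_name
    server_name_list = _u16(len(entry)) + entry
    return _u16(0x0000) + _u16(len(server_name_list)) + server_name_list


def client_hello(version, hostname=None, random=bytes(32), ciphers=SAMPLE_CIPHERS) -> bytes:
    """Build a handshake record carrying a ClientHello.

    version is (3,0) for SSLv3 or (3,1) for TLS 1.0. When hostname is None
    no extensions block is appended, so the body ends at compression methods
    exactly as an SSLv3 hello does.
    """
    ver = bytes(version)
    body = ver + random
    body += b"\x00"                                    # session_id length 0
    cs = b"".join(_u16(c) for c in ciphers)
    body += _u16(len(cs)) + cs
    body += b"\x01\x00"                                # compression_methods: null only
    if hostname is not None:
        ext = sni_extension(hostname)
        body += _u16(len(ext)) + ext                   # extensions block (TLS only)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16" + ver + _u16(len(handshake)) + handshake     # ContentType handshake


def parse_client_hello(record: bytes, tolerate_extensions: bool = True) -> dict:
    """Parse a ClientHello record; a strict parser rejects any trailing bytes."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or hs[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake body")

    version = (body[0], body[1])
    pos = 2 + 32                                       # skip version + random
    pos += 1 + body[pos]                               # session_id
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack(">H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                               # compression_methods

    sni = None
    if pos < len(body):                                # anything left is an extensions block
        if not tolerate_extensions:
            raise ValueError(f"{len(body) - pos} trailing bytes after compression methods")
        ext_len = struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        if end != len(body):
            raise ValueError("bad extensions length")
        while pos < end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            if etype == 0x0000:                        # server_name
                list_len = struct.unpack(">H", data[:2])[0]
                entry = data[2:2 + list_len]
                if entry and entry[0] == 0:
                    name_len = struct.unpack(">H", entry[1:3])[0]
                    sni = entry[3:3 + name_len].decode("ascii")
    return {"version": version, "ciphers": ciphers, "sni": sni}


def sni_for(scheme: str, hostname: str):
    """The 'set SNI only for https' rule: other schemes send no extension."""
    return hostname if scheme == "https" else None


if __name__ == "__main__":
    for scheme, ver in (("https", (3, 1)), ("ftps", (3, 1)), ("ftps", (3, 0))):
        hello = client_hello(ver, sni_for(scheme, SAMPLE_HOST))
        try:
            print(scheme, ver, "strict server:", parse_client_hello(hello, tolerate_extensions=False))
        except ValueError as e:
            print(scheme, ver, "strict server rejects:", e)
```

Running it shows the https hello being rejected by the strict parser while both ftps hellos (TLS 1.0 without SNI, and SSLv3) are accepted; a lenient parser recovers the hostname from the https hello.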

-------------------------------------------------------------------
List admin: http://cool.haxx.se/cgi-bin/mailman/listinfo/curl-users
FAQ: http://curl.haxx.se/docs/faq.html
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2009-07-23