
curl-library

Re: SSL handshake problems

From: Peter Sylvester <peter.sylvester_at_edelweb.fr>
Date: Sun, 10 Feb 2013 22:29:49 +0100

On 02/10/2013 09:40 PM, plot.lost wrote:
> On 10/02/2013 19:38, Guenter wrote:
>> On 10.02.2013 19:37, plot.lost wrote:
>>> What happens for curl running on other systems where OpenSSL also causes
>>> the same problem, is there anything that can be done within curl to
>>> change the OpenSSL behavior to fix this?
>> Hard to tell what 'other systems' are since I didn't read what yours is ;-)
>> (means: tell us on what OS you are seeing this issue)
>> Also, have you tried to connect with the openssl command-line tool without specifying an SSL version, and
>> if so, do you see the issue there too?
>>
>> Gün.
>
> It's Ubuntu 10.04 LTS i686, using OpenSSL 1.0.1a which was compiled using just ./config followed
> by make, no additional options provided.
>
> Connecting to that server using the basic openssl command line does hang before failing as well.
> If I add -ssl3 or -tls1 to the command line it works, if I add -ssl2 it fails immediately. It's
> only where no option is given that the problem occurs. I get that this is a problem within the
> OpenSSL that I have, I was just trying to find out if there is a way of working around it.
>
> If nothing else, I'll just go with using -3 for everything and hope I don't end up trying to
> connect to something which only supports TLS.
>
What server is at the other end?

I vaguely remember that there is a problem if the client hello is longer than 255 octets with some M$ systems,
from openssl CHANGES:

   *) Workarounds for some broken servers that "hang" if a client hello
      record length exceeds 255 bytes.

      1. Do not use record version number > TLS 1.0 in initial client
         hello: some (but not all) hanging servers will now work.
      2. If we set OPENSSL_MAX_TLS1_2_CIPHER_LENGTH this will truncate
         the number of ciphers sent in the client hello. This should be
         set to an even number, such as 50, for example by passing:
         -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure.
         Most broken servers should now work.
      3. If all else fails setting OPENSSL_NO_TLS1_2_CLIENT will disable
         TLS 1.2 client support entirely.
      [Steve Henson]

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2013-02-10
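Added example, not part of the original thread: a small Python script that builds a minimal TLS ClientHello record and parses it back, reporting the record length and cipher-suite count so you can see whether a hello crosses the 255-byte threshold named in the CHANGES entry above. The cipher-suite IDs are constructed placeholders, and the record version is pinned to TLS 1.0 as in workaround 1; with 50 suites (the OPENSSL_MAX_TLS1_2_CIPHER_LENGTH value suggested there) the record stays well under 255 bytes, with 110 it does not.

```python
import os
import struct

def fake_suites(n):
    """Constructed placeholder cipher-suite IDs (not a real OpenSSL default list)."""
    return [0xC000 + i for i in range(n)]

def build_client_hello(cipher_suites, client_version=(3, 3)):
    """Build a minimal ClientHello record (no extensions) advertising the given suites."""
    body = bytes(client_version)                       # client_version (3,3 = TLS 1.2)
    body += os.urandom(32)                             # random
    body += b"\x00"                                    # empty session_id
    body += struct.pack("!H", 2 * len(cipher_suites))  # cipher_suites length
    body += b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += b"\x01\x00"                                # one compression method: null
    body += b"\x00\x00"                                # empty extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = client_hello
    # Record-layer version pinned to TLS 1.0 (3,1), as in OpenSSL workaround 1.
    return b"\x16" + bytes((3, 1)) + struct.pack("!H", len(handshake)) + handshake

def inspect_client_hello(record):
    """Parse a ClientHello record and report the fields relevant to the 255-byte hang."""
    ctype, rv_major, rv_minor, rec_len = struct.unpack("!BBBH", record[:5])
    if ctype != 0x16 or len(record) < 5 + rec_len:
        raise ValueError("not a complete TLS handshake record")
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4                                              # skip handshake header
    client_version = (hs[p], hs[p + 1]); p += 2
    p += 32                                            # skip random
    p += 1 + hs[p]                                     # skip session_id
    cs_len = struct.unpack("!H", hs[p:p + 2])[0]; p += 2
    suites = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    return {
        "record_version": (rv_major, rv_minor),
        "client_version": client_version,
        "record_length": rec_len,                      # what the broken servers choke on
        "cipher_suite_count": len(suites),
        "exceeds_255": rec_len > 255,
    }

if __name__ == "__main__":
    for n in (50, 110):
        print(n, "suites:", inspect_client_hello(build_client_hello(fake_suites(n))))
```

The same parser can be pointed at a captured ClientHello (first record of a pcap'd connection) to check what a real client sends; only the record length and suite count matter for this particular hang.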