curl-library

Re: SSL handshake problems

From: plot.lost <plot.lost_at_gmail.com>
Date: Sun, 10 Feb 2013 21:55:56 +0000

On 10/02/2013 21:29, Peter Sylvester wrote:
> On 02/10/2013 09:40 PM, plot.lost wrote:
>> On 10/02/2013 19:38, Guenter wrote:
>>> Am 10.02.2013 19:37, schrieb plot.lost:
>>>> What happens for curl running on other systems where OpenSSL also
>>>> causes
>>>> the same problem, is there anything that can be done within curl to
>>>> change the OpenSSL behavior to fix this?
>>> hard to tell what are 'other systems' since I didnt read what is
>>> your ;-)
>>> (means: tell us on what OS you are seeing this issue)
>>> also have you tried to connect with the openssl cmdline tool without
>>> specifying a ssl version and if so do you see the issue there too?
>>>
>>> Gün.
>>
>> It's Ubuntu 10.04 LTS i686, using Open SSL 1.0.1a which was compiled
>> using just ./config followed by make, no additional options provided.
>>
>> Connecting to that server using the basic openssl command line does
>> hang before failing as well. If I add -ssl3 or -tls1 to the command
>> line it works, if I add -ssl2 it fails immediately. It's only where
>> no option is given that the problem occurs. I get that this is a
>> problem within the OpenSSL that I have, I was just trying to find out
>> if there is a way of working around it.
>>
>> If nothing else, I'll just go with using -3 for everything and hope I
>> don't end up trying to connect to something which only supports TLS
>>
> what server is at the other end?
>
> I vaguely remember that there is a pb if the client hello is longer
> than 255 octets with some M$ system
> from openssl CHANGES
>
> *) Workarounds for some broken servers that "hang" if a client hello
> record length exceeds 255 bytes.
>
> 1. Do not use record version number > TLS 1.0 in initial client
> hello: some (but not all) hanging servers will now work.
> 2. If we set OPENSSL_MAX_TLS1_2_CIPHER_LENGTH this will truncate
> the number of ciphers sent in the client hello. This should be
> set to an even number, such as 50, for example by passing:
> -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure.
> Most broken servers should now work.
> 3. If all else fails setting OPENSSL_NO_TLS1_2_CLIENT will disable
> TLS 1.2 client support entirely.
> [Steve Henson]
>

That might be something, I get the following in the headers from that
server:

Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET

I'll try re-compiling OpenSSL with -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50
and see if that changes anything.

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2013-02-10
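The OpenSSL CHANGES entry quoted in the thread describes two client-side workarounds for servers that hang when a ClientHello record exceeds 255 bytes: keeping the record version of the initial hello at TLS 1.0, and capping the cipher-suite list with OPENSSL_MAX_TLS1_2_CIPHER_LENGTH. As an added example, not code from this thread, from curl or from OpenSSL, the Python below builds a minimal TLS ClientHello record, parses it back and reports the record length, so you can see how the number of suites and the presence of extensions push the record over 255 bytes and how a 50-byte cap brings it back under. The even-number advice in the entry reads as a byte limit on the two-byte cipher-suite list (50 bytes = 25 suites); the truncation helper assumes that interpretation. The cipher-suite lists, the hostname and the fixed random field are constructed for the demo.

```python
"""Build and inspect a minimal TLS ClientHello record (RFC 5246 layout) to check
the 255-byte record-length condition from the quoted OpenSSL CHANGES entry.

Added example: not from the curl or OpenSSL projects. Sample suites, hostname
and the all-zero random are constructed inputs for the demonstration.
"""
import os
import struct

TLS10 = 0x0301
TLS12 = 0x0303
HANDSHAKE = 0x16      # TLS record content type
CLIENT_HELLO = 0x01   # handshake message type


def sni_extension(hostname: str) -> bytes:
    """server_name extension (type 0) carrying one host_name entry."""
    name = hostname.encode("ascii")
    server_name = b"\x00" + struct.pack("!H", len(name)) + name
    server_name_list = struct.pack("!H", len(server_name)) + server_name
    return struct.pack("!HH", 0x0000, len(server_name_list)) + server_name_list


def build_client_hello(suites, record_version=TLS12, client_version=TLS12,
                       hostname=None, random_bytes=None) -> bytes:
    """Return a complete TLS record containing a ClientHello.

    record_version is the outer record-layer version (workaround 1 in the
    CHANGES entry keeps this at TLS 1.0); client_version is the version field
    inside the ClientHello body.
    """
    rnd = os.urandom(32) if random_bytes is None else random_bytes
    if len(rnd) != 32:
        raise ValueError("ClientHello.random must be 32 bytes")
    body = struct.pack("!H", client_version) + rnd
    body += b"\x00"                                   # empty session_id
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body += struct.pack("!H", len(cs)) + cs            # cipher_suites
    body += b"\x01\x00"                               # compression: null only
    if hostname:
        ext = sni_extension(hostname)
        body += struct.pack("!H", len(ext)) + ext      # extensions block
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, record_version, len(handshake)) + handshake


def inspect_client_hello(record: bytes) -> dict:
    """Parse a ClientHello record and report the fields relevant to the hang."""
    ctype, rver, rlen = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rlen]
    if len(hs) != rlen:
        raise ValueError("truncated record")
    if hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    client_version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 32                                      # version + random
    pos += 1 + body[pos]                               # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                               # compression methods
    return {
        "record_version": rver,
        "record_length": rlen,                         # the 255-byte question
        "client_version": client_version,
        "cipher_suites": suites,
        "cipher_bytes": cs_len,
        "has_extensions": pos < len(body),
        "exceeds_255": rlen > 255,
    }


def truncate_cipher_bytes(suites, max_bytes=50):
    """Workaround 2: keep only as many suites as fit in max_bytes (2 bytes each).

    Assumes OPENSSL_MAX_TLS1_2_CIPHER_LENGTH is a byte limit on the list, which
    is how the 'even number' advice in the CHANGES entry reads.
    """
    return list(suites)[: max_bytes // 2]


if __name__ == "__main__":
    many = list(range(0xC000, 0xC000 + 120))           # constructed: 120 suites
    long_hello = build_client_hello(many, hostname="example.com")
    print("full offer:", inspect_client_hello(long_hello))
    capped = build_client_hello(truncate_cipher_bytes(many, 50), record_version=TLS10,
                                hostname="example.com")
    print("capped offer:", inspect_client_hello(capped))
```

Run it to compare the two records: the 120-suite hello with SNI is well over 255 bytes of record payload, while the capped 25-suite hello with a TLS 1.0 record version stays far under it, which is the shape of the fix the thread is about to try.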