curl-library

Re: SSL handshake problems

From: plot.lost <plot.lost_at_gmail.com>
Date: Mon, 11 Feb 2013 00:08:44 +0000

On 10/02/2013 21:55, plot.lost wrote:
> On 10/02/2013 21:29, Peter Sylvester wrote:
>> what server is at the other end?
>>
>> I vaguely remember that there is a pb if the client hello is longer
>> than 255 octets with some M$ system
>> from openssl CHANGES
>>
>> *) Workarounds for some broken servers that "hang" if a client hello
>> record length exceeds 255 bytes.
>>
>> 1. Do not use record version number > TLS 1.0 in initial client
>> hello: some (but not all) hanging servers will now work.
>> 2. If we set OPENSSL_MAX_TLS1_2_CIPHER_LENGTH this will truncate
>> the number of ciphers sent in the client hello. This should be
>> set to an even number, such as 50, for example by passing:
>> -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure.
>> Most broken servers should now work.
>> 3. If all else fails setting OPENSSL_NO_TLS1_2_CLIENT will disable
>> TLS 1.2 client support entirely.
>> [Steve Henson]
>>
>
> That might be something, I get the following in the headers from that
> server:
>
> Server: Microsoft-IIS/6.0
> X-Powered-By: ASP.NET
>
> I'll try re-compiling OpenSSL with
> -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 and see if that changes anything.
>
>
I can confirm that after re-compiling OpenSSL with
-DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50, both the OpenSSL command line
and the curl command line can connect to that server without needing any
additional options (such as -3 etc.).

Thanks for all the help on this.

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2013-02-11
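To make the quoted CHANGES entry concrete, here is an added Python example (written for this archive page, not code from the thread, from curl or from OpenSSL) that builds a minimal TLS 1.2 ClientHello record from a list of cipher suites plus extension bytes, reads the length back out of the 5-byte record header, and applies the same kind of cap as OPENSSL_MAX_TLS1_2_CIPHER_LENGTH. That cap is applied to the byte length of the cipher-suite list (two bytes per suite), which is why the entry says the value should be even. The suite ids, the hostname and the extension sizes below are constructed placeholders, not taken from any real capture.

```python
# Added example: model the ClientHello record the OpenSSL CHANGES entry is
# about, so the 255-byte record-length mark can be checked before rebuilding.
import struct

TLS1_0 = (3, 1)
TLS1_2 = (3, 3)
HANDSHAKE = 22          # record-layer content type
CLIENT_HELLO = 1        # handshake message type


def raw_extension(ext_type, data):
    """Generic TLS extension: 2-byte type, 2-byte length, data."""
    return struct.pack("!HH", ext_type, len(data)) + data


def sni_extension(hostname):
    """server_name extension (type 0) with a single host_name entry."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    return raw_extension(0, struct.pack("!H", len(entry)) + entry)


def build_client_hello(cipher_suites, extensions=b"", record_version=TLS1_2,
                       hello_version=TLS1_2, session_id=b""):
    """Return record header + ClientHello handshake message as raw bytes.
    record_version is what the record header advertises (workaround 1 in the
    CHANGES entry keeps it at TLS 1.0); hello_version is inside the body."""
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body = bytes(hello_version)
    body += bytes(32)                                    # client_random (zeroed sample)
    body += struct.pack("!B", len(session_id)) + session_id
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                  # one compression method: null
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    header = struct.pack("!B2sH", HANDSHAKE, bytes(record_version), len(handshake))
    return header + handshake


def parse_record_header(record):
    """Return ((major, minor), declared_length) from a TLS record header."""
    content_type, major, minor, length = struct.unpack("!BBBH", record[:5])
    if content_type != HANDSHAKE:
        raise ValueError("not a handshake record")
    return (major, minor), length


def record_length(record):
    return parse_record_header(record)[1]


def truncate_cipher_list(cipher_suites, max_len_bytes):
    """Cap in the spirit of OPENSSL_MAX_TLS1_2_CIPHER_LENGTH: the limit is on
    the byte length of the list, rounded down to even (2 bytes per suite)."""
    max_len_bytes &= ~1
    return cipher_suites[: max_len_bytes // 2]


def sample_extensions():
    """Constructed extension set shaped like a 2013-era client (SNI,
    signature_algorithms, elliptic_curves, ec_point_formats, session ticket).
    Sizes and ids are illustrative placeholders, not from a real capture."""
    sig_algs = bytes(range(24))                                   # 12 placeholder pairs
    curves = b"".join(struct.pack("!H", c) for c in range(1, 26))  # 25 placeholder ids
    return (sni_extension("example.com")
            + raw_extension(13, struct.pack("!H", len(sig_algs)) + sig_algs)
            + raw_extension(10, struct.pack("!H", len(curves)) + curves)
            + raw_extension(11, b"\x03\x00\x01\x02")
            + raw_extension(35, b""))


def demo(n_suites=90, cap_bytes=50):
    """Record length of a long hello vs. one capped like
    -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=<cap_bytes> (constructed suite ids)."""
    suites = list(range(0x0001, 0x0001 + n_suites))
    ext = sample_extensions()
    full = build_client_hello(suites, ext)
    capped = build_client_hello(truncate_cipher_list(suites, cap_bytes), ext)
    return record_length(full), record_length(capped)


if __name__ == "__main__":
    long_len, capped_len = demo()
    print(f"90 suites: record length {long_len} (>255: {long_len > 255})")
    print(f"capped to 50 bytes: record length {capped_len} (>255: {capped_len > 255})")
```

Running demo() gives 343 bytes of declared record length for the 90-suite hello against 213 once the list is cut to 50 bytes, which is the kind of drop that takes a hello back under the 255-byte mark the entry describes; parse_record_header() is the same check you would apply to the first five bytes of a captured client hello to see whether a given client is over that mark before touching the build. The record_version parameter reproduces workaround 1 separately: the record header can advertise TLS 1.0 while the hello body still says TLS 1.2.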