>Number:         176722
>Category:       misc
>Synopsis:       OpenSSL 1.0.1e fails to fall back to TLS1 if the server doesn't allow for anything else
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Mar 07 07:40:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     Johannes Meixner
>Release:        10.0-CURRENT
>Organization:
>Environment:
FreeBSD xmj.local 10.0-CURRENT FreeBSD 10.0-CURRENT #2 r247490M: Fri Mar 1 19:16:27 EET 2013 root@xmj.local:/usr/obj/usr/src/sys/xmj amd64
>Description:
Error first described by Pablo Almeida on https://bugs.launchpad.net/openssl/+bug/965371/ -- when trying to `openssl s_client -showcerts -connect coremis-cas.myocean.eu:443' OpenSSL 1.0.1e (11 Feb 13 from ports) doesn't fall back (as it does for 0.9.8x 10 May 2012) to TLS1 and, instead of showing certs, gives

CONNECTED(00000004)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 319 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

However, when forcing s_client to use -tls1, the result is as expected, returning the site's certificates.

Why doesn't openssl notice it can't use any other method but TLS1 -- and fall back to that one, as in previous versions?
>How-To-Repeat:
Run `openssl s_client -showcerts -connect coremis-cas.myocean.eu:443' on OpenSSL 1.0.1e

versus

openssl s_client -showcerts -tls1 -connect coremis-cas.myocean.eu:443
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
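
A triage helper for the symptom reported above, added here as an example and not part of the original problem report: it classifies openssl s_client output and compares the default hello against forced protocol versions. The function names are hypothetical, and the -tls1_1 and -tls1_2 attempts go beyond the single -tls1 case in the report.

```shell
#!/bin/sh
# Added example (not from the PR): triage s_client results per protocol flag.

# Excerpt of the failing output quoted in the report, used as sample input.
sample_output() {
cat <<'EOF'
CONNECTED(00000004)
SSL handshake has read 0 bytes and written 319 bytes
New, (NONE), Cipher is (NONE)
EOF
}

# Read s_client output on stdin; print one of:
#   ok          - a cipher was negotiated
#   no-response - TCP connected, but the server sent 0 handshake bytes
#   failed      - anything else (alert, connection refused, ...)
classify_handshake() {
    awk '
        /^CONNECTED\(/                      { connected = 1 }
        /SSL handshake has read 0 bytes/    { silent = 1 }
        /Cipher is \(NONE\)/                { none = 1 }
        /^New, .*Cipher is / && !/\(NONE\)/ { ok = 1 }
        END {
            if (ok) print "ok"
            else if (connected && silent && none) print "no-response"
            else print "failed"
        }'
}

# probe HOST:PORT - try the default hello, then each forced version.
probe() {
    for flag in "" -tls1 -tls1_1 -tls1_2; do
        # $flag is left unquoted so the empty entry adds no argument
        result=$(openssl s_client -showcerts $flag -connect "$1" \
                 </dev/null 2>&1 | classify_handshake)
        printf '%-10s %s\n' "${flag:-default}" "$result"
    done
}

# Read probe output on stdin; summarize which attempts worked.
diagnose() {
    awk '
        $1 == "default"               { def = $2 }
        $1 != "default" && $2 == "ok" { works = works " " $1 }
        END {
            if (def == "ok") print "default hello accepted"
            else if (works != "") print "default hello rejected; works with:" works
            else print "no protocol version succeeded"
        }'
}
```

Run it as `probe HOST:PORT | diagnose`; a result of "default hello rejected; works with: -tls1" matches the behaviour described in this report.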