Hi all,
I need some help in figuring out how to solve a SSL handshake failure that started after upgrading (from 0.9.7b) to 0.9.7c. Here are the symptoms:
SSL_connect breaks with SSL_R_MISSING_EXPORT_TMP_RSA_KEY. This happens because the client plans on using RSA_EXPORT1024_WITH_DES_CBC_SHA, and the server has a certificate with a 1024-bit RSA key.
In 0.9.7b there was a bug in X509_certificate_type() that caused it to mark the server's public key with EVP_PKT_EXP (i.e. this is an export cipher key). The bug was fixed in 0.9.7c, and so I have an EXPORT cipher, with NON-EXPORT key.
This causes a check in ssl3_check_cert_and_algorithm() to fail because an EXPORT algorithm is used with NON-EXPORT certificate, and no temporary EXPORT key.
My question is: Why is this check needed? Is it required in SSL/TLS specification? It seems strange to me to blame the server for not generating a temporary 512 bit key (the algorithm specifies explicitly RSA-1024…).
Anybody encountered this before? Any solution / workaround?
I'm using Windows2000 as the server, and my application which is linked with OpenLDAP and OpenSSL as the client.
Thanks
Tal
