Thanks very much for your comments. I agree that if the MS software was causing this issue it would manifest itself with a direct con. as well.
The version numbers I get when routing through a proxy are major = 0x0054 and minor = 0x0054. These are being compared against the SSL* s version which is 0x0300. These are consistent each time I use the proxy connection. Direct connections match to 0x0300.

I'll take a look at disabling the TLS this morning and also installing a newer proxy server.

Cheers,
Richard

"Dr. Stephen Henson" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> On Tue, May 11, 2004, Richard Holliday wrote:
>
> > Hi,
> >
> > I've successfully linked with the OpenSSL libraries (+ DAVLib) on the
> > Macintosh to produce an app which calls web services on an SSL enabled
> > server. I am running into problems when hitting the secure server via MS
> > Proxy.
> >
> > I use the "CONNECT xxx.xxx.xxx:443" syntax to establish an SSL tunnel and
> > all is well. The SSL handshake looks good (from the tcp trace) but the
> > OpenSSL libraries then have problems parsing the certificate which is sent
> > from the server. The trace shows me that the certificate is transmitted and
> > looks, for the most part, identical to the non-proxy direct connection which
> > works.
> >
> > When stepping through the code it's actually failing when comparing the
> > version of SSL which is being used in s3_pkt.c and returning
> > SSL_R_WRONG_VERSION_NUMBER. I suspect that the offset into the certificate
> > is wrong for some reason.
> >
> > If this rings a bell with anyone I'd be interested in your experiences.
> >
>
> It's nothing to do with certificates.
>
> Some broken implementations send out the wrong version number in some SSL/TLS
> packets. I *think* one older version of MS software does this.
>
> I can't see how that would affect a proxy but not a direct connection though.
>
> If that is the cause you could try upgrading the server software if that's an
> option. Otherwise as a workaround you could try disabling TLS on the client to
> see if that helps.
>
> If that isn't it try printing out the two version numbers in s3_pkt.c to see
> what they are.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
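
Added example, not part of the original thread and not OpenSSL's own code: 0x54 is the ASCII code for 'T', so the major and minor values reported above are what a record-header decoder produces when it is handed text beginning "HTTP/". The C sketch below decodes the 5-byte SSL 3.0/TLS record header and finds the end of a proxy's CONNECT reply; the function names and sample bytes are constructed for illustration, and whether proxy text actually reached the SSL layer in this case is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* SSL 3.0/TLS record header: type(1) major(1) minor(1) length(2). */
struct rec_hdr { unsigned type, major, minor, length; };
enum verdict { HDR_OK, HDR_SHORT, HDR_HTTP_TEXT, HDR_BAD_VERSION };

/* Decode five header bytes and judge whether they can be a record header. */
enum verdict check_record_header(const unsigned char *p, size_t n,
                                 struct rec_hdr *h)
{
    if (n < 5) return HDR_SHORT;
    h->type = p[0]; h->major = p[1]; h->minor = p[2];
    h->length = ((unsigned)p[3] << 8) | p[4];
    /* "HTTP/" decoded this way: type 'H' 0x48, major 'T' 0x54, minor 'T' 0x54 */
    if (memcmp(p, "HTTP/", 5) == 0) return HDR_HTTP_TEXT;
    if (h->major != 0x03) return HDR_BAD_VERSION;
    return HDR_OK;
}

/* Offset just past the blank line ending the proxy's reply; 0 if incomplete. */
size_t connect_reply_end(const unsigned char *buf, size_t n)
{
    size_t i;
    for (i = 0; i + 4 <= n; i++)
        if (memcmp(buf + i, "\r\n\r\n", 4) == 0) return i + 4;
    return 0;
}

/* Constructed sample: a proxy reply followed by an SSL 3.0 handshake header. */
static const unsigned char sample[] =
    "HTTP/1.0 200 Connection established\r\n\r\n" "\x16\x03\x00\x00\x4a";

int main(void)
{
    struct rec_hdr h;
    size_t n = sizeof sample - 1, off = connect_reply_end(sample, n);
    enum verdict v = check_record_header(sample, n, &h);
    printf("offset 0: verdict %d major 0x%04x minor 0x%04x\n", v, h.major, h.minor);
    v = check_record_header(sample + off, n - off, &h);
    printf("offset %lu: verdict %d version 0x%02x%02x\n",
           (unsigned long)off, v, h.major, h.minor);
    return 0;
}
```

A client that tunnels through CONNECT would consume everything up to `connect_reply_end` before handing the socket to the SSL library, so that only record bytes are parsed as records.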