Thanks Marek. This is now working. Mistake on our part. We were using "," when doing OR in SSL_ctx_set_options instead of "|".
-Krishna

On 7/10/06, Marek Marcola <[EMAIL PROTECTED]> wrote:
> Hello,
>
> I've attached modified test client code, which without the
> OP_ALL option has results as:
>
> $ ./ssl2
> crypto lib: OpenSSL 0.9.7f 22 Mar 2005
> the cipher used by the client: DES-CBC3-SHA
> ssl_read: 1460
> 16808:error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac:s3_pkt.c:424:
>
> and after adding OP_ALL has results as:
>
> $ ./ssl2 -op_all
> crypto lib: OpenSSL 0.9.7f 22 Mar 2005
> the cipher used by the client: DES-CBC3-SHA
> ssl_read: 1460
> ssl_read: 2048
> ssl_read: 2048
> ssl_read: 2048
> ssl_read: 2048
> ssl_read: 2048
> ssl_read: 2048
> ssl_read: 2048
> ssl_read: 2048
> ssl_read: 1810
>
> After more digging with ssldump:
>
> Default configuration (without SSL_OP_ALL):
>
> 1 4 0.3324 (0.0000) C>SV3.0(1) ChangeCipherSpec
> 1 5 0.3324 (0.0000) C>SV3.0(64) Handshake
> 1 6 0.5157 (0.1833) S>CV3.0(1) ChangeCipherSpec
> 1 7 0.7305 (0.2148) S>CV3.0(64) Handshake
> 1 8 0.7310 (0.0004) C>SV3.0(24) application_data
> 1 9 0.7310 (0.0000) C>SV3.0(352) application_data
> 1 10 0.9133 (0.1823) S>CV3.0(1488) application_data
> 1 11 1.1932 (0.2798) S>CV3.0(18216) application_data <-- here ERROR
> 1 1.1932 (0.0000) S>C TCP FIN
> 1 12 1.1947 (0.0014) C>SV3.0(24) Alert <-- here ALERT information
>
> configuration with SSL_OP_ALL:
>
> 1 4 0.3347 (0.0000) C>SV3.0(1) ChangeCipherSpec
> 1 5 0.3347 (0.0000) C>SV3.0(64) Handshake
> 1 6 0.5185 (0.1838) S>CV3.0(1) ChangeCipherSpec
> 1 7 0.7336 (0.2150) S>CV3.0(64) Handshake
> 1 8 0.7341 (0.0004) C>SV3.0(24) application_data
> 1 9 0.7341 (0.0000) C>SV3.0(352) application_data
> 1 10 0.9166 (0.1824) S>CV3.0(1488) application_data
> 1 11 1.1873 (0.2707) S>CV3.0(18216) application_data
> 1 1.1873 (0.0000) S>C TCP FIN
> 1 1.1891 (0.0018) C>S TCP FIN
>
> As we can see, the server sends a big packet (18216 bytes) and OpenSSL
> refuses to process it (per the RFC this should be at most 16384 bytes of
> data + header size). With SSL_OP_ALL we switch on the flag
> SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER, which instructs the library to accept
> bigger packets.
>
> Best regards,
> --
> Marek Marcola <[EMAIL PROTECTED]>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
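An added example (not part of the original thread and not OpenSSL code): a small C check that reads ssldump record lines like those quoted above and flags any record whose payload must exceed the 16384-byte limit. It assumes the DES-CBC3-SHA cipher reported in the post (20-byte SHA-1 MAC, 8-byte block, SSLv3 padding of at most one block); the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PLAINTEXT 16384L /* 2^14: record payload limit cited in the post */
#define MAC_LEN 20L          /* SHA-1 MAC of DES-CBC3-SHA (assumed cipher) */
#define BLOCK_LEN 8L         /* 3DES block; SSLv3 padding is at most one block */

/* Parse "1 11 1.1932 (0.2798) S>CV3.0(18216) application_data".
 * Returns the record length and stores the sender ('C' or 'S') in *from;
 * returns -1 for non-record lines such as "S>C TCP FIN". */
long record_len(const char *line, char *from)
{
    int conn, seq, vmaj, vmin;
    double t, dt;
    char to;
    long len;
    if (sscanf(line, "%d %d %lf (%lf) %c>%cV%d.%d(%ld)",
               &conn, &seq, &t, &dt, from, &to, &vmaj, &vmin, &len) != 9)
        return -1;
    return len;
}

/* Smallest payload an encrypted CBC record of this size can carry:
 * strip the MAC and the largest possible padding. */
long min_payload(long rec_len) { return rec_len - MAC_LEN - BLOCK_LEN; }

/* Count records in a newline-separated dump whose payload must be over the limit. */
int count_oversized(const char *dump)
{
    char line[256], from;
    int hits = 0;
    while (*dump) {
        size_t n = strcspn(dump, "\n");
        size_t c = n < sizeof line - 1 ? n : sizeof line - 1;
        memcpy(line, dump, c);
        line[c] = '\0';
        dump += n + (dump[n] == '\n');
        long len = record_len(line, &from);
        if (len > 0 && min_payload(len) > MAX_PLAINTEXT) {
            printf("%c sent a %ld-byte record, payload >= %ld (limit %ld)\n",
                   from, len, min_payload(len), MAX_PLAINTEXT);
            hits++;
        }
    }
    return hits;
}

/* Sample lines copied from the ssldump output in the post. */
static const char SAMPLE[] =
    "1 9 0.7310 (0.0000) C>SV3.0(352) application_data\n"
    "1 10 0.9133 (0.1823) S>CV3.0(1488) application_data\n"
    "1 11 1.1932 (0.2798) S>CV3.0(18216) application_data\n"
    "1 1.1932 (0.0000) S>C TCP FIN\n";

int main(void) { return count_oversized(SAMPLE) == 1 ? 0 : 1; }
```

The 1488-byte record yields a minimum payload of 1460 bytes, matching the first `ssl_read: 1460` in the client output; only the 18216-byte record is flagged.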