So, it's not exactly an SSLv2 or cipher issue. IE submits an SSLv2
Hello, but states it can support SSLv3. The SSLv23_server_method then
tries and negotiates SSLv3. However, that fails.

Looking into what was fixed in SP4 I found this:
http://support.microsoft.com/kb/318815/

I then thought it could be something to do with SSL_CTX_set_options and
the bug workarounds. However, that didn't seem to work either.

    SSL_CTX_set_options(ctx, SSL_OP_ALL);

Apache/IIS/etc work just fine. The one thing I'm about to go try is just
firing up an openssl s_server and test IE against that. If that works
I'll grep through the code and see what more it's doing.

If someone has seen this, and knows if this has to be handled at the
handshake failure to renegotiate - let me know.

Thanks,
-Jon

PS - Kyle, if you force SSLv2 - Firefox refuses to connect. So, at
least that's helping the cause :-)

Kyle Hamilton wrote:

I believe that you have to explicitly allow the SSLv2 ciphers if you
want to enable the use of the old, insecure, hackable, crackable, and
almost-completely-worthless-from-a-security-standpoint protocol that
is SSLv2.

Please don't use SSLv2. The sooner everyone moves away from it the
sooner its embarrassment can just go away.

:) (All joking aside, though, SSLv2 really shouldn't be used anymore.
It especially shouldn't be used for new deployments since many
not-so-theoretical attacks have been documented against it.)

-Kyle H

On Thu, Apr 10, 2008 at 4:08 PM, Jonathan Thompson
<[EMAIL PROTECTED]> wrote:

Quick question that I can't seem to find any info about.

I've got a server implementing SSLv23_server_method. However, on
Windows 2000 < Service Pack 4 the server returns a failed handshake
right after the SSLv2 Client Hello and then FIN/ACKs the client.

If I force the server into SSLv2_server_method it works just fine. Am I
missing something?

Thanks,
-Jon
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
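
The thread above describes a client that sends an SSLv2-format Client Hello while advertising SSLv3; that combination can be confirmed from the first record captured on the wire. The C parser below is an added example, not code from the thread or from OpenSSL; the struct, the function name and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct v2hello {
    int major, minor;  /* highest version the client advertises */
    int v2_ciphers;    /* SSLv2 cipher kinds (first byte non-zero) */
    int v3_ciphers;    /* SSLv3/TLS suites, encoded as 00 xx yy */
};

/* Constructed sample: SSLv2-format hello advertising 3.0, zero-filled challenge. */
static const uint8_t sample_hello[39] = {
    0x80, 0x25,                          /* 2-byte header, body length 37 */
    0x01, 0x03, 0x00,                    /* CLIENT-HELLO, version 3.0 */
    0x00, 0x0c, 0x00, 0x00, 0x00, 0x10,  /* lengths: ciphers 12, id 0, challenge 16 */
    0x00, 0x00, 0x04, 0x00, 0x00, 0x0a,  /* two SSLv3 suites */
    0x01, 0x00, 0x80, 0x07, 0x00, 0xc0,  /* two SSLv2 cipher kinds */
};

/* Returns 0 on success, -1 if buf is not a complete SSLv2-format CLIENT-HELLO. */
int parse_v2_client_hello(const uint8_t *buf, size_t len, struct v2hello *out)
{
    if (len < 11 || !(buf[0] & 0x80))   /* SSLv2 2-byte header sets the top bit */
        return -1;
    size_t body = ((size_t)(buf[0] & 0x7f) << 8) | buf[1];
    if (body + 2 > len || buf[2] != 0x01)   /* truncated, or not CLIENT-HELLO */
        return -1;
    size_t cs  = ((size_t)buf[5] << 8) | buf[6];   /* cipher spec bytes */
    size_t sid = ((size_t)buf[7] << 8) | buf[8];   /* session id bytes */
    size_t ch  = ((size_t)buf[9] << 8) | buf[10];  /* challenge bytes */
    if (cs == 0 || cs % 3 != 0 || 9 + cs + sid + ch != body)
        return -1;
    out->major = buf[3]; out->minor = buf[4];
    out->v2_ciphers = out->v3_ciphers = 0;
    for (size_t i = 0; i < cs; i += 3) {   /* each cipher spec is 3 bytes */
        if (buf[11 + i] == 0x00) out->v3_ciphers++;
        else out->v2_ciphers++;
    }
    return 0;
}

int main(void)
{
    struct v2hello h;
    if (parse_v2_client_hello(sample_hello, sizeof sample_hello, &h)) return 1;
    printf("advertises %d.%d: %d SSLv3/TLS suites, %d SSLv2 cipher kinds\n",
           h.major, h.minor, h.v3_ciphers, h.v2_ciphers);
    return 0;
}
```

A hello that parses with major 3 and a non-zero v3_ciphers count is a client asking for SSLv3 through the SSLv2-compatible framing, which is the case described for IE; major 0, minor 2 with only v2 cipher kinds is a pure SSLv2 client.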