> Dave Thompson said:
>
> The problem is not in accepting the cert, the problem is you received no
> response (serverhello) at all, much less a cert.
> When I try with vanilla 1.0.1c it works, but only TLSv1.0.
>
> There have been reports of some server software failing because the
> clienthello for 1.2 is longer than in earlier versions
> (this occurs before it has a chance to negotiate the version down).
> Try specifying -tls1 or at least -no_tls1_2. Maybe try -cipher listspec
> smaller than the default (one cipher the server likes is enough, I got
> DES-CBC3-SHA).
> Although the problem usually reported is at 255/256 bytes and 226 is less.
>
> Your browsers may not be using 1.2 at all, or they may be using it more
> conservatively than OpenSSL does (by default). If you want to check, get
> a network trace. I recommend www.wireshark.org on Windows or MacOSX.
> On Linux you can capture with tcpdump, but I find the display unhelpful and
> prefer to download to wireshark for display.

I have not yet tried looking at the packets, but the options for openssl you
suggested, both -no_tls1_2 and -tls1, return similar results as before,
though -tls1 does generate a slightly different error.

-no_tls1_2:
3077863048:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:

-tls1:
3078067848:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:592:

Neither:
3078428296:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:

Darryl Baker
Sr Application Support Engineer
Connecture Inc
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
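
Added example (not part of the original messages, and not OpenSSL project code): a small parser for the error lines quoted above. It splits the packed hex code using the OpenSSL 1.0.x layout (library in bits 24-31, function in bits 12-23, reason in bits 0-11), which shows that all three runs report the same reason code and differ only in the function that raised it. The names parse_error_line, unpack_code and summarize are made up for this example.

```python
import re

# Text form of an OpenSSL error-queue entry as printed by s_client:
# <thread id>:error:<packed code, 8 hex digits>:<library>:<function>:<reason>:<file>:<line>:
ERR_LINE = re.compile(
    r"(?P<tid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):"
)

def unpack_code(code):
    """Split a packed code the way OpenSSL 1.0.x ERR_GET_LIB/FUNC/REASON do.
    OpenSSL 3.x packs the code differently, so this applies to the 1.0.x output only."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def parse_error_line(text):
    """Return the fields of one error line, or None if the text does not match."""
    m = ERR_LINE.search(text)
    if m is None:
        return None
    lib_num, func_num, reason_num = unpack_code(int(m.group("code"), 16))
    return {
        "thread_id": int(m.group("tid")),
        "lib": (lib_num, m.group("lib")),
        "func": (func_num, m.group("func")),
        "reason": (reason_num, m.group("reason")),
        "source": (m.group("file"), int(m.group("line"))),
    }

# The three error lines quoted in the message above, keyed by the option used.
REPORTED = {
    "-no_tls1_2": "3077863048:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:",
    "-tls1": "3078067848:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:592:",
    "neither": "3078428296:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:",
}

def summarize(reported):
    """Map each option to (function, reason) and collect the distinct reason codes."""
    parsed = {opt: parse_error_line(line) for opt, line in reported.items()}
    sites = {opt: (p["func"][1], p["reason"][1]) for opt, p in parsed.items()}
    reasons = {p["reason"] for p in parsed.values()}
    return sites, reasons

if __name__ == "__main__":
    sites, reasons = summarize(REPORTED)
    for opt, (func, reason) in sites.items():
        print(f"{opt:>10}: {func} -> {reason}")
    print("distinct reason codes:", sorted(reasons))
```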