> From: owner-openssl-us...@openssl.org On Behalf Of Baker, Darryl
> Sent: Friday, 07 December, 2012 11:30

> > Dave Thompson said:
> >
> > The problem is not in accepting the cert, the problem is
> > you received no response (serverhello) at all, much less a cert.
> > When I try with vanilla 1.0.1c it works, but only TLSv1.0.
> >
> > There have been reports of some server software failing
> > because the clienthello for 1.2 is longer than in earlier versions
<snip>
> I have not yet tried looking at the packets yet but the
> options for openssl you suggested both -no_tls1_2 and -tls1
> return the similar results as before though -tls1 does
> generate a slightly different error.
>
> -no_tls1_2: 3077863048:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
> -tls1: 3078067848:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:592:
> Neither: 3078428296:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
>

And "handshake has read 0 bytes and written <N> bytes" in all cases?
If so, then it doesn't look like the ClientHello-too-long issue.

I don't recall if you said, but some browser(s?) and 1.0.0 work okay
*from the same client machine* where 1.0. fails? If not, it might be
something about your machine the server doesn't like (probably not
too likely) -- or something else in the network doesn't like
(more and more common nowadays).

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
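
As an added example (not part of the original messages and not OpenSSL project code), the following decodes the error-queue lines quoted above using the packed layout of OpenSSL 1.0.x error codes (8-bit library, 12-bit function, 12-bit reason). It shows that the -tls1 error carries the same library and reason as the others and differs only in the reporting function, and it checks the "read 0 bytes" condition asked about in the reply. The function names and the byte count in the sample are assumptions made for illustration.

```python
import re

# Lines quoted in the thread; the byte count on the last line is constructed.
SAMPLE = """\
3077863048:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
3078067848:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:592:
SSL handshake has read 0 bytes and written 112 bytes
"""

ERR_LINE = re.compile(
    r"^(?P<tid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]+):(?P<line>\d+):", re.M)
IO_LINE = re.compile(r"handshake has read (\d+) bytes and written (\d+) bytes")


def unpack(code):
    """Split a packed error code as OpenSSL 1.0.x lays it out:
    8-bit library, 12-bit function, 12-bit reason."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def parse_errors(text):
    """Return one dict per error-queue line, with the packed code decoded."""
    out = []
    for m in ERR_LINE.finditer(text):
        lib, func, reason = unpack(int(m["code"], 16))
        out.append({"lib": lib, "func": func, "reason": reason,
                    "func_name": m["func"], "text": m["reason"],
                    "where": f'{m["file"]}:{m["line"]}'})
    return out


def server_silent(text):
    """True when the client wrote a ClientHello but read nothing back."""
    m = IO_LINE.search(text)
    return bool(m) and int(m[1]) == 0 and int(m[2]) > 0


def same_failure(errors):
    """True when every error shares library and reason, whatever the function."""
    return len({(e["lib"], e["reason"]) for e in errors}) == 1


if __name__ == "__main__":
    errs = parse_errors(SAMPLE)
    for e in errs:
        print(e)
    print("same failure:", same_failure(errs), "| server silent:", server_silent(SAMPLE))
```

The bit layout of packed error codes is specific to the OpenSSL version; the split used here matches the 1.0.x series discussed in the thread.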