On 07/02/2013 14:36, James wrote:
> Just an update, using an SSLCipherSuite in the SSL configuration file for Apache of RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5 works fine. The ciphers we're using are DES-CBC3-MD5:RC2-CBC-MD5:RC4-MD5:DES-CBC3-SHA:RC4-MD5:RC4-SHA:DES-CBC3-SHA:AES128-SHA:AES256-SHA:RC4-MD5:RC4-SHA which is where I see the issue. I suppose I'll have to go through each cipher to determine the culprit. If I'm on the wrong path here and should be posting to the Apache mailing list, let me know, but as I've stated previously, OpenSSL 1.0.1c-FIPS works fine with our current cipher suite.

This is probably the same bug that has been discussed recently - see "Major OpenSSL 1.0.1d regression from 1.0.1c" on openssl-dev and ticket 2975 "Regression in OpenSSL 1.0.1d x86_64: Corrrupted data stream". From that ticket:

"A serious regression was introduced in 1.0.1d that corrupts the data stream under certain circumstances. Firefox requests to an Apache server running on Linux/X86_64 with OpenSSL-1.0.1d result in "501 Server Error" responses. OpenSSL versions 1.0.1c and earlier are not affected. i686 (32 bit) versions are also not affected."

And a comment: "Stop gap measure for now is to revert commit 125093b59f3c. We're looking into the proper fix."

--
Bruce Cran