> From: Dave Thompson
>
> > Yes, the server has a custom root cert that isn't installed on this
> > machine. I am happy that the server cert is correct.
>
> For testing that's okay, but I hope in real use you are verifying.
> Otherwise an active attacker may be able to MITM your connections.

Production environments do a peer verification. I disabled that for development purposes.

> The ServerHello does indeed contain the secure-renegotiation extension in
> one pcap and not the other. Assuming there isn't some really weird logic on
> the server that supports 5746 only sometimes, this might be due to the
> (much) larger cipherlist -- OpenSSL puts ERI-SCSV at the end of the
> cipherlist, so if the server can only handle maybe 32 or 50 or so entries
> in the cipherlist it might not "see" ERI in the default-ciphers case.
>
> You could experiment with intermediate size cipherlists -- my suggestion of
> forcing -tls1 by itself takes you down from 80 to 52 (because it implicitly
> disables the TLSv1.2-only SHA2 and GCM suites), or so does explicit -cipher
> DEFAULT:!TLSv1.2 . Removing more things you shouldn't want anyway goes
> lower e.g. DEFAULT:!TLSv1.2:!EXPORT:!LOW:!SRP:!kECDH should be 30.

[snip]

> If the problem is the length of the ClientHello and/or cipherlist -- as is
> consistent with but not conclusively proven by what you've seen so far, and
> is somewhat similar to the fact that other servers have already been found to
> fail or hang *initial* negotiation when ClientHello >= 256 bytes (although
> this server did *not* fail there), just using a shorter cipherlist
> should work. A few akRSA, one or two DHE-RSA and ECDHE-RSA because a
> server with RSA can still do akRSA unless KU prohibits, a few ECDHE-ECDSA
> and perhaps a few DHE-DSS -- maybe 20 total -- should handle any sane
> server.

That's great, thank you for the detailed explanations. Your hunch that the problem lies with the length of the cipherlist seems to bear out; I removed some of the ciphers you suggested and the server still happily connects. It creates a Client Hello of 198 bytes which should also avoid the other problem you mention (that I haven't seen on this particular server).

Thanks for all the help,
Ben
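
Added example, not part of the original message or of OpenSSL: a small ClientHello parser for checking a captured handshake for the two things discussed above, the message length and the position of the RFC 5746 SCSV (0x00FF) in the cipher list. The sample records are constructed with placeholder suite IDs and no extensions, and the 50-entry read limit is a hypothetical value taken from the guess in the quoted text.

```python
import struct

SCSV = 0x00FF  # TLS_EMPTY_RENEGOTIATION_INFO_SCSV (RFC 5746)

def build_client_hello(n_suites):
    """Constructed sample: minimal TLS 1.0 ClientHello record, no extensions.
    Suite IDs are placeholders; the SCSV goes last, as the thread says OpenSSL does."""
    suites = list(range(1, n_suites)) + [SCSV]
    body = b"\x03\x01" + bytes(32) + b"\x00"          # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                # one compression method (null)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def inspect_client_hello(record):
    """Return handshake length, suite count and SCSV position of a ClientHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    hs_len = int.from_bytes(record[6:9], "big")
    if len(record) < 9 + hs_len:
        raise ValueError("truncated record")
    pos = 9 + 2 + 32                                   # skip client_version and random
    pos += 1 + record[pos]                             # skip session id
    (cs_len,) = struct.unpack_from("!H", record, pos)
    pos += 2
    if cs_len % 2 or pos + cs_len > len(record):
        raise ValueError("bad cipher_suites length")
    suites = struct.unpack_from("!%dH" % (cs_len // 2), record, pos)
    idx = suites.index(SCSV) if SCSV in suites else None
    return {"handshake_bytes": 4 + hs_len, "suite_count": len(suites), "scsv_index": idx}

def scsv_visible(info, max_suites_read):
    """Would a peer that reads only the first max_suites_read entries see the SCSV?"""
    return info["scsv_index"] is not None and info["scsv_index"] < max_suites_read

if __name__ == "__main__":
    for n in (80, 30):  # list sizes mentioned in the thread
        info = inspect_client_hello(build_client_hello(n))
        print(n, info, "visible at hypothetical limit 50:", scsv_visible(info, 50))
```

To use it on a real capture, pass the raw bytes of the first TLS record sent by the client to `inspect_client_hello`.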