On Sat, Nov 22, 2014, Deepak wrote: > Hi, > > Can a SSL client upgraded with patch for CVE-0224-2014 (say OpenSSL > 0.9.8zb) talk to SSL server which does not have this patch (say OpenSSL > 0.9.8u) ? > > Problem I have - > > Server -Apache 2.2.22 with mod_ssl compiled with OpenSSL 0.9.8u > > Client - privately maintained PKI code based upon OpenSSL 0.9.8h to which > we regularly backport OpenSSL patches. We have backported fix for cve 0224 > to this code. > > This client is rejecting handshake from above Server with error that it > received CCS byte early. > > How do I debug what is going on and solve this problem? >
There is a bug related to renegotiation and session tickets which can trigger a bogus CCS early error but it wasn't known to affect 0.9.8<->0.9.8. I'd suggest you try disabling session tickets to see if that helps. If it does try backporting commit 249a3e362fe406f8bc05cd3 to 0.9.8. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
