Where can we find the RFC about this cipher? This blog page contains information about cipher order in Windows and the bug:

http://blog.ittoby.com/2014/11/microsoft-kb-2992611-winshock-more.html

2014-11-19 10:16 GMT+01:00 Mounir IDRASSI <mounir.idra...@idrix.net>:

> Hi,
>
> The latest Windows update that corrected the "WinShock" SChannel
> vulnerability brought many changes to the way TLS is performed, and among
> the changes is the fact that the Supported Point Formats Extension is not
> sent anymore in the ServerHello during the TLS handshake.
>
> In versions of OpenSSL prior to 1.0.0c, the Supported Point Formats
> Extension was expected to be present all the time, which of course is not
> correct. I sent a patch for that in 2010
> (https://rt.openssl.org/Ticket/Display.html?id=2240&user=guest&pass=guest#txn-26841)
> and the correction was subsequently included in 1.0.0c.
>
> This explains why you are starting to receive TLS handshake errors with
> a curl client linked with OpenSSL 1.0.0a and 1.0.0b after the SChannel
> update from Microsoft.
>
> If you are not able to upgrade your clients, then the only solution is to
> ask Microsoft how to force the inclusion of the Supported Point Formats
> Extension in the TLS handshake as was the case before.
> Their SChannel update brought new issues anyway, and most certainly
> Microsoft will publish another update to SChannel in order to solve them,
> so there is a possibility for them to restore the old TLS handshake
> behavior unless it causes security issues for them (but I can't imagine
> how).
>
> Cheers,
> --
> Mounir IDRASSI
> IDRIX
> http://www.idrix.fr
>
>
> On 11/14/2014 10:02 PM, Gilles Vollant wrote:
>>
>> Microsoft just published a patch on their SChannel component (KB 2992611):
>>
>> https://technet.microsoft.com/library/security/MS14-066
>>
>> But with this fix, Web server IIS 7.5/8.0 on Windows Server 2008 R2 or
>> Windows Server 2012 did not accept downloads from curl + OpenSSL 1.0.0a /
>> 1.0.0b!
>>
>> If you compile curl with OpenSSL 1.0.0a or 1.0.0b, curl cannot download
>> anything from an IIS 7.5/8.0 webserver using https after patching!
>>
>> OpenSSL 1.0.0c has no problem. But some clients cannot be updated
>> magically!
>>
>> Curl says:
>> curl: (35) error:1411809D:SSL routines:SSL_CHECK_SERVERHELLO_TLSEXT:tls
>> invalid ecpointformat list
>>
>> I made a report here:
>>
>> http://www.winimage.com/demo_report_openssl_windows/
>>
>> I hope Microsoft can (and will) update their fix to allow curl +
>> OpenSSL 1.0.0 (a or b) to connect!
>>
>> regards
>> Gilles Vollant
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
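The extension the thread is about is the Supported Point Formats extension (extension type 11) defined in RFC 4492; section 5.2 of that RFC says that when the server omits it from the ServerHello, the client must assume the server supports only the uncompressed point format. The following is an added example, not code from the thread, from OpenSSL or from Microsoft: it parses a TLS ServerHello record, lists its extensions, and resolves the point format list in two ways, the RFC way (absent means uncompressed only) and a strict mode that models the pre-1.0.0c client behaviour described above, which rejects a ServerHello that lacks the extension. The two ServerHello records are constructed sample data rather than captures from IIS, and the function names and the exact semantics of the strict mode are my own approximations, not OpenSSL's code.

```python
import struct

EXT_EC_POINT_FORMATS = 11        # RFC 4492 section 5.1.2, ec_point_formats
EXT_RENEGOTIATION_INFO = 0xFF01  # RFC 5746, included only for realism
POINT_FORMAT_UNCOMPRESSED = 0    # RFC 4492: the one format every peer must support

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F  # an ECC suite, where the check matters


def build_server_hello(cipher_suite, extensions):
    """Build a TLS 1.2 ServerHello record (constructed sample data, not a capture).
    extensions: list of (type, data) pairs, or None for a ServerHello with no
    extensions block at all."""
    body = b"\x03\x03"                  # server_version = TLS 1.2
    body += bytes(range(32))            # server random (constructed, not random)
    body += b"\x00"                     # empty session_id
    body += struct.pack(">H", cipher_suite)
    body += b"\x00"                     # compression_method = null
    if extensions is not None:
        ext_bytes = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack(">H", len(ext_bytes)) + ext_bytes
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body   # type 2 = ServerHello
    return b"\x16\x03\x03" + struct.pack(">H", len(handshake)) + handshake


def parse_server_hello(record):
    """Return (cipher_suite, {ext_type: ext_data}) from a ServerHello record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                         # skip server_version and random
    sid_len = body[pos]
    pos += 1 + sid_len
    cipher_suite = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2 + 1                         # cipher_suite + compression_method
    exts = {}
    if pos < len(body):                  # extensions block is optional
        ext_total = struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos < end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            pos += 4
            exts[etype] = body[pos:pos + elen]
            pos += elen
    return cipher_suite, exts


def ec_point_formats(exts, require_extension=False):
    """Resolve the server's accepted EC point formats from parsed extensions.
    require_extension=False: RFC 4492 section 5.2 behaviour, absence means
    uncompressed only. require_extension=True: my model of the pre-1.0.0c
    client behaviour from the thread, which treats absence as an error."""
    data = exts.get(EXT_EC_POINT_FORMATS)
    if data is None:
        if require_extension:
            raise ValueError("tls invalid ecpointformat list")
        return [POINT_FORMAT_UNCOMPRESSED]
    n = data[0]
    formats = list(data[1:1 + n])
    # A present list must be well-formed and must contain uncompressed (RFC 4492 5.1.2).
    if n == 0 or len(formats) != n or POINT_FORMAT_UNCOMPRESSED not in formats:
        raise ValueError("tls invalid ecpointformat list")
    return formats


# Constructed samples: a pre-update-style ServerHello carrying the extension,
# and a post-update-style one that omits it (both negotiate an ECC suite).
SERVER_HELLO_WITH_EXT = build_server_hello(
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
    [(EXT_RENEGOTIATION_INFO, b"\x00"), (EXT_EC_POINT_FORMATS, b"\x01\x00")])
SERVER_HELLO_WITHOUT_EXT = build_server_hello(
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
    [(EXT_RENEGOTIATION_INFO, b"\x00")])


if __name__ == "__main__":
    for label, rec in (("with extension", SERVER_HELLO_WITH_EXT),
                       ("without extension", SERVER_HELLO_WITHOUT_EXT)):
        suite, exts = parse_server_hello(rec)
        print(label, hex(suite), sorted(exts))
        print("  RFC 4492 client:", ec_point_formats(exts))
        try:
            print("  strict client:  ", ec_point_formats(exts, require_extension=True))
        except ValueError as e:
            print("  strict client:   handshake failure:", e)
```

Running it shows the two clients agree when the extension is present and diverge when it is absent: the RFC-conformant client proceeds with the uncompressed format, the strict one aborts with the same message curl reported in the thread.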