On Nov 22, 2014 2:35 AM, "Dr. Stephen Henson" <st...@openssl.org> wrote: > > On Sat, Nov 22, 2014, Deepak wrote: > > > Hi, > > > > Can a SSL client upgraded with patch for CVE-0224-2014 (say OpenSSL > > 0.9.8zb) talk to SSL server which does not have this patch (say OpenSSL > > 0.9.8u) ? > > > > Problem I have - > > > > Server -Apache 2.2.22 with mod_ssl compiled with OpenSSL 0.9.8u > > > > Client - privately maintained PKI code based upon OpenSSL 0.9.8h to which > > we regularly backport OpenSSL patches. We have backported fix for cve 0224 > > to this code. > > > > This client is rejecting handshake from above Server with error that it > > received CCS byte early. > > > > How do I debug what is going on and solve this problem? > > > > There is a bug related to renegotiation and session tickets which can trigger > a bogus CCS early error but it wasn't known to affect 0.9.8<->0.9.8. > > I'd suggest you try disabling session tickets to see if that helps. > > If it does try backporting commit 249a3e362fe406f8bc05cd3 to 0.9.8. > > Steve. > -- > Dr Stephen N. Henson. OpenSSL project core developer. > Commercial tech support now available see: http://www.openssl.org > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager majord...@openssl.org
Why do we see this problem in select few cases ? .. All of the users of our customized PKI are not complaining. Else this could be a major problem. Thank you.
