> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
> Of Graham Leggett
> Sent: Thursday, November 09, 2017 08:30
> To: openssl-users@openssl.org
> Subject: Re: [openssl-users] Ubuntu Xenial + Postgresql v9.5 == SSL
> routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
> 
> On 09 Nov 2017, at 2:57 PM, Michael Wojcik
> <michael.woj...@microfocus.com> wrote:
> 
> > DEFAULT includes ECC suites. You should try something like
> > DEFAULT:!ECDHE:!ECDH to eliminate the ECC Kx suites.
> 
> I just tried that - no change in behaviour, apart from the negotiation of a
> different cipher before the connection fails (0x9f).

OK. 9f is TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, so it's not an ECC issue after 
all. At least not with this client. It's not clear to me if you've gone back to 
the 1.0.1f client, or if you were still using 1.0.2m here.

> Does or did openssl server have any known bugs with respect to the length
> of a ClientHello packet being in excess of 255 bytes?

Someone else will have to answer this. As far as I know, it was only the F5 TLS 
implementation that had this issue.

-- 
Michael Wojcik 
Distinguished Engineer, Micro Focus 



-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
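An added example, not part of the original message: Python code that reads a captured ClientHello record and reports the handshake message length (to compare against the 255-byte threshold asked about above) and the cipher suite IDs the client offered, such as 0x009f. The function names and the sample records are constructed for illustration, and the parser assumes the ClientHello arrives in a single, unfragmented TLS record.

```python
import struct

DHE_RSA_AES256_GCM_SHA384 = 0x009F   # the "0x9f" suite named in the thread

def build_client_hello(suites, pad=0):
    """Constructed sample: minimal TLS 1.2 ClientHello record, optional padding."""
    body = b"\x03\x03" + bytes(32) + b"\x00"           # version, random, empty session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                  # one compression method: null
    if pad:
        ext = struct.pack("!HH", 21, pad) + bytes(pad)  # extension 21 = padding (RFC 7685)
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def inspect_client_hello(record):
    """Return (handshake length incl. 4-byte header, offered suite IDs)."""
    try:
        if record[0] != 0x16:
            raise ValueError("not a TLS handshake record")
        (rec_len,) = struct.unpack("!H", record[3:5])
        hs = record[5:5 + rec_len]
        if len(hs) != rec_len or hs[0] != 0x01:
            raise ValueError("truncated record or not a ClientHello")
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:]
        if len(body) != hs_len:
            raise ValueError("handshake length does not match record")
        pos = 34 + 1 + body[34]          # skip version, random, session_id
        (n,) = struct.unpack("!H", body[pos:pos + 2])
        raw = body[pos + 2:pos + 2 + n]
        if n % 2 or len(raw) != n:
            raise ValueError("bad cipher_suites vector")
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc
    return 4 + hs_len, list(struct.unpack("!%dH" % (n // 2), raw))

if __name__ == "__main__":
    for pad in (0, 300):                 # small hello, then one padded past 255 bytes
        rec = build_client_hello([DHE_RSA_AES256_GCM_SHA384], pad)
        length, suites = inspect_client_hello(rec)
        print(length, "over 255" if length > 255 else "within 255",
              [hex(s) for s in suites])
```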
