A bit of context:
I have this endpoint behind an AWS ALB. I do SSL termination at the ALB.
To my surprise, when looking at the client_tlsnegotiation_error_count
metric for the ALB, I've noticed a substantial amount of failed
connection attempts due to TLS negotiation errors - perhaps around 5%
Hi all,
I have a legacy server that only accepts the TLS_RSA_WITH_RC4_128_MD5 cipher.
I have a client using openssl 1.1.0e. It doesn't include
TLS_RSA_WITH_RC4_128_MD5.
I have recompiled the openssl using enable-weak-ssl-ciphers, but it
doesn't work
but TLS_RSA_WITH_RC4_128_SHA is in client hello messag
On 31-05-17 17:11, PGNet Dev wrote:
> On 5/31/17 3:16 AM, Wouter Verhelst wrote:
>> On 30-05-17 18:12, PGNet Dev wrote:
>> [...]
>>> with lots of apps still not at all v110
>>> compatible, or at best broken in their attempts, having local builds of
>>> both v110x and v102x is extremely useful -- an
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
> Of PGNet Dev
> Sent: Wednesday, May 31, 2017 11:12
>
> And, IMO, that's just bad advice. RPATH is perfectly fine, and this^ is
> exactly
> what it exists for. Feel free to use it or not, but don't FUD perfectly
> legit
On 5/31/17 3:16 AM, Wouter Verhelst wrote:
> On 30-05-17 18:12, PGNet Dev wrote:
> [...]
>> with lots of apps still not at all v110
>> compatible, or at best broken in their attempts, having local builds of
>> both v110x and v102x is extremely useful -- and RPATH'ing makes that
>> trivially managea
> On May 31, 2017, at 6:16 AM, Wouter Verhelst
> wrote:
>
> RPATH is useful if the SONAME is the same but the libraries aren't, for
> whatever reason (e.g., local patches). Other than that, you don't need
> it, and it's generally a bad idea.
There's no need to take an absolutist view on this subj
On 30-05-17 18:12, PGNet Dev wrote:
[...]
> with lots of apps still not at all v110
> compatible, or at best broken in their attempts, having local builds of
> both v110x and v102x is extremely useful -- and RPATH'ing makes that
> trivially manageable.
That's exactly my point -- you don't need to