Re: Serious Bug in ssl3_get_record

2000-09-14 Thread Michael Lee
Bodo Moeller wrote:
> On Thu, Sep 14, 2000 at 10:52:29AM +0800, Fung wrote:
> >>> Have you tried using the SSLv23_method() instead of the SSLv3_method()?
> >> But I know SSLv23_method has bugs at this version 0.9.5a.
> > Can you elaborate?
I think what he meant is that in some cases SSLv23_metho

Re: Serious Bug in ssl3_get_record

2000-09-13 Thread Fung
But I know SSLv23_method has bugs at this version 0.9.5a. I really hope that 0.9.6 can solve all problems I have found so far.
> Have you tried using the SSLv23_method() instead of the SSLv3_method()?
> The problem is that if I use SSLv3_method to connect to a client that
> supports SSLv2 ONLY.

Re: Serious Bug in ssl3_get_record

2000-09-13 Thread Jeffrey Altman
Have you tried using the SSLv23_method() instead of the SSLv3_method()?
> The problem is that if I use SSLv3_method to connect to a client that
> supports SSLv2 ONLY. Then we function ssl3_get_record always returns "WRONG
> VERSION NUMBER". Should I try to connect again with SSLv2_method??
>
> O

Re: Serious Bug in ssl3_get_record

2000-09-13 Thread Fung
The problem is that if I use SSLv3_method to connect to a client that supports SSLv2 ONLY. Then we function ssl3_get_record always returns "WRONG VERSION NUMBER". Should I try to connect again with SSLv2_method??
On Sat, Sep 09, 2000 at 09:19:34AM +0800, Fung wrote:
> If you look at the source c

Re: Serious Bug in ssl3_get_record

2000-09-12 Thread Bodo Moeller
On Sat, Sep 09, 2000 at 09:19:34AM +0800, Fung wrote:
> If you look at the source code, you will see the following
> static int ssl3_get_record(SSL *s)
> [...skipped]
> n=ssl3_read_n(s,SSL3_RT_HEADER_LENGTH,
>SSL3_RT_MAX_PACKET_SIZE,0);
> if (n <= 0) return(n); /* error or non-blocking */

Re: Serious Bug in ssl3_get_record

2000-09-08 Thread Bodo Moeller
On Fri, Sep 08, 2000 at 05:44:35PM +0800, Fung wrote:
> I have found that there is a serious bug located in the static
> function ssl3_get_record in s3_pkt.c. The fault is that the function
> NEVER gets the version number of SSL and MUST return "wrong version
> number" error. That means if I cre

Serious Bug in ssl3_get_record

2000-09-08 Thread Fung
Hi all,
I have found that there is a serious bug located in the static function ssl3_get_record in s3_pkt.c. The fault is that the function NEVER gets the version number of SSL and MUST return "wrong version number" error. That means if I create SSL_CTX with SSLv3_method, then I get "wrong