On 31-07-2015 23:06, Viktor Dukhovni wrote:
> On Fri, Jul 31, 2015 at 08:47:45PM +0000, Felix Almeida wrote:
>
>> I've tested other OpenSSL versions and everything goes well up to version
>> 1.0.1o, starting from 1.0.2 I see this handshake error.
>
> It seems you're posting follow-ups without checking whether your
> original post was answered.
>
>> I also tried to disable TLS on 1.0.2d by passing "no-tls" to the config
>> script, but this broke the building process (make stopped with an error).
>> So I believe I will stick with version 1.0.1o for now. :-\
>
> Or configure a cipherlist more compatible with a long obsolete and
> no longer supported Windows 2003 TLS stack.
>

The Windows 2003 TLS stack became unsupported for most (but /not all/)
users less than 20 days ago. Treating it as marginal and not as
something that any core networking library needs to be compatible with
(or even *tested* with) out of the box is another symptom of the useless
attitudes that permeate the new OpenSSL leadership.

The old OpenSSL project belonged to the long standing tradition of
making sure that Internet software works with the quirks of anything it
could reasonably encounter on any real world network, including both the
Internet, the US military networks (which have allegedly paid a boatload
of money for continued Win2003 support) and any closed site networks
that reuse Internet protocols for their internal operations.

It would have been a serious brown bag moment for the old maintainers to
discover this in a release made that close to (if not even overlapping)
the vendor support period for such a widely deployed system.

There is a lot of utility software which is linked to OpenSSL libraries
with very little user configurability and which is simply expected to
"just work" when transferring data off a (not so) old Windows computer.

The old team would have gone out of their way to make sure the standard
OpenSSL code would generate backward compatible hello records by
default, e.g. by ensuring that the strongest enabled Win 5.x compatible
cipher was within the first 64 ciphers if that is indeed the technical
solution.

Such real world quality issues are much more important than making sure
broken test tools don't complain that code to prevent accidental heap
corruption is not being called by the current test suite because the
relevant coding errors have not yet happened.

OpenSSL is supposed to make sure that practical tools such as wget,
curl, fetchmail etc. etc. can talk to almost any old SSL/TLS
implementation that might be found in a dusty basement or on an old
backup tape somewhere. Talking to an old Netscape Navigator 3.x or a
clunky old printer should have a high chance of working, while talking
to anything popular that was up to date with official security updates
less than 2 years ago (let alone a month) is a simple must.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Soborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
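The thread above leaves two concrete things an administrator can check before blaming the peer: whether the cipher list a client offers still contains anything the old stack accepts, and where in the offer that suite sits, given Jakob's (self-described as unconfirmed) hypothesis that it has to fall within the first 64 entries. The Python below is an added illustration written for this page, not code from the thread or from the OpenSSL project. It parses the text format of `openssl ciphers -v` (the sample output is constructed and much shorter than a real 1.0.2 list), reports the position of the first peer-acceptable suite and the byte size of the ClientHello cipher_suites vector that many suites produce, and shows how to trim the offer so that suite lands inside a chosen threshold while keeping the client's own preference order for the modern suites that remain. The set `LEGACY_PEER_SUITES` is a placeholder assumption standing in for whatever the real legacy peer negotiates; it is not a verified Windows 2003 suite list.

```python
"""Check an OpenSSL-style ordered cipher list against a legacy peer.

Added example for this page; not OpenSSL project code. The sample
`openssl ciphers -v` output and the legacy suite set are constructed
assumptions used so the script runs offline.
"""
from typing import Dict, List, Optional, Set

# Constructed sample of `openssl ciphers -v` output, highest preference first.
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384   TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384     TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES256-SHA        SSLv3   Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
AES256-GCM-SHA384           TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-SHA                  SSLv3   Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA                  SSLv3   Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
DES-CBC3-SHA                SSLv3   Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
"""

# Assumed suites an old TLS 1.0-only peer accepts. Illustrative placeholder,
# not a verified Windows 2003 list: replace with what the real peer negotiates.
LEGACY_PEER_SUITES: Set[str] = {"AES128-SHA", "AES256-SHA", "DES-CBC3-SHA"}

# Offer-position threshold taken from the discussion ("within the first 64").
MAX_OFFER_POSITION = 64


def parse_ciphers_v(text: str) -> List[Dict[str, str]]:
    """Parse `openssl ciphers -v` lines into dicts, preserving preference order."""
    suites: List[Dict[str, str]] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue  # blank or malformed line
        entry = {"name": fields[0], "version": fields[1]}
        for field in fields[2:]:  # Kx=..., Au=..., Enc=..., Mac=...
            key, _, value = field.partition("=")
            if value:
                entry[key] = value
        suites.append(entry)
    return suites


def first_compatible_position(ordered: List[str], peer_suites: Set[str]) -> Optional[int]:
    """1-based position of the first offered suite the peer accepts, or None."""
    for pos, name in enumerate(ordered, start=1):
        if name in peer_suites:
            return pos
    return None


def cipher_suites_vector_bytes(count: int) -> int:
    """Bytes the ClientHello cipher_suites vector takes: 2-byte length + 2 per suite."""
    return 2 + 2 * count


def check_offer(ordered: List[str], peer_suites: Set[str],
                max_position: int = MAX_OFFER_POSITION) -> Dict[str, object]:
    """Diagnostic summary of an offer as seen by a legacy peer."""
    pos = first_compatible_position(ordered, peer_suites)
    return {
        "offered": len(ordered),
        "vector_bytes": cipher_suites_vector_bytes(len(ordered)),
        "first_compatible_position": pos,
        "within_limit": pos is not None and pos <= max_position,
    }


def fit_within(ordered: List[str], peer_suites: Set[str], max_position: int) -> List[str]:
    """Drop the lowest-ranked suites ahead of the first peer-compatible one so it
    lands at max_position, keeping the client's own order for everything kept."""
    pos = first_compatible_position(ordered, peer_suites)
    if pos is None or pos <= max_position:
        return list(ordered)
    head, tail = ordered[:pos - 1], ordered[pos - 1:]
    return head[:max_position - 1] + tail


def cipherlist_string(ordered: List[str]) -> str:
    """Explicit cipherlist in OpenSSL's colon-separated syntax."""
    return ":".join(ordered)


if __name__ == "__main__":
    names = [s["name"] for s in parse_ciphers_v(SAMPLE_CIPHERS_V)]
    print(check_offer(names, LEGACY_PEER_SUITES))
    print(cipherlist_string(fit_within(names, LEGACY_PEER_SUITES, 3)))
```

To run it against a real build, feed the output of `openssl ciphers -v 'DEFAULT'` (or whatever string the application passes to `SSL_CTX_set_cipher_list`) into `parse_ciphers_v` instead of the sample. The trimmed list only shortens the offer; it does not move the legacy suites ahead of the modern ones, so a current server still picks a modern suite when the client's preference is honoured.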