Re: TLS extensions enabled by default in OpenSSL 0.9.8j (fwd)
Date: Sun, 25 Jan 2009 13:33:31 +0100 (CET)
I'm interested in feedback on how to deal with this new quirk in OpenSSL.
It seems they now enable a feature by default that makes it fail as a client
to connect to old versions of itself as a server!
I would prefer to avoid a new setopt option to alter this, but can we really
come up with a way to do it any other way?
(This mail is simply my response from the users list, forwarded over where I
think we can discuss technical solutions better.)
-- 
/ daniel.haxx.se

---------- Forwarded message ----------
Date: Thu, 22 Jan 2009 19:48:00 +0100 (CET)
From: Daniel Stenberg <daniel_at_haxx.se>
Reply-To: the curl tool <curl-users_at_cool.haxx.se>
To: the curl tool <curl-users_at_cool.haxx.se>
Subject: Re: TLS extensions enabled by default in OpenSSL 0.9.8j

On Thu, 22 Jan 2009, Sharad Gupta wrote:

> Are there any plans on being able to pass the "-no_ticket" option that has
> been introduced in OpenSSL 0.9.8j? It's basically a flag to disable TLS
> extensions which are enabled by default in 0.9.8j release of OpenSSL.

I had trouble finding info on this topic, so I thought I might help others by
mentioning that -no_ticket disables "rfc4507bis session ticket support".
rfc4507bis was later turned into the proper RFC5077 it seems:
http://tools.ietf.org/html/rfc5077

> If I try to use the new openssl library with curl, I am not able to connect
> to SSL enabled HTTP sites using TLSv1. I can only use SSLv3 in that case. And
> as it stands, there is no way that I can tell curl to pass the "no_ticket"
> option to openssl.

Ironically enough it seems servers using older openssl 0.9.7 versions are
showing this problem.

If I understand things right, the following is a work-around:

diff -u -r1.214 ssluse.c
--- lib/ssluse.c	21 Jan 2009 04:42:47 -0000	1.214
+++ lib/ssluse.c	22 Jan 2009 18:51:03 -0000
@@ -1386,7 +1386,7 @@
      implementations is desired." */
-  SSL_CTX_set_options(connssl->ctx, SSL_OP_ALL);
+  SSL_CTX_set_options(connssl->ctx, SSL_OP_ALL|SSL_OP_NO_TICKET);
 
   /* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */
   if(data->set.ssl.version == CURL_SSLVERSION_DEFAULT)

-- 
/ daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/cgi-bin/mailman/listinfo/curl-users
FAQ: http://curl.haxx.se/docs/faq.html
Etiquette: http://curl.haxx.se/mail/etiquette.html

Received on 2009-01-25
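Review bot: the `+  SSL_CTX_set_options(connssl->ctx, SSL_OP_ALL|SSL_OP_NO_TICKET);` line in the ssluse.c hunk will not compile against OpenSSL headers that predate session ticket support, since SSL_OP_NO_TICKET is only defined in releases that implement RFC 5077 tickets; guard it with `#ifdef SSL_OP_NO_TICKET` (or a version check) so older OpenSSL builds keep the original `SSL_OP_ALL` call. Note also that the hunk disables tickets for every connection, not just for the 0.9.7-era servers the thread says mishandle the extension, so stateless session resumption is lost even with servers that support it correctly; a comment next to the option explaining that this is a deliberate compatibility trade-off would help the next reader.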