[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: lib/46878: connection to some https site using openssl causesfreeze
The following reply was made to PR lib/46878; it has been noted by GNATS.
From: Ryo ONODERA <ryo_on%yk.rim.or.jp@localhost>
To: gnats-bugs%NetBSD.org@localhost, tsutsui%ceres.dti.ne.jp@localhost
Subject: Re: lib/46878: connection to some https site using openssl
Date: Wed, 03 Oct 2012 01:16:16 +0900 (JST)
From: Izumi Tsutsui <tsutsui%ceres.dti.ne.jp@localhost>, Date: Tue, 2 Oct
2012 15:20:03 +0000 (UTC)
> The following reply was made to PR lib/46878; it has been noted by GNATS.
> From: Izumi Tsutsui <tsutsui%ceres.dti.ne.jp@localhost>
> To: gnats-bugs%NetBSD.org@localhost
> Cc: tsutsui%ceres.dti.ne.jp@localhost
> Subject: Re: lib/46878: connection to some https site using openssl
> Date: Wed, 3 Oct 2012 00:18:23 +0900
> ryoon@ wrote:
> > In the end, NetBSD desktop users cannot use these sites with OpenSSL
> > based https, and NetBSD desktop becomes less useful for usual users.
> Unfortunately, most typical NetBSD users and developers have
> less interests in marketing and desktop environments ;-p
> You should rather mention technical merit on it.
> If you'd like to integrate a patch to solve your problem,
> you should mention at least:
> - what's the actual problem
> => SSL access hangs on *some* specific sites?
> - what's the route cause
> => you didn't track it, right?
> - how does the proposed patch fix (or work around) the problem
> => I guess your patch is a "kludge", not a real fix
> (even if ubuntu has accepted it)
> - if the patch is not a "real fix", what's the possible bad side effects
> => appearently network embeded users rather want proper TLS 1.2 support
> rather than nicovideo support (IIRC gnash doesn't support it either)
I will also utilize this list in other PR.
> On the other hand, openssl changelogs say:
> Changes between 1.0.1 and 1.0.1a [19 Apr 2012]
> *) Workarounds for some broken servers that "hang" if a client hello
> record length exceeds 255 bytes:
> 1. Do not use record version number > TLS 1.0 in initial client
> hello: some (but not all) hanging servers will now work.
> 2. If we set OPENSSL_MAX_TLS1_2_CIPHER_LENGTH this will truncate
> the number of ciphers sent in the client hello. This should be
> set to an even number, such as 50, for example by passing:
> -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure.
> Most broken servers should now work.
> 3. If all else fails setting OPENSSL_NO_TLS1_2_CLIENT will disable
> TLS 1.2 client support entirely.
> - the problem was ack'ed by openssl guys
> - apearently the problem is at server side
> - "-DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=XX" could be another compromise
> And 1.0.1d (newer than our 1.0.1c) includes the following entry:
> Changes between 1.0.1c and 1.0.1d [xx XXX xxxx]
> *) Don't use TLS 1.0 record version number in initial client hello
> if renegotiating.
> Could you try this renegotiation change?
> (I have not checked actuall changes though)
I will try to use OpenSSL 1.0.1d.
Thank you, again.
Ryo ONODERA // ryo_on%yk.rim.or.jp@localhost
PGP fingerprint = 82A2 DC91 76E0 A10A 8ABB FD1B F404 27FA C7D1 15F3
Main Index |
Thread Index |