NetBSD-Bugs archive


Re: lib/46878: connection to some https site using openssl causesfreeze



The following reply was made to PR lib/46878; it has been noted by GNATS.

From: Ryo ONODERA <ryo_on%yk.rim.or.jp@localhost>
To: gnats-bugs%NetBSD.org@localhost, tsutsui%ceres.dti.ne.jp@localhost
Cc: 
Subject: Re: lib/46878: connection to some https site using openssl causesfreeze
Date: Wed, 03 Oct 2012 01:16:16 +0900 (JST)

 Hi,
 
 From: Izumi Tsutsui <tsutsui%ceres.dti.ne.jp@localhost>, Date: Tue,  2 Oct 2012 15:20:03 +0000 (UTC)
 
 > The following reply was made to PR lib/46878; it has been noted by GNATS.
 > 
 > From: Izumi Tsutsui <tsutsui%ceres.dti.ne.jp@localhost>
 > To: gnats-bugs%NetBSD.org@localhost
 > Cc: tsutsui%ceres.dti.ne.jp@localhost
 > Subject: Re: lib/46878: connection to some https site using openssl 
 > causesfreeze
 > Date: Wed, 3 Oct 2012 00:18:23 +0900
 > 
 >  ryoon@ wrote:
 >  
 >  >  In the end, NetBSD desktop users cannot use these sites with OpenSSL
 >  >  based https, and NetBSD desktop becomes less useful for usual users.
 >  
 >  Unfortunately, most typical NetBSD users and developers have
 >  less interests in marketing and desktop environments ;-p
 >  You should rather mention technical merit on it.
 >  
 >  If you'd like to integrate a patch to solve your problem,
 >  you should mention at least:
 >  
 >   - what's the actual problem
 >    => SSL access hangs on *some* specific sites?
 >  
 >   - what's the root cause
 >    => you didn't track it, right?
 >  
 >   - how does the proposed patch fix (or work around) the problem
 >    => I guess your patch is a "kludge", not a real fix
 >       (even if ubuntu has accepted it)
 >  
 >   - if the patch is not a "real fix", what's the possible bad side effects
 >    => apparently network embedded users would rather have proper TLS 1.2 support
 >       than nicovideo support (IIRC gnash doesn't support it either)
 
 Thank you.
 I will also utilize this list in other PRs.
 
 >  On the other hand, openssl changelogs say:
 >  
 >  http://www.openssl.org/news/changelog.html
 >  ---
 >  Changes between 1.0.1 and 1.0.1a [19 Apr 2012]
 >      :
 >    *) Workarounds for some broken servers that "hang" if a client hello
 >       record length exceeds 255 bytes:
 >   
 >       1. Do not use record version number > TLS 1.0 in initial client
 >          hello: some (but not all) hanging servers will now work.
 >       2. If we set OPENSSL_MAX_TLS1_2_CIPHER_LENGTH this will truncate
 >          the number of ciphers sent in the client hello. This should be
 >          set to an even number, such as 50, for example by passing:
 >          -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure.
 >          Most broken servers should now work.
 >       3. If all else fails setting OPENSSL_NO_TLS1_2_CLIENT will disable
 >          TLS 1.2 client support entirely.
 >  ---
 >  
 >  - the problem was ack'ed by openssl guys
 >  
 >  - apparently the problem is at server side
 >  
 >  - "-DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=XX" could be another compromise
 >  
 >  And 1.0.1d (newer than our 1.0.1c) includes the following entry:
 >  ---
 >   Changes between 1.0.1c and 1.0.1d [xx XXX xxxx]
 >      :
 >    *) Don't use TLS 1.0 record version number in initial client hello
 >       if renegotiating.
 >  ---
 >  
 >  Could you try this renegotiation change?
 >  (I have not checked actual changes though)
 
 I will try to use OpenSSL 1.0.1d.
 
 Thank you, again.
 
 --
 Ryo ONODERA // ryo_on%yk.rim.or.jp@localhost
 PGP fingerprint = 82A2 DC91 76E0 A10A 8ABB  FD1B F404 27FA C7D1 15F3
 
 
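The quoted OpenSSL changelog turns on one number: servers that hang when the ClientHello record length exceeds 255 bytes, and a build-time cap on the cipher list that keeps the record below that. The script below is an added example, not part of this PR and not OpenSSL's own code. It builds a minimal TLS ClientHello record, reads back the record-length field from the 5-byte record header, and shows how a long cipher list plus the TLS 1.2 extensions (signature_algorithms, curves, SNI) push the record past 255 bytes, and how trimming the cipher_suites vector to 50 bytes brings it back under. The cipher suite codes, curve ids and hostname are constructed placeholders with no meaning beyond their size; reading the OPENSSL_MAX_TLS1_2_CIPHER_LENGTH limit as the byte length of the cipher_suites vector (hence the changelog's "even number") is my assumption. The same `record_length` function can be applied to the first bytes of a captured ClientHello to check whether a client's hello is in the range a server is known to choke on.

```python
import struct

# Constructed sample data: 80 placeholder cipher suite codes. Only the count
# matters here (two bytes per suite on the wire), so these are NOT real IANA
# assignments.
SAMPLE_SUITES = list(range(0x0001, 0x0051))


def ext(ext_type, data):
    """Wrap extension data in the generic extension header (type, length)."""
    return struct.pack("!HH", ext_type, len(data)) + data


def sni_extension(hostname):
    """server_name extension (type 0) carrying one host_name entry."""
    name = hostname.encode()
    entry = struct.pack("!BH", 0, len(name)) + name
    return ext(0x0000, struct.pack("!H", len(entry)) + entry)


def signature_algorithms_extension(pairs):
    """signature_algorithms extension (type 13); this is the TLS 1.2 addition."""
    body = b"".join(struct.pack("!BB", h, s) for h, s in pairs)
    return ext(0x000D, struct.pack("!H", len(body)) + body)


def supported_curves_extension(curve_ids):
    """elliptic_curves extension (type 10) with constructed curve ids."""
    body = b"".join(struct.pack("!H", c) for c in curve_ids)
    return ext(0x000A, struct.pack("!H", len(body)) + body)


# Constructed extension set resembling what a TLS 1.2 client sends:
# SNI (20 bytes), 12 hash/signature pairs (30 bytes), 25 curves (56 bytes).
SAMPLE_EXTENSIONS = [
    sni_extension("example.com"),
    signature_algorithms_extension([(h, s) for h in (2, 4, 5, 6) for s in (1, 2, 3)]),
    supported_curves_extension(list(range(1, 26))),
]


def build_client_hello(suites, extensions, record_version=(3, 1), client_version=(3, 3)):
    """Serialise a ClientHello handshake message inside one TLS record.

    record_version defaults to TLS 1.0 (3,1), which is the first workaround the
    changelog describes; client_version stays TLS 1.2 (3,3). The 32-byte random
    is all zeros to keep the output deterministic; a real client uses os.urandom.
    """
    cipher_bytes = b"".join(struct.pack("!H", s) for s in suites)
    ext_bytes = b"".join(extensions)
    body = (
        struct.pack("!BB", *client_version)
        + bytes(32)                                   # client random (zeros here)
        + b"\x00"                                     # empty session id
        + struct.pack("!H", len(cipher_bytes)) + cipher_bytes
        + b"\x01\x00"                                 # one compression method: null
        + struct.pack("!H", len(ext_bytes)) + ext_bytes
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    header = b"\x16" + struct.pack("!BB", *record_version) + struct.pack("!H", len(handshake))
    return header + handshake


def record_length(record):
    """Length field of the TLS record header (bytes 3 and 4), as a server reads it."""
    return struct.unpack("!H", record[3:5])[0]


def record_version(record):
    """(major, minor) from the record header, the field workaround 1 pins to 3,1."""
    return (record[1], record[2])


def exceeds_255(record):
    """True when the record is in the range the changelog says some servers hang on."""
    return record_length(record) > 255


def truncate_cipher_bytes(suites, max_bytes):
    """Mimic the OPENSSL_MAX_TLS1_2_CIPHER_LENGTH cap (assumed to be a byte length):
    keep only the suites that fit in max_bytes, rounded down to an even count."""
    keep = (max_bytes & ~1) // 2
    return suites[:keep]


def demo():
    """Return (full record length, record length after a 50-byte cipher cap)."""
    full = build_client_hello(SAMPLE_SUITES, SAMPLE_EXTENSIONS)
    trimmed = build_client_hello(truncate_cipher_bytes(SAMPLE_SUITES, 50), SAMPLE_EXTENSIONS)
    return record_length(full), record_length(trimmed)


if __name__ == "__main__":
    full_len, trimmed_len = demo()
    print(f"full TLS 1.2-style hello: {full_len} bytes (> 255: {full_len > 255})")
    print(f"with 50-byte cipher cap:  {trimmed_len} bytes (> 255: {trimmed_len > 255})")
```

With the constructed inputs the full hello is 311 bytes and the capped one 201 bytes, which is the whole effect of the changelog's second workaround: it does not fix the server, it just keeps the client under the threshold the server mishandles. Note that the cap silently drops the suites at the end of the list, so the order in which a build advertises ciphers decides which ones survive; that is the side effect Tsutsui asks about in the thread.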