NetBSD-Bugs archive
Re: lib/46878: connection to some https site using openssl causes freeze
The following reply was made to PR lib/46878; it has been noted by GNATS.
From: Izumi Tsutsui <tsutsui%ceres.dti.ne.jp@localhost>
To: gnats-bugs%NetBSD.org@localhost
Cc: tsutsui%ceres.dti.ne.jp@localhost
Subject: Re: lib/46878: connection to some https site using openssl causes freeze
Date: Wed, 3 Oct 2012 21:30:15 +0900
ryoon@ wrote:
> I have tested with openssl-1.0.1-stable-SNAP-20121002.tar.gz
> (OpenSSL 1.0.1d-dev).
> And I cannot connect to the servers.
Actually the renegotiation fix in 1.0.1d is unrelated, i.e.
the following fix doesn't solve the "server hang" problem at all:
http://rt.openssl.org/Ticket/Display.html?id=2811&user=guest&pass=guest
http://cvs.openssl.org/chngview?cn=22565
I'm afraid it means the server side problem can't be resolved
on the client side.
On the other hand, using -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50
on the libssl build works around it, but it seems several people still
claim "it isn't a right fix."
It looks like Wine had the same problem and they fixed it
by disabling TLS 1.2 in their applications per Windows settings:
http://bugs.winehq.org/show_bug.cgi?id=30598
http://source.winehq.org/patches/data/89343
Then, I think at least site-specific applications like nicovideo_dl
should be fixed by disabling TLS 1.2 in them as well.
It would also be worthwhile to make openssl have configurable
settings for equivalents of OPENSSL_MAX_TLS1_2_CIPHER_LENGTH and
OPENSSL_NO_TLS1_2_CLIENT in openssl.cnf as a long-term workaround,
rather than compile-time settings.
---
Izumi Tsutsui
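The two client-side workarounds discussed in this reply, expressed as run-time configuration through Python's ssl module (which wraps OpenSSL), as an added example that is not part of the original message or of OpenSSL itself: disabling TLS 1.2 in the client as Wine did, and capping the ClientHello cipher-suite list the way -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 does at build time. The function names are assumptions of this example; the accounting of two bytes per suite in the cipher_suites vector follows the TLS wire format.

```python
import ssl

# Added example: run-time equivalents of the two workarounds from the PR reply.
# Function names are mine (not OpenSSL API); the ssl module is the standard one.


def client_context_no_tls12() -> ssl.SSLContext:
    """Client context that never offers TLS 1.2 (the Wine-style workaround)."""
    ctx = ssl.create_default_context()
    ctx.options |= ssl.OP_NO_TLSv1_2  # the client stops advertising TLS 1.2
    return ctx


def offers_tls12(ctx: ssl.SSLContext) -> bool:
    """True if the context is still allowed to negotiate TLS 1.2."""
    return not (ctx.options & ssl.OP_NO_TLSv1_2)


def tls12_cipher_names(ctx: ssl.SSLContext) -> list:
    """Pre-TLS-1.3 suites the context would list in its ClientHello, in order."""
    # TLS 1.3 suites are configured separately and are excluded from this count.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def cipher_list_bytes(ctx: ssl.SSLContext) -> int:
    """Bytes the cipher_suites vector occupies on the wire: 2 bytes per suite."""
    return 2 * len(tls12_cipher_names(ctx))


def capped_client_context(max_bytes: int = 50) -> ssl.SSLContext:
    """Client context whose suite list fits in max_bytes, like
    OPENSSL_MAX_TLS1_2_CIPHER_LENGTH=max_bytes; keeps the highest-preference
    suites (50 bytes is 25 suites), which shrinks the ClientHello the
    affected servers choke on."""
    ctx = ssl.create_default_context()
    keep = tls12_cipher_names(ctx)[: max_bytes // 2]
    ctx.set_ciphers(":".join(keep))  # only these suites are offered now
    return ctx


if __name__ == "__main__":
    default = ssl.create_default_context()
    print("default suite list:", cipher_list_bytes(default), "bytes")
    print("capped suite list:", cipher_list_bytes(capped_client_context(50)), "bytes")
    print("TLS 1.2 offered by no-TLS1.2 context:", offers_tls12(client_context_no_tls12()))
```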