[openssl-dev] [openssl.org #4524] [BUG] TLS 1.2 handshake hangs for TLS 1.0 only hosts

Viktor Dukhovni openssl-users at dukhovni.org
Sat Apr 30 21:53:30 UTC 2016


> On Apr 30, 2016, at 5:26 PM, Salz, Rich <rsalz at akamai.com> wrote:
> 
>> Since this is a MS IIS 7.0 server I would argue that it'd be in the interest of
>> openssl to handle the situation rather than accept this scenario - since IIS is
>> likely powering more than a few hosts?
> 
> It's a known bug, and openssl can work around the bug by configuring as described.

To be clear, it is a known issue in some F5 load-balancers that has been addressed
since, and a few other rather unusual systems.  All systems that have trouble with
the larger TLS client HELLO should have been patched by now, and the problem is
entirely on their end.

I should also add that in OpenSSL 1.1.0 a lot of TLS ciphers that are obsolete
or unnecessary baggage have been phased out.  So the 1.1.0 release may well
be more interoperable with such servers.

-- 
	Viktor.


