[openssl-dev] [openssl.org #4524] [BUG] TLS 1.2 handshake hangs for TLS 1.0 only hosts
Viktor Dukhovni
openssl-users at dukhovni.org
Sat Apr 30 21:53:30 UTC 2016
> On Apr 30, 2016, at 5:26 PM, Salz, Rich <rsalz at akamai.com> wrote:
>
>> Since this is a MS IIS 7.0 server I would argue that it'd be in the interest of
>> openssl to handle the situation rather than accept this scenario - since IIS is
>> likely powering more than a few hosts?
>
> It's a known bug, and openssl can work around the bug by configuring as described.

To be clear, it is a known issue in some F5 load-balancers that has been addressed
since, and a few other rather unusual systems. All systems that have trouble with
the larger TLS client HELLO should have been patched by now, and the problem is
entirely on their end.

I should also add that in OpenSSL 1.1.0 a lot of TLS ciphers that are obsolete
or unnecessary baggage have been phased out. So the 1.1.0 release may well
be more interoperable with such servers.

--
Viktor.