[openssl-dev] [openssl.org #4524] [BUG] TLS 1.2 handshake hangs for TLS 1.0 only hosts

Henrik Hofmeister via RT rt at openssl.org
Sun May 1 07:32:17 UTC 2016


Thank you all for the assistance - trying to convince Qt/C++ SSL sockets to do as you've described by cutting down on ciphers. I did check std Google Chrome ClientHello which does only contain about 10 cipher suites - where Qt seems to include a lot more (all supported) - so what I'm trying to determine now is which can I safely skip - based on name, bit, protocol - this is for a web browser so if anyone has any insight into which ciphers make sense here that'd be greatly appreciated - for now I'm trying to just use the same as other browsers.
Thank you again!

On Sat, Apr 30, 2016 at 5:44 PM -0700, "Stephen Henson via RT" <rt at openssl.org> wrote:

On Sat Apr 30 21:23:30 2016, henrik at newdawn.dk wrote:
> Since this is a MS IIS 7.0 server I would argue that it'd be in the
> interest of openssl to handle the situation rather than accept this
> scenario - since IIS is likely powering more than a few hosts? It is
> possible to have the host correctly list its supported protocols using
> nmap - I'd assume the TLS1.2 attempt can be avoided altogether (
> without knowing any implementation details or if that adds overhead
> though ) ?
>

As others have indicated this is a known bug with a load balancer and not IIS.

As well as the solutions suggested, you can try the -bugs option to s_client
which pads client hellos to work around this issue.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4524
Please log in as guest with password guest if prompted

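Added example (not code from this thread, from Qt or from OpenSSL): a small Python builder for a TLS 1.2 ClientHello that shows how the number of offered cipher suites drives the handshake message size, and applies the same rule as OpenSSL's padding workaround (the `-bugs` option, `SSL_OP_TLSEXT_PADDING`), which pads a ClientHello that falls between 256 and 511 bytes out to 512 bytes with a zero-filled padding extension. The cipher suite lists and the host name are constructed for illustration.

```python
import os
import struct

# Constructed browser-style list of IANA cipher suite code points (an
# illustration, not a claim about what any particular browser sends).
SHORT_SUITES = [0xC02B, 0xC02F, 0xC02C, 0xC030, 0xCCA9, 0xCCA8,
                0xC013, 0xC014, 0x009C, 0x009D, 0x002F, 0x0035]
# Constructed stand-in for "offer everything the library supports".
EVERYTHING = [0xC001 + i for i in range(100)]
SNI_EXT, PADDING_EXT = 0x0000, 0x0015  # RFC 6066 server_name, RFC 7685 padding


def sni_extension(host):
    """server_name extension carrying one host_name entry."""
    name = host.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    body = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", SNI_EXT, len(body)) + body


def client_hello(host, suites, pad_like_openssl_bugs=False):
    """Return a TLS record holding a TLS 1.2 ClientHello (empty session id,
    null compression, SNI only). The optional padding mirrors OpenSSL's
    SSL_OP_TLSEXT_PADDING: a handshake message of 256..511 bytes is padded
    to exactly 512 bytes."""
    ext = sni_extension(host)
    fixed = (b"\x03\x03" + os.urandom(32) + b"\x00"
             + struct.pack("!H", 2 * len(suites))
             + b"".join(struct.pack("!H", s) for s in suites)
             + b"\x01\x00")

    def handshake(extensions):
        body = fixed + struct.pack("!H", len(extensions)) + extensions
        return b"\x01" + struct.pack("!I", len(body))[1:] + body  # 3-byte len

    msg = handshake(ext)
    if pad_like_openssl_bugs and 256 <= len(msg) < 512:
        pad = 512 - len(msg) - 4  # 4 bytes go to the extension header
        msg = handshake(ext + struct.pack("!HH", PADDING_EXT, pad) + b"\x00" * pad)
    return b"\x16\x03\x01" + struct.pack("!H", len(msg)) + msg


def handshake_len(record):
    """Length of the ClientHello handshake message, record header excluded."""
    return len(record) - 5


if __name__ == "__main__":
    for label, suites in (("short list", SHORT_SUITES), ("everything", EVERYTHING)):
        plain = handshake_len(client_hello("example.com", suites))
        padded = handshake_len(client_hello("example.com", suites, True))
        print(f"{label}: {len(suites)} suites -> {plain} bytes, with -bugs padding {padded}")
```

Each extra cipher suite adds two bytes, so a long "all supported" list pushes the message past 256 bytes while the short list stays well under it; the padding rule only changes messages in the 256..511 range.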