Question about handshake error

Matt Caswell matt at openssl.org
Wed Mar 11 17:27:43 UTC 2020



On 11/03/2020 17:08, Niki Dinsey wrote:
> As for going back to the software vendor, I absolutely want to but don't
> hold out too much hope they will change anything. 
> I'm basically going to say this:
> 
> The certificate chain contains two redundant root certificates, these
> should be removed as there is no need to send root certificates and
> because they are signed with SHA1 stricter servers like Debian are
> dropping the connection.

Replace "stricter servers" with "stricter clients".

You might like to point them to my email explaining the issue in more
detail:

https://mta.openssl.org/pipermail/openssl-users/2020-March/012006.html


> 
> Does that sound about right?
> 
> As for the conversation with Viktor, it's all over my head! Can I just
> ignore and get back to work? Thanks again

Yes - ignore it. Viktor is suggesting that the unknown server that is
being used might actually be OpenSSL - in which case we might want to
make a change to our code so that it is more tolerant of this
mis-configuration. It makes no difference to you though.

Matt



> 
> Niki  
> 
> On Wed, 11 Mar 2020 at 15:33, Viktor Dukhovni
> <openssl-users at dukhovni.org> wrote:
> 
>     On Wed, Mar 11, 2020 at 11:31:51AM -0400, Viktor Dukhovni wrote:
> 
>     > I think the server could be OpenSSL, because why I made sure that
> 
>     s/why/while/.
> 
>     > self-signed CA signatures are not subjected to security levels in
>     > x509_vfy.c, the same exclusion does not appear to be present in:
>     >
>     >     int ssl_security_cert(SSL *s, SSL_CTX *ctx, X509 *x, int vfy, int is_ee)
>     > [...]
> 
>     -- 
>         Viktor.
> 
> 
> 

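An added example (not part of the thread and not OpenSSL code): a standard-library Python check that walks each certificate in a server-sent chain and reports which ones are self-issued and which carry a SHA-1 signature, the two properties the message above asks the vendor to fix. The certificates are unsigned, structure-only stand-ins constructed for the demo; `audit`, `fake_cert` and the CA names are hypothetical, and issuer == subject is used as an approximation of "root certificate".

```python
# Added example: flag self-issued and SHA-1-signed certificates in a sent chain.
SHA1_OIDS = {bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption",
             bytes.fromhex("2a8648ce3d0401"): "ecdsa-with-SHA1"}

def tlv(buf, pos):                          # (value_start, value_end) of element at pos
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form DER length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def children(elem):                         # full encodings nested inside elem
    pos, end = tlv(elem, 0)
    out = []
    while pos < end:
        nxt = tlv(elem, pos)[1]
        out.append(elem[pos:nxt])
        pos = nxt
    return out

def audit(cert_der):
    tbs, sig_alg, _signature = children(cert_der)
    fields = children(tbs)
    if fields[0][0] == 0xA0:                # optional [0] version
        fields = fields[1:]
    issuer, subject = fields[2], fields[4]  # serial, alg, issuer, validity, subject
    oid = children(sig_alg)[0]
    start, end = tlv(oid, 0)
    return {"self_issued": issuer == subject, "sha1": SHA1_OIDS.get(oid[start:end])}

def der(tag, *parts):                       # tiny encoder, bodies under 256 bytes
    body = b"".join(parts)
    hdr = bytes([len(body)]) if len(body) < 128 else bytes([0x81, len(body)])
    return bytes([tag]) + hdr + body

def fake_cert(subject, issuer, sig_oid_hex):  # constructed stand-in, no real key/signature
    def name(cn):
        return der(0x30, der(0x31, der(0x30, der(6, b"\x55\x04\x03"), der(12, cn.encode()))))
    alg = der(0x30, der(6, bytes.fromhex(sig_oid_hex)), der(5))
    when = der(0x17, b"200101000000Z")
    tbs = der(0x30, der(0xA0, der(2, b"\x02")), der(2, b"\x01"), alg,
              name(issuer), der(0x30, when, when), name(subject), der(0x30))
    return der(0x30, tbs, alg, der(3, b"\x00"))

SHA256, SHA1 = "2a864886f70d01010b", "2a864886f70d010105"
CHAIN = [fake_cert("leaf.example.test", "Constructed Intermediate CA", SHA256),
         fake_cert("Constructed Intermediate CA", "Constructed Root CA 1", SHA256),
         fake_cert("Constructed Root CA 1", "Constructed Root CA 1", SHA1),
         fake_cert("Constructed Root CA 2", "Constructed Root CA 2", SHA1)]
print([audit(c) for c in CHAIN])
```

To run `audit` on a real chain, convert each PEM block to DER first with `ssl.PEM_cert_to_DER_cert`; the check inspects structure only and does not verify signatures.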
