Additional workaround for PR#2771

If OPENSSL_MAX_TLS1_2_CIPHER_LENGTH is set then limit the size of client ciphersuites to this value. A value of 50 should be sufficient. Document workarounds in CHANGES.
author: Dr. Stephen Henson <steve@openssl.org> 2012-04-17 14:41:23 +0000
committer: Dr. Stephen Henson <steve@openssl.org> 2012-04-17 14:41:23 +0000
commit: 89bd25eb26bbc2ebceb4cd892e7453337804820c (patch)
tree: eb7f31e3247c005d9a72adb7ba264be475fdd20c /CHANGES
parent: 4a1cf50187659e60c5867ecbbc36e37b2605d2c3 (diff)
1 files changed, 12 insertions, 3 deletions
diff --git a/CHANGES b/CHANGES
index a834647c10..60f245bd70 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,9 +4,18 @@
 
  Changes between 1.0.1 and 1.0.1a [xx XXX xxxx]
 
-  *)
-
- Changes between 1.0.1 and 1.0.1a [xx XXX xxxx]
+  *) Workarounds for some broken servers that "hang" if a client hello
+     record length exceeds 255 bytes.
+
+     1. Do not use record version number > TLS 1.0 in initial client
+        hello: some (but not all) hanging servers will now work.
+     2. If we set OPENSSL_MAX_TLS1_2_CIPHER_LENGTH this will truncate
+	the number of ciphers sent in the client hello. This should be
+        set to an even number, such as 50, for example by passing:
+        -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure.
+        Most broken servers should now work.
+     3. If all else fails setting OPENSSL_NO_TLS1_2_CLIENT will disable
+	TLS 1.2 client support entirely.
 
   *) Fix SEGV in Vector Permutation AES module observed in OpenSSH.
      [Andy Polyakov]
author	Dr. Stephen Henson <steve@openssl.org>	2012-04-17 14:41:23 +0000
committer	Dr. Stephen Henson <steve@openssl.org>	2012-04-17 14:41:23 +0000
commit	89bd25eb26bbc2ebceb4cd892e7453337804820c (patch)
tree	eb7f31e3247c005d9a72adb7ba264be475fdd20c /CHANGES
parent	4a1cf50187659e60c5867ecbbc36e37b2605d2c3 (diff)