author: Dr. Stephen Henson <steve@openssl.org> 2012-04-17 15:12:09 +0000
committer: Dr. Stephen Henson <steve@openssl.org> 2012-04-17 15:12:09 +0000
commit: 800e1cd969f5c89f142857f63416b44ab063fb1b (patch)
tree: dcaeca0dfb1111a4e208eec970c4660295ec6b8a /CHANGES
parent: 293706e72c314b0155f4e7062e57db4b48d0e60e (diff)
Additional workaround for PR#2771
If OPENSSL_MAX_TLS1_2_CIPHER_LENGTH is set then limit the size of client ciphersuites to this value. A value of 50 should be sufficient. Document workarounds in CHANGES.
Diffstat (limited to 'CHANGES')
-rw-r--r-- CHANGES 13
1 files changed, 13 insertions, 0 deletions
diff --git a/CHANGES b/CHANGES
index c596c35e45..6bd5420d2c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -291,6 +291,19 @@
Changes between 1.0.1 and 1.0.1a [xx XXX xxxx]
+ *) Workarounds for some broken servers that "hang" if a client hello
+ record length exceeds 255 bytes:
+
+ 1. Do not use record version number > TLS 1.0 in initial client
+ hello: some (but not all) hanging servers will now work.
+ 2. If we set OPENSSL_MAX_TLS1_2_CIPHER_LENGTH this will truncate
+ the number of ciphers sent in the client hello. This should be
+ set to an even number, such as 50, for example by passing:
+ -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure.
+ Most broken servers should now work.
+ 3. If all else fails setting OPENSSL_NO_TLS1_2_CLIENT will disable
+ TLS 1.2 client support entirely.
+
*) Fix SEGV in Vector Permutation AES module observed in OpenSSH.
[Andy Polyakov]
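Review bot: the new entry has no bracketed attribution line, which every other entry in this file carries (compare "[Andy Polyakov]" under the SEGV fix immediately below); add one such as "[Steve Henson]" after item 3 so the entry matches the file's convention. Item 2 is also ambiguous about what OPENSSL_MAX_TLS1_2_CIPHER_LENGTH counts: the text says it will "truncate the number of ciphers sent", yet it must be "an even number" and the macro is named _LENGTH. A ciphersuite is two bytes on the wire, so "even" only makes sense if this is a byte limit on the ciphersuite list; say so explicitly (50 bytes is 25 suites) and state that suites beyond the limit are silently dropped from the hello, since a user who sets this will otherwise not expect entries from their cipher string to disappear. In item 1, "record version number" would read more clearly as the record-layer version field, to distinguish it from the client_version inside the ClientHello, which the workaround leaves at TLS 1.2.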