diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2012-04-17 15:12:09 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2012-04-17 15:12:09 +0000 |
commit | 800e1cd969f5c89f142857f63416b44ab063fb1b (patch) | |
tree | dcaeca0dfb1111a4e208eec970c4660295ec6b8a /CHANGES | |
parent | 293706e72c314b0155f4e7062e57db4b48d0e60e (diff) |
Additional workaround for PR#2771
If OPENSSL_MAX_TLS1_2_CIPHER_LENGTH is set then limit the size of client
ciphersuites to this value. A value of 50 should be sufficient.
Document workarounds in CHANGES.
Diffstat (limited to 'CHANGES')
-rw-r--r-- | CHANGES | 13 |
1 files changed, 13 insertions, 0 deletions
@@ -291,6 +291,19 @@ Changes between 1.0.1 and 1.0.1a [xx XXX xxxx] + *) Workarounds for some broken servers that "hang" if a client hello + record length exceeds 255 bytes: + + 1. Do not use record version number > TLS 1.0 in initial client + hello: some (but not all) hanging servers will now work. + 2. If we set OPENSSL_MAX_TLS1_2_CIPHER_LENGTH this will truncate + the number of ciphers sent in the client hello. This should be + set to an even number, such as 50, for example by passing: + -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure. + Most broken servers should now work. + 3. If all else fails setting OPENSSL_NO_TLS1_2_CLIENT will disable + TLS 1.2 client support entirely. + *) Fix SEGV in Vector Permutation AES module observed in OpenSSH. [Andy Polyakov] |