authorDr. Stephen Henson <steve@openssl.org>2000-02-15 14:19:44 +0000
committerDr. Stephen Henson <steve@openssl.org>2000-02-15 14:19:44 +0000
commitde469ef21e4117908cc770f9ca25a26a01f9be38 (patch)
treeb2bfc3e899716f5ef736a66a7b81c15744e69c5f
parentea96c4bc7f4983348d45257d4453490330404b18 (diff)
Fix for Netscape "hang" bug.
-rw-r--r--CHANGES6
-rw-r--r--bugs/SSLv38
-rw-r--r--ssl/s3_srvr.c18
3 files changed, 32 insertions, 0 deletions
diff --git a/CHANGES b/CHANGES
index 6457df55ca..b436189523 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,12 @@
Changes between 0.9.4 and 0.9.5 [xx XXX 2000]
+ *) Work around for Netscape hang bug. This sends certificate request
+ and server done in one record. Since this is perfectly legal in the
+ SSL/TLS protocol it isn't a "bug" option and is on by default. See
+ the bugs/SSLv3 entry for more info.
+ [Steve Henson]
+
*) HP-UX tune-up: new unified configs, HP C compiler bug workaround.
[Andy Polyakov]
diff --git a/bugs/SSLv3 b/bugs/SSLv3
index 2e22a65cdd..db53e1343a 100644
--- a/bugs/SSLv3
+++ b/bugs/SSLv3
@@ -39,3 +39,11 @@ SSL_shutdown() and still sharing the socket with its parent).
Netscape, when using export ciphers, will accept a 1024 bit temporary
RSA key. It is supposed to only accept 512.
+
+If Netscape connects to a server which requests a client certificate
+it will frequently hang after the user has selected one and never
+complete the connection. Hitting "Stop" and reload fixes this and
+all subsequent connections work fine. This appears to be because
+Netscape wont read any new records in when it is awaiting a server
+done message at this point. The fix is to send the certificate request
+and server done messages in one record.
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index b6b09e917c..c18b9c9131 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -57,6 +57,8 @@
*/
#define REUSE_CIPHER_BUG
+#define NETSCAPE_HANG_BUG
+
#include <stdio.h>
#include <openssl/buffer.h>
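Review bot: `#define NETSCAPE_HANG_BUG` is unconditional, so the `#ifndef NETSCAPE_HANG_BUG` branches introduced later in this file are dead code and there is no Configure or SSL_OP_ knob to turn the behaviour off, which is not obvious from the bare define. The CHANGES entry explains that sending CertificateRequest and ServerDone in one record is protocol-legal and therefore always on; that rationale belongs next to the define as well, e.g. `/* Always on: sending CertificateRequest+ServerDone in one record is legal SSL/TLS and works around the Netscape hang (see bugs/SSLv3). */`. If a runtime opt-out is ever wanted, this would be the place to gate it.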
@@ -313,7 +315,12 @@ int ssl3_accept(SSL *s)
s->s3->tmp.cert_request=1;
ret=ssl3_send_certificate_request(s);
if (ret <= 0) goto end;
+#ifndef NETSCAPE_HANG_BUG
s->state=SSL3_ST_SW_SRVR_DONE_A;
+#else
+ s->state=SSL3_ST_SW_FLUSH;
+ s->s3->tmp.next_state=SSL3_ST_SR_CERT_A;
+#endif
s->init_num=0;
}
break;
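Review bot: The jump to `SSL3_ST_SW_FLUSH` with `next_state=SSL3_ST_SR_CERT_A` silently depends on ssl3_send_certificate_request() having appended the ServerDone message to init_buf in the other hunk; nothing at this site says so, and a later change to that function would leave this path never sending ServerDone, which a client would see as a stalled handshake rather than an error. Add a why-comment on the `#else` branch: `/* NETSCAPE_HANG_BUG: ServerDone was appended to the CertificateRequest in ssl3_send_certificate_request(), so skip SSL3_ST_SW_SRVR_DONE_A. */`. Note also that on this path the state machine never passes through SSL3_ST_SW_SRVR_DONE_A, so anything keyed on observing that state (info callbacks, handshake tracing) will not see it when a client certificate is requested; that is presumably acceptable but worth stating. ssl3_accept() begins and ends outside the hunk.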
@@ -1194,6 +1201,17 @@ static int ssl3_send_certificate_request(SSL *s)
s->init_num=n+4;
s->init_off=0;
+#ifdef NETSCAPE_HANG_BUG
+ p=(unsigned char *)s->init_buf->data + s->init_num;
+
+ /* do the header */
+ *(p++)=SSL3_MT_SERVER_DONE;
+ *(p++)=0;
+ *(p++)=0;
+ *(p++)=0;
+ s->init_num += 4;
+#endif
+
}
/* SSL3_ST_SW_CERT_REQ_B */
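Review bot: The four ServerDone header bytes are written at `s->init_buf->data + s->init_num` without a visible BUF_MEM_grow() for the extra room; the grow for this message happens earlier in the function, outside the hunk, so it cannot be confirmed from here that it already reserves these 4 bytes, and if it sizes the buffer exactly this is a heap write past the end. Safer to grow explicitly before writing, `if (!BUF_MEM_grow(s->init_buf,s->init_num+4)) goto err;` (or whatever error exit the function uses), which also keeps the append correct if the message layout changes. A one-line comment tying this to the state machine would help the next reader: `/* NETSCAPE_HANG_BUG: append a zero-length ServerDone so both messages go out in one record; ssl3_accept() skips SSL3_ST_SW_SRVR_DONE_A. */`. Whether the appended bytes are folded into the handshake hash depends on the subsequent write path, which is outside the hunk. ssl3_send_certificate_request() begins before the hunk.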