(linenum→info "unix/slp.c:2238")

openssl/0.9.8g/bugs/SSLv3

    1: So far...
    2: 
    3: ssl3.netscape.com:443 does not support client side dynamic
    4: session-renegotiation.
    5: 
    6: ssl3.netscape.com:444 (asks for client cert) sends out all the CA RDN
    7: in an invalid format (the outer sequence is removed).
    8: 
    9: Netscape-Commerce/1.12, when talking SSLv2, accepts a 32 byte
   10: challenge but then appears to only use 16 bytes when generating the
   11: encryption keys.  Using 16 bytes is ok but it should be ok to use 32.
   12: According to the SSLv3 spec, one should use 32 bytes for the challenge
   13: when opperating in SSLv2/v3 compatablity mode, but as mentioned above,
   14: this breaks this server so 16 bytes is the way to go.
   15: 
   16: www.microsoft.com - when talking SSLv2, if session-id reuse is
   17: performed, the session-id passed back in the server-finished message
   18: is different from the one decided upon.
   19: 
   20: ssl3.netscape.com:443, first a connection is established with RC4-MD5.
   21: If it is then resumed, we end up using DES-CBC3-SHA.  It should be
   22: RC4-MD5 according to 7.6.1.3, 'cipher_suite'.
   23: Netscape-Enterprise/2.01 (https://merchant.netscape.com) has this bug.
   24: It only really shows up when connecting via SSLv2/v3 then reconnecting
   25: via SSLv3. The cipher list changes....
   26: NEW INFORMATION.  Try connecting with a cipher list of just
   27: DES-CBC-SHA:RC4-MD5.  For some weird reason, each new connection uses
   28: RC4-MD5, but a re-connect tries to use DES-CBC-SHA.  So netscape, when
   29: doing a re-connect, always takes the first cipher in the cipher list.
   30: 
   31: If we accept a netscape connection, demand a client cert, have a
   32: non-self-signed CA which does not have it's CA in netscape, and the
   33: browser has a cert, it will crash/hang.  Works for 3.x and 4.xbeta
   34: 
   35: Netscape browsers do not really notice the server sending a
   36: close notify message.  I was sending one, and then some invalid data.
   37: netscape complained of an invalid mac. (a fork()ed child doing a
   38: SSL_shutdown() and still sharing the socket with its parent).
   39: 
   40: Netscape, when using export ciphers, will accept a 1024 bit temporary
   41: RSA key.  It is supposed to only accept 512.
   42: 
   43: If Netscape connects to a server which requests a client certificate
   44: it will frequently hang after the user has selected one and never
   45: complete the connection. Hitting "Stop" and reload fixes this and
   46: all subsequent connections work fine. This appears to be because 
   47: Netscape wont read any new records in when it is awaiting a server
   48: done message at this point. The fix is to send the certificate request
   49: and server done messages in one record.
Syntax (Markdown)