OpenSSL: SessionTicket TLS extension problem

Posted by rursw1 on Stack Overflow See other posts from Stack Overflow or by rursw1
Published on 2010-04-19T12:56:08Z Indexed on 2010/04/21 13:43 UTC
Read the original article Hit count: 262

Filed under:

openssl

|

tls

|

handshaking

|

c++

Hello,

I'm using an application which uses OpenSSL for client TLS side. We upgrade the OpenSSL version from 0.9.8e to 0.9.8k. And then TLS doesn't work...

Wireshark shows that the new version (with OpenSSL 0.9.8k) sends the client hello packet with a SessionTicket extension - and the server side responds with a fatal internal error.

The previous version sends an almost identical hello packet, but without the SessionTicket ext.

When I replaced TLSv1_client_method with SSLv23_client_method, everything worked fine - the sent client hello packet was a SSLv2 one (In the sniffer) without any extension (as it wasn't TLS but SSL?)

Is there a better way to disable this extension or to solve the problem in another way?

Thanks in advance, rursw1

© Stack Overflow or respective owner

Related posts about openssl

Redhat | Openssl installation error

as seen on Server Fault - Search for 'Server Fault'
make -f objs/Makefile make[1]: Entering directory `/root/fuse-ssh/nginx-0.7.65' cd /usr/bin/openssl \ && make clean \ && ./config --prefix=/usr/bin/openssl/.openssl no-shared no-threads \ && make \ && make install /bin/sh: line 0: cd:… >>> More
Redhat | Openssl installation error

as seen on Stack Overflow - Search for 'Stack Overflow'
make -f objs/Makefile make[1]: Entering directory `/root/fuse-ssh/nginx-0.7.65' cd /usr/bin/openssl \ && make clean \ && ./config --prefix=/usr/bin/openssl/.openssl no-shared no-threads \ && make \ && make install /bin/sh: line 0: cd:… >>> More
Upgrade OpenSSL 0.9.8k to OpenSSL 1.0.1c on Ubuntu 10.04

as seen on Server Fault - Search for 'Server Fault'
We're currently using Ubuntu 10.04 and based on the PCI Compliance results, we're told to upgrade our OpenSSL. I attempted to do this using this reference: http://sandilands.info/sgordon/upgrade-latest-version-openssl-on-ubuntu and http://www.lunarforums.com/dedicated_web_hosting_at_lunarpages/upgrading_openssl-t35015… >>> More
Installing OpenSSL that supports SNI along with previous version of OpenSSL

as seen on Server Fault - Search for 'Server Fault'
So I learned that to host multiple HTTPS websites on the same IP address you need an OpenSSL version that supports SNI (0.9.8f and higher). My RHEL5 box currently has 0.9.8e and Apache version httpd-2.2.26-2.el5. According to a same question here it's not a good idea to replace the original version… >>> More
Solaris X86 AESNI OpenSSL Engine

as seen on Oracle Blogs - Search for 'Oracle Blogs'
Solaris X86 AESNI OpenSSL Engine Cryptography is a major component of secure e-commerce. Since cryptography is compute intensive and adds a significant load to applications, such as SSL web servers (https), crypto performance is an important factor. Providing accelerated crypto hardware greatly… >>> More

Related posts about tls

OpenVPN Error : TLS Error: local/remote TLS keys are out of sync: [AF_INET]

as seen on Server Fault - Search for 'Server Fault'
Fist off thanks for reading this, I appreciate any and all suggestions. I am having some serious problems reconnecting to my OpenVPN client using Riseup.net's VPN. I have spent a few days banging my head against the wall in attempts to set this up on my iOS devices....but that is a whole other issue… >>> More
Using SSL on slapd

as seen on Server Fault - Search for 'Server Fault'
I am setting up slapd to use SSL on Fedora 14. I have the following in my /etc/openldap/slapd.d/cn=config.ldif: olcTLSCACertificateFile: /etc/pki/tls/certs/SSL_CA_Bundle.pem olcTLSCertificateFile: /etc/pki/tls/certs/mydomain.crt olcTLSCertificateKeyFile: /etc/pki/tls/private/mydomain.key olcTLSCipherSuite:… >>> More
OpenLDAP, howto allow both secure (TLS) and unsecure (normal) connections?

as seen on Server Fault - Search for 'Server Fault'
Installed OpenLDAP 2.4 on FreeBSD 8.1. It works for ordinary connections OR for TLS connections. I can change it by (un)commenting the following lines in slapd.conf. # Enable TLS #security ssf=128 # Disable TLS security ssf=0 Is there a way to allow the clients to connect using TLS OR no-TLS… >>> More
Can't access Postfix TLS/SSL

as seen on Server Fault - Search for 'Server Fault'
I have set up my Postfix, with TLS/SSL, correctly. Every test on the machine itself (with telnet) runs fine. However, when I want to access the server from somewhere else, it fails. So port 587 and the rest is blocked for some reason, but I don't really know where. >>> More
Directory listing through FTPS (TLS) is not working

as seen on Server Fault - Search for 'Server Fault'
We recently switched our server to require TLS for every connection. This is working flawlessly so far, but one of our clients is having problems. Some facts: Server uses Pure-FTPD Server has a passive port range configured Server has no firewall limitations regarding the FTP Client uses WS FTP Client… >>> More