]>
Commit | Line | Data |
---|---|---|
d02b48c6 RE |
1 | So far... |
2 | ||
3 | ssl3.netscape.com:443 does not support client side dynamic | |
4 | session-renegotiation. | |
5 | ||
6 | ssl3.netscape.com:444 (asks for client cert) sends out all the CA RDN | |
7 | in an invalid format (the outer sequence is removed). | |
8 | ||
9 | Netscape-Commerce/1.12, when talking SSLv2, accepts a 32 byte | |
10 | challenge but then appears to only use 16 bytes when generating the | |
11 | encryption keys. Using 16 bytes is ok but it should be ok to use 32. | |
12 | According to the SSLv3 spec, one should use 32 bytes for the challenge | |
13 | when opperating in SSLv2/v3 compatablity mode, but as mentioned above, | |
14 | this breaks this server so 16 bytes is the way to go. | |
15 | ||
16 | www.microsoft.com - when talking SSLv2, if session-id reuse is | |
17 | performed, the session-id passed back in the server-finished message | |
18 | is different from the one decided upon. | |
19 | ||
20 | ssl3.netscape.com:443, first a connection is established with RC4-MD5. | |
21 | If it is then resumed, we end up using DES-CBC3-SHA. It should be | |
22 | RC4-MD5 according to 7.6.1.3, 'cipher_suite'. | |
23 | Netscape-Enterprise/2.01 (https://merchant.netscape.com) has this bug. | |
24 | It only really shows up when connecting via SSLv2/v3 then reconnecting | |
25 | via SSLv3. The cipher list changes.... | |
26 | NEW INFORMATION. Try connecting with a cipher list of just | |
27 | DES-CBC-SHA:RC4-MD5. For some weird reason, each new connection uses | |
28 | RC4-MD5, but a re-connect tries to use DES-CBC-SHA. So netscape, when | |
29 | doing a re-connect, always takes the first cipher in the cipher list. | |
30 | ||
31 | If we accept a netscape connection, demand a client cert, have a | |
32 | non-self-sighed CA which does not have it's CA in netscape, and the | |
33 | browser has a cert, it will crash/hang. Works for 3.x and 4.xbeta | |
34 | ||
35 | Netscape browsers do not really notice the server sending a | |
36 | close notify message. I was sending one, and then some invalid data. | |
37 | netscape complained of an invalid mac. (a fork()ed child doing a | |
38 | SSL_shutdown() and still sharing the socket with its parent). | |
39 | ||
40 | Netscape, when using export ciphers, will accept a 1024 bit temporary | |
41 | RSA key. It is supposed to only accept 512. | |
de469ef2 DSH |
42 | |
43 | If Netscape connects to a server which requests a client certificate | |
44 | it will frequently hang after the user has selected one and never | |
45 | complete the connection. Hitting "Stop" and reload fixes this and | |
46 | all subsequent connections work fine. This appears to be because | |
47 | Netscape wont read any new records in when it is awaiting a server | |
48 | done message at this point. The fix is to send the certificate request | |
49 | and server done messages in one record. |