
shibboleth-dev - OpenSSL 0.9.8j and Tomcat

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: OpenSSL 0.9.8j and Tomcat
  • Date: Wed, 4 Feb 2009 20:08:35 -0500
  • Organization: The Ohio State University

Since life's been boring lately, my favorite open source projects have
decided to stir things up. Took me a while to track this down, but I believe
there's an incompatibility between OpenSSL 0.9.8j clients (e.g. libcurl,
i.e. the SP) and Tomcat TLS/SSL servers (most likely anything using the Sun
Java SSL implementation).

The trigger for this is the disabling of SSLv2 or the explicit selection of
SSLv3 or TLSv1 in the client, and it results in various handshaking errors
of different types depending on the option used.

Curl as of version 7.18.1 disables SSLv2 by default if you don't choose a
specific protocol, so as a result, no matter what the SP code does, one of
those triggers is in effect with any recent version.

The actual bug appears to show up only with OpenSSL 0.9.8j. The last SP
release on Windows used either g or h, and nothing else is using j yet for
the most part, since it's very recent. With a cygwin build of 0.9.8i, I
don't get the error.

I've reproduced the behavior with both my own build and a Cygwin version of
0.9.8j. Haven't tried a Unix version yet. I don't need curl to show it,
openssl s_client alone reveals the error. My Tomcat's the latest 6.0, but I
think any version's probably affected.

This leaves me in a little bit of a quandary for the next release, and the
usual response when you raise these sorts of issues is deafening silence,
but I guess I'll try. Independent confirmation of this would be helpful,
particularly with different Tomcat/Java versions.

-- Scott
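Scott asks for independent confirmation. The script below is an added example, not code from the original post or from the Shibboleth SP; it drives `openssl s_client` with the client configurations he names (OpenSSL's default, SSLv2 disabled as curl 7.18.1 and later do, SSLv3 forced, TLSv1 forced) against one server and prints a one-word verdict per run, so results from different Tomcat/Java versions can be compared side by side. It assumes a 0.9.8-era s_client on PATH that still accepts `-no_ssl2`, `-ssl3` and `-tls1` (builds that dropped SSLv2/SSLv3 reject those flags and are reported as unsupported), a placeholder target of `localhost:8443`, and a classifier keyed on the `SSL handshake has read ...` summary line s_client prints on success and the `SSL routines` error lines it prints on failure; the classification strings are this example's assumptions, not anything from the post.

```shell
#!/bin/sh
# Added example, not code from the original post or the Shibboleth SP.
# Probes one TLS server with the client configurations named in the post
# and reports whether each handshake completes. Assumes a 0.9.8-era
# `openssl s_client` on PATH; builds that dropped SSLv2/SSLv3 reject the
# -no_ssl2 / -ssl3 flags and show up as "unsupported".

TARGET=localhost:8443   # assumed placeholder; overridden by $1 below

# Read one s_client transcript on stdin and print a one-word verdict:
#   ok               handshake completed (s_client printed its summary)
#   unsupported      this s_client build does not know the flag
#   no_connect       TCP connect failed, nothing to conclude about TLS
#   handshake_failed OpenSSL reported an error and no summary
#   unknown          none of the expected markers seen
classify_handshake() {
    out=$(cat)
    case "$out" in
        *"unknown option"*)                       echo unsupported ;;
        *"Connection refused"*|*"connect:errno"*) echo no_connect ;;
        *"SSL handshake has read"*)               echo ok ;;
        *"SSL routines"*|*"alert"*)               echo handshake_failed ;;
        *)                                        echo unknown ;;
    esac
}

# Run s_client once with an optional protocol flag. stdin from /dev/null
# makes s_client exit as soon as the handshake finishes or fails.
probe_one() {
    openssl s_client -connect "$TARGET" $1 </dev/null 2>&1 | classify_handshake
}

# The four client configurations: OpenSSL default (SSLv2 still enabled),
# SSLv2 disabled (curl 7.18.1 and later), SSLv3 forced, TLSv1 forced.
probe_all() {
    for flag in "" -no_ssl2 -ssl3 -tls1; do
        printf '%-9s %s\n' "${flag:-default}" "$(probe_one "$flag")"
    done
}

if [ "$#" -gt 0 ]; then
    TARGET=$1
    probe_all
else
    echo "usage: $0 host:port" >&2
fi
```

Run it as `sh probe.sh tomcat-host:8443` once with an 0.9.8i s_client and once with 0.9.8j; the rows that read `ok` under i and `handshake_failed` under j are the triggers described above. Reporting the four verdicts together with the Tomcat and Java versions is the confirmation the post asks for.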




