
shibboleth-dev - Re: [Shib-Dev] OpenSSL 0.9.8j and Tomcat

Subject: Shibboleth Developers

  • From: Kaspar Brand <>
  • To:
  • Subject: Re: [Shib-Dev] OpenSSL 0.9.8j and Tomcat
  • Date: Thu, 05 Feb 2009 08:50:51 +0100

> Since life's been boring lately, my favorite open source projects have
> decided to stir things up. Took me a while to track this down, but I believe
> there's an incompatibility between OpenSSL 0.9.8j clients (e.g. libcurl,
> i.e. the SP) and Tomcat TLS/SSL servers (most likely anything using the Sun
> Java SSL implementation).

Looking at the changelog, one candidate for causing handshake troubles
could be

> Changes between 0.9.8i and 0.9.8j [07 Jan 2009]
[...]
> *) Enable TLS extensions by default.
> [Ben Laurie]

If you add "disable-tlsext" to the OpenSSL config command and recompile,
does the error disappear? With the s_client command (from a "stock"
0.9.8j version), you could also try "-no_ticket" and see if that helps
(will disable one of the TLS extensions, which might be the culprit here).

Kaspar
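
When comparing a capture from a stock 0.9.8j client with one taken after "disable-tlsext" or "-no_ticket", it helps to list which extensions the ClientHello actually carries. The parser below is an added example, not part of the original message: the sample records are constructed in the code, `build_client_hello` is a hypothetical helper, and type 35 is the session ticket extension number from the IANA registry.

```python
import struct

# Extension type 35 = session ticket (IANA TLS ExtensionType registry).
SESSION_TICKET = 35

def client_hello_extensions(record: bytes) -> list:
    """Return the extension type numbers found in a TLS ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    body_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                          # client_version + random
    pos += 1 + body[pos]                                  # session_id
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")   # cipher_suites
    pos += 1 + body[pos]                                  # compression_methods
    if pos == len(body):                                  # no extensions block at all
        return []
    ext_end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    found = []
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        found.append(ext_type)
        pos += 4 + ext_len                                # skip the extension data
    return found

def build_client_hello(extensions) -> bytes:
    """Constructed sample: minimal TLS 1.0 ClientHello with (type, data) extensions."""
    body = b"\x03\x01" + bytes(32) + b"\x00"   # version, zeroed random, empty session_id
    body += b"\x00\x02\x00\x2f" + b"\x01\x00"  # one cipher suite, null compression
    if extensions:
        ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

if __name__ == "__main__":
    # Constructed samples: one hello without an extensions block, one offering a ticket.
    samples = {"no extension block": [],
               "session ticket offered": [(SESSION_TICKET, b"")]}
    for label, exts in samples.items():
        types = client_hello_extensions(build_client_hello(exts))
        print(f"{label}: extensions={types} ticket={SESSION_TICKET in types}")
```
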



