I've uploaded upstream's suggested workaround for most of the problems here. It isn't complete, and in particular it doesn't deal with the server in the bug description (see the Debian bug for a categorisation of the problems here), which is why I've left this bug open at a lowered importance.
openssl (1.0.1-2ubuntu3) precise; urgency=low
* Temporarily work around TLS 1.2 failures as suggested by upstream
(LP #965371):
- Use client version when deciding whether to send supported signature
algorithms extension.
- Experimental workaround to large client hello issue: if
OPENSSL_NO_TLS1_2_CLIENT is set then TLS v1.2 is disabled for clients
only.
- Compile with -DOPENSSL_NO_TLS1_2_CLIENT.
This fixes most of the reported problems, but does not fix the case of
servers that reject version numbers they don't support rather than
trying to negotiate a lower version (e.g. www.mediafire.com).
-- Colin Watson <email address hidden> Fri, 30 Mar 2012 17:11:45 +0100
I've uploaded upstream's suggested workaround for most of the problems here. It isn't complete, and in particular it doesn't deal with the server in the bug description (see the Debian bug for a categorisation of the problems here), which is why I've left this bug open at a lowered importance.
openssl (1.0.1-2ubuntu3) precise; urgency=low
* Temporarily work around TLS 1.2 failures as suggested by upstream NO_TLS1_ 2_CLIENT is set then TLS v1.2 is disabled for clients NO_TLS1_ 2_CLIENT.
(LP #965371):
- Use client version when deciding whether to send supported signature
algorithms extension.
- Experimental workaround to large client hello issue: if
OPENSSL_
only.
- Compile with -DOPENSSL_
This fixes most of the reported problems, but does not fix the case of
servers that reject version numbers they don't support rather than
trying to negotiate a lower version (e.g. www.mediafire.com).
-- Colin Watson <email address hidden> Fri, 30 Mar 2012 17:11:45 +0100