Comment 4 for bug 986147

One of our engineers says this:

FWIW, looking at the code, the problematic chunk, added to ssl/s23_clnt.c by tls12_workarounds.patch, was

@@ -467,6 +469,15 @@
                               SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
                               return -1;
                               }
+#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
+ /* Some servers hang if client hello > 256 bytes
+ * as hack workaround chop number of supported ciphers
+ * to keep it well below this if we use TLS v1.2
+ */
+ if (TLS1_get_version(s) >= TLS1_2_VERSION
+ && i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)
+ i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
+#endif
                       s2n(i,p);
                       p+=i;

OPENSSL_MAX_TLS1_2_CIPHER_LENGTH is defined to 50, and is actually the number of bytes to use for the cipher list in the handshake, not the number of ciphers. Each cipher uses 2 bytes, so we actually get only 25 ciphers.

And somebody that knows openssl might want to double-check that call to TLS1_get_version(s) - right before this chunk, there's a call to the function that actually adds the ciphers to the handshake buffer (ssl_cipher_list_to_bytes). That function compares the return value of TLS1_get_client_version(s) with TLS1_2_VERSION and then decides to skip the TLS1.2-only ciphers, which puts RC4-SHA among the first 50.

Either changing OPENSSL_MAX_TLS1_2_CIPHER_LENGTH to 100 (which actually means 50 ciphers) or changing the TLS1_get_version(s) to TLS1_get_client_version(s) fixes things, though I have no idea what this last change means.