FWIW, looking at the code, the problematic chunk, added to ssl/s23_clnt.c by tls12_workarounds.patch, was
@@ -467,6 +469,15 @@ SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE); return -1; }
+#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
+ /* Some servers hang if client hello > 256 bytes
+ * as hack workaround chop number of supported ciphers
+ * to keep it well below this if we use TLS v1.2
+ */
+ if (TLS1_get_version(s) >= TLS1_2_VERSION
+ && i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)
+ i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
+#endif s2n(i,p); p+=i;
OPENSSL_MAX_TLS1_2_CIPHER_LENGTH is defined to 50, and is actually the number of bytes to use for the cipher list in the handshake, not the number of ciphers. Each cipher uses 2 bytes, so we actually get only 25 ciphers.
And somebody that knows openssl might want to double-check that call to TLS1_get_version(s) - right before this chunk, there's a call to the function that actually adds the ciphers to the handshake buffer (ssl_cipher_list_to_bytes). That function compares the return value of TLS1_get_client_version(s) with TLS1_2_VERSION and then decides to skip the TLS1.2-only ciphers, which puts RC4-SHA among the first 50.
Either changing OPENSSL_MAX_TLS1_2_CIPHER_LENGTH to 100 (which actually means 50 ciphers) or changing the TLS1_get_version(s) to TLS1_get_client_version(s) fixes things, though I have no idea what this last change means.
One of our engineers says this:
FWIW, looking at the code, the problematic chunk, added to ssl/s23_clnt.c by tls12_workaroun ds.patch, was
@@ -467,6 +469,15 @@
SSLerr( SSL_F_SSL23_ CLIENT_ HELLO,SSL_ R_NO_CIPHERS_ AVAILABLE) ;
return -1;
} MAX_TLS1_ 2_CIPHER_ LENGTH version( s) >= TLS1_2_VERSION MAX_TLS1_ 2_CIPHER_ LENGTH) MAX_TLS1_ 2_CIPHER_ LENGTH & ~1;
s2n(i, p);
p+=i;
+#ifdef OPENSSL_
+ /* Some servers hang if client hello > 256 bytes
+ * as hack workaround chop number of supported ciphers
+ * to keep it well below this if we use TLS v1.2
+ */
+ if (TLS1_get_
+ && i > OPENSSL_
+ i = OPENSSL_
+#endif
OPENSSL_ MAX_TLS1_ 2_CIPHER_ LENGTH is defined to 50, and is actually the number of bytes to use for the cipher list in the handshake, not the number of ciphers. Each cipher uses 2 bytes, so we actually get only 25 ciphers.
And somebody that knows openssl might want to double-check that call to TLS1_get_version(s) - right before this chunk, there's a call to the function that actually adds the ciphers to the handshake buffer (ssl_cipher_ list_to_ bytes). That function compares the return value of TLS1_get_ client_ version( s) with TLS1_2_VERSION and then decides to skip the TLS1.2-only ciphers, which puts RC4-SHA among the first 50.
Either changing OPENSSL_ MAX_TLS1_ 2_CIPHER_ LENGTH to 100 (which actually means 50 ciphers) or changing the TLS1_get_version(s) to TLS1_get_ client_ version( s) fixes things, though I have no idea what this last change means.