Comment 10 for bug 965371

Colin Watson (cjwatson) wrote : Re: HTTPS requests fail on some sites on Ubuntu 12.04

I've uploaded upstream's suggested workaround for most of the problems here. It isn't complete, and in particular it doesn't deal with the server in the bug description (see the Debian bug for a categorisation of the problems here), which is why I've left this bug open at a lowered importance.

openssl (1.0.1-2ubuntu3) precise; urgency=low

  * Temporarily work around TLS 1.2 failures as suggested by upstream
    (LP #965371):
    - Use client version when deciding whether to send supported signature
      algorithms extension.
    - Experimental workaround to large client hello issue: if
      OPENSSL_NO_TLS1_2_CLIENT is set then TLS v1.2 is disabled for clients
      only.
    - Compile with -DOPENSSL_NO_TLS1_2_CLIENT.
    This fixes most of the reported problems, but does not fix the case of
    servers that reject version numbers they don't support rather than
    trying to negotiate a lower version (e.g. www.mediafire.com).

 -- Colin Watson <email address hidden> Fri, 30 Mar 2012 17:11:45 +0100