From: Janusz Harkot <janusz.harkot@gmail.com>
To: Daniel Stenberg <daniel@haxx.se>
Cc: git@vger.kernel.org
Subject: Re: SNI (SSL virtual hosts)
Date: Tue, 4 Jun 2013 23:26:51 +0200 [thread overview]
Message-ID: <630928524B6441DC907D7AFF34389010@gmail.com> (raw)
In-Reply-To: <alpine.DEB.2.00.1306042305300.2878@tvnag.unkk.fr>
valid point, but from what you can find on the web, the only solution provided everywhere was to
disable certificate checking… so maybe that's not me, but this is first time someone spent
some time to check whats going on :)
at least there will be something, maybe this will help someone…
thanks Daniel!
best!
Janusz
On Tuesday, 4 June 2013 at 23:18, Daniel Stenberg wrote:
> On Tue, 4 Jun 2013, Janusz Harkot wrote:
>
> > > What makes you suggest that's what's happening? Sure, if it would've sent no
> > > or the wrong host name it would probably have that effect.
> >
> >
> >
> > line:
> >
> > [36] * Re-using existing connection! (#0) with host (nil)
>
> Ah that. Yes, that's a stupid line to show (that bug has been fixed since).
> But if you look further down your log you see that the connection which is
> re-used according to that log line gets closed anyway.
>
> > it looks like it is working
>
> Awesome!
>
> > So, the question is still why it is not working with openssl 0.9.8r - this
> > version supports SNI by default. This looks like an error in openssl (maybe:
> > Only allow one SGC handshake restart for SSL/TLS.)
>
>
>
> Right. As you can see in the libcurl code it activates SNI for OpenSSL the
> exact same way independently of what version that's used.
>
> > Now is the question, shall this be handled by curl or left alone? (handling
> > older version of openssl, and force new ssl session?)
>
>
>
> I'm not even completely convinced this is "just" an old-OpenSSL-problem. If
> that version you're using is the one Apple has provided, there's the risk that
> the problem is rather caused by their changes!
>
> I'm reluctant to globally switch off session-id caching for OpenSSL 0.9.8
> users since that feature has been used for over 8 years in the code and you're
> the first to have a problem with it! =-/
>
> --
>
> / daniel.haxx.se (http://daniel.haxx.se)
> --
> To unsubscribe from this list: send the line "unsubscribe git" in
> the body of a message to majordomo@vger.kernel.org (mailto:majordomo@vger.kernel.org)
> More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2013-06-04 21:27 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <DC851F5EA18E478DACB62178624BF5B7@gmail.com>
2013-06-04 9:36 ` SNI (SSL virtual hosts) Janusz Harkot
2013-06-04 9:45 ` Daniel Stenberg
2013-06-04 10:19 ` Janusz Harkot
2013-06-04 11:58 ` Daniel Stenberg
2013-06-04 16:59 ` Janusz Harkot
2013-06-04 21:18 ` Daniel Stenberg
2013-06-04 21:26 ` Janusz Harkot [this message]
2013-06-05 6:58 ` Daniel Stenberg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=630928524B6441DC907D7AFF34389010@gmail.com \
--to=janusz.harkot@gmail.com \
--cc=daniel@haxx.se \
--cc=git@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).