httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From William A Rowe Jr <wr...@rowe-clan.net>
Subject Re: Comparing LibreSSL and OpenSSL based on ApacheTest t/ssl results
Date Thu, 16 Jul 2015 17:56:55 GMT
On Thu, Jul 16, 2015 at 12:02 PM, Michael Felt <mamfelt@gmail.com> wrote:

> Here I have the output of just one test t/ssl/pr12355.t - and note the
> differences in the ssl_access_log - not just the error messages (I have
> removed all "debug" messages from the logs as they were "in the way".
>
> LibreSSL is version 2.2.0, OpenSSL is version 0.9.8m (yes I know very old,
> will test with latest patches later - I hope not relevant to here).
>
> So, please note: LibreSSL says access is:
> t/logs/ssl_request_log:[16/Jul/2015:11:47:12 +0000] 127.0.0.1 - - "POST
> /require-sha-cgi/perl_echo.pl HTTP/1.1" 403 237
> while OpenSSL says
> t/logs/ssl_request_log:[16/Jul/2015:11:32:35 +0000] 127.0.0.1 TLSv1 RC4-SHA
> "POST /require-sha-cgi/perl_echo.pl HTTP/1.1" 200 11
>
> My question: what can I do to understand why OpenSSL is adding TLSv1
> RC4-SHA while LibreSSL is "- -"
>
>
I'll take this one item.  Take a look into our implementation of
ssl_var_lookup_ssl
and particularly ssl_var_lookup_ssl_cipher.  I would expect LibreSSL isn't
providing
any meaningful data to represent.

Mime
View raw message