
On 21 Nov, 08:00 pm, twisted@ralphm.ik.nu wrote:
> On Fri, Nov 21, 2008 at 01:20:59PM -0500, Itamar Shtull-Trauring wrote:
> > On Thu, 2008-11-20 at 17:00 -0700, Jack Moffitt wrote:
> > > I would like to propose that #3463 (http://twistedmatrix.com/trac/ticket/3463) be additionally committed to the 8.1 branch and any other branches that still get point releases. It is a pretty critical workaround which fixes the fact that recent OpenSSL libraries cannot connect to Java-based services.
> >
> > Why not request relevant distros to do an openssl bugfix and backport? It'd help more people than just twisted users.
>
> Because it is actually a bug in Java, not in OpenSSL. It is just that recent OpenSSL versions enable a feature (Session Tickets) that is standards-wise backwards compatible. Arguably, distributions could choose to not enable the feature by default, but that doesn't have my preference.
>
> This change adds an option to choose if the feature is used, and disables it by default because there is no further support in our SSL code for it and it immediately helps fix a problem that I don't think will be resolved server-side any time soon.

If the "fix" for Twisted is to just disable this feature by default, then it should remain disabled by default for everybody. Including it in the build so that people who want it can enable it is fine, but leaving it on by default for other libraries besides Twisted seems wrong. In other words, this really has nothing to do with Twisted, and everything to do with the fact that Debian should not be screwing around with OpenSSL. Have they already forgotten what happened last time?