So far...

ssl3.netscape.com:443 does not support client side dynamic
session-renegotiation.

ssl3.netscape.com:444 (asks for client cert) sends out all the CA RDN
in an invalid format (the outer sequence is removed).

Netscape-Commerce/1.12, when talking SSLv2, accepts a 32 byte
challenge but then appears to only use 16 bytes when generating the
encryption keys. Using 16 bytes is ok but it should be ok to use 32.
According to the SSLv3 spec, one should use 32 bytes for the challenge
when operating in SSLv2/v3 compatibility mode, but as mentioned above,
this breaks this server so 16 bytes is the way to go.

www.microsoft.com - when talking SSLv2, if session-id reuse is
performed, the session-id passed back in the server-finished message
is different from the one decided upon.

ssl3.netscape.com:443, first a connection is established with RC4-MD5.
If it is then resumed, we end up using DES-CBC3-SHA. It should be
RC4-MD5 according to 7.6.1.3, 'cipher_suite'.
Netscape-Enterprise/2.01 (https://merchant.netscape.com) has this bug.
It only really shows up when connecting via SSLv2/v3 then reconnecting
via SSLv3. The cipher list changes....
NEW INFORMATION. Try connecting with a cipher list of just
DES-CBC-SHA:RC4-MD5. For some weird reason, each new connection uses
RC4-MD5, but a re-connect tries to use DES-CBC-SHA. So Netscape, when
doing a re-connect, always takes the first cipher in the cipher list.

If we accept a Netscape connection, demand a client cert, have a
non-self-signed CA which does not have its CA in Netscape, and the
browser has a cert, it will crash/hang. Works for 3.x and 4.xbeta.

Netscape browsers do not really notice the server sending a
close notify message. I was sending one, and then some invalid data.
Netscape complained of an invalid mac. (a fork()ed child doing a
SSL_shutdown() and still sharing the socket with its parent).

Netscape, when using export ciphers, will accept a 1024 bit temporary
RSA key. It is supposed to only accept 512.

If Netscape connects to a server which requests a client certificate
it will frequently hang after the user has selected one and never
complete the connection. Hitting "Stop" and reload fixes this and
all subsequent connections work fine. This appears to be because
Netscape won't read any new records in when it is awaiting a server
done message at this point. The fix is to send the certificate request
and server done messages in one record.
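
A client-side check for the resumed-session cipher bug noted above (a connection made with RC4-MD5 coming back as DES-CBC3-SHA on resume), as an added example that is not code from these notes or from any SSL library. The struct, enum and function names are hypothetical, the ServerHello bytes are constructed, and the input is assumed to be the ServerHello body after the 4-byte handshake header.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SUITE_RC4_MD5      0x0004  /* SSL_RSA_WITH_RC4_128_MD5 */
#define SUITE_DES_CBC3_SHA 0x000A  /* SSL_RSA_WITH_3DES_EDE_CBC_SHA */

/* What the client kept from the first handshake (hypothetical layout). */
struct cached_session { uint8_t id[32]; size_t id_len; uint16_t cipher_suite; };

enum resume_result { RESUME_OK, RESUME_NEW_SESSION, RESUME_SUITE_MISMATCH, RESUME_MALFORMED };

/* body layout: version(2) random(32) sid_len(1) sid(sid_len)
 *              cipher_suite(2) compression(1) */
enum resume_result check_resumed_hello(const uint8_t *body, size_t len,
                                       const struct cached_session *cs)
{
    if (len < 35) return RESUME_MALFORMED;
    size_t sid_len = body[34];
    if (sid_len > 32 || len < 35 + sid_len + 3) return RESUME_MALFORMED;
    uint16_t suite = (uint16_t)((body[35 + sid_len] << 8) | body[36 + sid_len]);
    /* A different or empty session id means the server started a new session. */
    if (sid_len == 0 || sid_len != cs->id_len || memcmp(body + 35, cs->id, sid_len) != 0)
        return RESUME_NEW_SESSION;
    /* Same id: the session was resumed, so the suite must be the cached one. */
    return suite == cs->cipher_suite ? RESUME_OK : RESUME_SUITE_MISMATCH;
}

/* Builds a constructed SSLv3 ServerHello body (all-zero random) for the demo. */
size_t build_hello(uint8_t *out, const uint8_t *sid, size_t sid_len, uint16_t suite)
{
    memset(out, 0, 35 + sid_len + 3);
    out[0] = 0x03; out[1] = 0x00;             /* SSL 3.0 */
    out[34] = (uint8_t)sid_len;
    memcpy(out + 35, sid, sid_len);
    out[35 + sid_len] = (uint8_t)(suite >> 8);
    out[36 + sid_len] = (uint8_t)(suite & 0xff);
    return 35 + sid_len + 3;                  /* last byte: null compression */
}

int main(void)
{
    struct cached_session cs = { {0xAA, 0xBB, 0xCC, 0xDD}, 4, SUITE_RC4_MD5 };
    uint8_t buf[70];
    size_t n = build_hello(buf, cs.id, cs.id_len, SUITE_DES_CBC3_SHA);
    printf("resumed with changed suite -> %d\n", (int)check_resumed_hello(buf, n, &cs));
    return 0;
}
```

A client that gets RESUME_SUITE_MISMATCH should abort the handshake rather than continue with the unexpected suite.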