Fwd: Broken ChangeCipherspec record in TLS 1.2 with OpenSSL 1.0.2d?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello,

After long delays with the client vendor (rhymes with 'Big Red'), I finally
have a packet capture detailing the failing two-way authentication TLS 1.2
protocol exchanges - our handshake begins at packet 199 and proceeds with
packet 214 being sent from the Apache 2.2.29/OpenSSL 1.0.2d server at
136.223.23.16 sending a bad ChangeCipherSpec record (I've attached packet
excerpts from a failing two-way client and server auth session).  It looks
like our server is sending a {ChangeCipherSpec, Finished} record - but the
ChangeCipherSpec shows a length of 25 (19 hex) which causes the client to
respond with an Alert (97).

Any suggestions you can provide would be appreciated?

Thanks,
Paul Hebert/State University of New York

    199 3.953050    136.223.23.16         151.103.16.212        TLSv1.2  99
    Hello Request

    TLSv1.2 Record Layer: Handshake Protocol: Hello Request

    200 3.953237    151.103.16.212        136.223.23.16         TLSv1.2
217    Client Hello

    TLSv1.2 Record Layer: Handshake Protocol: Client Hello

    202 3.983310    136.223.23.16         151.103.16.212        TLSv1.2
1434   Server Hello

    TLSv1.2 Record Layer: Handshake Protocol: Server Hello

    206 3.983489    136.223.23.16         151.103.16.212        TLSv1.2
1183   Certificate Request, Server Hello Done

    TLSv1.2 Record Layer: Handshake Protocol: Multiple Handshake Messages

    TLSv1.2 Record Layer: Handshake Protocol: Multiple Handshake Messages

    209 3.984815    151.103.16.212        136.223.23.16         TLSv1.2
1197   Certificate

    TLSv1.2 Record Layer: Handshake Protocol: Certificate

    210 3.987192    151.103.16.212        136.223.23.16         TLSv1.2
725    Client Key Exchange, Certificate Verify, Change Cipher Spec, Finished

    TLSv1.2 Record Layer: Handshake Protocol: Client Key Exchange

    TLSv1.2 Record Layer: Handshake Protocol: Certificate Verify

    TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec

    TLSv1.2 Record Layer: Handshake Protocol: Finished

    214 4.017836    136.223.23.16         151.103.16.212        TLSv1.2
141    Change Cipher Spec, Finished

    TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec

    TLSv1.2 Record Layer: Handshake Protocol: Finished

    215 4.017917    151.103.16.212        136.223.23.16         TLSv1.2  97
    Alert (Level: Fatal, Description: Illegal Parameter)

    TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Illegal
Parameter)

    TLSv1.2 Record Layer: Application Data Protocol: http

    TLSv1.2 Record Layer: Application Data Protocol: http

    TLSv1.2 Record Layer: Application Data Protocol: http

    TLSv1.2 Record Layer: Application Data Protocol: http

    TLSv1.2 Record Layer: Application Data Protocol: http

    253 4.770105    136.223.23.16         151.103.16.212        TLSv1.2  97
    Alert (Level: Warning, Description: Close Notify)

    TLSv1.2 Record Layer: Alert (Level: Warning, Description: Close Notify)

~


On Thu, Aug 6, 2015 at 8:48 AM, Paul Hebert <pauljosephhebert at gmail.com>
wrote:

> We are using a wildcard certificate requiring SNI and are also requiring
> client certificate authentication.
>
> Our TLS 1.2 client is seeing a ChangeCipherspec record with length 30
> bytes (x19) instead of the expected 0x01.  The broken ChangeCipherspec
> record looks like this (hex) *14 03 03 00 01 19*.  Is this a problem with
> the TLS 1.2 client, or a problem with the OpenSSL 1.0.2d patch?
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20151111/5ec747a1/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tls12_fail_packets.zip
Type: application/zip
Size: 3408 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20151111/5ec747a1/attachment.zip>


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux