Interoperating with a legacy client.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




I'm writing a server to support a legacy client that uses OpenSSL to
secure its communication.  The client is using OpenSSL 1.0.1j, and I
have no control over that. I'm using the 1.0.1 version of OpenSSL supplied with my OS for the server side, but that is out of convenience rather than necessity.

My server appears to be working at least semi-correctly, but I have a problem with established connections being terminated by the server side, and I have run out of troubleshooting ideas.

The client will happily connect to my server, we complete the handshake, and start exchanging encrypted application data. Then, it seems like the client wants to renegotiate, because it sends the server a ClientHello across the established connection. But something is clearly not right, because
the server responds with a fatal alert and terminates the connection.

I can watch the connection with wireshark, so I can see in detail what's going on, but the client's
behavior doesn't make sense to me.

The typical interaction looks like this:

The client connects to the server.

The initial ClientHello advertises TLS 1.2 with a record version of 1.0, and includes TLS_EMPTY_RENEGOTIATION_INFO_SCSV in the cipher suites. Our ServerHello response includes a zero-length renegotiation_info extension. This all seems reasonable.

The negotiation settles on TLS 1.2, and subsequent application data records are sent at that version. At this point, everything
seems fine.

After sending some amount of application data, the client then seems to want to renegotiate. It sends another ClientHello.

At this point, things have gone wrong. The second ClientHello looks very, very similar to the one sent in the initial handshake. The record version is again 1.0, the TLS_EMPTY_RENEGOTIATION_INFO_SCSV is included in the cipher suites, and there's no
renegotiation_info extension present.

So, if the connection is using TLS 1.2, the server terminates the connection with a
version mismatch alert when it sees the second ClientHello.

If I force the server to use TLS 1.0, then the server terminates the connection because
of the SCSV present in the ClientHello during renegotiation.

I'm at a loss. It seems like the client is misbehaving, if the second ClientHello it sends is supposed to be a renegotiation attempt. But misbehaving or not, I still need to interoperate with this client.

Is there something I can do on the server side to be compatible with this client? Is it possible that I'm
causing the client's behavior through something I'm doing as the server?

I may be able to provide a sanitized packet trace or packet dissections showing the exact behavior I'm seeing, if that would be
helpful or interesting.

Any further troubleshooting options would be welcome.

--
Tim Kirby

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux