> On Aug 31, 2018, at 9:14 PM, Jordan Brown <openssl@xxxxxxxxxxxxxxxxxxxx> wrote:
>
> We're trying to nail down error reporting for TLS version mismatches, and we're seeing a couple of puzzling behaviors.
>
> First, and most puzzling... assume these two command lines:
>
> $ openssl s_server -cert 2018.08.31.a.pem -key 2018.08.31.a.key -no_tls1

This disables TLS 1.0 on the server, and if SSL 3.0 is supported at compile time, leaves the server willing to do SSL 3.0 or TLS 1.1 and up.

> $ openssl s_client -connect zel.us.oracle.com:4433 -tls1

This configures the client to do TLS 1.0 only via the version-specific TLS1_client_method(), which DOES NOT support version negotiation. It is NOT equivalent in some subtle ways to:

    $ openssl s_client -connect zel.us.oracle.com:4433 -no_ssl3 -no_tls1_1 -no_tls1_2

That said, in either case the client sends "TLS 1.0" as its "maximum" protocol version in its TLS client HELLO (the TLS 1.0 protocol does not support sending a supported version list).

> That is, I have a server that won't accept TLSv1.0, and a client that will only accept TLSv1.0.

No, more precisely, you have a version-flexible server that does not accept 1.0 and a *fixed-version* client that only supports 1.0. What happens at that point depends on whether SSL 3.0 has been disabled on the server, or not.

If SSL 3.0 is not disabled on the server (at compile time or by other means), then seeing TLS 1.0 as the client's max version, the server will respond with SSL 3.0.
The client, however, is not in a negotiating mood, and it will send a handshake failure alert:

    SSL_connect:SSLv3 write client hello A
    SSL3 alert write:fatal:handshake failure
    SSL_connect:error in SSLv3 read server hello A
    140735512441800:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:365:

and on the server side you'll see:

    SSL_accept:before/accept initialization
    SSL_accept:SSLv3 read client hello A
    SSL_accept:SSLv3 write server hello A
    SSL_accept:SSLv3 write key exchange A
    SSL_accept:SSLv3 write server done A
    SSL_accept:SSLv3 flush data
    SSL_accept:SSLv3 read client certificate A
    SSL3 alert read:fatal:handshake failure
    SSL_accept:failed in SSLv3 read client key exchange A
    ERROR
    140735512441800:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1498:SSL alert number 40

If, on the other hand, you *also* disable SSL 3.0 on the server, then, seeing a maximum version of TLS 1.0 from the client, but with TLS 1.0 disabled, the server wants SSL 3.0, but that's also unavailable. For better or worse, OpenSSL is unable to respond with a TLS 1.0 alert (TLS 1.0 is off), nor SSL 3.0, so it simply fails:

    SSL_accept:before/accept initialization
    SSL_accept:error in SSLv2/v3 read client hello A
    ERROR
    140735512441800:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:643:
    shutting down SSL

The client's view of this is:

    SSL_connect:before/connect initialization
    SSL_connect:SSLv3 write client hello A
    SSL_connect:failed in SSLv3 read server hello A
    140735512441800:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:

You might argue that one should be able to send a TLS 1.0 fatal alert even with TLS 1.0 disabled, but that's not how the OpenSSL 1.0.x code works. It does not select explicitly disabled protocols for sending alerts, nor does it select protocol versions higher than the client's limit.
In OpenSSL 1.1.x, with its more modern rewritten state machine, the behaviour is closer to what you expected. Server reports:

    SSL_accept:before SSL initialization
    SSL_accept:before SSL initialization
    SSL3 alert write:fatal:protocol version
    SSL_accept:error in error
    ERROR
    140735512441728:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../openssl/ssl/statem/statem_srvr.c:1655:

and client sees:

    SSL_connect:before SSL initialization
    SSL_connect:SSLv3/TLS write client hello
    SSL3 alert read:fatal:protocol version
    SSL_connect:error in error
    140735512441728:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../openssl/ssl/record/rec_layer_s3.c:1528:SSL alert number 70

-- 
	Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
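As an added illustration of the version selection described in this thread (example code, not OpenSSL's own and not part of the original message): a small Python model in which a constructed minimal TLS 1.0 ClientHello carries only a client_version, the server picks the highest enabled version not above it, and a fixed-version client rejects anything else. The `modern` flag stands in for the 1.1.x state machine; alert numbers 40 and 70 are the ones shown in the logs above, and the outcome strings are assumed labels.

```python
# Model of TLS version selection as described in the thread; not OpenSSL code.
# Protocol versions are (major, minor) pairs exactly as they appear on the wire.
SSL3, TLS1_0, TLS1_1, TLS1_2 = (3, 0), (3, 1), (3, 2), (3, 3)
ALERT_HANDSHAKE_FAILURE = 40   # sent by the fixed-version client (alert number 40 above)
ALERT_PROTOCOL_VERSION = 70    # sent by a 1.1.x server when nothing fits (alert number 70 above)

def build_client_hello(version):
    """Constructed minimal ClientHello record: 32-byte random, empty session id,
    one cipher suite, null compression, no extensions. The only version
    information in it is client_version, i.e. the client's maximum."""
    body = bytes(version) + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + len(handshake).to_bytes(2, "big") + handshake

def client_max_version(record):
    """Read client_version: 5-byte record header, 4-byte handshake header, then 2 bytes."""
    if len(record) < 11 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    return (record[9], record[10])

def server_select(record, enabled, modern):
    """Highest enabled version not above the client's maximum: never a disabled
    version, never one above the client's limit (the 1.0.x rule quoted above)."""
    client_max = client_max_version(record)
    fits = [v for v in enabled if v <= client_max]
    if fits:
        return ("server_hello", max(fits))
    # 1.0.x: no usable version, so no alert at all, just "unknown protocol".
    # 1.1.x: a fatal protocol_version alert instead.
    return ("alert", ALERT_PROTOCOL_VERSION) if modern else ("fail", "unknown protocol")

def fixed_version_client(version, reply):
    """Version-specific client method: no negotiation, only its own version is acceptable."""
    kind, value = reply
    if kind == "server_hello":
        return ("ok", value) if value == version else ("alert", ALERT_HANDSHAKE_FAILURE)
    return ("error", value)   # alert 70 from 1.1.x, or the bare failure from 1.0.x

def negotiate(client_version, server_enabled, modern=False):
    """Run one exchange; returns (server outcome, client outcome)."""
    reply = server_select(build_client_hello(client_version), server_enabled, modern)
    return reply, fixed_version_client(client_version, reply)
```

The three calls `negotiate(TLS1_0, {SSL3, TLS1_1, TLS1_2})`, `negotiate(TLS1_0, {TLS1_1, TLS1_2})` and the same with `modern=True` reproduce the three outcomes in the logs above (SSL 3.0 offered and rejected with alert 40, bare failure, alert 70).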