Re: How is the TLS Record Layer Version Selected?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On 29/10/2020 03:52, Thomas Antonio via openssl-users wrote:
> Hello, how does openSSL determine the Record Layer Version used to
> initiate a ClientHello message to the server? I believe the
> determination is made at this level.
> 
> When testing using multiple implementations (Python Requests on a Debian
> machine and `cURL --tlsv1.2 --tls-max 1.2` from macOS) I will seemingly
> at random see ClientHello messages using TLS Record Layer Version 1.0.
> The TLS Handshake Protocol remains correctly set at 1.2. The majority of
> the time the Record Layer Version is 1.2. What could be causing this
> change in Record Version?
> 
> I realize this is a valid message format and that a well configured TLS
> 1.2 server will accept this. Just trying to get to the bottom of what is
> causing this behaviour on the client side.
> 
> A post showing the Record Version and Handshake Protocol mismatch is here
> https://support.f5.com/csp/article/K53037818

The logic is here:

https://github.com/openssl/openssl/blob/648cf9249e6ec60e0af50d5d903e05244b837cb0/ssl/record/rec_layer_s3.c#L860-L861

And here:

https://github.com/openssl/openssl/blob/648cf9249e6ec60e0af50d5d903e05244b837cb0/ssl/record/rec_layer_s3.c#L882-L891


Basically the record version is never greater than TLSv1.2. If we're in
an initial ClientHello (not a renegotiation or an HRR) and the max
version is > TLSv1.0 then the record version is fixed at TLSv1.0 for the
ClientHello record.

Matt





[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux