[openssl-users] s_server -www -tls1_3: Firefox/Chrome not working
Klaus Keppler
kk at keppler-it.de
Wed Sep 12 13:50:17 UTC 2018
Hi,
when I create a TLS-1.3-only "web" server with s_server (from OpenSSL
1.1.1-release), Firefox/Chrome can't access it.
According to all docs I've read so far, the TLS 1.3 implementations both
from Firefox (62.x) and from Chrome (69.x) should be compatible so far.
I created the web server with the following command:
./openssl s_server -accept 8444 -tls1_3 \
-cert sslcert.pem -key sslcert.key \
-www -state -debug -msg -security_debug_verbose
sslcert.pem/sslcert.key is a self-signed 2048 bit RSA certificate.
When starting without the "-tls1_3" option (or with "-tls1_2"), both
browsers can access that service (an OpenSSL stats page is displayed then).
With "-tls1_3",
- Firefox issues a SSL_ERROR_PROTOCOL_VERSION_ALERT
- Chrome issues a ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Server-side output is the same in both cases, see below for full message.
Connecting to that service using "openssl s_client -connect
localhost:8444" works fine.
There's no proxy, firewall or web filter software involved.
When I open e.g. www.cloudflare.com in a browser, connection is made
using TLS 1.3. So, the browser-side obviously works, I expect the
problem to be on the server-side.
Am I missing something? I can't imagine these products to be incompatible...
Thanks & best regards!
-Klaus
---cut---
Security callback: Version=TLS 1.3: yes
Security callback: Version=TLS 1.3: yes
SSL_accept:before SSL initialization
read from 0x2335fb0 [0x233c1b3] (5 bytes => 5 (0x5))
0000 - 16 03 01 02 00 .....
<<< ??? [length 0005]
16 03 01 02 00
read from 0x2335fb0 [0x233c1b8] (512 bytes => 512 (0x200))
0000 - 01 00 01 fc 03 03 bb 93-78 7e 86 eb 69 e5 b4 9f
[...]
01f0 - 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
SSL_accept:before SSL initialization
<<< TLS 1.3, Handshake [length 0200], ClientHello
01 00 01 fc 03 03 bb 93 78 7e 86 eb 69 e5 b4 9f
c2 28 16 9f 25 27 37 f5 42 5b c9 10 36 09 11 30
11 7f a5 ec 39 b8 20 15 a8 20 9e 24 0f 78 5d 11
b0 72 9a b0 4f 74 9b d2 c7 09 64 2d 3d 73 7c 8d
bd ce 4d f2 de 17 cf 00 1c 13 01 13 03 13 02 c0
2b c0 2f cc a9 cc a8 c0 2c c0 30 c0 13 c0 14 00
2f 00 35 00 0a 01 00 01 97 00 17 00 00 ff 01 00
01 00 00 0a 00 0e 00 0c 00 1d 00 17 00 18 00 19
01 00 01 01 00 0b 00 02 01 00 00 23 00 00 00 10
00 0e 00 0c 02 68 32 08 68 74 74 70 2f 31 2e 31
00 05 00 05 01 00 00 00 00 00 33 00 6b 00 69 00
1d 00 20 de 3f e9 13 12 8a 84 f4 5b 22 40 ae 3d
e9 56 04 e8 b4 68 ef 0a 02 fe b7 42 90 ab 26 f1
95 ff 2d 00 17 00 41 04 41 fd 89 36 89 df 02 3c
a3 cf 12 8a 27 6f d5 ba 17 29 49 b8 91 6b 6c 95
e2 7d a8 df fe a5 50 dc 35 0c 3d b5 2a b4 93 70
17 cd 62 a5 a1 03 7f 32 11 07 04 b3 b0 89 a4 8f
62 05 9f 69 74 1b c2 99 00 2b 00 09 08 7f 1c 03
03 03 02 03 01 00 0d 00 18 00 16 04 03 05 03 06
03 08 04 08 05 08 06 04 01 05 01 06 01 02 03 02
01 00 2d 00 02 01 01 00 1c 00 02 40 01 00 15 00
af 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>>> ??? [length 0005]
15 03 03 00 02
write to 0x2335fb0 [0x234a930] (7 bytes => 7 (0x7))
0000 - 15 03 03 00 02 02 46 ......F
>>> TLS 1.2, Alert [length 0002], fatal protocol_version
02 46
SSL3 alert write:fatal:protocol version
SSL_accept:error in error
140042894132992:error:14209102:SSL
routines:tls_early_post_process_client_hello:unsupported
protocol:ssl/statem/statem_srvr.c:1655:
More information about the openssl-users
mailing list