<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0cm;
margin-right:0cm;
margin-bottom:0cm;
margin-left:36.0pt;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.E-MailFormatvorlage17
{mso-style-type:personal-compose;
font-family:"Arial",sans-serif;
color:windowtext;
font-weight:normal;
font-style:normal;
text-decoration:none none;}
p.Default, li.Default, div.Default
{mso-style-name:Default;
margin:0cm;
margin-bottom:.0001pt;
text-autospace:none;
font-size:12.0pt;
font-family:"Arial",sans-serif;
color:black;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:176239051;
mso-list-type:hybrid;
mso-list-template-ids:920547304 -46758994 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Arial",sans-serif;
mso-fareast-font-family:Calibri;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l1
{mso-list-id:234820579;
mso-list-type:hybrid;
mso-list-template-ids:1213482478 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Symbol;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Symbol;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Symbol;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l2
{mso-list-id:946038566;
mso-list-type:hybrid;
mso-list-template-ids:-1891329774 1162664886 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l2:level1
{mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Arial",sans-serif;
mso-fareast-font-family:Calibri;}
@list l2:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l2:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l2:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Symbol;}
@list l2:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l2:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l2:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Symbol;}
@list l2:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l2:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif">Hi,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif">We have a C++ client application and a C++ server application using
<b>OpenSSL 1.1.0f </b>to encrypt the TCP/IP communication.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif">We enforce mutual authentication (also the server requests certificates from the clients and verifies if they are issued by a CA it trusts).<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif"><o:p> </o:p></span></p>
<p class="Default"><span style="font-size:10.0pt">We are able to update certificates (Host certificates and trusted CA certificates) on clients and servers without stopping the executables or interrupting the communication. We managed the update of the trusted
CA certificates by using <b>TLS Extension #3 (trusted_ca_keys) specified in RFC6066</b>.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif">We are able to remove old obsolete certificates (Host certificates and trusted CA certificates) on clients and servers without stopping the executables or interrupting the communication.
New established TCP/IP sessions will always use the newest certificates.<br>
The update of a trusted CA certificate might look like this:<o:p></o:p></span></p>
<ul style="margin-top:0cm" type="disc">
<li class="MsoListParagraph" style="margin-left:0cm;mso-list:l1 level1 lfo3"><span style="font-size:10.0pt;font-family:"Arial",sans-serif">Server and clients are deployed with certificates issued by
<b>CA1</b>, the <b>CA1 </b>certificate is deployed as trusted root certificate.<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0cm;mso-list:l1 level1 lfo3"><span style="font-size:10.0pt;font-family:"Arial",sans-serif">Certificates issued by
<b>CAnew </b>and the <b>CAnew </b>certificate will be deployed to the server and all clients. Whenever a new TCP/IP session is established the new certificates are used.<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0cm;mso-list:l1 level1 lfo3"><span style="font-size:10.0pt;font-family:"Arial",sans-serif">Once all
<b>CAnew </b>certificates are deployed, the <b>CA1 </b>certificates can be removed from the server and the clients.<o:p></o:p></span></li></ul>
<p class="MsoListParagraph"><span style="font-size:10.0pt;font-family:"Arial",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif">We also want to force established TCP sessions to move from obsolete certificates the newest certificates be triggering a renegotiation. We expect the renegotiation to fail,
if the host does not have the right set of certificates. <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif">This works fine, if we trigger the renegotiation at the client, but the real benefit would be to do the renegotiation on the server. So we could remove all already connected
malicious clients which have managed to steal obsolete certificates. <b>But sadly this does not work the way we implemented it</b>.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif">we implemented the renegotiation by essentially calling<o:p></o:p></span></p>
<p class="MsoNormal" style="text-indent:36.0pt"><span style="font-size:10.0pt;font-family:"Arial",sans-serif">SSL_renegotiate() and
<o:p></o:p></span></p>
<p class="MsoNormal" style="text-indent:36.0pt"><span style="font-size:10.0pt;font-family:"Arial",sans-serif">SSL_do_handshake()<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif">But see our trace for a better illustration what is going on.
<o:p></o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif">Note!</span></b><span style="font-size:10.0pt;font-family:"Arial",sans-serif">
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif"> We use SSL_CTX_set_info_callback() to get insights into OpenSSL states and set the following essential configurations:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif"> SSL_CTX_set_verify(m_ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, &verify_callback);<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif"> SSL_CTX_add_client_custom_ext(m_ctx, TLSEXT_TYPE_trusted_ca_keys, &<b>client_add_cb</b>, nullptr, nullptr, &<b>client_parse_cb</b>, nullptr);<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif"> SSL_CTX_add_server_custom_ext(m_ctx, TLSEXT_TYPE_trusted_ca_keys, &<b>server_add_cb</b>, nullptr, nullptr, &<b>server_parse_cb</b>, nullptr);<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><u><span style="font-size:10.0pt;font-family:"Arial",sans-serif"><o:p><span style="text-decoration:none"> </span></o:p></span></u></b></p>
<p class="MsoNormal"><b><u><span style="font-size:10.0pt;font-family:"Arial",sans-serif">Scenario 1:</span></u></b><span style="font-size:10.0pt;font-family:"Arial",sans-serif"> Client triggered renegotiation
<span style="background:lime;mso-highlight:lime">(<b>Note!</b> works as expected)</span><o:p></o:p></span></p>
<p class="MsoNormal"><b><u><span style="font-size:10.0pt;font-family:"Arial",sans-serif"><o:p><span style="text-decoration:none"> </span></o:p></span></u></b></p>
<p class="MsoNormal"><b><u><span style="font-size:10.0pt;font-family:Consolas">Client trace (Dist):<o:p></o:p></span></u></b></p>
<p class="MsoNormal"><b><u><span style="font-size:10.0pt;font-family:Consolas"><o:p><span style="text-decoration:none"> </span></o:p></span></u></b></p>
<table class="MsoTableGrid" border="1" cellspacing="0" cellpadding="0" style="border-collapse:collapse;border:none">
<tbody>
<tr>
<td width="170" valign="top" style="width:127.2pt;border:solid windowtext 1.0pt;padding:0cm 5.4pt 0cm 5.4pt">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:Consolas">Comment<o:p></o:p></span></b></p>
</td>
<td width="832" valign="top" style="width:22.0cm;border:solid windowtext 1.0pt;border-left:none;padding:0cm 5.4pt 0cm 5.4pt">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:Consolas">Trace snippet <o:p></o:p></span></b></p>
</td>
</tr>
<tr>
<td width="170" valign="top" style="width:127.2pt;border:solid windowtext 1.0pt;border-top:none;padding:0cm 5.4pt 0cm 5.4pt">
<p class="MsoNormal"><b><u><span style="font-size:10.0pt;font-family:Consolas"><o:p><span style="text-decoration:none"> </span></o:p></span></u></b></p>
</td>
<td width="832" valign="top" style="width:22.0cm;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0cm 5.4pt 0cm 5.4pt">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas">___________HANDSHAKE_START_ fd=13 in state SSL negotiation finished successfully<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas">___________CONNECT_LOOP__OK____ fd=13 in state SSL negotiation finished successfully<o:p></o:p></span></p>
</td>
</tr>
<tr>
<td width="170" valign="top" style="width:127.2pt;border:solid windowtext 1.0pt;border-top:none;padding:0cm 5.4pt 0cm 5.4pt">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas">OpenSSL called custom extension callback<o:p></o:p></span></p>
</td>
<td width="832" valign="top" style="width:22.0cm;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0cm 5.4pt 0cm 5.4pt">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas">++ client_add_cb Entered
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas">{<o:p></o:p></span></p>
</td>
</tr>
<tr>
<td width="170" valign="top" style="width:127.2pt;border:solid windowtext 1.0pt;border-top:none;padding:0cm 5.4pt 0cm 5.4pt">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas">Client_add_cb calls sendTrustedCAKeys()<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas">The list of trused CA’s sent to the server.<o:p></o:p></span></p>
</td>
<td width="832" valign="top" style="width:22.0cm;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0cm 5.4pt 0cm 5.4pt">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas"> ++ sendTrustedCAKeys Entered
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas"> {<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas"> CA directory: /opt/IowaDev/Projects/WCCILProject/config/CertStore//trusted<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas"> <== send peer a list of my trusted CAs. SHA1: A7:8F:B0:9A:96:A4:A0:4E:6F:B3:BF:4D:24:B3:85:0D:4A:64:9B:30
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas"> Subject : /C=AT/ST=OOE/O=ETM/OU=INNO/CN=CA1 file: af83623b.0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas"> Out : A7:8F:B0:9A:96:A4:A0:4E:6F:B3:BF:4D:24:B3:85:0D:4A:64:9B:30
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas"> } ++ sendTrustedCAKeys returns : 1 elapsed time: 3685525ns<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas"><o:p> </o:p></span></p>
</td>
</tr>
<tr>
<td width="170" valign="top" style="width:127.2pt;border:solid windowtext 1.0pt;border-top:none;padding:0cm 5.4pt 0cm 5.4pt">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas"><o:p> </o:p></span></p>
</td>
<td width="832" valign="top" style="width:22.0cm;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0cm 5.4pt 0cm 5.4pt">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas">} ++ client_add_cb returns : 1 elapsed time: 14254269ns<o:p></o:p></span></p>
</td>
</tr>
<tr>
<td width="170" valign="top" style="width:127.2pt;border:solid windowtext 1.0pt;border-top:none;padding:0cm 5.4pt 0cm 5.4pt">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas"><o:p> </o:p></span></p>
</td>
<td width="832" valign="top" style="width:22.0cm;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0cm 5.4pt 0cm 5.4pt">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas">___________CONNECT_LOOP__OK____ fd=13 in state SSLv3/TLS write client hello<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas">___________CONNECT_EXIT__ fd=13 in state SSLv3/TLS write client hello<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas"><o:p> </o:p></span></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><b><u><span style="font-size:10.0pt;font-family:Consolas"><o:p><span style="text-decoration:none"> </span></o:p></span></u></b></p>
<p class="MsoNormal"><b><u><span style="font-size:10.0pt;font-family:Consolas">Server trace (Proxy):<o:p></o:p></span></u></b></p>
<p class="MsoNormal"><b><u><span style="font-size:10.0pt;font-family:Consolas"><o:p><span style="text-decoration:none"> </span></o:p></span></u></b></p>
<table class="MsoTableGrid" border="1" cellspacing="0" cellpadding="0" style="border-collapse:collapse;border:none">
<tbody>
<tr>
<td width="170" valign="top" style="width:127.2pt;border:solid windowtext 1.0pt;padding:0cm 5.4pt 0cm 5.4pt">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:Consolas">Comment<o:p></o:p></span></b></p>
</td>
<td width="832" valign="top" style="width:22.0cm;border:solid windowtext 1.0pt;border-left:none;padding:0cm 5.4pt 0cm 5.4pt">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:Consolas">Trace snippet <o:p></o:p></span></b></p>
</td>
</tr>
<tr>
<td width="170" valign="top" style="width:127.2pt;border:solid windowtext 1.0pt;border-top:none;padding:0cm 5.4pt 0cm 5.4pt">
<p class="MsoNormal"><b><u><span style="font-size:10.0pt;font-family:Consolas"><o:p><span style="text-decoration:none"> </span></o:p></span></u></b></p>
</td>
<td width="832" valign="top" style="width:22.0cm;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0cm 5.4pt 0cm 5.4pt">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas">___________HANDSHAKE_START_ fd=316 in state before SSL initialization<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas">___________ACCEPT__LOOP__OK____ fd=316 in state before SSL initialization<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas">___________ACCEPT__LOOP__OK____ fd=316 in state before SSL initialization<o:p></o:p></span></p>
</td>
</tr>
<tr>
<td width="170" valign="top" style="width:127.2pt;border:solid windowtext 1.0pt;border-top:none;padding:0cm 5.4pt 0cm 5.4pt">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas;background:lime;mso-highlight:lime">I expect server_parse_cb() returning 0 to cause the interruption of the connection.<br>
<br>
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas;background:lime;mso-highlight:lime">Can you confirm this</span><span style="font-size:10.0pt;font-family:Consolas">?<o:p></o:p></span></p>
</td>
<td width="832" valign="top" style="width:22.0cm;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0cm 5.4pt 0cm 5.4pt">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas">++ CertFileTLSContextHandler::server_parse_cb Entered
<br>
{<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas"> == server_parse_cb: ext_type: 3 inlen: 61 in: A7:8F:B0:9A:96:A4:A0:4E:6F:B3:BF:4D:24:B3:85:0D:4A:64:9B:30
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas"> ++ CertificateStoreDirectory::findCertBy by SHA1 Entered
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas"> {<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas"> certificate: fde47a0f.1 ignored! does not match A7:8F:B0:9A:96:A4:A0:4E:6F:B3:BF:4D:24:B3:85:0D:4A:64:9B:30<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas"> } ++ CertificateStoreDirectory::findCertBy returns : elapsed time: 1302748ns<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas">} ++ CertFileTLSContextHandler::server_parse_cb
<span style="background:lime;mso-highlight:lime">returns : 0</span> elapsed time: 1351234ns<o:p></o:p></span></p>
</td>
</tr>
<tr>
<td width="170" valign="top" style="width:127.2pt;border:solid windowtext 1.0pt;border-top:none;padding:0cm 5.4pt 0cm 5.4pt">
<p class="MsoNormal"><b><u><span style="font-size:10.0pt;font-family:Consolas"><o:p><span style="text-decoration:none"> </span></o:p></span></u></b></p>
</td>
<td width="832" valign="top" style="width:22.0cm;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0cm 5.4pt 0cm 5.4pt">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas">___________WRITE___ALERT_ fd=316 in state SSLv3/TLS read client hello err: fatal: decode error<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas">___________ACCEPT__EXIT__ fd=316 in state error
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas">11152:error:1417D0E3:SSL routines:tls_process_client_hello:parse tlsext:ssl\statem\statem_srvr.c:1209:<o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><u><span style="font-size:10.0pt;font-family:"Arial",sans-serif">Scenario 2:</span></u></b><span style="font-size:10.0pt;font-family:"Arial",sans-serif"> Server triggered renegotiation
<span style="background:yellow;mso-highlight:yellow">(Expected to interrupt connection as well.)</span><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><u><span style="font-size:10.0pt;font-family:Consolas">Server trace (Proxy):<o:p></o:p></span></u></b></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><u><span style="font-size:10.0pt;font-family:Consolas"><o:p><span style="text-decoration:none"> </span></o:p></span></u></b></p>
<table class="MsoTableGrid" border="1" cellspacing="0" cellpadding="0" style="border-collapse:collapse;border:none">
<tbody>
<tr>
<td width="170" valign="top" style="width:127.2pt;border:solid windowtext 1.0pt;padding:0cm 5.4pt 0cm 5.4pt">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:Consolas">Comment<o:p></o:p></span></b></p>
</td>
<td width="832" valign="top" style="width:22.0cm;border:solid windowtext 1.0pt;border-left:none;padding:0cm 5.4pt 0cm 5.4pt">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:Consolas">Trace snippet <o:p></o:p></span></b></p>
</td>
</tr>
<tr>
<td width="170" valign="top" style="width:127.2pt;border:solid windowtext 1.0pt;border-top:none;padding:0cm 5.4pt 0cm 5.4pt">
<p class="MsoNormal"><b><u><span style="font-size:10.0pt;font-family:Consolas"><o:p><span style="text-decoration:none"> </span></o:p></span></u></b></p>
</td>
<td width="832" valign="top" style="width:22.0cm;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0cm 5.4pt 0cm 5.4pt">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas">++ TLSContextHandler::renegotiate Entered
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas">{<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas"> Trusting CA certificate "/C=AT/ST=OOE/O=ETM/OU=INNO/CN=CA2" file fde47a0f.1<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas"> Use host certificate: "/C=AT/ST=OOE/L=LINZ/O=ETM/OU=INNO/CN=Sys2:Single"
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas"> issued by : "/C=AT/ST=OOE/O=ETM/OU=INNO/CN=CA2"
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas"> file : Single.1.cert.pem<br>
<br>
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas"> Use private key file: Single.1.key.pem<o:p></o:p></span></p>
</td>
</tr>
<tr>
<td width="170" valign="top" style="width:127.2pt;border:solid windowtext 1.0pt;border-top:none;padding:0cm 5.4pt 0cm 5.4pt">
<p class="MsoNormal"><b><u><span style="font-size:10.0pt;font-family:Consolas"><o:p><span style="text-decoration:none"> </span></o:p></span></u></b></p>
</td>
<td width="832" valign="top" style="width:22.0cm;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0cm 5.4pt 0cm 5.4pt">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas"> ++ TLSContextHandler::doHandshake Entered
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas"> {<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas"> ___________HANDSHAKE_START_ fd=920 in state SSL negotiation finished successfully<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas"> ___________ACCEPT__LOOP__OK____ fd=920 in state SSL negotiation finished successfully<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas"> ___________ACCEPT__LOOP__OK____ fd=920 in state SSLv3/TLS write hello request<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas"><o:p> </o:p></span></p>
</td>
</tr>
<tr>
<td width="170" valign="top" style="width:127.2pt;border:solid windowtext 1.0pt;border-top:none;padding:0cm 5.4pt 0cm 5.4pt">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas;background:red;mso-highlight:red">Here I am missing server_parse_cb() (see Server trace scenario 1)</span><span style="font-size:10.0pt;font-family:Consolas"><o:p></o:p></span></p>
</td>
<td width="832" valign="top" style="width:22.0cm;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0cm 5.4pt 0cm 5.4pt">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas"><o:p> </o:p></span></p>
</td>
</tr>
<tr>
<td width="170" valign="top" style="width:127.2pt;border:solid windowtext 1.0pt;border-top:none;padding:0cm 5.4pt 0cm 5.4pt">
<p class="MsoNormal"><b><u><span style="font-size:10.0pt;font-family:Consolas"><o:p><span style="text-decoration:none"> </span></o:p></span></u></b></p>
</td>
<td width="832" valign="top" style="width:22.0cm;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0cm 5.4pt 0cm 5.4pt">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas"> ___________ACCEPT__EXIT__ fd=920 in state SSL negotiation finished successfully<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas"> SSL_do_handshake(ssl)
<b>rc:</b> 1, <b>SSL error:</b> [0] SSL_ERROR_NONE, <b>OS error:</b> [0] No error<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas"> } ++ TLSContextHandler::doHandshake returns : 1 elapsed time: 310500ns<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas"><o:p> </o:p></span></p>
</td>
</tr>
<tr>
<td width="170" valign="top" style="width:127.2pt;border:solid windowtext 1.0pt;border-top:none;padding:0cm 5.4pt 0cm 5.4pt">
<p class="MsoNormal"><b><u><span style="font-size:10.0pt;font-family:Consolas"><o:p><span style="text-decoration:none"> </span></o:p></span></u></b></p>
</td>
<td width="832" valign="top" style="width:22.0cm;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0cm 5.4pt 0cm 5.4pt">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas">} TLSContextHandler::renegotiate returns : 1 elapsed time: 3564000ns<o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><u><span style="font-size:10.0pt;font-family:Consolas">Client trace (Dist):<o:p></o:p></span></u></b></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><u><span style="font-size:10.0pt;font-family:Consolas"><o:p><span style="text-decoration:none"> </span></o:p></span></u></b></p>
<table class="MsoTableGrid" border="1" cellspacing="0" cellpadding="0" style="border-collapse:collapse;border:none">
<tbody>
<tr>
<td width="170" valign="top" style="width:127.2pt;border:solid windowtext 1.0pt;padding:0cm 5.4pt 0cm 5.4pt">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:Consolas">Comment<o:p></o:p></span></b></p>
</td>
<td width="832" valign="top" style="width:22.0cm;border:solid windowtext 1.0pt;border-left:none;padding:0cm 5.4pt 0cm 5.4pt">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:Consolas">Trace snippet <o:p></o:p></span></b></p>
</td>
</tr>
<tr>
<td width="170" valign="top" style="width:127.2pt;border:solid windowtext 1.0pt;border-top:none;padding:0cm 5.4pt 0cm 5.4pt">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:Consolas"><o:p> </o:p></span></b></p>
</td>
<td width="832" valign="top" style="width:22.0cm;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0cm 5.4pt 0cm 5.4pt">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas">___________HANDSHAKE_START_ fd=13 in state SSL negotiation finished successfully<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas">___________CONNECT_LOOP__OK____ fd=13 in state SSL negotiation finished successfully<o:p></o:p></span></p>
</td>
</tr>
<tr>
<td width="170" valign="top" style="width:127.2pt;border:solid windowtext 1.0pt;border-top:none;padding:0cm 5.4pt 0cm 5.4pt">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas">client_add_cb ist called, but the server never gets the data! (see above)<o:p></o:p></span></p>
</td>
<td width="832" valign="top" style="width:22.0cm;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0cm 5.4pt 0cm 5.4pt">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas">++ client_add_cb Entered
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas">{<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas"> ++ sendTrustedCAKeys Entered
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas"> {<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas"> <== send peer a list of my trusted CAs. SHA1: A7:8F:B0:9A:96:A4:A0:4E:6F:B3:BF:4D:24:B3:85:0D:4A:64:9B:30 <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas"> Subject : /C=AT/ST=OOE/O=ETM/OU=INNO/CN=CA1 file: af83623b.0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas"> Out : A7:8F:B0:9A:96:A4:A0:4E:6F:B3:BF:4D:24:B3:85:0D:4A:64:9B:30
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas"> } ++ sendTrustedCAKeys returns : 1 elapsed time: 3685525ns<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas">} ++ client_add_cb returns : 1 elapsed time: 14254269ns<o:p></o:p></span></p>
</td>
</tr>
<tr>
<td width="170" valign="top" style="width:127.2pt;border:solid windowtext 1.0pt;border-top:none;padding:0cm 5.4pt 0cm 5.4pt">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas"><o:p> </o:p></span></p>
</td>
<td width="832" valign="top" style="width:22.0cm;border-top:none;border-left:none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt;padding:0cm 5.4pt 0cm 5.4pt">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas">___________CONNECT_LOOP__OK____ fd=13 in state SSLv3/TLS write client hello<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas">___________CONNECT_EXIT__ fd=13 in state SSLv3/TLS write client hello<o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif">Could you please advice how to solve this issue.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="DE-AT" style="font-size:10.0pt;font-family:"Arial",sans-serif">With best regards,<br>
</span><span style="font-size:10.0pt;font-family:"Arial",sans-serif">Andreas Pflügl</span><span lang="DE-AT"><o:p></o:p></span></p>
</div>
</body>
</html>