[openssl-dev] [openssl.org #3764] [BUG REPORT] Missing message Alert on ssl23_get_server_hello negotiation failure
Fernando Mognon via RT
rt at openssl.org
Mon Mar 23 20:47:44 UTC 2015
Hi,
openSSL version: 1.0.1l
openSUSE-release 13.1-1.10
This problem only show for s23_clnt.c module. The flow is correct for
s3_clnt.c module.
If the TLS client starts a client hello, with tls1.1 for example and the
server only supports tls1.0, if the TLS client receives a protocol version
from the server that it does not support it should break the TLS
negotiation by sending a protocol_version Alert to the TLS Server
Although there is debug SSLerr the message ALERT is not sent.
SSL_connect:error in SSLv2/v3 read server hello A
3074041532:error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported
protocol:s23_clnt.c:740:
This behavior is described in RFC5246
Backward Compatibility
E.1 <https://tools.ietf.org/html/rfc5246#appendix-E.1>. Compatibility
with TLS 1.0/1.1 and SSL 3.0
Since there are various versions of TLS (1.0, 1.1, 1.2, and any
future versions) and SSL (2.0 and 3.0), means are needed to negotiate
the specific protocol version to use. The TLS protocol provides a
built-in mechanism for version negotiation so as not to bother other
protocol components with the complexities of version selection.
TLS versions 1.0, 1.1, and 1.2, and SSL 3.0 are very similar, and use
compatible ClientHello messages; thus, supporting all of them is
relatively easy. Similarly, servers can easily handle clients trying
to use future versions of TLS as long as the ClientHello format
remains compatible, and the client supports the highest protocol
version available in the server.
A TLS 1.2 client who wishes to negotiate with such older servers will
send a normal TLS 1.2 ClientHello, containing { 3, 3 } (TLS 1.2) in
ClientHello.client_version. If the server does not support this
version, it will respond with a ServerHello containing an older
version number. If the client agrees to use this version, the
negotiation will proceed as appropriate for the negotiated protocol.
If the version chosen by the server is not supported by the client
(or not acceptable), the client MUST send a "protocol_version" alert
message and close the connection.
A Possible fix would be just call function ssl3_send_alert() like it
is done in the function ssl3_get_server_hello(), s3clnt.c, which works
fine.
I need to use the module s23_xxx.c because the application (Kamailio)
needs to be configured to support 1.0 and higher version
(TLS_USE_TLSv1_PLUS)
Att.
Fernando Mognon
-------------- next part --------------
A non-text attachment was scrubbed...
Name: BadCase_ClientRejectsTLSv10_No_ALERT.pcap
Type: application/octet-stream
Size: 3253 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150323/1c4ca75f/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: GoodCase_ClientRejectsTLSv10_withAlertProtocolVersion.pcap
Type: application/octet-stream
Size: 4330 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150323/1c4ca75f/attachment-0001.obj>
More information about the openssl-dev
mailing list