[openssl-dev] [openssl.org #4080] Malformed Client Hello messages are accepted (session_id length)

Hubert Kario via RT rt at openssl.org
Thu Oct 8 16:12:50 UTC 2015


The server does not abort the connection upon receiving a Client Hello 
message with a malformed session_id field.

Affects 1.0.1, 1.0.2 and master.

In SSLv3 and all versions of TLS (e.g. RFC 5246), the SessionID is 
defined as

      opaque SessionID<0..32>;

That means that any SessionID longer than 32 bytes creates an 
incorrectly formatted Client Hello message, which, as such, should be 
rejected.

Reproducer:
openssl req -x509 -newkey rsa -keyout localhost.key -out localhost.crt -nodes -batch
openssl s_server -key localhost.key -cert localhost.crt

In different console:
pip install --pre tlslite-ng
git clone https://github.com/tomato42/tlsfuzzer.git
cd tlsfuzzer
PYTHONPATH=. python scripts/test-invalid-session-id.py
-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
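The length bound the report cites (opaque SessionID<0..32>) is a check a receiver must apply while parsing. Below is an added, self-contained example (not OpenSSL or tlsfuzzer code) of a minimal ClientHello body parser that enforces the RFC 5246 vector bounds and rejects an over-long session_id; build_client_hello is an assumed helper that constructs a test fixture, not a real client.

```python
import struct

MAX_SESSION_ID_LEN = 32  # opaque SessionID<0..32>, RFC 5246 section 7.4.1.2


class MalformedClientHello(ValueError):
    """Raised when a ClientHello body violates the presentation-language bounds."""


def parse_client_hello(body: bytes) -> dict:
    """Parse a ClientHello body (bytes after the 4-byte handshake header).

    Every variable-length vector is checked against its declared bounds and
    against the remaining message length before it is consumed.
    """
    if len(body) < 2 + 32 + 1:
        raise MalformedClientHello("truncated before session_id length")
    client_version = struct.unpack(">H", body[0:2])[0]
    random_bytes = body[2:34]
    sid_len, off = body[34], 35
    if sid_len > MAX_SESSION_ID_LEN:  # the check this report says the server lacks
        raise MalformedClientHello(f"session_id length {sid_len} exceeds 32")
    if off + sid_len > len(body):
        raise MalformedClientHello("session_id runs past end of message")
    session_id, off = body[off:off + sid_len], off + sid_len
    # cipher_suites<2..2^16-2>: two-byte length, non-zero and even
    if off + 2 > len(body):
        raise MalformedClientHello("truncated before cipher_suites length")
    cs_len, off = struct.unpack(">H", body[off:off + 2])[0], off + 2
    if cs_len < 2 or cs_len % 2 or off + cs_len > len(body):
        raise MalformedClientHello("bad cipher_suites vector")
    suites = [struct.unpack(">H", body[i:i + 2])[0] for i in range(off, off + cs_len, 2)]
    off += cs_len
    # compression_methods<1..2^8-1>: one-byte length, at least one method
    if off >= len(body):
        raise MalformedClientHello("truncated before compression_methods length")
    cm_len, off = body[off], off + 1
    if cm_len < 1 or off + cm_len > len(body):
        raise MalformedClientHello("bad compression_methods vector")
    compression, off = body[off:off + cm_len], off + cm_len
    return {"version": client_version, "random": random_bytes, "session_id": session_id,
            "cipher_suites": suites, "compression_methods": compression,
            "extensions": body[off:]}  # raw extensions block, not parsed here


def is_well_formed(body: bytes) -> bool:
    """Convenience wrapper: True if the body parses, False if it is rejected."""
    try:
        parse_client_hello(body)
        return True
    except MalformedClientHello:
        return False


def build_client_hello(session_id: bytes) -> bytes:
    """Constructed test fixture: TLS 1.2 version, zero random, one suite, null compression."""
    return (b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
            + b"\x00\x02\x00\x2f" + b"\x01\x00")
```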