[openssl-dev] [openssl.org #4524] [BUG] TLS 1.2 handshake hangs for TLS 1.0 only hosts

Matt Caswell via RT rt at openssl.org
Sat Apr 30 20:59:46 UTC 2016


On Sat Apr 30 19:51:51 2016, henrik at newdawn.dk wrote:
> Hi there
>
> I've recently come across what looks to be an internal bug in openssl:
>
> Original symptoms were that neither "curl" nor "wget" could access the
> following site:
>
> https://coverage.tre.se - this site is using TLS 1.0 (only) and does
> have some pretty crazy certificate issues - but does show up "green"
> in most browsers (Unless you're on a system with an openssl which
> supports TLS 1.2 ).
>
> Accessing the site (curl / wget) hangs during SSL handshake.
>
> I then tried:
> openssl s_client -connect coverage.tre.se:443 which hangs as well
>
> By forcing the protocol to TLS1.0 it will correctly parse and see the
> certificate. By forcing protocol to TLS1.1 it'll correctly error out
> saying invalid protocol. Even just telling s_client to not include TLS
> 1.2 will make it work as expected.
>
> So to sum up:
>
> My guess would be that some incompatibility between the 1.0 and 1.2
> protocol causes 1.2 to not determine correctly that the server does
> not support it, and as such is unable to fall back to previous
> versions.
>
> I have verified this on several ubuntu 14.04 machines with the
> following openssl versions:
>
> OpenSSL 1.0.1f 6 Jan 2014
>
>
> OpenSSL 1.0.2g 1 Mar 2016
>
> And I've verified that it does work as expected on OSX which has an
> openssl version that does not support TLS 1.2:
>
> OpenSSL 0.9.8zg 14 July 2015
>
> Hope this helps resolve the issue.

This is not a bug in OpenSSL. The problem here is that the server is behaving
incorrectly when receiving large ClientHello messages. The ClientHello is the
first message that is sent from the client to the server. If a large
ClientHello is received then the server just hangs. The reason that this
impacts TLSv1.2 and not other versions is that there are more ciphersuites
available for that protocol version and therefore the ClientHello is bigger.

You can verify that it all works correctly by restricting the number of
ciphersuites that the client sends in its ClientHello. E.g. just sending one
ciphersuite:

openssl s_client -connect coverage.tre.se:443 -cipher AES128-SHA

The above command works fine and successfully connects. If fixing the server is
not an option then a simple workaround is to define a ciphersuite selection
string that restricts the ciphersuites to a smaller set.

Closing this ticket.

Matt

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4524
Please log in as guest with password guest if prompted
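To make the size argument in the reply above concrete, here is an added example (not OpenSSL code and not part of the ticket) that builds a minimal TLS ClientHello record with a chosen protocol version and cipher-suite list and parses the suites back out, so a reader can see that every extra suite adds two bytes and inspect what a client actually offers. The suite tables and the server name are constructed sample input; the wire format follows RFC 5246.

```python
import os
import struct

# Constructed, abbreviated suite tables (IANA code points), not OpenSSL's real defaults:
# a TLS 1.0-era list, and a longer list with the SHA-256/GCM suites TLS 1.2 added.
TLS10_SUITES = [0x002F, 0x0035, 0x000A, 0x0005, 0x0004]
TLS12_SUITES = TLS10_SUITES + [
    0x003C, 0x003D, 0x009C, 0x009D, 0xC02F, 0xC030, 0xC02B, 0xC02C,
    0xC027, 0xC028, 0xC023, 0xC024, 0x0067, 0x006B, 0x009E, 0x009F,
]
TLS1_0, TLS1_2 = 0x0301, 0x0303  # ProtocolVersion wire values


def build_client_hello(version, suites, server_name, client_random=None):
    """Return a TLS record carrying a ClientHello with an SNI extension (RFC 5246 7.4.1.2)."""
    if client_random is None:
        client_random = os.urandom(32)
    name = server_name.encode("idna")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (
        struct.pack("!H", version)
        + client_random
        + b"\x00"                                                  # empty session id
        + struct.pack("!H", len(suite_bytes)) + suite_bytes        # 2 bytes per suite
        + b"\x01\x00"                                              # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello
    return b"\x16" + struct.pack("!HH", TLS1_0, len(handshake)) + handshake


def parse_cipher_suites(record):
    """Extract the offered cipher-suite list from a ClientHello record built as above."""
    body = record[5:][4:]                     # skip record header, then handshake header
    pos = 2 + 32                              # version + random
    session_id_len = body[pos]
    pos += 1 + session_id_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]


if __name__ == "__main__":
    for label, ver, suites in (("TLS1.0", TLS1_0, TLS10_SUITES), ("TLS1.2", TLS1_2, TLS12_SUITES),
                               ("TLS1.2, one suite", TLS1_2, [0x002F])):
        rec = build_client_hello(ver, suites, "coverage.tre.se")
        print(f"{label:18s} {len(suites):2d} suites -> ClientHello record {len(rec)} bytes")
```

Restricting the cipher string, as the reply suggests, shrinks only the suite vector; the rest of the message stays the same size.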