[openssl-dev] [openssl.org #4303] OpenSSL 1.1.0 renegotiation problem (s_server/s_client)
Rainer Jung via RT
rt at openssl.org
Fri Feb 12 18:41:41 UTC 2016
Using OpenSSL 1.1.0pre2 I see renegotiation problems between s_client
and s_server (but also in Apache mod_ssl).
First starting:
s_server -cert server.crt -key server.pem -accept 8443 -debug -state
Using default temp DH parameters
ACCEPT
Now starting
s_client -connect localhost:8443 -debug -state
I see on the server side:
SSL_accept:before SSL initialization
...
SSL_accept:SSLv3/TLS write finished
-----BEGIN SSL SESSION PARAMETERS-----
MFoCAQECAgMDBALAMAQABDBWP93rPtTOpEyh6rNq87IB7+8JHLQ3Kgg3dDxFrxhH
6gdH1LM33nePKWE8je2ezmKhBgIEVr4d6aIEAgIcIKQGBAQAAAABrQMCAQE=
-----END SSL SESSION PARAMETERS-----
Shared ciphers:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES256-CCM:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-CCM8:DHE-RSA-AES256-CCM:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-CAMELLIA256-SHA384:ECDHE-ECDSA-CAMELLIA256-SHA384:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-CAMELLIA256-SHA256:DHE-DSS-CAMELLIA256-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:ECDH-RSA-CAMELLIA256-SHA384:ECDH-ECDSA-CAMELLIA256-SHA384:AES256-CCM8:AES256-CCM:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA256:CAMELLIA256-SHA:ECDHE-ECDSA-AES128-CCM8:ECDHE-ECDSA-AES128-CCM:ECDHE-RSA-AES128-GCM-SHA256
Signature Algorithms:
RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Signature Algorithms:
RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Supported Elliptic Curve Point Formats:
uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Supported Elliptic Curves:
P-256:P-521:brainpoolP512r1:brainpoolP384r1:P-384:brainpoolP256r1:secp256k1:B-571:K-571:K-409:B-409:K-283:B-283
Shared Elliptic curves:
P-256:P-521:brainpoolP512r1:brainpoolP384r1:P-384:brainpoolP256r1:secp256k1:B-571:K-571:K-409:B-409:K-283:B-283
CIPHER is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported
and on the client side:
CONNECTED(00000003)
SSL_connect:before SSL initialization
...
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=San Francisco/O=ASF/OU=httpd-test/rsa-test/CN=localhost/emailAddress=test-dev at httpd.apache.org
issuer=/C=US/ST=California/L=San Francisco/O=ASF/OU=httpd-test/CN=ca/emailAddress=test-dev at httpd.apache.org
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1672 bytes and written 447 bytes
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: B57844A325DB8E6781073CD615128A88342E850B5A11B9966A2B7C2F475B1727
Session-ID-ctx:
Master-Key: 563FDDEB3ED4CEA44CA1EAB36AF3B201EFEF091CB4372A0837743C45AF1847EA0747D4B337DE778F29613C8DED9ECE62
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
...
Start Time: 1455300073
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: yes
---
Now pressing R and return on the client side results on the server side in:
read from 0x2c9978 [0x2d7abb] (5 bytes => 5 (0x5))
0000 - 16 03 03 01 63 ....c
read from 0x2c9978 [0x2d7ac0] (355 bytes => 355 (0x163))
SSL_accept:before SSL initialization
SSL_accept:before SSL initialization
SSL_accept:SSLv3/TLS read client hello
SSL_accept:SSLv3/TLS write server hello
SSL_accept:SSLv3/TLS write certificate
SSL_accept:error in error
ERROR
4280523828:error:14179044:SSL routines:tls_construct_server_key_exchange:internal error:statem/statem_srvr.c:1778:
shutting down SSL
CONNECTION CLOSED
ACCEPT
and on the client side
R
RENEGOTIATING
SSL_connect:SSL negotiation finished successfully
write to 0x2cf680 [0x2dbc13] (360 bytes => 360 (0x168))
...
SSL_connect:SSLv3/TLS write client hello
read from 0x2cf680 [0x2d76c3] (5 bytes => 0 (0x0))
SSL_connect:error in SSLv3/TLS write client hello
write:errno=0
error in s_client
I ran into the same problem when trying to use OpenSSL 1.1.0pre2 in
Apache for mod_ssl. The code in question is in
tls_construct_server_key_exchange().
The following condition triggers the jump to err:
1773 if (type & (SSL_kECDHE | SSL_kECDHEPSK)) {
1774 int nid;
1775
1776 if (s->s3->tmp.pkey != NULL) {
1777 SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
1778 ERR_R_INTERNAL_ERROR);
1779 goto err;
1780 }
Using an AES reneg works; with ECDHE as above it does not.
Regards,
Rainer
--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4303
Please log in as guest with password guest if prompted
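For reading the server-side trace in the report above, the following added example (not part of the original message and not OpenSSL code) parses the error-queue line and the 5-byte TLS record header from the debug dump. The struct and function names are hypothetical, and the bit layout assumed is the pre-3.0 ERR_PACK one (library in bits 24-31, function in 12-23, reason in 0-11).

```c
#include <stdio.h>
#include <string.h>

/* Sample input taken from the report: the unwrapped error line and the
 * record-header bytes "16 03 03 01 63" from the -debug dump. */
static const char SAMPLE_ERR[] = "4280523828:error:14179044:SSL routines:"
    "tls_construct_server_key_exchange:internal error:statem/statem_srvr.c:1778:";
static const unsigned char SAMPLE_HDR[5] = { 0x16, 0x03, 0x03, 0x01, 0x63 };

/* Hypothetical container for one error-queue line:
 * <tid>:error:<hex code>:<lib>:<func>:<reason>:<file>:<line>:<data> */
struct ossl_err {
    unsigned long code;              /* packed error code */
    unsigned lib, func, reason;      /* unpacked fields */
    int fatal;                       /* reason has ERR_R_FATAL (64) set */
    char libname[32], funcname[64], reasontext[64], file[64];
    int line;
};

/* Returns 0 on success, -1 if the line does not match the format. */
int parse_ossl_err(const char *s, struct ossl_err *e)
{
    memset(e, 0, sizeof(*e));
    if (sscanf(s, "%*[0-9]:error:%lx:%31[^:]:%63[^:]:%63[^:]:%63[^:]:%d:",
               &e->code, e->libname, e->funcname, e->reasontext,
               e->file, &e->line) != 6)
        return -1;
    e->lib    = (unsigned)(e->code >> 24) & 0xff;
    e->func   = (unsigned)(e->code >> 12) & 0xfff;
    e->reason = (unsigned)e->code & 0xfff;
    e->fatal  = (e->reason & 64) != 0;   /* 68 = 4 | 64 = ERR_R_INTERNAL_ERROR */
    return 0;
}

/* TLS record header: content type, protocol version, payload length.
 * Returns 0 for a known content type (20..23; 22 is handshake), else -1. */
int parse_record_header(const unsigned char h[5], unsigned *type,
                        unsigned *version, unsigned *length)
{
    *type = h[0];
    *version = ((unsigned)h[1] << 8) | h[2];
    *length = ((unsigned)h[3] << 8) | h[4];
    return (*type >= 20 && *type <= 23) ? 0 : -1;
}

int main(void)
{
    struct ossl_err e;
    unsigned t, v, n;
    if (parse_ossl_err(SAMPLE_ERR, &e) == 0)
        printf("lib=%u func=%u reason=%u fatal=%d at %s:%d\n",
               e.lib, e.func, e.reason, e.fatal, e.file, e.line);
    if (parse_record_header(SAMPLE_HDR, &t, &v, &n) == 0)
        printf("record type=%u version=0x%04x length=%u\n", t, v, n);
    return 0;
}
```

The decoded record length (355) matches the "355 bytes" read that follows the header in the server trace, and the reason value 68 is the generic internal-error code rather than a protocol alert.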