[openssl-dev] [openssl.org #4303] OpenSSL 1.1.0 renegotiation problem (s_server/s_client)

Rainer Jung via RT rt at openssl.org
Fri Feb 12 18:41:41 UTC 2016


Using OpenSSL 1.1.0pre2 I see renegotiation problems between s_client 
and s_server (but also in Apache mod_ssl).

First starting:

   s_server -cert server.crt -key server.pem -accept 8443 -debug -state

Using default temp DH parameters
ACCEPT

Now starting

   s_client -connect localhost:8443 -debug -state

I see on the server side:

SSL_accept:before SSL initialization
...
SSL_accept:SSLv3/TLS write finished
-----BEGIN SSL SESSION PARAMETERS-----
MFoCAQECAgMDBALAMAQABDBWP93rPtTOpEyh6rNq87IB7+8JHLQ3Kgg3dDxFrxhH
6gdH1LM33nePKWE8je2ezmKhBgIEVr4d6aIEAgIcIKQGBAQAAAABrQMCAQE=
-----END SSL SESSION PARAMETERS-----
Shared ciphers:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES256-CCM:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-CCM8:DHE-RSA-AES256-CCM:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-CAMELLIA256-SHA384:ECDHE-ECDSA-CAMELLIA256-SHA384:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-CAMELLIA256-SHA256:DHE-DSS-CAMELLIA256-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:ECDH-RSA-CAMELLIA256-SHA384:ECDH-ECDSA-CAMELLIA256-SHA384:AES256-CCM8:AES256-CCM:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA256:CAMELLIA256-SHA:ECDHE-ECDSA-AES128-CCM8:ECDHE-ECDSA-AES128-CCM:ECDHE-RSA-AES128-GCM-SHA256
Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Supported Elliptic Curves: P-256:P-521:brainpoolP512r1:brainpoolP384r1:P-384:brainpoolP256r1:secp256k1:B-571:K-571:K-409:B-409:K-283:B-283
Shared Elliptic curves: P-256:P-521:brainpoolP512r1:brainpoolP384r1:P-384:brainpoolP256r1:secp256k1:B-571:K-571:K-409:B-409:K-283:B-283
CIPHER is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported


and on the client side:


CONNECTED(00000003)
SSL_connect:before SSL initialization
...
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=San Francisco/O=ASF/OU=httpd-test/rsa-test/CN=localhost/emailAddress=test-dev at httpd.apache.org
issuer=/C=US/ST=California/L=San Francisco/O=ASF/OU=httpd-test/CN=ca/emailAddress=test-dev at httpd.apache.org
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1672 bytes and written 447 bytes
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
     Protocol  : TLSv1.2
     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
     Session-ID: B57844A325DB8E6781073CD615128A88342E850B5A11B9966A2B7C2F475B1727
     Session-ID-ctx:
     Master-Key: 563FDDEB3ED4CEA44CA1EAB36AF3B201EFEF091CB4372A0837743C45AF1847EA0747D4B337DE778F29613C8DED9ECE62
     PSK identity: None
     PSK identity hint: None
     SRP username: None
     TLS session ticket lifetime hint: 7200 (seconds)
     TLS session ticket:
...

     Start Time: 1455300073
     Timeout   : 7200 (sec)
     Verify return code: 21 (unable to verify the first certificate)
     Extended master secret: yes
---


Now pressing R and return on the client side results on the server side in:


read from 0x2c9978 [0x2d7abb] (5 bytes => 5 (0x5))
0000 - 16 03 03 01 63                                    ....c
read from 0x2c9978 [0x2d7ac0] (355 bytes => 355 (0x163))
SSL_accept:before SSL initialization
SSL_accept:before SSL initialization
SSL_accept:SSLv3/TLS read client hello
SSL_accept:SSLv3/TLS write server hello
SSL_accept:SSLv3/TLS write certificate
SSL_accept:error in error
ERROR
4280523828:error:14179044:SSL routines:tls_construct_server_key_exchange:internal error:statem/statem_srvr.c:1778:
shutting down SSL
CONNECTION CLOSED
ACCEPT


and on the client side


R
RENEGOTIATING
SSL_connect:SSL negotiation finished successfully
write to 0x2cf680 [0x2dbc13] (360 bytes => 360 (0x168))
...
SSL_connect:SSLv3/TLS write client hello
read from 0x2cf680 [0x2d76c3] (5 bytes => 0 (0x0))
SSL_connect:error in SSLv3/TLS write client hello
write:errno=0
error in s_client


I ran into the same problem when trying to use OpenSSL 1.1.0pre2 in 
Apache for mod_ssl. The code in question is in 
tls_construct_server_key_exchange().

The following condition triggers the jump to err:

    1773     if (type & (SSL_kECDHE | SSL_kECDHEPSK)) {
    1774         int nid;
    1775
    1776         if (s->s3->tmp.pkey != NULL) {
    1777             SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
    1778                    ERR_R_INTERNAL_ERROR);
    1779             goto err;
    1780         }

Using an AES reneg works; with ECDHE as above it does not.

Regards,

Rainer


-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4303
Please log in as guest with password guest if prompted
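
A triage sketch for the server-side trace above, added here as an example; it is not part of the original message and not OpenSSL project code. It decodes the error-queue line and reports whether the failure came after an earlier handshake had completed on the same connection. It assumes the pre-3.0 error-code packing (8-bit library, 12-bit function, 12-bit reason) and that s_server prints a `CIPHER is` line after each completed handshake; `decode_error`, `triage` and `SAMPLE` are names chosen for this example.

```python
import re

# Pre-3.0 OpenSSL packs an error code as lib (8 bits), func (12), reason (12).
ERR_LIB_SSL = 20
ERR_R_INTERNAL_ERROR = 4 | 64   # 4 | ERR_R_FATAL

ERR_LINE = re.compile(
    r"^(?P<tid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):")

# Constructed sample: lines excerpted from the server trace in the message above.
SAMPLE = """\
SSL_accept:before SSL initialization
SSL_accept:SSLv3/TLS write finished
CIPHER is ECDHE-RSA-AES256-GCM-SHA384
SSL_accept:before SSL initialization
SSL_accept:SSLv3/TLS read client hello
SSL_accept:SSLv3/TLS write server hello
SSL_accept:SSLv3/TLS write certificate
SSL_accept:error in error
4280523828:error:14179044:SSL routines:tls_construct_server_key_exchange:internal error:statem/statem_srvr.c:1778:
CONNECTION CLOSED
"""

def decode_error(line):
    """Split one error-queue line and unpack its hex code; None if no match."""
    m = ERR_LINE.match(line.strip())
    if not m:
        return None
    code = int(m["code"], 16)
    return {"lib": code >> 24 & 0xFF, "func_code": code >> 12 & 0xFFF,
            "reason_code": code & 0xFFF, "func": m["func"],
            "reason": m["reason"], "file": m["file"], "line": int(m["line"])}

def triage(trace):
    """Return details of the first failed handshake in an s_server -state trace."""
    completed, cipher, last_state = 0, None, None
    for line in map(str.strip, trace.splitlines()):
        err = decode_error(line)
        if err:
            return {"renegotiation": completed > 0, "cipher": cipher,
                    "last_state": last_state, **err}
        if line.startswith("CIPHER is "):
            completed, cipher = completed + 1, line[len("CIPHER is "):]
        elif line.startswith("SSL_accept:") and ":error" not in line:
            last_state = line.split(":", 1)[1]
        elif line == "CONNECTION CLOSED":
            completed, cipher, last_state = 0, None, None  # new connection
    return None
```

On the sample, the last state reached before the error is the certificate write, which matches the failing function name in the error line.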


