[openssl-dev] [openssl.org #4596] OpenSSL TLS Version Handling Errors

Hubert Kario via RT rt at openssl.org
Tue Jun 28 17:25:57 UTC 2016


from RT#2777

On Monday 27 June 2016 20:43:07 Rich Salz via RT wrote:
> please open a new ticket if this is still an issue with current (at least
> 1.0.2, ideally master) sources.

Current 1.0.2 still doesn't handle ClientHello.client_version set to 0x00,0x00
correctly in a 0x03, 0x00 record layer, the connection is just closed without
sending an Alert message.

current master handles all correctly

all test performed:
3, 3 version in 3, 0 record - passed
3, 3 version in 3, 254 record - passed 
254, 254 version in 3, 254 record - passed
254, 254 version in 3, 0 record - passed
0, 0 version in 3, 0 record - fail

(if you think any other values should be checked, feel free to contact me)

reproducer script:
https://github.com/tomato42/tlsfuzzer/blob/master/scripts/test-version-numbers.py

to reproduce:
openssl req -x509 -newkey rsa -keyout localhost.key -out localhost.crt -subj /CN=localhost -nodes -batch
openssl s_server -key localhost.key -cert localhost.crt -www 2>server.err >server.out &
openssl_pid=$!
git clone https://github.com/tomato42/tlsfuzzer
pushd tlsfuzzer
git clone https://github.com/tomato42/tlslite-ng .tlslite-ng
ln -s .tlslite-ng/tlslite tlslite
git clone https://github.com/warner/python-ecdsa .python-ecdsa
ln -s .python-ecdsa/ecdsa ecdsa
PYTHONPATH=. python scripts/test-version-numbers.py
popd
kill $openssl_pid
-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4596
Please log in as guest with password guest if prompted

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20160628/ac150a97/attachment.sig>


More information about the openssl-dev mailing list