[openssl-users] Failure using ECDH-RSA-AES256-SHA with ssl3 on Master Branch

Matt Caswell matt at openssl.org
Mon Mar 23 13:01:29 UTC 2015



On 23/03/15 11:54, Linsell, StevenX wrote:
> On 20/0315 15:51, Matt Caswell wrote:
>> On 20/03/15 12:44, Linsell, StevenX wrote:
>>> On Thu, Mar 19, 2015, Steve Linsell wrote:
>>>>
>>> Following further testing I see identical failures in the master branch using the \
>>> following cipher/protocol combinations: 
>>> ECDH-ECDSA-AES128-SHA      ssl3 
>>> ECDH-ECDSA-AES256-SHA      ssl3            
>>> ECDH-ECDSA-DES-CBC3-SHA    ssl3          
>>> ECDH-ECDSA-RC4-SHA         ssl3               
>>> ECDH-RSA-AES128-SHA        ssl3                    
>>> ECDH-RSA-AES256-SHA        ssl3         
>>> ECDH-RSA-DES-CBC3-SHA      ssl3          
>>> ECDH-RSA-RC4-SHA           ssl3                
>>> ECDHE-ECDSA-AES128-SHA     ssl3         
>>> ECDHE-ECDSA-AES256-SHA     ssl3          
>>> ECDHE-ECDSA-DES-CBC3-SHA   ssl3                
>>> ECDHE-ECDSA-RC4-SHA        ssl3             
>>>
> 
>> Hi Steve
>>
>> Looks like a bug. Try the attached patch. Let me know how you get on.
>>
>> Thanks
>>
>> Matt
> 
> Thanks Matt that worked great.
> I've retested all the above cipher/protocol combinations and all now pass with the fix in place.
> 
> Just to close out my understanding.
> Within the tls1_check_ec_key function:
> The first iteration round the loop is checking that the curve within the certificate matches one of the curves in the list of curves that this build of OpenSSL supports.
> The second iteration round the loop is checking the curve within the certificate matches one of the curves in the list of curves sent from the peer via TLS extensions.
> In the case of the cipher/protocol combinations above we are using ssl3 which does not support TLS extensions so the second list will always be empty.
> As Viktor states RFC 4492 says if the client sends no TLS extension containing the curves supported then the server can choose any supported curve. So your fix is to continue when we reach the second iteration if there are no curves in the second list rather than flag an error.

Essentially yes, although with the refinement that the first iteration
checks the list of available curves for this SSL. This may or may not be
the same as the complete list of curves available in this *build* (e.g.
if SSL_set1_curves_list() has been used).

Matt



More information about the openssl-users mailing list