[openssl-users] Version negotiation failure failure?

Viktor Dukhovni openssl-users at dukhovni.org
Tue Sep 11 01:13:38 UTC 2018

> On Aug 31, 2018, at 9:14 PM, Jordan Brown <openssl at jordan.maileater.net> wrote:
> We're trying to nail down error reporting for TLS version mismatches, and we're seeing a couple of puzzling behaviors.
> First, and most puzzling... assume these two command lines:
> $ openssl s_server -cert 2018.08.31.a.pem -key 2018.08.31.a.key -no_tls1

This disables TLS 1.0 on the server, and if SSL 3.0 is supported at compile time,
leaves the server willing to do SSL 3.0 or TLS 1.1 and up.

> $ openssl s_client -connect zel.us.oracle.com:4433 -tls1

This configures the client to do TLS 1.0 only via the version-specific
TLS1_client_method(), which DOES NOT support version negotiation.  It
is NOT equivalent in some subtle ways to:

  $ openssl s_client -connect zel.us.oracle.com:4433 -no_ssl3 -no_tls1_1 -no_tls1_2

That said, in either case the client sends "TLS 1.0" as its "maximum" protocol
version in its TLS client HELLO (the TLS 1.0 protocol does not support sending
a supported version list).

> That is, I have a server that won't accept TLSv1.0, and a client that will only accept TLSv1.0.

No, more precisely, you have a version-flexible server, that does not accept 1.0
and a *fixed-version* client that only supports 1.0.

What happens at that point depends on whether SSL 3.0 has been disabled on the server,
or not.  If SSL 3.0 is not disabled on the server (at compile time or by other means),
then seeing TLS 1.0 as the client's max version, the server will respond with SSL 3.0.
The client however, is not in a negotiating mood, and it will send a handshake failure

  SSL_connect:SSLv3 write client hello A
  SSL3 alert write:fatal:handshake failure
  SSL_connect:error in SSLv3 read server hello A
  140735512441800:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:365:

and on the server side you'll see:

  SSL_accept:before/accept initialization
  SSL_accept:SSLv3 read client hello A
  SSL_accept:SSLv3 write server hello A
  SSL_accept:SSLv3 write key exchange A
  SSL_accept:SSLv3 write server done A
  SSL_accept:SSLv3 flush data
  SSL_accept:SSLv3 read client certificate A
  SSL3 alert read:fatal:handshake failure
  SSL_accept:failed in SSLv3 read client key exchange A
  140735512441800:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1498:SSL alert number 40

If, on the other hand, you *also* disable SSL 3.0 on the server, then seeing
a maximum version of TLS 1.0 from the client, but with TLS 1.0 disabled the
server wants SSL 3.0, but that's also unavailable.  For better or worse,
OpenSSL is unable to respond with a TLS 1.0 alert (TLS 1.0 is off), nor
SSL 3.0, so it simply fails:

  SSL_accept:before/accept initialization
  SSL_accept:error in SSLv2/v3 read client hello A
  140735512441800:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:643:
  shutting down SSL

The client's view of this is:

  SSL_connect:before/connect initialization
  SSL_connect:SSLv3 write client hello A
  SSL_connect:failed in SSLv3 read server hello A
  140735512441800:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:

You might argue that we should be able to send a TLS 1.0 fatal alert even
with TLS 1.0 disabled, but that's not how the OpenSSL 1.0.x code works.  It
does not select explicitly disabled protocols for sending alerts, nor does
it select protocol versions higher than the client's limit.

In OpenSSL 1.1.x, with its more modern rewritten state machine, the behaviour is closer to
what you expected.  Server reports:

  SSL_accept:before SSL initialization
  SSL_accept:before SSL initialization
  SSL3 alert write:fatal:protocol version
  SSL_accept:error in error
  140735512441728:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../openssl/ssl/statem/statem_srvr.c:1655:

and client sees:

  SSL_connect:before SSL initialization
  SSL_connect:SSLv3/TLS write client hello
  SSL3 alert read:fatal:protocol version
  SSL_connect:error in error
  140735512441728:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../openssl/ssl/record/rec_layer_s3.c:1528:SSL alert number 70

