Modify client hello version when renegotiating to enhance interop with
some servers.
This commit is contained in:
parent
febec8ff23
commit
f4e1169341
5 changed files with 48 additions and 3 deletions
7
CHANGES
7
CHANGES
|
@ -267,6 +267,13 @@
|
|||
|
||||
Changes between 1.0.0f and 1.0.1 [xx XXX xxxx]
|
||||
|
||||
*) Some servers which support TLS 1.0 can choke if we initially indicate
|
||||
support for TLS 1.2 and later renegotiate using TLS 1.0 in the RSA
|
||||
encrypted premaster secret. As a workaround use the maximum pemitted
|
||||
client version in client hello, this should keep such servers happy
|
||||
and still work with previous versions of OpenSSL.
|
||||
[Steve Henson]
|
||||
|
||||
*) Add support for TLS/DTLS heartbeats.
|
||||
[Robin Seggelmann <seggelmann@fh-muenster.de>]
|
||||
|
||||
|
|
|
@ -2056,7 +2056,7 @@ static void print_stuff(BIO *bio, SSL *s, int full)
|
|||
}
|
||||
#endif
|
||||
|
||||
#ifdef SSL_DEBUG
|
||||
#ifndef SSL_DEBUG
|
||||
{
|
||||
/* Print out local port of connection: useful for debugging */
|
||||
int sock;
|
||||
|
|
|
@ -30,7 +30,10 @@ $OPENSSL x509 -req -in creq.pem -CA intca.pem -CAkey intkey.pem -days 3600 \
|
|||
|
||||
# First DH parameters
|
||||
|
||||
[ -f dhp.pem ] || $OPENSSL genpkey -genparam -algorithm DH -pkeyopt dh_paramgen_prime_len:1024 -out dhp.pem
|
||||
$OPENSSL genpkey -genparam -algorithm DH -pkeyopt dh_paramgen_prime_len:1024 -out dhp.pem
|
||||
|
||||
# Uncomment out this line for X9.42 DH parameters instead
|
||||
$OPENSSL genpkey -genparam -algorithm DH -out dhp.pem -pkeyopt dh_rfc5114:2
|
||||
|
||||
# Now a DH private key
|
||||
$OPENSSL genpkey -paramfile dhp.pem -out dhskey.pem
|
||||
|
|
|
@ -689,9 +689,43 @@ int ssl3_client_hello(SSL *s)
|
|||
/* Do the message type and length last */
|
||||
d=p= &(buf[4]);
|
||||
|
||||
/* version indicates the negotiated version: for example from
|
||||
* an SSLv2/v3 compatible client hello). The client_version
|
||||
* field is the maximum version we permit and it is also
|
||||
* used in RSA encrypted premaster secrets. Some servers can
|
||||
* choke if we initially report a higher version then
|
||||
* renegotiate to a lower one in the premaster secret. This
|
||||
* didn't happen with TLS 1.0 as most servers supported it
|
||||
* but it can with TLS 1.1 or later if the server only supports
|
||||
* 1.0.
|
||||
*
|
||||
* Possible scenario with previous logic:
|
||||
* 1. Client hello indicates TLS 1.2
|
||||
* 2. Server hello says TLS 1.0
|
||||
* 3. RSA encrypted premaster secret uses 1.2.
|
||||
* 4. Handhaked proceeds using TLS 1.0.
|
||||
* 5. Server sends hello request to renegotiate.
|
||||
* 6. Client hello indicates TLS v1.0 as we now
|
||||
* know that is maximum server supports.
|
||||
* 7. Server chokes on RSA encrypted premaster secret
|
||||
* containing version 1.0.
|
||||
*
|
||||
* For interoperability it should be OK to always use the
|
||||
* maximum version we support in client hello and then rely
|
||||
* on the checking of version to ensure the servers isn't
|
||||
* being inconsistent: for example initially negotiating with
|
||||
* TLS 1.0 and renegotiating with TLS 1.2. We do this by using
|
||||
* client_version in client hello and not resetting it to
|
||||
* the negotiated version.
|
||||
*/
|
||||
#if 0
|
||||
*(p++)=s->version>>8;
|
||||
*(p++)=s->version&0xff;
|
||||
s->client_version=s->version;
|
||||
#else
|
||||
*(p++)=s->client_version>>8;
|
||||
*(p++)=s->client_version&0xff;
|
||||
#endif
|
||||
|
||||
/* Random stuff */
|
||||
memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* ssl/ssl3.h */
|
||||
|
||||
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
|
||||
* All rights reserved.
|
||||
*
|
||||
|
@ -388,6 +388,7 @@ typedef struct ssl3_buffer_st
|
|||
#define TLS1_FLAGS_TLS_PADDING_BUG 0x0008
|
||||
#define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010
|
||||
#define TLS1_FLAGS_KEEP_HANDSHAKE 0x0020
|
||||
#define SSL3_FLAGS_CLEAR_CLIENT_CERT 0x0040
|
||||
|
||||
/* SSL3_FLAGS_SGC_RESTART_DONE is set when we
|
||||
* restart a handshake because of MS SGC and so prevents us
|
||||
|
|
Loading…
Reference in a new issue