On Fri, Oct 08, 1999 at 09:10:51AM +0200, Peter 'Luna' Runestig wrote:
> Hi all,
>
> I know this is a thin report, but I'll give it a try anyway. I'm working on
> a telnetd patch for the IETF draft STARTTLS spec using openssl. If I set up
> openssl on the telnetd server with:
>
> ctx = SSL_CTX_new(TLSv1_server_method());
> or
> ctx = SSL_CTX_new(TLSv1_method());
>
> and then access this server with a client with:
>
> ctx = SSL_CTX_new(SSLv3_method());
>
> not only the server process crashes, but also the xterm window that the
> process was running in. It seems to happen at SSL_accept() in the server. If
> I use TLSv1_method() in the client, all is fine. If I use SSLv3_method() in
> the server, the client setup doesn't matter, all is fine (this is what I'm
> using now).

Hi,

at which point does the crash happen? Does it happen _in_ SSL_accept()
or after SSL_accept() returns?

TLSv1_server_method explicitly will only accept connections using the
TLSv1 protocol and as far as I understood, will not even accept a
SSLv2 or SSLv3 client hello. So far a connection made with SSLv3_client_method
must fail. It should however not crash.

If you want to accept every client hello but only want to establish
TLSv1 sessions, you must use SSLv23_server_method and use the
SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3 options (see s_server.c).

If you don't care too much, you can just use SSLv23_client/server_method
on both sides. If they both support TLSv1, they will use it anyway.

Well, anyway OpenSSL should not crash, so it would be a good idea to
either generate a core dump for analysis or even run your test software
under a debugger to find out where it is crashing.
Do you check all of the return values? Maybe you could already see an
error during the setup.

Best regards,
Lutz

PS. When developing my STARTTLS extension for the postfix MTA I had a lot
of strange things happening, but no "strange" crashes. And most of this
could have been avoided by reading the "OpenSSL Library User's Guide",
which unfortunately is not yet available :-)
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
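
A simplified model of the negotiation described in the reply above (a version-flexible server with SSLv2 and SSLv3 switched off), added here as an illustration; it is not OpenSSL's code and not part of the original message. The function name, the NO_* flag values and the hello byte strings are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Wire version numbers. The NO_* bits are this example's own flags and
   only mirror the idea of SSL_OP_NO_SSLv2 / SSL_OP_NO_SSLv3. */
enum { V_SSL2 = 0x0002, V_SSL3 = 0x0300, V_TLS1 = 0x0301 };
enum { NO_SSL2 = 1, NO_SSL3 = 2, NO_TLS1 = 4 };

/* Returns the version a version-flexible server would establish for the
   client hello in b[0..n), or -1 when the handshake must be refused. */
int server_choice(const unsigned char *b, size_t n, unsigned disabled)
{
    int offered, v2_format;

    if (n >= 5 && (b[0] & 0x80) && b[2] == 0x01) {
        /* SSLv2-format hello: 2-byte length (high bit set), type 1, version */
        v2_format = 1;
        offered = (b[3] << 8) | b[4];
    } else if (n >= 11 && b[0] == 0x16 && b[1] == 0x03 && b[5] == 0x01) {
        /* SSLv3/TLS record (type 22) carrying a ClientHello (type 1);
           client_version follows the 3-byte handshake length */
        v2_format = 0;
        offered = (b[9] << 8) | b[10];
    } else {
        return -1;                       /* not a client hello at all */
    }
    if (offered >= V_TLS1 && !(disabled & NO_TLS1)) return V_TLS1;
    if (offered >= V_SSL3 && !(disabled & NO_SSL3)) return V_SSL3;
    /* SSLv2 can only be spoken in answer to an SSLv2-format hello */
    if (v2_format && !(disabled & NO_SSL2)) return V_SSL2;
    return -1;
}

/* Constructed hello prefixes (only the bytes the parser reads). */
const unsigned char HELLO_SSL3[]  = {0x16,0x03,0x00,0x00,0x2d,0x01,0x00,0x00,0x29,0x03,0x00};
const unsigned char HELLO_TLS1[]  = {0x16,0x03,0x01,0x00,0x2d,0x01,0x00,0x00,0x29,0x03,0x01};
const unsigned char HELLO_V2FMT[] = {0x80,0x2e,0x01,0x03,0x01}; /* v2 framing, offers TLSv1 */

int main(void)
{
    unsigned tls1_only = NO_SSL2 | NO_SSL3;
    printf("SSLv3-only client:  %d\n", server_choice(HELLO_SSL3, sizeof HELLO_SSL3, tls1_only));
    printf("TLSv1 client:       %d\n", server_choice(HELLO_TLS1, sizeof HELLO_TLS1, tls1_only));
    printf("v2-format, TLSv1:   %d\n", server_choice(HELLO_V2FMT, sizeof HELLO_V2FMT, tls1_only));
    return 0;
}
```

The SSLv3-only hello is refused with an ordinary error return (-1), which is the outcome a mismatched client should produce instead of a crash.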