Hello,

> RFC 4346 says the server key exchange message is only sent when
> DHE_DSS, DHE_RSA, or DH_anon is used as the cipher suite. It further
> says the server key exchange message can contain RSA or DH public
> components. I am confused. If DHE_DSS, DHE_RSA, or DH_anon is used,
> then DH is used for key exchange. The public key sent in the server
> key exchange message must be DH public components. Under what
> condition would a RSA key be sent in a server key exchange message?
When export restrictions apply.

For example, you may run "openssl s_server" with an export restricted
cipher (key.pem is RSA 2048 bit length):

  $ openssl s_server -key key.pem -cert crt.pem -debug -state -cipher
  ACCEPT     <-- waiting for client connection

now, you may connect with an ssl client:

  $ openssl s_client -debug -state

and on the server side you will see:

ACCEPT
SSL_accept:before/accept initialization
read from 0x923b9e0 [0x9241068] (11 bytes => 11 (0xB))
0000 - 80 8c 01 03 01 00 63                              ......c
000b - <SPACES/NULS>
read from 0x923b9e0 [0x9241073] (131 bytes => 131 (0x83))
0000 - 00 00 39 00 00 38 00 00-35 00 00 16 00 00 13 00   ..9..8..5.......
0010 - 00 0a 07 00 c0 00 00 33-00 00 32 00 00 2f 03 00   .......3..2../..
....
....
( here a temporary RSA key of 512 bit length is generated and its modulus
  and exponent are sent to the client in the server_key_exchange message:
    16 03 01 01 4d  - ssl handshake header
    0c 00 01 49     - server_key_exchange (0c) and packet length
    00 40           - length of modulus (64 bytes = 512 bits)
    b1 96 8a ...    - modulus
    00 03           - length of public exponent
    01 00 01        - public exponent
    01 00 6e ...    - signature
)
Generating temp (512 bit) RSA key...
write to 0x923b9e0 [0x924b230] (338 bytes => 338 (0x152))
0000 - 16 03 01 01 4d 0c 00 01-49 00 40 b1 96 8a 20 a1   ....M...I.@... .
0010 - 7a 3a 07 c8 c2 fb 53 75-c9 2b 99 af fc 34 7b f1   z:....Su.+...4{.
0020 - 83 22 97 3c f8 13 bf 06-53 40 dc 26 3e 39 39 e4   .".<....S@.&>99.
0030 - 52 14 fa 4b 3f cd 3e db-24 b6 e1 d3 99 5d 30 b8   R..K?.>.$....]0.
0040 - 06 30 76 4b 48 c6 73 6b-ce 4d 2f 00 03 01 00 01   .0vKH.sk.M/.....
0050 - 01 00 6e 0b de c6 3c 37-7d f8 97 b6 a9 d0 40 25   ..n...<7}.....@%
0060 - 9f 02 93 f7 6e 86 1a 29-2c e0 e7 bb 62 bc 53 bf   ....n..),...b.S.
0070 - df e9 ec 74 9c 71 3a c0-dd e5 25 64 89 ca c2 08   ...t.q:...%d....
0080 - 1e 3b 26 4c 31 a8 ea 03-0f ab 94 6a 4e 1b 76 3c   .;&L1......jN.v<
0090 - b9 d6 ba 25 ef ec 9d 23-d5 11 42 36 b7 0b 20 5c   ...%...#..B6.. \
00a0 - d9 d8 15 5b ec db 3e d5-bb e9 ad fe d4 31 bb 6d   ...[..>......1.m
00b0 - 7f a3 90 ac e7 16 a7 5b-cf 4f b3 f4 e2 1f 9f e3   .......[.O......
00c0 - 3a 28 06 f3 ec 25 95 7a-1b 9f db 28 73 57 b9 1a   :(...%.z...(sW..
00d0 - 01 d6 27 0d f8 af c2 79-f8 ee bf b0 63 89 be d4   ..'....y....c...
00e0 - 7c 8f 56 d3 7e ed cb f6-08 df d2 a8 1f 37 91 24   |.V.~........7.$
00f0 - c2 96 83 29 62 c0 a0 70-eb 29 f5 36 3b 1e 5d 4c   ...)b..p.).6;.]L
0100 - 97 04 f0 87 1b 82 d7 9a-cb 2a 88 fc b7 3f 81 4f   .........*...?.O
0110 - 21 7f 53 39 79 ab a9 21-7d b7 28 d3 92 fe 1b 26   !.S9y..!}.(....&
0120 - 47 ae 0b 43 2c 4e 9d 81-b3 94 7f 66 0f 70 83 04   G..C,N.....f.p..
0130 - af bc b9 01 8a c6 b0 35-fa 81 63 35 a7 6d 2d 87   .......5..c5.m-.
0140 - 06 cc ea 8b 34 b1 d6 be-09 c5 d6 e3 f9 a8 d5 9a   ....4...........
0150 - b5 29                                             .)
SSL_accept:SSLv3 write key exchange A
write to 0x923b9e0 [0x924b230] (9 bytes => 9 (0x9))
0000 - 16 03 01 00 04 0e                                 ......
0009 - <SPACES/NULS>
SSL_accept:SSLv3 write server done A
SSL_accept:SSLv3 flush data
....
CIPHER is EXP-DES-CBC-SHA

On the client side you will see:

....
( as you can see, this client_key_exchange looks like it was made with the
  512 bit key, not the 2048 bit one:
    16 03 01 00 46  - ssl handshake header
    10 00 00 42     - client_key_exchange (10) and packet length
    00 40           - RSA encrypted data length (64 bytes = 512 bits)
    9a 9c 12 ...    - RSA encrypted data
  NOTE: in SSL3 there is no additional length field (here 00 40)
)
write to 0x9df0340 [0x9e00cf8] (75 bytes => 75 (0x4B))
0000 - 16 03 01 00 46 10 00 00-42 00 40 9a 9c 12 84 56   ....F...B.@....V
0010 - 5d 13 a5 13 15 3e e5 0f-ff f9 d1 20 a6 65 28 a9   ]....>..... .e(.
0020 - f1 ec 8d 4a b2 5c ff 85-59 5b 2e 02 68 e2 36 f6   ...J.\..Y[..h.6.
0030 - 7a 9b 5f d7 14 41 4d f8-4d 58 26 a7 2e ca 11 4b   z._..AM.MX&....K
0040 - 9b a7 92 4d 68 32 e0 6c-ae bf f7                  ...Mh2.l...
SSL_connect:SSLv3 write client key exchange A
....
New, TLSv1/SSLv3, Cipher is EXP-DES-CBC-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EXP-DES-CBC-SHA
    Session-ID: B9AD1A16F0DD275581FEB0E1B379E532F8A837A52B08DD3EEB007877F2556908
    Session-ID-ctx:
    Master-Key: FE95015C290C1BB321207202E5387328C13AEDE4EAC09B3A46067F7E597677D8F0A4AF69D5CD8EFA9E6B603CE77B579A
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1187551131
    Timeout   : 300 (sec)
---

and even though "Server public key is 2048 bit" is reported, the
client_key_exchange was made with the 512 bit key length.

Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
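The two records Marek dumped above can be checked mechanically. The following is an added example, not part of the original message and not OpenSSL code: it parses the RSA_EXPORT server_key_exchange (rsa_modulus, rsa_exponent, signature) and the client_key_exchange (EncryptedPreMasterSecret) from the bytes in the post, and confirms that the premaster secret was encrypted to the 512-bit temporary key while the signature length (256 bytes) reflects the 2048-bit certificate key. SKE_RECORD and CKE_RECORD are transcribed from the -debug output above; SSLV3_CKE_RECORD is constructed here, not captured, to exercise the "no length field in SSL3" note. The function and constant names are this example's own.

```python
"""Added example (not from the post, not OpenSSL code): parse the RSA_EXPORT
server_key_exchange and the client_key_exchange dumped above and show from
the bytes alone which key size protects the premaster secret."""
import struct

HANDSHAKE, SERVER_KEY_EXCHANGE, CLIENT_KEY_EXCHANGE = 0x16, 0x0C, 0x10

# Server side "write to ... (338 bytes)": transcribed from the post's dump.
SKE_RECORD = bytes.fromhex(
    "160301014d0c0001490040b1968a20a1 7a3a07c8c2fb5375c92b99affc347bf1"
    "8322973cf813bf065340dc263e3939e4 5214fa4b3fcd3edb24b6e1d3995d30b8"
    "0630764b48c6736bce4d2f0003010001 01006e0bdec63c377df897b6a9d04025"
    "9f0293f76e861a292ce0e7bb62bc53bf dfe9ec749c713ac0dde5256489cac208"
    "1e3b264c31a8ea030fab946a4e1b763c b9d6ba25efec9d23d5114236b70b205c"
    "d9d8155becdb3ed5bbe9adfed431bb6d 7fa390ace716a75bcf4fb3f4e21f9fe3"
    "3a2806f3ec25957a1b9fdb287357b91a 01d6270df8afc279f8eebfb06389bed4"
    "7c8f56d37eedcbf608dfd2a81f379124 c296832962c0a070eb29f5363b1e5d4c"
    "9704f0871b82d79acb2a88fcb73f814f 217f533979aba9217db728d392fe1b26"
    "47ae0b432c4e9d81b3947f660f708304 afbcb9018ac6b035fa816335a76d2d87"
    "06ccea8b34b1d6be09c5d6e3f9a8d59a b529"
)
# Client side "write to ... (75 bytes)": transcribed from the post's dump.
CKE_RECORD = bytes.fromhex(
    "16030100461000004200409a9c128456 5d13a513153ee50ffff9d120a66528a9"
    "f1ec8d4ab25cff85595b2e0268e236f6 7a9b5fd714414df84d5826a72eca114b"
    "9ba7924d6832e06caebff7"
)
# Constructed, not captured: the same 64-byte ciphertext wrapped as an SSLv3
# (3,0) record; SSLv3 client_key_exchange carries no 2-byte length prefix.
SSLV3_CKE_RECORD = bytes.fromhex("16 03 00 00 44 10 00 00 40") + CKE_RECORD[11:]


def parse_handshake_record(rec):
    """Record header type(1) version(2) length(2), then handshake header
    msg_type(1) length(3).  Returns (version, msg_type, handshake body)."""
    ctype, major, minor, rlen = struct.unpack("!BBBH", rec[:5])
    if ctype != HANDSHAKE or len(rec) != 5 + rlen:
        raise ValueError("not a single complete handshake record")
    msg_type, hlen = rec[5], int.from_bytes(rec[6:9], "big")
    if 9 + hlen != len(rec):
        raise ValueError("handshake length does not match record")
    return (major, minor), msg_type, rec[9:]


def read_opaque16(buf, off):
    """opaque x<0..2^16-1>: 2-byte big-endian length, then that many bytes."""
    (n,) = struct.unpack("!H", buf[off:off + 2])
    if off + 2 + n > len(buf):
        raise ValueError("vector overruns message")
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_rsa_export_server_key_exchange(rec):
    """RSA_EXPORT ServerKeyExchange: rsa_modulus, rsa_exponent, signature."""
    version, msg_type, msg = parse_handshake_record(rec)
    if msg_type != SERVER_KEY_EXCHANGE:
        raise ValueError("expected server_key_exchange (0x0c)")
    modulus, off = read_opaque16(msg, 0)
    exponent, off = read_opaque16(msg, off)
    signature, off = read_opaque16(msg, off)
    if off != len(msg):
        raise ValueError("trailing bytes in server_key_exchange")
    # The signature is made with the certificate key, so its length reveals
    # that key's size: 256 bytes here, i.e. the 2048-bit key in crt.pem.
    return {"version": version,
            "temp_key_bits": int.from_bytes(modulus, "big").bit_length(),
            "exponent": int.from_bytes(exponent, "big"),
            "signature_bits": len(signature) * 8}


def parse_rsa_client_key_exchange(rec):
    """RSA ClientKeyExchange: EncryptedPreMasterSecret, length-prefixed from
    TLS 1.0 on but bare in SSLv3 (the NOTE in the post)."""
    version, msg_type, msg = parse_handshake_record(rec)
    if msg_type != CLIENT_KEY_EXCHANGE:
        raise ValueError("expected client_key_exchange (0x10)")
    if version == (3, 0):
        encrypted = msg
    else:
        encrypted, off = read_opaque16(msg, 0)
        if off != len(msg):
            raise ValueError("trailing bytes in client_key_exchange")
    return {"version": version, "encrypted_premaster_bits": len(encrypted) * 8}


def export_key_used(ske, cke, cert_key_bits):
    """True when the premaster secret was encrypted to a temporary key that is
    shorter than the certificate key, i.e. an RSA_EXPORT suite was negotiated."""
    return (ske["temp_key_bits"] < cert_key_bits
            and cke["encrypted_premaster_bits"] == ske["temp_key_bits"])


if __name__ == "__main__":
    ske = parse_rsa_export_server_key_exchange(SKE_RECORD)
    cke = parse_rsa_client_key_exchange(CKE_RECORD)
    print(ske, cke, sep="\n")
    print("premaster encrypted to export temp key:", export_key_used(ske, cke, 2048))
```

Run against the transcribed records this reports a 512-bit modulus with exponent 65537, a 256-byte (2048-bit) signature, and a 64-byte EncryptedPreMasterSecret, which is exactly the mismatch the post points out: s_client prints the certificate key size, but the secret that protects the session is encrypted to the 512-bit temporary key. This is the property the 2015 FREAK attack exploited against clients that accepted an RSA_EXPORT server_key_exchange, since a 512-bit RSA modulus is factorable with modest resources; the EXPORT cipher suites have since been removed from OpenSSL (1.1.0 onwards).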