I would expect it has something to do with the following change (from
0.9.7b CHANGELOG):
+   *) Countermeasure against the Klima-Pokorny-Rosa extension of
+      Bleichbacher's attack on PKCS #1 v1.5 padding: treat
+      a protocol version number mismatch like a decryption error
+      in ssl3_get_client_key_exchange (ssl/s3_srvr.c).
+      [Bodo Moeller]

-Kyle H

On Wed, Jan 7, 2009 at 9:44 AM, Dewald, Matt <matt.dew...@webmetrics.com> wrote:
> Hello,
>
>
>
> I've recently come across a problem with openssl versions over 0.9.7a. I
> have a network of approximately 100 servers using curl to access
> different websites. Some of the servers are using openssl 0.9.7a and
> some are using 0.9.8b. We recently encountered a problem accessing some
> sites utilizing SSL that returns an error stating...
>
>
>
> "Unknown SSL protocol error in connection"
>
>
>
> This error only happens on servers running 0.9.8b. The 0.9.7a servers
> can access the sites just fine. I tried upgrading one of the servers to
> 0.9.8i to see if there was a bug in openssl, but the same problem
> happened. This issue appears to only happen if SSLv3 is attempted. TLS
> or SSLv2 work. The problem is that curl uses sslv3 and fails out. This
> only happens on a few sites.
>
>
>
> This is a sample from 0.9.8b
>
>
>
> $ openssl s_client -connect www.hottopic.com:443 -ssl3 -debug
> CONNECTED(00000003)
> write to 0x95a9bb0 [0x95b3968] (97 bytes => 97 (0x61))
> 0000 - 16 03 00 00 5c 01 00 00-58 03 00 49 64 e7 d8 f4   ....\...X..Id...
> 0010 - 71 df 07 cb a3 1a f0 0c-e8 a9 95 48 3b 90 25 f7   q..........H;.%.
> 0020 - f4 00 b1 05 a7 ef 93 42-d7 46 5a 00 00 30 00 39   .......B.FZ..0.9
> 0030 - 00 38 00 35 00 16 00 13-00 0a 00 33 00 32 00 2f   .8.5.......3.2./
> 0040 - 00 66 00 05 00 04 00 63-00 62 00 15 00 12 00 09   .f.....c.b......
> 0050 - 00 65 00 64 00 14 00 11-00 08 00 06 00 03 02 01   .e.d............
> 0061 - <SPACES/NULS>
> read from 0x95a9bb0 [0x95af158] (5 bytes => 0 (0x0))
> 5249:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:
>
>
>
> Here's a sample from 0.9.7a
>
>
>
>> openssl s_client -connect www.hottopic.com:443 -ssl3 -debug
> CONNECTED(00000003)
> write to 080B2388 [080BC140] (100 bytes => 100 (0x64))
> 0000 - 16 03 00 00 5f 01 00 00-5b 03 00 49 64 e9 5a 69   ...._...[..Id.Zi
> 0010 - 35 b8 92 66 d4 68 30 fb-ea 31 8d f2 d5 cd 3d aa   5..f.h0..1....=.
> 0020 - 0f 28 65 21 dc 0b 7c ad-e9 60 0c 00 00 34 00 39   .(e!..|..`...4.9
> 0030 - 00 38 00 35 00 16 00 13-00 0a 00 33 00 32 00 2f   .8.5.......3.2./
> 0040 - 00 66 00 05 00 04 00 63-00 62 00 61 00 15 00 12   .f.....c.b.a....
> 0050 - 00 09 00 65 00 64 00 60-00 14 00 11 00 08 00 06   ...e.d.`........
> 0060 - 00 03 01                                          ...
> 0064 - <SPACES/NULS>
> read from 080B2388 [080B7930] (5 bytes => 5 (0x5))
> 0000 - 16 03 00 06 a0                                    .....
> read from 080B2388 [080B7935] (1696 bytes => 1696 (0x6A0))
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
>
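
An added example, not part of the original thread: a parser for the two SSLv3 ClientHello records quoted above that reports what each client offers that the other does not. The byte strings are copied from the `s_client -debug` dumps; restoring the single trailing 00 that each dump folds into `<SPACES/NULS>` is an assumption consistent with the reported 97 and 100 byte counts. The output shows what differs on the wire, not which difference the server rejects.

```python
import struct

# Constructed from the quoted `s_client -debug` dumps: same hex, plus the one
# trailing 00 byte that each dump folds into "<SPACES/NULS>".
HELLO_098B = bytes.fromhex(
    "160300005c0100005803004964e7d8f4" "71df07cba31af00ce8a995483b9025f7"
    "f400b105a7ef9342d7465a0000300039" "0038003500160013000a00330032002f"
    "00660005000400630062001500120009" "00650064001400110008000600030201"
    "00")
HELLO_097A = bytes.fromhex(
    "160300005f0100005b03004964e95a69" "35b89266d46830fbea318df2d5cd3daa"
    "0f286521dc0b7cade9600c0000340039" "0038003500160013000a00330032002f"
    "00660005000400630062006100150012" "00090065006400600014001100080006"
    "00030100")


def parse_client_hello(record):
    """Parse one record that carries exactly one SSLv3/TLS ClientHello."""
    ctype, _rec_ver, rec_len = struct.unpack_from("!BHH", record, 0)
    if ctype != 22 or rec_len != len(record) - 5:
        raise ValueError("not a complete handshake record")
    body = record[5:]
    if body[0] != 1 or int.from_bytes(body[1:4], "big") != len(body) - 4:
        raise ValueError("not a complete ClientHello")
    (version,) = struct.unpack_from("!H", body, 4)
    pos = 4 + 2 + 32                      # handshake header, version, random
    pos += 1 + body[pos]                  # session_id length byte + session_id
    (cs_len,) = struct.unpack_from("!H", body, pos)
    suites = list(struct.unpack_from("!%dH" % (cs_len // 2), body, pos + 2))
    pos += 2 + cs_len
    comp_len = body[pos]
    compression = list(body[pos + 1:pos + 1 + comp_len])  # 0 = null, 1 = DEFLATE
    has_ext = pos + 1 + comp_len < len(body)
    return {"version": version, "suites": suites,
            "compression": compression, "extensions": has_ext}


def diff_hellos(a, b):
    """Report what each ClientHello offers that the other does not."""
    pa, pb = parse_client_hello(a), parse_client_hello(b)
    return {"suites_only_a": sorted(set(pa["suites"]) - set(pb["suites"])),
            "suites_only_b": sorted(set(pb["suites"]) - set(pa["suites"])),
            "compression_a": pa["compression"],
            "compression_b": pb["compression"]}


if __name__ == "__main__":
    for key, val in diff_hellos(HELLO_098B, HELLO_097A).items():
        print(key, [hex(v) for v in val])
```
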