Patch for PR696 looks fine to me, though the attached patch alternative may be considered .1% 'better' as it more closely mimics the other side of the fence: the transmission code in s2_clnt.c:

p=buf; *(p++)=SSL2_MT_ERROR; s2n(SSL2_PE_NO_CERTIFICATE,p);

-->

--- /home/ger/prj/1original/openssl/openssl/./ssl/s2_srvr.c 2009-01-08 00:44:26.000000000 +0100 +++ ./ssl/s2_srvr.c 2009-04-09 13:02:09.000000000 +0200 @@ -970,6 +970,7 @@ if ((s->init_num >= 3) && (p[0] == SSL2_MT_ERROR)) { + p++; /* [i_a] fix PR696: see http://rt.openssl.org/Ticket/Display.html?id=696 */ n2s(p,i); if (i != SSL2_PE_NO_CERTIFICATE) {

'tis the same as the original fix posted then; just different wording. (And to answer the then comment in there: no, definitely do NOT use n2l3 here: that's serving a different purpose. Here a 16-bit integer code should be retrieved, so the only thing missing was the pointer increment before doing so.)

You might want to submit this to the bug tracker at r...@openssl.org (while referring to PR696 and the current mail trail in users@ here...)

On Thu, Apr 9, 2009 at 12:22 PM, Anil Tambe <tambe.a...@gmail.com> wrote:
> Thanks .. the information was helpful ..
> I found one patch which resolves this issue .. ( Please read
> the Disclaimer)
> http://rt.openssl.org/Ticket/Display.html?id=696&user=guest&pass=guest
> I applied that patch and the sslv2 client was able to do successful
> communication without passing the certificate ..
> Request you all to review the patch and let us know your thoughts on it ...
> Thanks
> Anil
>
> On Wed, Apr 8, 2009 at 6:06 AM, Dave Thompson
> <dave.thomp...@princetonpayments.com> wrote:
>>
>> > From: owner-openssl-us...@openssl.org On Behalf Of Anil Tambe
>> > Sent: Tuesday, 07 April, 2009 03:23
>>
>> > I am using the latest openssl 0.9.8k. The -verify option works fine
>> > with ssl3, but the handshake fails if I use -ssl2.
>>
>> > ./openssl s_server -verify 0 -debug
>>
>> > ./openssl s_client -ssl3 -debug [ works fine .]
>>
>> > > ./openssl s_client -ssl2
>> (snip certs)
>> > 22360:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake
>> failure:s2_pkt.c:428:
>>
>> Use -msg and you should see before that something like
>> <<< SSL 2.0 [length 0012], REQUEST-CERTIFICATE
>> 07 01 69 de b1 89 f9 f4 db 0d 12 f2 34 3b 1a a5
>> 50 90
>> >>> SSL 2.0 [length 0003], ERROR: NO-CERTIFICATE-ERROR
>> 00 00 02
>>
>> or look at the server output and you should see
>> 10233:error:140710CA:SSL routines:REQUEST_CERTIFICATE:peer error no
>> certificate:s2_pkt.c:675:
>>
>> Apparently SSLv2 doesn't support optional client auth;
>> if the server requests it (which s_server -verify does)
>> the client must provide it (so give it -key & pw & -cert).
>>
>> v2 is way old, and less functional in numerous ways.
>> This is apparently one, although I didn't remember it
>> specifically. Prefer v3/TLS if you have a choice.
>>
>> ______________________________________________________________________
>> OpenSSL Project http://www.openssl.org
>> User Support Mailing List openssl-us...@openssl.org
>> Automated List Manager majord...@openssl.org
>
>

--
Met vriendelijke groeten / Best regards,

Ger Hobbelt

--------------------------------------------------
web:    http://www.hobbelt.com/
        http://www.hebbut.net/
mail:   g...@hobbelt.com
mobile: +31-6-11 120 978
--------------------------------------------------
--- /home/ger/prj/1original/openssl/openssl/./ssl/s2_srvr.c 2009-01-08 00:44:26.000000000 +0100 +++ ./ssl/s2_srvr.c 2009-04-09 13:02:09.000000000 +0200 @@ -970,6 +970,7 @@ if ((s->init_num >= 3) && (p[0] == SSL2_MT_ERROR)) { + p++; /* [i_a] fix PR696: see http://rt.openssl.org/Ticket/Display.html?id=696 */ n2s(p,i); if (i != SSL2_PE_NO_CERTIFICATE) {
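Review bot: The added p++ is correct and bounded: the enclosing guard already requires s->init_num >= 3, so after skipping the type byte n2s(p,i) still reads two bytes inside the message, and the server read now mirrors the client's transmit order (*(p++)=SSL2_MT_ERROR; s2n(SSL2_PE_NO_CERTIFICATE,p);). Without the increment, on the "00 00 02" ERROR message shown in the -msg dump earlier in this thread, n2s() consumes the type byte and the high byte of the code and yields 0, so the comparison with SSL2_PE_NO_CERTIFICATE can never match. Before submitting upstream, consider replacing the "[i_a]" tag and tracker URL inside the code comment with a one-line statement of what is being skipped, e.g. /* skip the SSL2_MT_ERROR message-type byte */, and put the PR696 reference in the commit message instead.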
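To make the layout the thread is arguing about concrete, here is an added example in C; it is not OpenSSL's code: s2n_put/n2s_get are local stand-ins for the behaviour of the s2n()/n2s() macros, and the two constants use the values from OpenSSL's ssl2.h, which agree with the "00 00 02" dump quoted above. It builds the ERROR message the way the s2_clnt.c line does and parses it both without and with the p++ from the patch:

```c
#include <stddef.h>
#include <stdio.h>
/* Values as in OpenSSL's ssl2.h; they agree with the 00 00 02 dump in the thread. */
#define SSL2_MT_ERROR          0
#define SSL2_PE_NO_CERTIFICATE 0x0002
/* Local stand-ins for OpenSSL's s2n()/n2s() macros: write or read a 16-bit
 * value in network byte order and advance the pointer past it. */
static unsigned char *s2n_put(unsigned int v, unsigned char *p) {
    p[0] = (unsigned char)((v >> 8) & 0xff);
    p[1] = (unsigned char)(v & 0xff);
    return p + 2;
}
static unsigned int n2s_get(const unsigned char **pp) {
    unsigned int v = ((unsigned int)(*pp)[0] << 8) | (*pp)[1];
    *pp += 2;
    return v;
}

/* Client side (mirrors the s2_clnt.c line quoted in the mail): one
 * message-type byte followed by the 16-bit error code. Returns the length. */
size_t build_error_msg(unsigned char *buf, unsigned int code) {
    unsigned char *p = buf;
    *(p++) = SSL2_MT_ERROR;
    p = s2n_put(code, p);
    return (size_t)(p - buf);
}

/* Server side: return the error code in an ERROR message, or -1 if the buffer
 * is too short or not an ERROR message. With skip_type_byte == 0 this is the
 * pre-PR696 bug: n2s() reads the type byte plus the high byte of the code and
 * yields 0, which never equals SSL2_PE_NO_CERTIFICATE. */
int parse_error_msg(const unsigned char *p, size_t n, int skip_type_byte) {
    if (n < 3 || p[0] != SSL2_MT_ERROR)
        return -1;
    if (skip_type_byte)
        p++;                       /* the one-line fix from the patch */
    return (int)n2s_get(&p);
}

/* Build a NO-CERTIFICATE error and parse it with the chosen server logic. */
int roundtrip(int skip_type_byte) {
    unsigned char buf[3];
    size_t n = build_error_msg(buf, SSL2_PE_NO_CERTIFICATE);
    return parse_error_msg(buf, n, skip_type_byte);
}

int main(void) {
    printf("buggy parse: %d, fixed parse: %d\n", roundtrip(0), roundtrip(1));
    return 0;
}
```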