Patch for PR696 looks fine to me, though attached patch alternative
may be considered .1% 'better' as it more closely mimics the other
side of the fence: the transmission code in s2_clnt.c:
p=buf;
*(p++)=SSL2_MT_ERROR;
s2n(SSL2_PE_NO_CERTIFICATE,p);
-->
--- /home/ger/prj/1original/openssl/openssl/./ssl/s2_srvr.c 2009-01-08
00:44:26.000000000 +0100
+++ ./ssl/s2_srvr.c 2009-04-09 13:02:09.000000000 +0200
@@ -970,6 +970,7 @@
if ((s->init_num >= 3) && (p[0] == SSL2_MT_ERROR))
{
+ p++; /* [i_a] fix PR696: see
http://rt.openssl.org/Ticket/Display.html?id=696 */
n2s(p,i);
if (i != SSL2_PE_NO_CERTIFICATE)
{
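Review bot: the added `p++` steps over the SSL2_MT_ERROR type byte that `p[0]` was just tested against, so `n2s(p,i)` now decodes the 16-bit code from the two bytes that follow it rather than from the type byte plus the code's high byte; the existing `s->init_num >= 3` guard already ensures all three bytes are in the buffer, so the read after the increment stays in bounds. Two smaller points: the comment embeds a long URL (a bare `PR#696` reference would keep the line within the usual width), and the hunk as quoted shows only five old-side lines against the `-970,6` count in the header, so a blank context line was probably lost in transit and the patch may need to be regenerated or applied by hand.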
'tis the same as the original fix posted then; just different wording.
(And to answer the then comment in there: no, definitely do NOT use
n2l3 here: that's serving a different purpose. Here a 16-bit integer
code should be retrieved, so the only thing missing was the pointer
increment before doing so.)
You might want to submit this to the bug tracker at [email protected]
(while referring to PR696 and the current mail trail in users@
here...)
On Thu, Apr 9, 2009 at 12:22 PM, Anil Tambe <[email protected]> wrote:
> Thanks .. the information was helpful ..
> I found one patch which resolves this issue .. (Please read
> the Disclaimer)
> http://rt.openssl.org/Ticket/Display.html?id=696&user=guest&pass=guest
> I applied that patch and the sslv2 client was able to do successful
> communication without passing the certificate ..
> Request you all to review the patch and let us know your thoughts on it ...
> Thanks
> Anil
>
> On Wed, Apr 8, 2009 at 6:06 AM, Dave Thompson
> <[email protected]> wrote:
>>
>> > From: [email protected] On Behalf Of Anil Tambe
>> > Sent: Tuesday, 07 April, 2009 03:23
>> > I am using the latest openssl 0.9.8k. the -verify option works fine
>> > with ssl3, but handshake fails if i use -ssl2 .
>>
>> > ./openssl s_server -verify 0 -debug
>>
>> > ./openssl s_client -ssl3 -debug [ works fine .]
>>
>> > > ./openssl s_client -ssl2
>> (snip certs)
>> > 22360:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake
>> failure:s2_pkt.c:428:
>>
>> Use -msg and you should see before that something like
>> <<< SSL 2.0 [length 0012], REQUEST-CERTIFICATE
>> 07 01 69 de b1 89 f9 f4 db 0d 12 f2 34 3b 1a a5
>> 50 90
>> >>> SSL 2.0 [length 0003], ERROR: NO-CERTIFICATE-ERROR
>> 00 00 02
>>
>> or look at the server output and you should see
>> 10233:error:140710CA:SSL routines:REQUEST_CERTIFICATE:peer error no
>> certificate:s2_pkt.c:675:
>>
>> Apparently SSLv2 doesn't support optional client auth;
>> if the server requests it (which s_server -verify does)
>> the client must provide it (so give it -key & pw & -cert).
>>
>> v2 is way old, and less functional in numerous ways.
>> This is apparently one, although I didn't remember it
>> specifically. Prefer v3/TLS if you have a choice.
>>
>>
>>
>> ______________________________________________________________________
>> OpenSSL Project http://www.openssl.org
>> User Support Mailing List [email protected]
>> Automated List Manager [email protected]
>
>
--
Met vriendelijke groeten / Best regards,
Ger Hobbelt
--------------------------------------------------
web: http://www.hobbelt.com/
http://www.hebbut.net/
mail: [email protected]
mobile: +31-6-11 120 978
--------------------------------------------------
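To make the off-by-one in the thread above concrete, here is a small stand-alone C program (added as an illustration; it is not OpenSSL code, although the n2s/s2n macros and the two SSL2_* constants reproduce the definitions from OpenSSL's ssl2.h/ssl_locl.h). It builds the 3-byte ERROR message the way the quoted s2_clnt.c code does, then parses it both without and with the pointer increment from the patch; the wire bytes match the `00 00 02` in Dave's -msg trace.

```c
#include <stdio.h>

/* Constants and byte-order macros as used by OpenSSL's SSLv2 code
 * (values reproduced from ssl2.h / ssl_locl.h). */
#define SSL2_MT_ERROR           0
#define SSL2_PE_NO_CERTIFICATE  0x0002
#define s2n(s,c) ((c[0]=(unsigned char)(((s)>>8)&0xff), \
                   c[1]=(unsigned char)((s)&0xff)), c+=2)
#define n2s(c,s) ((s=(((unsigned int)(c[0]))<<8)|((unsigned int)(c[1]))), c+=2)

/* Client side: mirrors the transmission code quoted from s2_clnt.c.
 * Writes type byte + 16-bit big-endian code; returns the length (3). */
int build_error_msg(unsigned char *buf, unsigned int code)
{
    unsigned char *p = buf;
    *(p++) = SSL2_MT_ERROR;
    s2n(code, p);
    return (int)(p - buf);
}

/* Server side: parse an SSLv2 ERROR message and return its 16-bit
 * error code, or -1 if the buffer is not a complete ERROR message.
 * skip_type_byte==0 reproduces the pre-patch read, ==1 the patched one. */
int parse_error_code(const unsigned char *msg, int len, int skip_type_byte)
{
    const unsigned char *p = msg;
    unsigned int i;
    if (len < 3 || p[0] != SSL2_MT_ERROR)   /* same guard as s2_srvr.c */
        return -1;
    if (skip_type_byte)
        p++;   /* the one-line fix: step over the type byte first */
    n2s(p, i); /* without the p++ this reads type byte + high byte = 0x0000 */
    return (int)i;
}

int main(void)
{
    unsigned char buf[3];
    int n = build_error_msg(buf, SSL2_PE_NO_CERTIFICATE);
    printf("wire bytes     : %02x %02x %02x\n", buf[0], buf[1], buf[2]);
    printf("pre-patch read : 0x%04x\n", parse_error_code(buf, n, 0));
    printf("patched read   : 0x%04x\n", parse_error_code(buf, n, 1));
    return 0;
}
```

The pre-patch read yields 0x0000, so the `i != SSL2_PE_NO_CERTIFICATE` comparison in s2_srvr.c never matches the client's NO-CERTIFICATE-ERROR; with the increment it yields 0x0002.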