Patch for PR696 looks fine to me, though attached patch alternative
may be considered .1% 'better' as it more closely mimics the other
side of the fence: the transmission code in s2_clnt.c:

                        p=buf;
                        *(p++)=SSL2_MT_ERROR;
                        s2n(SSL2_PE_NO_CERTIFICATE,p);

-->

--- /home/ger/prj/1original/openssl/openssl/./ssl/s2_srvr.c     2009-01-08
00:44:26.000000000 +0100
+++ ./ssl/s2_srvr.c     2009-04-09 13:02:09.000000000 +0200
@@ -970,6 +970,7 @@

                if ((s->init_num >= 3) && (p[0] == SSL2_MT_ERROR))
                        {
+                       p++; /* [i_a] fix PR696: see
http://rt.openssl.org/Ticket/Display.html?id=696 */
                        n2s(p,i);
                        if (i != SSL2_PE_NO_CERTIFICATE)
                                {
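Review bot: this inline copy of the hunk will not apply as quoted, because the mailer has wrapped the added comment: the `http://rt.openssl.org/Ticket/Display.html?id=696 */` tail of `+ p++; /* [i_a] fix PR696: see` has landed on its own line without a leading `+`, so patch(1) sees a malformed hunk; apply the attachment instead of this text. The logic itself is sound: the `s->init_num >= 3` guard already guarantees the type byte plus the two code bytes are present, so the extra `p++` cannot over-read, and skipping the type byte is exactly what makes `n2s(p,i)` land on the code the client stored with `s2n(SSL2_PE_NO_CERTIFICATE,p)` after `*(p++)=SSL2_MT_ERROR`.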

'tis the same as the original fix posted then; just different wording.
(And to answer the then comment in there: no, definitely do NOT use
n2l3 here: that's serving a different purpose. Here a 16-bit integer
code should be retrieved, so the only thing missing was the pointer
increment before doing so.)


You might want to submit this to the bug tracker at r...@openssl.org
(while referring to PR696 and the current mail trail in users@
here...)




On Thu, Apr 9, 2009 at 12:22 PM, Anil Tambe <tambe.a...@gmail.com> wrote:
> Thanks .. the information was helpful ..
> i found one patch which resolves this issue .. ( Please read
> the Disclaimer)
> http://rt.openssl.org/Ticket/Display.html?id=696&user=guest&pass=guest
> i applied that patch and sslv2 client was able to do successful
> communication without passing the certificate ..
> Request you all to review the patch and let us know your thoughts on it ...
> Thanks
> Anil
>
> On Wed, Apr 8, 2009 at 6:06 AM, Dave Thompson
> <dave.thomp...@princetonpayments.com> wrote:
>>
>> > From: owner-openssl-us...@openssl.org On Behalf Of Anil Tambe
>> > Sent: Tuesday, 07 April, 2009 03:23
>> > i am using the latest openssl 0.9.8k. the -verify option works fine
>> > with ssl3 , but handshake fails if i use -ssl2 .
>>
>> > ./openssl s_server -verify 0 -debug
>>
>> > ./openssl s_client -ssl3 -debug  [ works fine .]
>>
>> > > ./openssl s_client -ssl2
>> (snip certs)
>> > 22360:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake
>> failure:s2_pkt.c:428:
>>
>> Use -msg and you should see before that something like
>> <<< SSL 2.0 [length 0012], REQUEST-CERTIFICATE
>>    07 01 69 de b1 89 f9 f4 db 0d 12 f2 34 3b 1a a5
>>    50 90
>> >>> SSL 2.0 [length 0003], ERROR: NO-CERTIFICATE-ERROR
>>    00 00 02
>>
>> or look at the server output and you should see
>> 10233:error:140710CA:SSL routines:REQUEST_CERTIFICATE:peer error no
>> certificate:s2_pkt.c:675:
>>
>> Apparently SSLv2 doesn't support optional client auth;
>> if the server requests it (which s_server -verify does)
>> the client must provide it (so give it -key & pw & -cert).
>>
>> v2 is way old, and less functional in numerous ways.
>> This is apparently one, although I didn't remember it
>> specifically. Prefer v3/TLS if you have a choice.
>>
>>
>>
>> ______________________________________________________________________
>> OpenSSL Project                                 http://www.openssl.org
>> User Support Mailing List                    openssl-us...@openssl.org
>> Automated List Manager                           majord...@openssl.org
>
>



-- 
Met vriendelijke groeten / Best regards,

Ger Hobbelt

--------------------------------------------------
web:    http://www.hobbelt.com/
        http://www.hebbut.net/
mail:   g...@hobbelt.com
mobile: +31-6-11 120 978
--------------------------------------------------
--- /home/ger/prj/1original/openssl/openssl/./ssl/s2_srvr.c	2009-01-08 00:44:26.000000000 +0100
+++ ./ssl/s2_srvr.c	2009-04-09 13:02:09.000000000 +0200
@@ -970,6 +970,7 @@
 
 		if ((s->init_num >= 3) && (p[0] == SSL2_MT_ERROR))
 			{
+			p++; /* [i_a] fix PR696: see http://rt.openssl.org/Ticket/Display.html?id=696 */
 			n2s(p,i);
 			if (i != SSL2_PE_NO_CERTIFICATE)
 				{
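Review bot: drop the `[i_a]` initials from the added comment and keep only the PR reference; a reviewer tag belongs in the commit message rather than in the source, and with the full URL the line runs well past 80 columns. The increment agrees with the `-msg` dump quoted downthread (`00 00 02`): with `n2s` applied at `p[0]` the server reads `00 00`, i.e. 0, which fails the `i != SSL2_PE_NO_CERTIFICATE` test and produces the `peer error no certificate` message Dave showed; after `p++` it reads `00 02`. Worth re-running that reproduction (`s_server -verify 0` against `s_client -ssl2` with no `-cert`) and confirming the server-side error is gone before submitting to rt.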
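As an added example (not OpenSSL code, and not part of the thread), the program below encodes the SSLv2 ERROR message the way the s2_clnt.c fragment quoted at the top does, then decodes it on the server side both without and with the PR696 pointer increment, so the off-by-one that Dave's `-msg` dump exposes can be seen on real bytes. It assumes the two constants take the values implied by that dump (`00 00 02`: type 0x00, code 0x0002), and `put_u16` / `get_u16` are stand-ins written here for OpenSSL's `s2n` / `n2s` macros (big-endian 16-bit store and load that advance the pointer).

```c
/* Added example, not OpenSSL code: SSLv2 ERROR message encode/decode and the
 * PR696 off-by-one.  Constants and the expected bytes are taken from the -msg
 * dump quoted in the thread; the helpers stand in for OpenSSL's s2n/n2s. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SSL2_MT_ERROR          0x00    /* assumed: first byte of the dump      */
#define SSL2_PE_NO_CERTIFICATE 0x0002  /* assumed: the "00 02" code in the dump */

#define CODE_REJECTED 0x10000u  /* sentinel outside the 16-bit code range */

/* s2n equivalent: store v big-endian and advance the write pointer by 2. */
static void put_u16(uint8_t **p, unsigned v)
{
    (*p)[0] = (uint8_t)(v >> 8);
    (*p)[1] = (uint8_t)(v & 0xff);
    *p += 2;
}

/* n2s equivalent: load a big-endian 16-bit value and advance the read pointer by 2. */
static unsigned get_u16(const uint8_t **p)
{
    unsigned v = ((unsigned)(*p)[0] << 8) | (*p)[1];
    *p += 2;
    return v;
}

/* Client side: one type byte followed by the 16-bit error code, 3 bytes total.
 * Returns the number of bytes written, 0 if the buffer is too small. */
size_t build_no_cert_error(uint8_t *buf, size_t len)
{
    uint8_t *p = buf;
    if (len < 3)
        return 0;
    *(p++) = SSL2_MT_ERROR;
    put_u16(&p, SSL2_PE_NO_CERTIFICATE);
    return (size_t)(p - buf);
}

/* Server side.  skip_type_byte == 0 reproduces the pre-fix read (n2s applied
 * at p[0]); skip_type_byte == 1 applies the PR696 p++ first.  Returns the code
 * the server would compare, or CODE_REJECTED when the length guard or the type
 * check fails before any code is read. */
unsigned read_error_code(const uint8_t *msg, size_t init_num, int skip_type_byte)
{
    const uint8_t *p = msg;
    if (init_num < 3 || p[0] != SSL2_MT_ERROR)
        return CODE_REJECTED;
    if (skip_type_byte)
        p++;
    return get_u16(&p);
}

/* 1 if the server would treat the message as NO-CERTIFICATE-ERROR, else 0. */
int server_accepts_no_cert(const uint8_t *msg, size_t init_num, int skip_type_byte)
{
    return read_error_code(msg, init_num, skip_type_byte) == SSL2_PE_NO_CERTIFICATE;
}

/* Round trip: build the client message and decode it with or without the fix. */
unsigned client_to_server_code(int skip_type_byte)
{
    uint8_t buf[3];
    size_t n = build_no_cert_error(buf, sizeof buf);
    return read_error_code(buf, n, skip_type_byte);
}

/* Compare the built message with the bytes captured in the thread's -msg dump. */
int matches_thread_dump(void)
{
    static const uint8_t expected[3] = { 0x00, 0x00, 0x02 }; /* constructed from the dump */
    uint8_t buf[3];
    if (build_no_cert_error(buf, sizeof buf) != 3)
        return 0;
    return memcmp(buf, expected, sizeof expected) == 0;
}

int main(void)
{
    uint8_t buf[3];
    size_t n = build_no_cert_error(buf, sizeof buf);
    printf(">>> SSL 2.0 [length %04zx], ERROR:", n);
    for (size_t i = 0; i < n; i++)
        printf(" %02x", buf[i]);
    printf("\n");
    printf("without p++: code 0x%04x -> %s\n", read_error_code(buf, n, 0),
           server_accepts_no_cert(buf, n, 0) ? "accepted" : "rejected");
    printf("with    p++: code 0x%04x -> %s\n", read_error_code(buf, n, 1),
           server_accepts_no_cert(buf, n, 1) ? "accepted" : "rejected");
    return 0;
}
```

Without the increment the decoder reads the type byte and the high byte of the code as one 16-bit value and gets 0, which is the mismatch behind the server's "peer error no certificate"; with it, it reads 0x0002 and the handshake path that the thread is after is taken.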
