On Thu, Mar 01, 2012, Jakob Bohm wrote:

> On 2/29/2012 11:43 PM, Dr. Stephen Henson wrote:
> >On Wed, Feb 29, 2012, Tammany, Curtis wrote:
> >
> >>I had brought this issue up earlier ("Windows 7/IE8 CAC enabled sites").
> >>With SSL 3.0 only checked on IE8 (in windows 7), I could make a connection
> >>to my site that had OpenSSL 1.0.0g. With both SSL 3.0 AND TLS 1.0 checked, I
> >>could not make a connection. We rolled back versions of OpenSSL until we got
> >>to 0.9.8r which could make a connection with both protocols enabled on the
> >>browser...
> >>
> >>Will there be a version that will address MS12-006? TLS1.1? TLS1.2?
> >>
> >>
> >At present I cannot reproduce the issues with MS12-006 so I can only guess as
> >to the cause. If I can or I can get appropriate feedback I can work on a fix,
> >assuming it isn't fixed already: see below. TLS 1.1 and 1.2 will only ever
> >appear in OpenSSL 1.0.1 and later as new features don't appear in stable
> >releases: just bug fixes. That is currently in beta and a few issues remain
> >to be resolved before the full release.
> Please read that again. He wrote that 1.0.0 did NOT work, but 0.9.8 works.

He mentioned rolling back to 0.9.8r. I was double checking that no 1.0.0 release
actually worked. My reason is that a change introduced in 0.9.8s related to SGC
could break some operations with MSIE unrelated to SGC: specifically
renegotiation, which client authentication makes use of.

> >
> >So a few guesses:
> >
> >If the problem is no longer present in OpenSSL 0.9.8r then 1.0.0e may also
> >work. The only known problem with later versions is the SGC DoS fix has a bug
> >in it which may affect renegotiation in some circumstances. This bug *should*
> >be fixed in the latest snapshots of OpenSSL: please see if they work OK for
> >you.
> Please refer to my initial literature check higher up in this thread.
>
> MS12-006 is Microsoft's name for CVE-2011-3389, which you hopefully
> know better than I do.
>
> Microsoft KB2643584 et al is Microsoft's patch for CVE-2011-3389.
>
> According to Microsoft, their patch selectively fragments some of the
> SSL and TLS records in order to prevent the attack. They claim that
> this fragmentation is the most likely cause of interoperability issues
> and point to specific clauses in the SSL 3.0 and TLS 1.0 RFC's as
> justification for saying that any incompatible software (which might
> include OpenSSL 1.0.0) is buggy for not being compatible with their
> change, although that might just be BS.
>

Well OpenSSL should cleanly deal with fragments. In fact it is other
implementations that have had issues with OpenSSL using empty fragments that
cause problems. Ironically it was as a work around for this very issue.

So while fragmentation is a possible cause I'd consider it unlikely and I can't
think of any changes after 0.9.8r that would have broken that.

The use of TLS 1.1 and 1.2 in MSIE might have an effect: if there are interop
problems with MS TLS 1.1,1.2 and older versions of OpenSSL. Though I don't know
why the OP would also need to disable TLS 1.0.

Since I can't reproduce this I'm wondering if the CAC cards introduce an
additional element. I can see two possible reasons why they might:

1. Client authentication requires renegotiation if it is enabled on certain
   webpages and not across the whole site. There was a problem with version
   numbers in premaster secrets with IIS which has been fixed: I wonder if
   there is a similar one with MSIE which affects OpenSSL servers.

2. Renegotiation might trigger the SGC bug.

However none of these precisely fits the facts: I'd expect both to give some
characteristic errors in the log and not affect TLS 1.0.

Anyway to answer the OP's earlier request about s_server. It can behave like a
mini test webserver and can print out useful diagnostics. A command like:

openssl s_server -cert cert.pem -www

Will start it and you can then access this at port 4433 i.e.:

https://www.host.com:4433/

That by default will not request client authentication. If you include
-verify 9 on the command line it will.

I'd be interested to know if you can connect to that server with or without
client authentication. That isn't a complete test though as it doesn't include
an option to selectively request client authentication on certain web pages:
which I suspect the website causing problems does.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
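
Added example, not part of the original message and not OpenSSL code: a receiver-side view of the record fragmentation discussed in the thread, parsing record headers and reassembling application data so that an unsplit request, one preceded by an empty fragment, and one with a one-byte leading fragment all yield the same bytes. Assumptions: records are shown as plaintext fragments (encryption and MAC omitted), the one-byte split layout and the sample request are constructed for illustration, and all function names are hypothetical.

```python
import struct

APPLICATION_DATA = 23
MAX_FRAGMENT = 2 ** 14  # record-layer limit on plaintext fragment length

# Assumption: fragments are handled as plaintext; a real connection would
# decrypt and MAC-check each record before this step.
def make_record(content_type, payload, version=(3, 1)):
    """Frame one plaintext fragment: type(1) | version(2) | length(2) | data."""
    return struct.pack("!BBBH", content_type, *version, len(payload)) + payload

def parse_records(stream):
    """Split a byte stream into (type, version, fragment) tuples."""
    records, pos = [], 0
    while pos < len(stream):
        if len(stream) - pos < 5:
            raise ValueError("truncated record header at offset %d" % pos)
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, pos)
        if length > MAX_FRAGMENT:
            raise ValueError("fragment longer than 2^14 at offset %d" % pos)
        body = stream[pos + 5:pos + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body at offset %d" % pos)
        records.append((ctype, (major, minor), body))
        pos += 5 + length
    return records

def reassemble(records, content_type=APPLICATION_DATA):
    """Concatenate fragments of one content type; zero-length ones add nothing."""
    return b"".join(body for ctype, _, body in records if ctype == content_type)

def fragment_sizes(records, content_type=APPLICATION_DATA):
    """Fragment lengths, useful for spotting an empty or 1-byte leading record."""
    return [len(body) for ctype, _, body in records if ctype == content_type]

# Constructed sample: the same request sent three ways.
REQUEST = b"GET /secure/ HTTP/1.1\r\nHost: www.host.com\r\n\r\n"
WHOLE = make_record(APPLICATION_DATA, REQUEST)
EMPTY_FIRST = make_record(APPLICATION_DATA, b"") + make_record(APPLICATION_DATA, REQUEST)
ONE_BYTE_FIRST = (make_record(APPLICATION_DATA, REQUEST[:1])
                  + make_record(APPLICATION_DATA, REQUEST[1:]))

if __name__ == "__main__":
    for name, stream in [("whole", WHOLE), ("empty first", EMPTY_FIRST),
                         ("one byte first", ONE_BYTE_FIRST)]:
        recs = parse_records(stream)
        print(name, fragment_sizes(recs), reassemble(recs) == REQUEST)
```

A receiver that treats record boundaries as message boundaries would see three different inputs here; one that reassembles by content type sees the same request each time.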