Why aren't you fixing your library, instead of pushing workarounds into open 
source?  Is there some other vulnerability that you're trying to avoid, or is 
it a strict compatibility issue?  If it's strictly for proprietary 
compatibility, then you need to get the proprietary vendor to fix its code for 
compatibility.

-Kyle H

On September 2, 2014 5:07:26 AM PST, Artem Pylypchuk <artic...@ua.fm> wrote:
>
>Hello!
>
>The patch http://cvs.openssl.org/chngview?cn=22565
>does not fix the following error messages at write and session
>re-negotiation, for TLSv1_1_client_method:
>
>OpenSSL error 1: error:00000001:lib(0):func(0):reason(1)
>error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
>
>
>My simplified use case for an O_NONBLOCK fd (based on Kannel gwlib
>code):
>
>ssl_context = SSL_CTX_new(TLSv1_1_client_method());
>SSL_CTX_set_mode(ssl_context,
>    SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
>...
>SSL *ssl = SSL_new(ssl_context);
>...
>ERR_clear_error();
>if (SSL_set_fd(ssl, fd) == 0) { ... }
>
>flags = fcntl(fd, F_GETFL);
>newflags = flags | O_NONBLOCK;
>fcntl(fd, F_SETFL, newflags);
>
>BIO_set_nbio(SSL_get_rbio(ssl), 1);
>BIO_set_nbio(SSL_get_wbio(ssl), 1);
>SSL_set_connect_state(ssl);
>
>
>The following applies to latest release openssl-1.0.1i.
>
>
>I think my server (a proprietary server) always negotiates the
>connection down to TLSv1 (and also supports SSLv3). This is the alert
>message from Wireshark after certificate exchange using
>TLSv1_1_client_method:
>TLSv1 Record Layer: Alert (Level: Fatal, Description: Protocol Version)
>Content Type: Alert (21)
>Version: TLS 1.0 (0x0301)
>Length: 2
>Alert Message
>Level: Fatal (2)
>Description: Protocol Version (70)
>
>The reason why I started using specifically TLSv1/TLSv1.1 is because
>this bug (known in 1.0.1h) occurs when negotiating with my server,
>using default SSLv23_client_method:
>error:140780E5:SSL routines:SSL23_READ:ssl handshake failure
>More info here:
>http://serverfault.com/questions/389197/ssl-routinesssl23-writessl-handshake-failure
>
>
>Results:
>Library error messages every time data is sent again into channel, but
>a working connection for TLSv1_1_client_method.
>There are no errors for TLSv1_client_method or SSLv3_client_method.
>The connection fails to negotiate (gets stuck) with the bug mentioned
>above using SSLv23_client_method(), even with SSL_OP_NO_SSLv2 option.
>Connection negotiates into SSLv3 and works without library errors using
>SSLv23_client_method() with SSL_OP_NO_SSLv2 | SSL_OP_NO_TLSv1.
>
>Please review and fix.
>
>
>ps: if you are a Kannel dev, try this quick demo:
>
>Connection *con;
>con = conn_open_ssl_nb(server_addr, server_port, NULL, NULL);
>SSL_clear(conn_get_ssl(con));
>SSL_set_ssl_method(conn_get_ssl(con), TLSv1_1_client_method());
>
>______________________________________________________________________
>OpenSSL Project                                 http://www.openssl.org
>User Support Mailing List                    openssl-users@openssl.org
>Automated List Manager                           majord...@openssl.org

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
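As an added example (not code from either poster or from OpenSSL), a small C decoder for the TLS record layer that parses the alert shown in the Wireshark dissection quoted above; the byte sequence is constructed from that dissection. It also shows the record-version comparison behind the kind of mismatch OpenSSL reports as SSL3_GET_RECORD:wrong version number when a client pinned to TLS 1.1 (0x0302) receives TLS 1.0 (0x0301) records.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal view of one TLS record plus the alert body, if it is an alert. */
typedef struct {
    uint8_t  content_type;  /* 21 = alert, 22 = handshake, 23 = application data */
    uint16_t version;       /* 0x0301 = TLS 1.0, 0x0302 = TLS 1.1, 0x0303 = TLS 1.2 */
    uint16_t length;        /* payload length from the 5-byte record header */
    uint8_t  alert_level;   /* 1 = warning, 2 = fatal (alerts only) */
    uint8_t  alert_desc;    /* 70 = protocol_version (alerts only) */
} tls_record;

/* Parse one record from buf. Returns 1 on success, 0 if the bytes are not a
 * well-formed record. The caller's length bounds every read, so a truncated
 * or oversized record is rejected instead of read past its end. */
int parse_tls_record(const uint8_t *buf, size_t len, tls_record *out) {
    if (len < 5) return 0;
    out->content_type = buf[0];
    out->version = (uint16_t)((buf[1] << 8) | buf[2]);
    out->length  = (uint16_t)((buf[3] << 8) | buf[4]);
    if ((size_t)out->length + 5 > len) return 0;
    out->alert_level = out->alert_desc = 0;
    if (out->content_type == 21) {
        if (out->length != 2) return 0;   /* an alert body is exactly two bytes */
        out->alert_level = buf[5];
        out->alert_desc  = buf[6];
    }
    return 1;
}

/* Does the record's version match the version the client expects to be
 * speaking? A mismatch here is what OpenSSL flags as "wrong version number". */
int record_version_matches(const tls_record *r, uint16_t expected) {
    return r->version == expected;
}

/* Constructed bytes reproducing the quoted dissection: type 21 (alert),
 * version 0x0301 (TLS 1.0), length 2, level 2 (fatal), description 70. */
static const uint8_t sample_alert[] = { 0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x46 };

int main(void) {
    tls_record r;
    if (!parse_tls_record(sample_alert, sizeof sample_alert, &r)) return 1;
    printf("type=%u version=0x%04x level=%u desc=%u\n",
           r.content_type, r.version, r.alert_level, r.alert_desc);
    printf("record version matches a TLS 1.1 client: %s\n",
           record_version_matches(&r, 0x0302) ? "yes" : "no");
    return 0;
}
```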
