Well, the (open source) library Kannel gwlib (which is not mine, btw, since I'm 
not associated with the Kannel project) works fine.
My project simply uses both Kannel gwlib and openssl.

On the other hand, it is not always possible to persuade the proprietary 
vendors to fix their implementations. I think the number of options to openssl, 
like those listed here 
http://www.openssl.org/docs/ssl/SSL_CTX_set_options.html# shows us that open 
source tries to stay as much interoperable with other vendors as possible.

My point is as simple as it is: there is a known bug in OpenSSL resulting in a 
stuck connection for TLSv1/TLSv1.1 proprietary servers. Moreover, for an 
abstract proprietary server that supports only TLSv1 and SSLv3 exclusively, 
there is a problem with negotiation using the default method and a problem with 
re-negotiation error messages for the TLSv1.1 method. There is a patch (which has 
been added to the next release version 1.0.1i) to OpenSSL that fixes the second 
problem, and I wanted to notify the openssl developers that this (already existing) 
fix seems incomplete.

Thus, I'm not pushing any project decisions about workarounds for OpenSSL, but 
merely notifying that the patch they applied doesn't quite work. I'm unfamiliar 
with the OpenSSL source tree but could potentially fix it myself and push a patch, 
after many hours of looking into it.

Regards.


02.09.2014 16:39, Kyle Hamilton <aerow...@gmail.com>
>Why aren't you fixing your library, instead of pushing workarounds into open 
>source? Is there some other vulnerability that you're trying to avoid, or is 
>it a strict compatibility issue? If it's strictly for proprietary 
>compatibility, then you need to get the proprietary vendor to fix its code for 
>compatibility.
> 
> -Kyle H
> 
> On September 2, 2014 5:07:26 AM PST, Artem Pylypchuk <artic...@ua.fm> wrote:
> >
> >Hello!
> >
> >The patch http://cvs.openssl.org/chngview?cn=22565
> >does not fix the following error messages at write and session
> >re-negotiation, for TLSv1_1_client_method:
> >
> >OpenSSL error 1: error:00000001:lib(0):func(0):reason(1)
> >error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> >
> >
> >My simplified use case for an O_NONBLOCK fd (based on Kannel gwlib
> >code):
> >
> >ssl_context = SSL_CTX_new(TLSv1_1_client_method());
> >SSL_CTX_set_mode(ssl_context,
> >                 SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
> >...
> >SSL *ssl = SSL_new(ssl_context);
> >...
> >ERR_clear_error();
> >if (SSL_set_fd(ssl, fd) == 0) { ... }
> >
> >flags = fcntl(fd, F_GETFL);
> >newflags = flags | O_NONBLOCK;
> >fcntl(fd, F_SETFL, newflags);
> >
> >BIO_set_nbio(SSL_get_rbio(ssl), 1);
> >BIO_set_nbio(SSL_get_wbio(ssl), 1);
> >SSL_set_connect_state(ssl);
> >
> >
> >The following applies to the latest release openssl-1.0.1i.
> >
> >
> >I think my server (a proprietary server) always negotiates the
> >connection down to TLSv1 (and also supports SSLv3). This is the alert
> >message from Wireshark after certificate exchange using
> >TLSv1_1_client_method:
> >TLSv1 Record Layer: Alert (Level: Fatal, Description: Protocol Version)
> >Content Type: Alert (21)
> >Version: TLS 1.0 (0x0301)
> >Length: 2
> >Alert Message
> >Level: Fatal (2)
> >Description: Protocol Version (70)
> >
> >The reason why I started using specifically TLSv1/TLSv1.1 is because
> >this bug (known in 1.0.1h) occurs when negotiating with my server,
> >using default SSLv23_client_method:
> >error:140780E5:SSL routines:SSL23_READ:ssl handshake failure
> >More info here:
> >http://serverfault.com/questions/389197/ssl-routinesssl23-writessl-handshake-failure
> >
> >
> >Results:
> >Library error messages every time data is sent again into the channel, but
> >a working connection for TLSv1_1_client_method.
> >There are no errors for TLSv1_client_method or SSLv3_client_method.
> >The connection fails to negotiate (gets stuck) with the bug mentioned
> >above using SSLv23_client_method(), even with SSL_OP_NO_SSLv2 option.
> >Connection negotiates into SSLv3 and works without library errors using
> >SSLv23_client_method() with SSL_OP_NO_SSLv2 | SSL_OP_NO_TLSv1.
> >
> >Please review and fix.
> >
> >
> >ps: if you are a Kannel dev, try this quick demo:
> >
> >Connection *con;
> >con = conn_open_ssl_nb(server_addr, server_port, NULL, NULL);
> >SSL_clear(conn_get_ssl(con));
> >SSL_set_ssl_method(conn_get_ssl(con), TLSv1_1_client_method());
> >
> >______________________________________________________________________
> >OpenSSL Project http://www.openssl.org
> >User Support Mailing List openssl-users@openssl.org
> >Automated List Manager majord...@openssl.org
> 
> -- 
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
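The two diagnostics quoted in the original message, the packed OpenSSL error code "error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number" and the Wireshark-dissected fatal "Protocol Version (70)" alert, can both be decoded without linking OpenSSL, which is useful when you want a client to log what the server actually said instead of the library's generic failure. The following C is an added example written for this thread; it is not code from the thread, from Kannel gwlib or from the OpenSSL project. It assumes the OpenSSL 1.0.x error-code layout (8-bit library, 12-bit function, 12-bit reason, the same fields ERR_GET_LIB/ERR_GET_FUNC/ERR_GET_REASON expose), and the alert bytes are constructed from the fields shown in the Wireshark dump, not taken from a real capture.

```c
/* Added example, not from the thread or the Kannel/OpenSSL projects.
 * Decodes the two diagnostics quoted in the original message offline:
 *  - an OpenSSL packed error code such as 0x1408F10B (assumed 1.0.x
 *    layout: 8-bit library, 12-bit function, 12-bit reason);
 *  - a raw TLS alert record, built here from the Wireshark dissection
 *    (constructed bytes, not a real capture). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* OpenSSL 1.0.x packs an error as 0xLLFFFRRR; these mirror ERR_GET_LIB,
 * ERR_GET_FUNC and ERR_GET_REASON without linking libcrypto. */
unsigned err_get_lib(unsigned long e)    { return (unsigned)((e >> 24) & 0xffUL); }
unsigned err_get_func(unsigned long e)   { return (unsigned)((e >> 12) & 0xfffUL); }
unsigned err_get_reason(unsigned long e) { return (unsigned)(e & 0xfffUL); }

/* TLS record layer / alert protocol constants (RFC 5246). */
#define TLS_CT_ALERT            21
#define TLS_ALERT_LEVEL_FATAL   2
#define TLS_AD_PROTOCOL_VERSION 70

struct tls_alert {
    uint16_t version;      /* record-layer version, e.g. 0x0301 = TLS 1.0 */
    uint8_t  level;        /* 1 = warning, 2 = fatal */
    uint8_t  description;  /* AlertDescription, e.g. 70 = protocol_version */
};

/* Parse the first TLS record in buf[0..len). Returns 1 and fills *out if it
 * is a well-formed alert, 0 if it is a complete record of another type,
 * -1 if the data is truncated or not a TLS record. Never reads past len. */
int tls_parse_alert(const uint8_t *buf, size_t len, struct tls_alert *out)
{
    if (len < 5)
        return -1;                                  /* header incomplete */
    uint8_t  type    = buf[0];
    uint16_t version = (uint16_t)((buf[1] << 8) | buf[2]);
    uint16_t rec_len = (uint16_t)((buf[3] << 8) | buf[4]);
    if ((version >> 8) != 3)
        return -1;                                  /* not SSL3/TLS framing */
    if ((size_t)rec_len + 5 > len)
        return -1;                                  /* body incomplete */
    if (type != TLS_CT_ALERT)
        return 0;
    if (rec_len != 2)
        return -1;                                  /* an alert body is exactly 2 bytes */
    out->version     = version;
    out->level       = buf[5];
    out->description = buf[6];
    return 1;
}

/* Returns the description of a fatal alert, or -1 if buf is not one. */
int tls_fatal_alert_reason(const uint8_t *buf, size_t len)
{
    struct tls_alert a;
    if (tls_parse_alert(buf, len, &a) != 1 || a.level != TLS_ALERT_LEVEL_FATAL)
        return -1;
    return a.description;
}

const char *tls_version_name(uint16_t v)
{
    switch (v) {
    case 0x0300: return "SSL 3.0";
    case 0x0301: return "TLS 1.0";
    case 0x0302: return "TLS 1.1";
    case 0x0303: return "TLS 1.2";
    default:     return "unknown";
    }
}

const char *tls_alert_name(int d)
{
    switch (d) {
    case 0:  return "close_notify";
    case 10: return "unexpected_message";
    case 40: return "handshake_failure";
    case 70: return "protocol_version";
    default: return "other";
    }
}

/* Constructed from the Wireshark fields in the original mail: content type
 * 21 (alert), version 0x0301, length 2, level 2 (fatal), description 70. */
static const uint8_t kServerAlert[] = { 0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x46 };

int main(void)
{
    unsigned long e = 0x1408F10BUL;   /* "SSL3_GET_RECORD:wrong version number" */
    printf("lib=%u func=%u reason=%u\n",
           err_get_lib(e), err_get_func(e), err_get_reason(e));

    struct tls_alert a;
    if (tls_parse_alert(kServerAlert, sizeof kServerAlert, &a) == 1)
        printf("%s alert: level=%u %s (%u)\n", tls_version_name(a.version),
               a.level, tls_alert_name(a.description), a.description);
    return 0;
}
```

Splitting 0x1408F10B gives library 20 (SSL), function 143 (SSL3_GET_RECORD) and reason 267 (wrong version number), and 0x140780E5 from the serverfault link gives function 120 (SSL23_READ) and reason 229 (ssl handshake failure), which matches the text OpenSSL printed. The alert parser refuses truncated records rather than reading past the buffer, which matters on a non-blocking socket where a partial record is the normal case; a caller that receives a fatal protocol_version alert knows the peer rejected the offered version and can log that directly instead of retrying the write.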

