What you could also consider doing is to look at the list of cipher suites
that you advertise during the handshake and try to restrict it a bit.
I had the same problem with F5 BIG-IP after the migration OpenSSL 1.0.0 ->
1.0.1k (it seems there were many ciphers added between those two versions
which makes). Then I selected only strong, "well-known" ciphers that
I want to use and since then (half a year) I haven't seen any problem in
this area.
Regards,
Kris
On 2014-09-02 22:35, Artem Pylypchuk wrote:
Yes, I did it (see my original message - it works with SSL_OP_NO_SSLv2
| SSL_OP_NO_TLSv1). I'm not having trouble in getting it to work.
But, my server also supports SSLv3.
And the problem I described is not in the connection being stuck (I
only mentioned it as a related bug), but error messages like
OpenSSL error 1: error:00000001:lib(0):func(0):reason(1)
error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
still being present for such a server when using TLSv1.1 and
re-negotiating. They were supposed to get fixed by the patch
http://cvs.openssl.org/chngview?cn=22565
Of course, the error messages themselves can be removed by choosing
suitable methods and flags (all working combinations listed in
original message).
Did I pick the wrong list to report this?
Cheers.
02.09.2014 23:13, Viktor Dukhovni <openssl-us...@dukhovni.org>
On Tue, Sep 02, 2014 at 10:52:59PM +0300, Artem Pylypchuk wrote:
> Yes, the "stuck connection" bug I mentioned is the "F5 BigIP needs padding
> bug" or is very similar to it.
> Sorry for the confusing explanation.
To disable TLSv1.2 with the associated ciphers and extensions (which
increase the size of the client hello and trigger the padding extension)
use SSLv23_client_method() with SSL_OP_NO_TLSv1_2 and if that's not
enough also SSL_OP_NO_TLSv1_1.
See SSL_set_options(3).
--
Viktor.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
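
The suggestion at the top of this thread, trimming the advertised cipher list, shown as an added example that is not part of the original messages. It uses Python's `ssl` module (a wrapper over OpenSSL) rather than the C API named in the thread; the cipher string `STRONG_CIPHERS` and the helper names are assumptions chosen for illustration. Each offered suite costs 2 bytes in the ClientHello, so a shorter list also gives a smaller hello.

```python
import ssl

# Assumed policy for this example: forward-secret AES-GCM suites only.
STRONG_CIPHERS = "ECDHE+AESGCM:!aNULL:!eNULL"


def client_context(cipher_string=None):
    """Client context; OpenSSL picks the protocol version in the handshake."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cipher_string is not None:
        # Wraps SSL_CTX_set_cipher_list(); raises ssl.SSLError if nothing matches.
        ctx.set_ciphers(cipher_string)
    return ctx


def advertised_suites(ctx):
    """Suites the context would offer, in preference order."""
    return ctx.get_ciphers()


def cipher_suites_bytes(ctx):
    """Approximate size of the ClientHello cipher_suites vector.

    2-byte length prefix plus 2 bytes per suite. OpenSSL may append a
    signalling value and omit suites unusable at the enabled versions.
    """
    return 2 + 2 * len(advertised_suites(ctx))


def weak_suites(ctx, min_bits=128):
    """Names of offered suites that are non-AEAD or weaker than min_bits."""
    return [c["name"] for c in advertised_suites(ctx)
            if not c.get("aead", False) or c["strength_bits"] < min_bits]


def compare():
    """Suite count, vector size and weak suites for both configurations."""
    rows = {}
    for label, spec in (("default", None), ("restricted", STRONG_CIPHERS)):
        ctx = client_context(spec)
        rows[label] = {"suites": len(advertised_suites(ctx)),
                       "bytes": cipher_suites_bytes(ctx),
                       "weak": weak_suites(ctx)}
    return rows


if __name__ == "__main__":
    for label, row in compare().items():
        print(f"{label:10} suites={row['suites']:3} "
              f"bytes={row['bytes']:4} weak={row['weak']}")
```

On OpenSSL builds with TLS 1.3 the `TLS_*` suites stay in the list regardless of the cipher string, because they are configured separately.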