Hi,

The latest Windows update that corrected the "WinShock" SChannel vulnerability brought many changes to the way TLS is performed, and among those changes is the fact that the Supported Point Formats Extension is no longer sent in the ServerHello during the TLS handshake.

In versions of OpenSSL prior to 1.0.0c, the Supported Point Formats Extension was expected to be present all the time, which of course is not correct. I sent a patch for that in 2010 (https://rt.openssl.org/Ticket/Display.html?id=2240&user=guest&pass=guest#txn-26841) and the correction was subsequently included in 1.0.0c.

This explains why you are starting to receive TLS handshake errors with a curl client linked against OpenSSL 1.0.0a or 1.0.0b after the SChannel update from Microsoft.

If you are not able to upgrade your clients, then the only solution is to ask Microsoft how to force the inclusion of the Supported Point Formats Extension in the TLS handshake, as was the case before. Their SChannel update brought new issues anyway, and Microsoft will most certainly publish another update to SChannel in order to solve them, so there is a possibility for them to restore the old TLS handshake behavior unless it causes security issues for them (but I can't imagine how).

Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

On 11/14/2014 10:02 PM, Gilles Vollant wrote:

Microsoft just published a patch for their SChannel component (KB 2992611):

https://technet.microsoft.com/library/security/MS14-066

But with this fix, the IIS 7.5/8.0 web server on Windows Server 2008 R2 or Windows Server 2012 did not accept downloads from curl + OpenSSL 1.0.0a / 1.0.0b!

If you compile curl with OpenSSL 1.0.0a or 1.0.0b, curl cannot download anything from an IIS 7.5/8.0 web server over https after patching!

OpenSSL 1.0.0c has no problem. But some clients cannot be updated magically!


Curl says:
curl: (35) error:1411809D:SSL routines:SSL_CHECK_SERVERHELLO_TLSEXT:tls invalid ecpointformat list

I made a report here:

http://www.winimage.com/demo_report_openssl_windows/

I hope Microsoft can (and will) update their fix to allow curl + OpenSSL 1.0.0 (a or b) to connect!

Regards,
Gilles Vollant
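The failure mode the two messages above describe, as an added example that is not from this thread and not OpenSSL's own code: a small Python parser for the ServerHello extensions block, with the strict check (the behaviour reported for 1.0.0a/b: an ECC cipher suite negotiated with no Supported Point Formats Extension in the ServerHello is an error) next to the corrected check (1.0.0c: a missing extension is treated as "uncompressed only", which RFC 4492 permits; a list that is present must still include the uncompressed format). Extension type 11 and point-format value 0 are the RFC 4492 code points; the two sample extension blocks are constructed here, not captured from IIS, and the error string is only copied from the curl output above for readability.

```python
"""
Added illustration of the ec_point_formats check, before and after the
OpenSSL 1.0.0c correction. Not OpenSSL's code; the extension layouts
follow RFC 4492 and the sample blocks below are constructed.
"""
import struct

EXT_EC_POINT_FORMATS = 11      # RFC 4492: ec_point_formats extension type
EXT_RENEGOTIATION_INFO = 0xFF01
POINT_UNCOMPRESSED = 0         # RFC 4492: ECPointFormat.uncompressed
ERR_ECPOINTFORMAT = "tls invalid ecpointformat list"


def build_extensions(exts):
    """Serialise [(type, data), ...] as a TLS extensions block."""
    inner = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    return struct.pack("!H", len(inner)) + inner


def parse_extensions(blob):
    """Parse a TLS extensions block: uint16 total length, then repeated
    (uint16 type, uint16 length, data). Returns {type: data}."""
    if len(blob) < 2:
        return {}
    (total,) = struct.unpack("!H", blob[:2])
    body = blob[2:2 + total]
    if len(body) != total:
        raise ValueError("truncated extensions block")
    exts = {}
    pos = 0
    while pos < len(body):
        if pos + 4 > len(body):
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        if len(data) != ext_len:
            raise ValueError("truncated extension %d" % ext_type)
        if ext_type in exts:
            raise ValueError("duplicate extension %d" % ext_type)
        exts[ext_type] = data
        pos += ext_len
    return exts


def parse_point_formats(data):
    """ec_point_formats payload: uint8 count, then `count` format bytes."""
    if not data or len(data) != 1 + data[0]:
        raise ValueError("malformed ec_point_formats payload")
    return list(data[1:])


def check_strict(exts, ecc_suite):
    """Strict behaviour (as reported for 1.0.0a/b): when an ECC suite is
    negotiated the extension must be present and list uncompressed."""
    if not ecc_suite:
        return "ok"
    if EXT_EC_POINT_FORMATS not in exts:
        return ERR_ECPOINTFORMAT          # the post-MS14-066 ServerHello hits this
    if POINT_UNCOMPRESSED not in parse_point_formats(exts[EXT_EC_POINT_FORMATS]):
        return ERR_ECPOINTFORMAT
    return "ok"


def check_corrected(exts, ecc_suite):
    """Corrected behaviour (1.0.0c): a missing extension means the server
    supports uncompressed points only; a present list must include it."""
    if not ecc_suite:
        return "ok"
    if EXT_EC_POINT_FORMATS not in exts:
        return "ok"                       # treated as [POINT_UNCOMPRESSED]
    if POINT_UNCOMPRESSED not in parse_point_formats(exts[EXT_EC_POINT_FORMATS]):
        return ERR_ECPOINTFORMAT
    return "ok"


# Constructed samples: a ServerHello extensions block that carries the
# point-formats list (uncompressed, compressed_prime, compressed_char2)
# and one that carries only renegotiation_info, as after the update.
SERVERHELLO_EXTS_BEFORE = build_extensions([
    (EXT_EC_POINT_FORMATS, bytes([3, 0, 1, 2])),
    (EXT_RENEGOTIATION_INFO, b"\x00"),
])
SERVERHELLO_EXTS_AFTER = build_extensions([
    (EXT_RENEGOTIATION_INFO, b"\x00"),
])


def compare(blob, ecc_suite=True):
    """Run both checks on one extensions block; returns (strict, corrected)."""
    exts = parse_extensions(blob)
    return check_strict(exts, ecc_suite), check_corrected(exts, ecc_suite)


if __name__ == "__main__":
    for label, blob in (("before update", SERVERHELLO_EXTS_BEFORE),
                        ("after update", SERVERHELLO_EXTS_AFTER)):
        strict, corrected = compare(blob)
        print("%-13s strict=%r corrected=%r" % (label, strict, corrected))
```

Running it shows the asymmetry the thread is about: the block without the extension passes the corrected check and fails the strict one, while a block whose list omits the uncompressed format is rejected by both, so the 1.0.0c change relaxed only the presence requirement, not the content requirement.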

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org