> On Aug 31, 2018, at 9:14 PM, Jordan Brown <open...@jordan.maileater.net>
> wrote:
>
> We're trying to nail down error reporting for TLS version mismatches, and
> we're seeing a couple of puzzling behaviors.
>
> First, and most puzzling... assume these two command lines:
>
> $ openssl s_server -cert 2018.08.31.a.pem -key 2018.08.31.a.key -no_tls1

This disables TLS 1.0 on the server, and if SSL 3.0 is supported at compile
time, leaves the server willing to do SSL 3.0 or TLS 1.1 and up.

> $ openssl s_client -connect zel.us.oracle.com:4433 -tls1

This configures the client to do TLS 1.0 only via the version-specific
TLS1_client_method(), which DOES NOT support version negotiation. It
is NOT equivalent in some subtle ways to:

    $ openssl s_client -connect zel.us.oracle.com:4433 -no_ssl3 -no_tls1_1 -no_tls1_2

That said, in either case the client sends "TLS 1.0" as its "maximum" protocol
version in its TLS client HELLO (the TLS 1.0 protocol does not support sending
a supported version list).

> That is, I have a server that won't accept TLSv1.0, and a client that will
> only accept TLSv1.0.

No, more precisely, you have a version-flexible server that does not accept
1.0 and a *fixed-version* client that only supports 1.0.

What happens at that point depends on whether SSL 3.0 has been disabled on the
server, or not. If SSL 3.0 is not disabled on the server (at compile time or
by other means), then seeing TLS 1.0 as the client's max version, the server
will respond with SSL 3.0. The client, however, is not in a negotiating mood,
and it will send a handshake failure alert:

    SSL_connect:SSLv3 write client hello A
    SSL3 alert write:fatal:handshake failure
    SSL_connect:error in SSLv3 read server hello A
    140735512441800:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:365:

and on the server side you'll see:

    SSL_accept:before/accept initialization
    SSL_accept:SSLv3 read client hello A
    SSL_accept:SSLv3 write server hello A
    SSL_accept:SSLv3 write key exchange A
    SSL_accept:SSLv3 write server done A
    SSL_accept:SSLv3 flush data
    SSL_accept:SSLv3 read client certificate A
    SSL3 alert read:fatal:handshake failure
    SSL_accept:failed in SSLv3 read client key exchange A
    ERROR
    140735512441800:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1498:SSL alert number 40

If, on the other hand, you *also* disable SSL 3.0 on the server, then seeing
a maximum version of TLS 1.0 from the client, but with TLS 1.0 disabled, the
server wants SSL 3.0, but that's also unavailable. For better or worse,
OpenSSL is unable to respond with a TLS 1.0 alert (TLS 1.0 is off), nor
SSL 3.0, so it simply fails:

    SSL_accept:before/accept initialization
    SSL_accept:error in SSLv2/v3 read client hello A
    ERROR
    140735512441800:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:643:
    shutting down SSL

The client's view of this is:

    SSL_connect:before/connect initialization
    SSL_connect:SSLv3 write client hello A
    SSL_connect:failed in SSLv3 read server hello A
    140735512441800:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:

You might argue that we should be able to send a TLS 1.0 fatal alert even
with TLS 1.0 disabled, but that's not how the OpenSSL 1.0.x code works. It
does not select explicitly disabled protocols for sending alerts, nor does
it select protocol versions higher than the client's limit.

In OpenSSL 1.1.x, with its more modern rewritten state machine, the behaviour
is closer to what you expected. Server reports:

    SSL_accept:before SSL initialization
    SSL_accept:before SSL initialization
    SSL3 alert write:fatal:protocol version
    SSL_accept:error in error
    ERROR
    140735512441728:error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../openssl/ssl/statem/statem_srvr.c:1655:

and client sees:

    SSL_connect:before SSL initialization
    SSL_connect:SSLv3/TLS write client hello
    SSL3 alert read:fatal:protocol version
    SSL_connect:error in error
    140735512441728:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../openssl/ssl/record/rec_layer_s3.c:1528:SSL alert number 70

--
Viktor.
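
Added example (not part of the original message, and not OpenSSL code): a small triage helper for the error-queue lines quoted above. It unpacks the 8-hex-digit code using the OpenSSL 1.0.x/1.1.x layout (library in the top 8 bits, then 12 bits of function, then 12 bits of reason) and reports whether each failure was an alert received from the peer or was raised locally. The names `decode`, `triage` and `SAMPLE` are made up for this sketch; the sample lines are copied from the message with wrapped lines rejoined.

```python
import re

# Error-queue lines copied from the message above (wrapped lines rejoined).
SAMPLE = """\
140735512441800:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:365:
140735512441800:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1498:SSL alert number 40
140735512441800:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:643:
140735512441728:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../openssl/ssl/record/rec_layer_s3.c:1528:SSL alert number 70
"""

LINE = re.compile(
    r"^(?P<tid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):(?P<data>.*)$"
)
ERR_LIB_SSL = 20             # library number behind "SSL routines"
SSL_AD_REASON_OFFSET = 1000  # SSL reason = 1000 + alert number for alerts read from the peer


def decode(line):
    """Parse one error-queue line and unpack its 32-bit code (1.0.x/1.1.x layout)."""
    m = LINE.match(line.strip())
    if m is None:
        return None
    code = int(m["code"], 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason > SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
    return {"lib": lib, "func": func, "reason": reason, "peer_alert": alert,
            "text": m["reason"], "where": f'{m["file"]}:{m["line"]}'}


def triage(log):
    """Return (reason text, origin) per line: peer alert number or local failure."""
    out = []
    for rec in filter(None, map(decode, log.splitlines())):
        origin = f"peer alert {rec['peer_alert']}" if rec["peer_alert"] is not None else "local"
        out.append((rec["text"], origin))
    return out


if __name__ == "__main__":
    for text, origin in triage(SAMPLE):
        print(f"{origin:14} {text}")
```

OpenSSL 3.x packs error codes differently, so the bit layout here applies only to lines from the 1.0.x and 1.1.x releases discussed in this thread.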